🕵🏻‍♂️ [InfoSec MASHUP] 47/2025

Jaguar Land Rover Hack Cost $260 Million; Fortinet warns of new FortiWeb zero-day exploited in attacks; Dozens of groups call for governments to protect encryption; Five Eyes nations and the Netherlands sanctioned two bulletproof hosting providers; Hundreds of Salesforce customers hit by yet another third-party vendor breach;

We now have 1,611 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇮🇹 A hacker says they stole 2.3 TB of data from Italian IT firm Almaviva and leaked it on a dark web forum. The files reportedly include internal documents, contracts, HR and accounting records tied to FS Italiane. Almaviva confirmed a cyberattack, is investigating with authorities, and says critical services remain protected.

Figure: Claims of breach at Almaviva/Andrea Draghetti

🇺🇸 🧑‍⚖️ The SEC has dropped its case against SolarWinds and its CISO over the huge 2020 Sunburst cyberespionage breach. The agency gave no public reason for ending the lawsuit. SolarWinds called the decision a vindication and said it eases CISOs’ concerns about disclosure chills.

🔓️ ☁️ A third-party vendor breach tied to Gainsight has exposed data in over 200 Salesforce instances — The attack appears linked to the same criminal group behind recent Salesloft Drift supply-chain intrusions. Salesforce revoked app access tokens while investigations by Gainsight and others continue.

🇫🇷 French childcare payroll service Pajemploi suffered a cyberattack that may have exposed personal data for up to 1.2 million people. Exposed data may include names, birthplaces, addresses, social security numbers, and bank institution names, but not IBANs, emails, phones, or passwords. Pajemploi has notified authorities, is informing affected individuals, and says services remain operational.

🇫🇷 European fiber operator Eurofiber France says hackers breached its ticket system and ATE customer portal on November 13, stealing data. The company secured systems, patched the flaw, and reported the incident and an extortion attempt to authorities. About 10,000 customers — including some government entities — may be affected, with exposed tickets, credentials, API keys, backups, and internal files.

🌩️ Cloudflare said the outage that hit many popular sites was not a hacker attack — A bug in a bot-mitigation service crashed after a routine configuration change and caused broad network problems. The company fixed the issue hours later and has published a full explanation.

🇬🇧 💸 Jaguar Land Rover said a September cyberattack cost the company about $260 million and forced it to pause production. The hacker group called "Scattered Lapsus$ Hunters" stole data and disrupted assembly lines in several countries. The attack also hurt the U.K. economy and prompted a 1.5-billion-pound government loan.

More breaches:

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇹🇭 🇷🇺 🇺🇸 Thai police arrested a Russian man in Phuket on Nov. 6 after an FBI tip linked him to cyberattacks on U.S. and European government agencies. Authorities seized laptops, phones, and digital wallets, and FBI agents were present. The suspect is held for possible extradition to the United States while Russian diplomats visit him.

🇷🇺 Five Eyes nations and the Netherlands sanctioned two bulletproof hosting providers and key people to disrupt services used by ransomware and phishing groups. Officials named Russia-based Media Land and affiliates, plus parties tied to the Aeza Group. Authorities also issued a mitigation guide and urged cutting peering partners to make the infrastructure harder to use.

🇮🇷 👀 Iranian state-linked group APT42 (SpearSpecter) is running a long-term espionage campaign against senior defense and government officials. They use social engineering, target relatives, and lure victims to fake sites or decoy files to install the TameCat backdoor. TameCat uses Telegram and Discord for covert command-and-control, steals credentials and documents, and hides via in-memory loading and legitimate tools.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 📡 Sen. Maria Cantwell is urging the FCC not to remove cybersecurity rules for telecom companies — She says scrapping the rules would weaken protections after China’s Salt Typhoon hacks. Cantwell asked the FCC chair for documents and testimony to justify the rollback.

🇺🇸 Sen. Mark Warner warned that politically driven firings and cuts in the Trump administration have weakened U.S. cyber defenses — He said layoffs at CISA and vacant intelligence posts leave critical infrastructure and elections more vulnerable. Warner called the trend dangerous and said failures could have catastrophic consequences.

⏸️ 🧑‍⚖️ NSO Group asked the court to pause a permanent injunction that bars it from targeting WhatsApp while it appeals. The company says enforcing the order would destroy its Pegasus business and stop U.S. agencies from licensing its tools. NSO also argues the injunction conflicts with the Computer Fraud and Abuse Act and harms public safety.

🇬🇧 🇨🇳 MI5 warned MPs that Chinese spies are using LinkedIn and fake recruiters to target lawmakers and officials. The agency named specific profiles and said the outreach is widespread and aimed at building long-term influence. The government plans security upgrades while critics say prosecutions and political responses have been uneven.

🇬🇧 🚗 British troops have been warned not to discuss sensitive military matters inside official vehicles amid mounting fears that China is eavesdropping on conversations conducted on the move.

Figure: Warnings put in MoD cars after fears that China is eavesdropping/The Times

🔐 More than 60 trade and tech groups urged governments to reject efforts to weaken or bypass encryption — They said strong encryption protects privacy, security, and trust for users and businesses. The groups warned that backdoors or mandated access would harm everyone more than help law enforcement.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇨🇳 🎧️ China-linked APT24 used a stealthy malware called BadAudio in a three-year espionage campaign. They spread it via spearphishing, compromised websites and a tainted JavaScript library to infect Windows users. BadAudio is heavily obfuscated, uses DLL hijacking, and loads further payloads like Cobalt Strike while avoiding detection.

🏦 🎠 Sturnus is a new Android banking trojan that targets users of WhatsApp, Telegram, and Signal. It can show fake bank login screens, log keystrokes, take remote control, and stop removal. By reading screens via Accessibility features, it bypasses end-to-end encryption and steals messages in real time.

🎣 A phishing kit called Sneaky 2FA uses Browser-in-the-Browser pop-ups to mimic Microsoft login pages and steal credentials. Attackers add bot checks, conditional loading, and quick domain rotation to evade detection. Even newer defenses like passkeys can be bypassed by malicious extensions or downgrade tricks, so users and organizations must stay cautious.

🪱 Seven npm packages by developer "dino_reborn" used Adspect redirects to hide malicious behavior and steer real users to crypto scam pages. Six packages fingerprint visitors, block developer tools, and forward targets’ IPs to Adspect to decide who gets redirected. Non-targets see a fake company page to avoid detection.

💥 Microsoft said the Aisuru IoT botnet launched a 15.72 Tbps DDoS attack on Azure from over 500,000 IPs. The UDP flood peaked at 3.64 billion packets per second and targeted an Australian IP. Aisuru, tied to compromised routers and cameras, has caused multiple record-breaking attacks and distorted DNS rankings.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

😲 🗳️ The International Association of Cryptologic Research canceled its leadership election after an official lost… a decryption key — Votes were cast and tallied with Helios, a cryptographic system that keeps ballots private and verifiable. Losing one trustee’s key made it impossible to decrypt and certify the results.

👋 Mozilla will end its partnership with Onerep next month and shut down Monitor Plus by Dec. 17, 2025. The move follows reporting that Onerep’s founder ran many people-search sites and still owned a data broker. Mozilla says it will keep the free Monitor breach service and refund Monitor Plus subscribers for unused time.

😱 🦠 Microsoft warned that its new Copilot Actions AI can infect machines and steal sensitive data. Security experts criticized releasing the feature before its risks were fully understood. Microsoft says users should only enable it if they understand the security implications.

🇺🇸 💸 A California man, Kunal Mehta, pleaded guilty to laundering at least $25 million stolen in a $230 million cryptocurrency heist — The crime ring used social engineering, crypto mixers, and shell companies to steal and hide funds. Prosecutors say the group spent the money on luxury items and some errors linked the laundered crypto back to the theft.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

💥 Attackers are exploiting a recently patched 7-Zip vulnerability (CVE-2025-11001) that can lead to remote code execution. The bug lets crafted ZIP files misuse symbolic links to write files outside the intended folder, enabling code execution when 7-Zip runs with high privileges. NHS England warns active exploitation is happening and a PoC exploit is public.
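The item above describes the general failure mode behind many archive bugs: an extractor honours a symbolic-link member or a `..` path and ends up writing outside the destination directory. The following is an added example, not code from the newsletter or from the 7-Zip project and not tied to the specifics of CVE-2025-11001: a small pre-extraction scanner that flags symlink members and traversal-style names in a ZIP file so a pipeline can refuse the archive before any extractor touches it. The sample archive is constructed inline; `build_sample_zip` and `suspicious_entries` are names chosen here.

```python
import io
import stat
import zipfile


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (member name, finding, detail) for every archive member that a
    naive extractor could turn into a write outside the destination directory.

    Two classes are flagged:
      * symlink members (Unix mode bits in external_attr say S_IFLNK); their
        body is the link target, which a later member or the extractor itself
        may follow outside the destination
      * traversal-style names: absolute paths or any '..' path component
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # High 16 bits of external_attr hold the Unix mode when the creator
            # recorded one; zero for archives without Unix attributes.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink member the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((name, "symlink", target))
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                findings.append((name, "traversal", name))
    return findings


def is_safe_to_extract(zip_bytes: bytes) -> bool:
    """Policy helper: refuse any archive with at least one finding."""
    return not suspicious_entries(zip_bytes)


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign file, one symlink member pointing
    above the extraction root, and one member with a '..' component."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mode 0120777
        zf.writestr(link, "../../outside")  # symlink body = link target
        zf.writestr("../escape.txt", "traversal")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, kind, detail in suspicious_entries(sample):
        print(f"{kind:9s} {name!r} -> {detail!r}")
    print("safe to extract:", is_safe_to_extract(sample))
```

Running the module prints one `symlink` and one `traversal` finding and `safe to extract: False`; an archive with neither class of member passes. Archives created on Windows usually carry no Unix mode bits, so the symlink check is only as good as the metadata the creator wrote, which is why the traversal check on names runs independently.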

💰️ Meta paid $4 million in 2025 through its bug bounty program, bringing total payouts to over $25 million. The company rewarded about 800 of 13,000 vulnerability reports, including serious issues in Unity for Quest VR and WhatsApp account enumeration and URL processing bugs. Meta is building a WhatsApp Research Proxy to help researchers find more bugs and will expand access over time.

🔓️ 🗓️ A critical Fortinet FortiWeb flaw was actively exploited before the company publicly disclosed it, leaving many customers exposed. Researchers say Fortinet’s delayed communication and late CVE assignment hindered defenders’ ability to respond. Attackers gained administrative access on devices, and agencies urged urgent patching.

🛰️ ICS, OT & IoT

🇨🇳 Researchers say thousands of older Asus routers were hacked by a suspected China-state group — The attack targets seven unsupported Asus models that no longer get security patches. It’s unclear what the hackers are doing with the controlled devices.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
