🕵🏻‍♂️ [InfoSec MASHUP] 49/2025

European authorities shut down Cryptomixer and seized about $28 million in Bitcoin; India plans to verify and record every smartphone in circulation... and rolls back; Vulnerability in OpenAI’s Codex CLI; Microsoft Silently Mitigated Exploited LNK Vulnerability; Russia blocks FaceTime and Snapchat over use in terrorist attacks; Chinese Hackers Started Exploiting React2Shell Vulnerability;

We now have 1,613 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

Table of Contents

🔓 BREACHES & SECURITY INCIDENTS

🇫🇷 French DIY retailer Leroy Merlin says a cyberattack exposed some customers' personal data in France. Leaked details include names, phone numbers, emails, postal addresses, birth dates, and loyalty info, but not bank data or passwords. The company says it blocked access, warns customers to watch for phishing, and is investigating.

🇰🇷 South Korean e-commerce giant Coupang disclosed a data breach that exposed personal information of about 33.7 million customers. Exposed data included names, emails, phone numbers, addresses, and some order histories, but not payment details or login credentials. Coupang reported the breach to authorities, blocked access, and said a former employee is a suspect.

More Oracle EBS Breaches…

🇬🇧 Cl0p ransomware stole invoice files from Barts Health NHS by exploiting an Oracle EBS zero-day. The leaked files include names, addresses, and some former employee and supplier data, and were posted on the dark web. Barts says clinical systems were not affected, has informed authorities, and urges patients to check invoices and watch for scams.

🇺🇸 University of Phoenix disclosed a data breach after attackers exploited a zero-day in Oracle E-Business Suite. The stolen data may include names, contact details, dates of birth, Social Security numbers, and bank account information for students, staff, and suppliers. The incident is linked to the Cl0p extortion campaign that has hit other universities and companies.


🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇺🇸 ⚖️ Twin brothers Muneeb and Sohaib Akhter were arrested for allegedly stealing and deleting government data from a contractor minutes after being fired. The breach affected multiple agencies, including DHS, the IRS, and the EEOC, and involved thousands of files and sensitive records. Prosecutors say the brothers have prior hacking convictions and face multiple federal charges, including identity theft and computer fraud.

🇰🇵 ⏺️ Researchers secretly watched North Korea's Lazarus Group recruit remote IT workers and control their "developer" laptops. They used ANY.RUN sandboxes to record operators stealing identities and setting up persistent access.

🇰🇷 South Korean police arrested four suspects who hacked over 120,000 IP cameras and sold stolen intimate videos to an overseas illegal website. Investigators are also pursuing the site operators and buyers, and have arrested three purchasers so far. Authorities warned viewing such material is a crime, notified victims, and urged users to secure cameras with strong passwords and updates.

🇪🇺 🤑 European authorities shut down Cryptomixer and seized about $28 million in Bitcoin and servers in Switzerland. Europol says the mixing service handled over $1.5 billion and was used for crimes like ransomware and fraud. The takedown is part of a global effort to disrupt crypto laundering networks.

Figure: Seizing banner/europol.europa.eu

🇦🇺 ⚖️ An Australian man was sentenced to seven years and four months for launching Wi‑Fi “evil twin” attacks at airports and on flights. He used a Wi‑Fi Pineapple to trick victims into entering credentials on fake login pages. Police seized his devices and found intimate images, stolen credentials, and fraud records.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇬🇧 🔔 The UK NCSC is piloting a Proactive Notifications service, run with Netcraft, that warns organizations about vulnerable internet-exposed devices found by scanning. Notifications arrive by email, contain specific update or configuration recommendations, and never ask for payment; the service does not cover every system or vulnerability.

🇷🇺 🛑 Russia's telecom regulator Roskomnadzor has blocked FaceTime and Snapchat, saying they are used to coordinate terrorist attacks, recruit criminals, and commit fraud. Snapchat was blocked on October 10 and FaceTime was announced blocked this week. The moves follow recent bans on other foreign messaging and gaming platforms for alleged extremist or harmful content.

👀 📲 Leaked investigations found Intellexa could remotely access customers’ Predator spyware systems and logs. Researchers say this raises serious human rights and liability concerns. The probes also tied Predator to malicious ad-based infections, zero-day exploits, and surveillance in multiple countries.

🇺🇸 The Trump administration plans to release a five-page national cybersecurity strategy in January. It outlines six pillars including cyber offense, workforce, procurement, infrastructure, regulation, and emerging tech. Officials say it is a high-level messaging document with follow-on actions and possible executive orders.

🇺🇸 The Congressional remedy for Salt Typhoon? Chinese hackers in the Salt Typhoon operation penetrated major U.S. telecom networks, alarming lawmakers and experts. Some senators and the FCC favor voluntary industry cooperation, while others say strong rules and verification are needed. Critics warn that weak telecom cybersecurity risks national infrastructure and that promises alone may not keep networks safe.

🇺🇸 👨‍⚖️ Texas has dropped its federal lawsuit seeking to void the 25-year-old HIPAA Privacy Rule and 2024 changes that limit sharing reproductive health data. A separate Texas court case already struck down key 2024 HIPAA reproductive-health protections, which eased Texas’ concerns. Experts say withdrawing the suit is pragmatic and the 2000 HIPAA rule likely remains intact.

🇮🇳 📱 India will require new and resold phones to be verified in a central IMEI database and have its Sanchar Saathi app preinstalled or pushed via updates. The government says this will fight theft, cloning, and fraud, but privacy groups warn it gives authorities broad visibility into device ownership. Critics call for clear data safeguards, audits, and limits on how the information is used. [UPDATE: India Rolls Back Order to Preinstall Cybersecurity App on Smartphones]

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

💬 📲 💔 The FBI warns criminals are using altered social media photos in virtual kidnapping scams to extort money. Scammers send urgent texts and fake proof-of-life images to pressure victims without any real abduction. The FBI urges caution, verification methods (like family code words), and saving images for investigations.

🦀 💸 Security researchers found a malicious Rust crate "evm-units" that targeted Windows, macOS, and Linux by pretending to be an Ethereum developer tool. The package downloaded and silently ran OS-specific payloads and checked for Qihoo 360 antivirus to adjust its behavior. The crate was pulled from crates.io after thousands of downloads and had been used as a dependency in another popular package, spreading the attack.

🇷🇺 🎣 Russian-linked Star Blizzard APT targeted Reporters Without Borders with spear-phishing emails in March. The attackers used ProtonMail, spoofing, and a phishing kit that can bypass ProtonMail two-factor authentication. The group has targeted NGOs, governments, and researchers since 2019 and is linked to Russia’s FSB.

🇨🇳 🇺🇸 CISA says Chinese state-linked hackers use a Golang backdoor called BRICKSTORM to keep long-term, stealthy access to VMware vSphere and Windows systems. The malware lets attackers run commands, move laterally, exfiltrate data, and hide C2 traffic using protocols like DoH and VSOCK. CrowdStrike and Mandiant link these intrusions to groups (Warp Panda/UNC5221) targeting governments, tech, and cloud environments.

🇮🇷 🇮🇱 🇪🇬 Iran-linked MuddyWater hackers are targeting Israeli sectors and an Egyptian tech firm with a new C/C++ backdoor called MuddyViper deployed via a Fooder loader. The campaign uses phishing, VPN exploits, remote-management tools, and multiple stealers to harvest credentials, browser data, and maintain covert access. Recent leaks of Iranian cyber unit documents suggest a formal, state-run hacking apparatus behind these operations.

🧩 The Glassworm malware has returned in a third wave with 24 new malicious VS Code packages on OpenVSX and the Microsoft Marketplace. It hides code with invisible Unicode, steals developer accounts and crypto data, and installs proxies and remote-access tools. Attackers push updates, inflate downloads to appear legitimate, and now use Rust implants to evade detection.
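A way to catch the invisible-Unicode trick in a review or CI step, as an added example rather than code from the Glassworm write-ups: the scanner flags every format, zero-width and variation-selector code point in a file and reports the longest unbroken run, which is what a smuggled payload looks like. The two sample files are constructed here, and the byte-to-selector mapping used to build the trojaned one is an assumption that stands in for whatever encoding the real packages used; the scan itself does not depend on it, only reveal() does.

```python
import unicodedata

# Code points that render as nothing in most editors. Variation selectors and the
# Tags block are the ones reported in the invisible-Unicode payloads; the rest are
# zero-width and bidi controls that have no business in source either.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separator, bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors VS1..VS16
    (0xFEFF, 0xFEFF),    # zero-width no-break space / BOM
    (0xE0000, 0xE007F),  # Tags block
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17..VS256
]


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any other Unicode "format" character (category Cf) is treated the same way.
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str):
    """Return (findings, longest_run): findings is a list of (line, column, 'U+XXXX')
    for every invisible character; longest_run is the longest stretch of consecutive
    invisible characters, which is what a smuggled payload looks like."""
    findings, longest_run = [], 0
    # split("\n") rather than splitlines(): the latter would swallow U+2028/U+2029.
    for line_no, line in enumerate(text.split("\n"), start=1):
        run = 0
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}"))
                run += 1
                longest_run = max(longest_run, run)
            else:
                run = 0
    return findings, longest_run


def verdict(text: str, run_threshold: int = 8) -> str:
    """Triage label for one file. The threshold is an assumption: a couple of stray
    format characters deserve a look, a long unbroken run is a payload."""
    findings, longest_run = scan_source(text)
    if not findings:
        return "clean"
    if longest_run >= run_threshold:
        return "suspicious"
    return "review"


def reveal(text: str) -> bytes:
    """Pull selector characters back into bytes so an analyst can read what a run
    encodes. Assumes the byte->selector mapping used by hide() below; a real sample
    may use a different one, in which case adjust this table."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


def hide(payload: bytes) -> str:
    """Constructed for the sample only: one variation selector per payload byte,
    so the payload occupies zero visible columns."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in payload)


# Constructed sample files, not taken from any real package.
CLEAN_JS = 'const greeting = "hi";\nmodule.exports = { greeting };\n'
HIDDEN_PAYLOAD = b'require("child_process")'
TROJANED_JS = ('const greeting = "hi";' + hide(HIDDEN_PAYLOAD) + '\n'
               'module.exports = { greeting };\n')

if __name__ == "__main__":
    for name, src in (("clean.js", CLEAN_JS), ("trojaned.js", TROJANED_JS)):
        findings, longest = scan_source(src)
        print(f"{name}: {verdict(src)} ({len(findings)} invisible chars, longest run {longest})")
        if findings:
            print("  decoded run:", reveal(src))
```

Running it on a real extension or npm package means feeding each source file to verdict(); any file that comes back "suspicious" is worth diffing against the published repository, since the visible code will look identical in both.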

🇷🇺 🎠 Albiriox is a new Android banking trojan sold by Russian-speaking actors as malware-as-a-service. It gives real-time remote control of devices and can show fake overlays to steal crypto and banking credentials. The trojan targets over 400 apps and uses a builder with Golden Crypt to evade detection.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

📨 🗑️ Researchers found a zero-click agentic browser attack that can make Perplexity’s Comet browser delete an entire Google Drive by interpreting a crafted email as cleanup instructions. The attack works because the browser agent has OAuth access to Gmail and Drive and will follow polite, sequenced natural-language commands without confirmation.

🇺🇸 Sen. Mark Kelly urged big U.S. investment in AI infrastructure and strict safeguards so the technology reflects American values. He wants clear standards, third-party testing, and international coordination to prevent misuse and protect civil rights. Kelly warned that AI must succeed economically or a failed bubble could cause major harm to the U.S. economy.

📱 🏦 Google is expanding its Android in-call scam protection to include Cash App and JPMorgan Chase users in the U.S. The feature warns you if an unknown caller tries to make you share your screen or banking info, and forces a 30-second pause with only the option to end the call. It works on Android 11+ and aims to stop social-engineering scams that pressure victims into payments or revealing credentials.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🐛 A critical vulnerability in React Server Components (CVE-2025-55182, dubbed React2Shell) lets unauthenticated attackers execute code on the server and threatens a large number of web apps. Researchers and vendors rushed out patches and mitigations, warning that exploitation is likely soon. Frameworks built on RSC, Next.js among them, are affected, and long-tail impacts are expected.

Vulnerable product                                      Patched release
react-server-dom* (19.0.x, 19.1.x, 19.2.x)              19.0.1, 19.1.2, 19.2.1
Next.js with App Router (14.3.0-canary, 15.x, 16.x)     14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
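A lockfile audit against the table above, as an added example (not code from the React or Next.js advisories): it expands react-server-dom* to the three published packages (react-server-dom-webpack, -parcel and -turbopack), and treats any version below the patched release on the same major.minor line (or the same canary line) as affected, nested copies under other packages included. Version lines the table does not list are reported as "not covered" rather than guessed. The package-lock.json is constructed here.

```python
import json
import re

# Patched releases from the advisory table. The react-server-dom* wildcard covers the
# three published flavours; Next.js is listed under its npm name.
FIXED_RELEASES = {
    "react-server-dom-webpack":   ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-parcel":    ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
    "next": ["14.3.0-canary.88", "15.0.5", "15.1.9", "15.2.6",
             "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
}

_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?")


def parse_version(version: str):
    """Return (core, prerelease): core is (major, minor, patch); prerelease is a tuple
    with numeric parts converted to int, e.g. ('canary', 88), or () for a stable release."""
    m = _SEMVER.fullmatch(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    prerelease = () if pre is None else tuple(int(p) if p.isdigit() else p for p in pre.split("."))
    return core, prerelease


def _line(core, prerelease):
    # A "line" is major.minor plus the prerelease tag, so 14.3.0-canary.* is its own
    # line and is never compared against a stable 14.3.x.
    return core[0], core[1], prerelease[0] if prerelease else None


def is_vulnerable(name: str, version: str):
    """True/False when the advisory table covers this package and version line,
    None when it does not (the table is the source of truth; nothing is guessed)."""
    if name not in FIXED_RELEASES:
        return None
    core, pre = parse_version(version)
    for fixed in FIXED_RELEASES[name]:
        fcore, fpre = parse_version(fixed)
        if _line(core, pre) == _line(fcore, fpre):
            return (core, pre) < (fcore, fpre)
    return None


def audit_lockfile(lock: dict) -> dict:
    """Walk a lockfileVersion 2/3 package-lock.json ('packages' map) and report every
    install path of an in-scope package, nested copies included."""
    report = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if name in FIXED_RELEASES and version:
            state = is_vulnerable(name, version)
            report[path] = {True: "vulnerable", False: "fixed", None: "not covered by table"}[state]
    return report


# Constructed lockfile for the demo, not from a real project.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "15.5.6", "react": "19.2.0"}},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/@next/env": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    },
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, state in audit_lockfile(lock).items():
        print(f"{state:22} {path} ({lock['packages'][path]['version']})")
```

Point it at a real lockfile with `python audit.py package-lock.json`. The nested copy matters: a patched top-level Next.js does not help if a dependency still pins its own react-server-dom-webpack, which is why the walk keys on install path rather than package name.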

💥 🔓️ JPCERT/CC says attackers have been exploiting a command injection bug in Array Networks AG Series gateways since August 2025. The flaw in DesktopDirect lets attackers run arbitrary commands and drop web shells; Array fixed it in ArrayOS 9.4.5.9. Users should update immediately or, if they cannot, disable DesktopDirect and block requests whose URL contains a semicolon.

🩹 Microsoft silently fixed an exploited LNK shortcut bug (CVE-2025-9491) in its November 2025 updates. Malicious shortcuts padded the command line with whitespace so the real command was pushed out of the Target field shown in the file's Properties, and the malware ran when users opened the shortcut. Microsoft and third parties say user warnings and detections reduce the risk, and Acros Security offers a 0patch micropatch.
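A triage check for the padding trick, as an added example (not from Microsoft, ZDI or Acros): it parses the .lnk StringData per the MS-SHLLINK layout and flags COMMAND_LINE_ARGUMENTS that start with a long whitespace run, contain control whitespace, or are longer than the Target box can show. The two shortcuts are built inline by a constructed-sample builder; the thresholds (16 leading characters, 260 displayed characters) are assumptions chosen for triage.

```python
import struct

# Layout from MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList and
# LinkInfo, then the StringData fields in a fixed order, each a UINT16 character
# count followed by the characters (UTF-16LE when IsUnicode is set, no terminator).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]
PAD_CHARS = " \t\r\n\v\f"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict. The text fields are all
    this check needs, so the ID list and LinkInfo are skipped via their size prefixes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def padding_indicators(fields: dict, min_leading: int = 16, ui_limit: int = 260) -> list:
    """Reasons the arguments look padded to push the real command out of the Target
    box. Thresholds are assumptions for triage, not values from the advisory."""
    args = fields.get("arguments", "")
    reasons = []
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    if leading >= min_leading:
        reasons.append(f"{leading} leading whitespace characters before the real arguments")
    if any(c in args for c in "\t\r\n\v\f"):
        reasons.append("control whitespace (tab/CR/LF/VT/FF) inside arguments")
    if len(args) > ui_limit:
        reasons.append(f"arguments are {len(args)} characters, past the assumed {ui_limit}-character Target box")
    return reasons


def build_lnk(relative_path: str, arguments: str, working_dir: str = ".") -> bytes:
    """Constructed-sample builder (not a real malware sample): a minimal Unicode Shell
    Link carrying only the string fields this check reads."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII",
                         0x4C, LNK_CLSID, flags, 0x20,  # size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,                       # creation/access/write FILETIMEs
                         0, 0, 1,                       # file size, icon index, SW_SHOWNORMAL
                         0, 0, 0, 0)                    # hotkey, reserved fields

    def s(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + s(relative_path) + s(working_dir) + s(arguments)


BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "readme.txt")
PADDED_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " " * 900 + "\t/c start calc.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        fields = parse_lnk(blob)
        print(label, "->", padding_indicators(fields) or "no padding indicators")
```

For real files, read the .lnk bytes from an email attachment or archive and pass them to parse_lnk(); anything with a non-empty indicator list gets pulled for analysis before a user double-clicks it.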

🔓️ 🤖 Researchers found a vulnerability in OpenAI’s Codex CLI that let the tool run commands from local project config files without asking the user. An attacker who adds a malicious config to a repo can trigger remote shells, steal secrets, or spread attacks through supply chains. OpenAI patched the issue (CVE-2025-61260) in Codex CLI 0.23.0.

🛰️ ICS, OT & IoT

🤖 Cybersecurity agencies from six countries issued guidance for safely using AI in operational technology for critical infrastructure. The guidance lists four principles: understand AI risks, choose fit-for-purpose use cases, set governance and testing, and add oversight and failsafes. It stresses clear roles, data security, staff training, and continuous monitoring to prevent safety, reliability, and security problems.

💥 CISA added a 2021 ScadaBR cross-site scripting flaw (CVE-2021-26829) to its Known Exploited Vulnerabilities list after hacktivists used it to deface an HMI. The bug was patched in June 2021, but unpatched instances still let an attacker run script in an operator's browser or hijack sessions. The target turned out to be a water-plant honeypot, which shows hacktivists go after easy ICS/OT flaws and may signal wider exploitation.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
