🕵🏻‍♂️ [InfoSec MASHUP] 50/2025

🔓 BREACHES & SECURITY INCIDENTS

🇬🇧 💷 The UK fined LastPass £1.2 million after a 2022 breach exposed data and encrypted vaults of up to 1.6 million UK users. Attackers chained compromises of an employee laptop and a senior staffer’s personal device to steal keys and cloud backups. Authorities say LastPass failed to protect customer data and urge stronger passwords and tighter access controls.

🇺🇸 🔓️ A researcher found a Home Depot employee’s GitHub access token exposed online for about a year. The token let someone access hundreds of private repositories and cloud systems. Home Depot ignored the researcher until TechCrunch reported it and the token was revoked.

🐳 🔓️ Security researchers found 10,456 Docker Hub images leaking secrets like API keys, database credentials, and LLM tokens. The leaks affected about 101 companies, including a Fortune 500 firm and a major bank. Researchers warn to stop embedding secrets in images, revoke exposed keys, and use centralized secret management.

🇰🇷 👋 Coupang’s CEO Park Dae-jun resigned after the huge data breach exposed personal data of about 34 million people. He apologized and said he felt deep responsibility. Harold Rogers, the company’s U.S. parent’s top lawyer, will replace him.

💁 Cybersecurity insurer Coalition now offers policies that cover some deepfake incidents and provide response services. Deepfakes are still rare in claims, but they can convincingly impersonate executives to steal money or damage reputations. Experts warn AI tools will make these attacks cheaper and more common for many businesses soon.

🇺🇸 Vitas Healthcare reported a cyber intrusion that exposed personal and medical data. About 319,177 current and former patients were affected. The attacker used a compromised vendor account and accessed systems from Sept. 21 to Oct. 27.

🇺🇸 Tri-Century Eye Care suffered a data breach that may have exposed personal and health information for about 200,000 people. The Pear ransomware group claimed the attack and posted stolen files after Tri-Century refused to pay. Large healthcare breaches like this have affected other eye care providers (Retina Group of Florida, Asheville Eye Associates, and Ocuco) this year.

→ More breaches:

• Data breach at credit check giant 700Credit affects at least 5.6 million

• Pierce County Library Data Breach Impacts 340,000

• Fieldtex Data Breach Impacts 238,000

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇰🇵 💬 Researchers found internal IP Messenger chat logs from North Korean IT workers showing collaboration on software, account sharing, and links to DPRK universities. The logs suggest a local LAN with freelancers trading jobs, personas, and remote access services. Though location and internet access are unclear, the chats give rare insight into their networks and operations.

🇵🇱 🇺🇦 Polish police arrested three Ukrainian men found with advanced hacking gear and spy-detection tools. They face charges for fraud, computer crimes, and possessing devices meant for criminal use. Authorities seized laptops, SIM cards, routers, hard drives, and Flipper Zero-like equipment and detained the men for three months.

🇨🇦 A hacking group called STAC6565, linked to Gold Blade, is targeting Canadian organizations in 80% of its attacks using phishing and ransomware called QWCrypt. They send fake job application emails with malicious files to trick HR staff and gain access to networks. The group uses advanced tools and tactics to steal data and deploy ransomware, especially focusing on critical infrastructure like hypervisors.

🇺🇸 💰️ 🇮🇷 The U.S. is offering up to $10 million for information on members of an Iranian hacking group now called Shahid Shushtari. The group is tied to Iran’s IRGC and blamed for cyberattacks and influence operations against U.S., European, and Middle Eastern targets. Officials named two leaders and urged anyone with tips to contact the Rewards for Justice program.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇩🇪 🇷🇺 Germany says Russian military intelligence carried out an August 2024 cyber-attack on air traffic control and ran an election disinformation campaign. Berlin blamed the Fancy Bear group and summoned the Russian ambassador, vowing coordinated counter-measures with European partners. Russia has not yet responded, though Moscow has denied similar accusations before.

🇺🇦 🇺🇸 🇷🇺 Ukrainian national Victoria Dubranova was extradited to the U.S. and charged for aiding Russian state-linked hacktivist groups in attacks on critical infrastructure. Prosecutors say the groups hit water systems, election systems, nuclear-related sites, and other targets using tools like DDoSia. If convicted, Dubranova faces up to 27 years in prison and related rewards and sanctions target the groups and their members.

🇪🇸 Spanish police arrested a 19-year-old in Barcelona for stealing 64 million personal records from nine companies. He is charged with cybercrime, unauthorized access, and selling the data online. Authorities also seized computers and crypto wallets linked to the sales.

🇵🇹 Portugal updated its cybercrime law to legally protect good-faith security researchers — The exemption applies only if researchers limit testing, report vulnerabilities quickly, avoid harm or data misuse, and follow strict rules. Similar protections have been introduced in Germany and the U.S. for responsible vulnerability research.

🤖 🔓️ Researchers show that MCP sampling lets external servers ask a user's LLM for completions, creating new attack paths. A malicious MCP server can inject hidden instructions, persist them across turns, and make the LLM leak data or call tools without the user knowing. Safeguards are needed to detect and block such prompt injections.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🎣 🕷️ A new phishing kit called Spiderman is targeting customers of many European banks and crypto services with pixel-perfect fake sites. It can steal logins, 2FA/PhotoTAN codes, credit card data, and crypto seed phrases, and lets attackers monitor and export victim data in real time. Researchers warn this enables account takeover, card fraud, SIM swapping, and identity theft, and advise always verifying official domains and reporting unexpected OTP prompts.

📲 DroidLock is Android malware that locks phones, steals data (messages, calls, contacts, audio) and can wipe or change device locks to deny access. It spreads via fake app sites targeting Spanish speakers and tricks users into granting Device Admin and Accessibility permissions. Zimperium says the malware steals lock patterns, uses overlays and VNC for remote control, and Play Protect can block it if devices are up to date.

🇰🇵 North Korean-linked hackers used the new EtherRAT malware to exploit the critical React2Shell flaw in Next.js. EtherRAT runs five Linux persistence methods, uses Ethereum smart contracts for C2, and can self-update. Sysdig urges admins to patch React/Next.js, check persistence, monitor Ethereum RPCs, and rotate credentials.

→ PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

🧩 Two malicious VSCode extensions in Microsoft’s Marketplace install an infostealer that takes screenshots, steals credentials and crypto wallets, and hijacks browser sessions. The extensions (Bitcoin Black and Codo AI) hid malicious DLLs and used DLL hijacking plus scripts to run payloads stealthily. Developers should only install extensions from reputable publishers to reduce risk.

🔙 🚪 Iran-linked MuddyWater used a new UDP-based backdoor called UDPGangster to target users in Turkey, Israel, and Azerbaijan. Infections began with spear-phishing Word docs that run macros to install the malware, which evades analysis and persists via registry changes. UDPGangster collects system data and communicates with a remote server over UDP to exfiltrate files and run commands.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🆕 🐧 Kali Linux 2025.4 is released with three new tools (bpf-linker, evil-winrm-py, hexstrike-ai) and desktop updates. GNOME now runs only on Wayland and KDE and Xfce also received improvements. NetHunter gains new device support, and live ISOs are now distributed via BitTorrent.

📊 MITRE released results of the 2025 ATT&CK Enterprise Evaluations for 11 cybersecurity vendors. The tests focused on Scattered Spider and Mustang Panda scenarios, including cloud attacks and adversary reconnaissance, and emphasized protection and high-fidelity detection. Some vendors touted perfect scores, but experts warn such claims can be misleading, and major firms like Microsoft and Palo Alto Networks did not participate.

🤖 🪧 Global cybersecurity agencies issued unified guidance for using AI in critical infrastructure to balance benefits with safety and security. The guidance says AI should advise, not control OT systems, keep humans in the loop, and use push-based architectures to reduce attack risk. It urges transparency from vendors, regular validation to prevent model drift, and training so operators retain manual skills.

🇺🇸 President Trump signed an executive order to stop states from making their own AI rules, saying a patchwork of laws would hurt U.S. competition with China. The order creates a task force to challenge state laws and could cut some federal funding to states with AI regulations. Some states have already passed laws to limit data collection and require transparency to curb AI bias and harms.

🇬🇧 The UK cyber agency warns large language models are inherently vulnerable to prompt injection. These models treat all input as instructions, so malicious prompts can bypass safeguards. Because of their architecture, this weakness may never be fully eliminated.

🔓️ Researchers found a new prompt-injection flaw in major AI coding tools that can turn GitHub workflows into attack paths. Malicious or untrusted content in commits, pull requests, or issues can be treated as instructions by LLMs and trigger privileged actions. The issue affects many models and real projects, and some fixes have begun but the architectural risk remains.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Patches Nearly 140 Vulnerabilities

• Fortinet Patches Critical Authentication Bypass Vulnerabilities

• Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data

• Google Patches Mysterious Chrome Zero-Day Exploited in the Wild

• IBM Patches Over 100 Vulnerabilities

• Ivanti EPM Update Patches Critical Remote Code Execution Flaw

• Microsoft’s last Patch Tuesday of 2025 addresses 57 defects, including one zero-day

• SAP Patches Critical Vulnerabilities With December 2025 Security Updates

💥 🔓️ Exploitation of React2Shell Surges — The critical React flaw called React2Shell (CVE-2025-55182) lets attackers run code on vulnerable servers using specially crafted HTTP requests. Exploits started immediately after disclosure, with many scans and real attacks delivering malware, miners, and credential theft. Security groups report hundreds of thousands of potentially vulnerable instances and urge rapid patching.

🐛 🩹 React fixed three new vulnerabilities in React Server Components that can cause denial-of-service or leak source code. The bugs affect multiple 19.x releases and were found while testing fixes for a prior critical flaw. Users should update to 19.0.3, 19.1.4, or 19.2.3 immediately.

🐛 🩹 A critical Apache Tika vulnerability (CVE-2025-66516, CVSS 10.0) allows XML External Entity (XXE) injection via crafted XFA inside PDFs. It affects tika-core, tika-pdf-module, and tika-parsers and can lead to data leaks, SSRF, DoS, or RCE. Users should update to tika-core 3.2.2, tika-pdf-module 3.2.2, and tika-parsers 2.0.0 immediately.

💥 🔓️ A large campaign began on December 2 targeting Palo Alto GlobalProtect VPN portals with credential-stuffing and bruteforce login attempts. The attacks came from over 7,000 IPs in 3xK GmbH’s network and then shifted to scanning SonicWall SonicOS API endpoints. Organizations are urged to monitor and block these IPs, enforce MFA, and watch for abnormal authentication activity.

🤑 🐛 White hat researchers won $320,000 at the Zeroday.Cloud live hacking event in London. The contest paid for 11 open source exploits across cloud, AI, databases, and more. Biggest payouts included $40,000 for a Linux kernel exploit and multiple $30,000 database exploits.

🛰️ ICS, OT & IoT

🇨🇳 🇺🇸 ☀️ This one gadget could give China a back door into the U.S. power grid — U.S. solar systems rely heavily on Chinese-made inverters that control electricity flow. Experts and lawmakers warn these devices can be remotely manipulated to cause blackouts. That dependence creates a growing national security risk.

🐛 🔓️ Researchers found three PCIe IDE flaws that could let attackers read or corrupt data, escalate privileges, or cause DoS. Intel and AMD say some of their processors are affected; firmware fixes are being prepared. Exploitation is low-severity because it needs physical or low-level PCIe access, but could matter for targeted hardware attacks.

🐛 🩹 ICS Patch Tuesday — Industrial vendors Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact released Patch Tuesday advisories fixing multiple vulnerabilities in ICS/OT products. The flaws range from critical code execution and DoS to SQL injection, XSS, MitM, and information exposure across many devices and third-party components. CISA also published advisories on separate vulnerabilities affecting CCTV, an appliance XSS, and U-Boot code execution.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.