🕵🏻‍♂️ [InfoSec MASHUP] 51/2025

France's Interior Ministry Breached; European authorities dismantled a Ukraine-based call center fraud ring; Eight browser extensions with over 8 million installs collect full AI conversations and sell them; Google linked five more Chinese hacking groups to attacks exploiting the severe React2Shell flaw.

We now have 1,607 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

🎄 As the year wraps up, I just want to say a huge thank you for being part of the community and for all your support throughout 2025. It really means a lot! Wishing you all a relaxing and joyful holiday season, and I can’t wait to head into 2026 with you—sharing more cybersecurity news, helpful resources, and cool tools along the way ✌️ 

Now, let’s dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇻🇪 🛢️ Venezuela’s state oil company PDVSA suffered a cyberattack that disrupted export operations. PDVSA says only administrative systems were hit and operational areas stayed running, but internal reports and sources say key terminal systems and deliveries were offline. PDVSA blamed the United States and domestic conspirators for the attack amid rising tensions.

🔞 The hacking group called Scattered Lapsus$ Hunters says it stole Pornhub Premium users’ viewing and personal data and is trying to extort the site. The data came from a breach at analytics provider Mixpanel that exposed events and user details for many customers. Mixpanel’s breach also affected other companies like OpenAI and SoundCloud, putting millions of users’ data at risk.

🚗 Auto parts supplier LKQ confirmed it was hit in the Oracle E-Business Suite hack tied to the Cl0p ransomware group. Over 9,000 people’s personal data, including SSNs and EINs for sole proprietor suppliers, were compromised. Several terabytes of stolen files were posted online, and LKQ says only its EBS environment was affected.

🎧️ SoundCloud says a security breach exposed a database with user emails and public profile info. About 20% of users (roughly 28 million accounts) may be affected. The company blocked access, tightened security, and the incident disrupted VPN access and caused outages.

🇫🇷 France's Interior Ministry says hackers breached its email servers and accessed some files. Officials have tightened security and opened an investigation. They are still unsure who is responsible or whether data was stolen (UPDATE: France arrests suspect tied to cyberattack on Interior Ministry).

🤷 Google is ending its dark web report alerts in February — the reports showed lists of leaked user data from hidden sites. Google says these alerts aren’t very useful because there’s little users can do about dark web leaks.

🇯🇵 Japanese company Askul suffered a ransomware attack that exposed over 700,000 records. The RansomHouse group stole more than 1 TB of data and leaked it after Askul refused to pay. The breach disrupted orders and logistics and affected customers, partners, employees, and executives.

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇺🇦 Russian-linked APT28 ran a long phishing campaign to steal UKR.net email credentials and 2FA codes. They used fake UKR.net login pages hosted on services like Mocky, tinyurl redirects, and blogspot subdomains. Recorded Future says this supports GRU intelligence gathering and shifted to ngrok/Serveo tunneling after infrastructure takedowns.

🇺🇸 🇷🇺 U.S. authorities dismantled E-Note, an alleged crypto exchange and payment service used to launder tens of millions from ransomware and other cybercrimes. A Russian national, Mykhalio Chudnovets, was indicted for running the service and faces money-laundering conspiracy charges. Law enforcement seized servers and records that may help trace funds and identify users.

🇪🇺 🇺🇦 European authorities dismantled a Ukraine-based call center fraud ring that stole over €10 million from more than 400 victims. Twelve suspects were arrested and extensive assets and forged IDs seized after raids in Dnipro, Ivano-Frankivsk, and Kyiv. The scam used fake bank and police personas, remote access tools, and in-person cash pickups, with staff paid commissions.

🇷🇺 ☁️ Amazon says the Russian GRU-linked group called Sandworm has shifted from exploiting software bugs to abusing misconfigured network edge devices on AWS to gain access. The group has targeted energy firms, utilities, telecoms, and cloud infrastructure in Western countries since 2021. Amazon has notified affected customers, remediated compromised EC2 instances, and shared intelligence with partners.

🇺🇸 ⚖️ Nathan Austad pleaded guilty to taking part in a credential stuffing attack that compromised over 60,000 betting site accounts. The hackers added payment methods, stole about $600,000 from 1,600 victims, and sold access to accounts. Austad faces up to five years in prison; two co-conspirators already pleaded guilty.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 With the Cybersecurity Information Sharing Act set to expire soon, Congress may pass another short extension because lawmakers disagree on a long-term fix. House Homeland Security Chair Andrew Garbarino said there are three different bill approaches and no consensus. He also noted committees are working on broader cyber issues like regulations, workforce and using AI for defense.

🇺🇸 📺️ 📸 Texas sued five TV makers, saying their smart TVs used ACR technology to secretly capture what people watch. The suit claims screenshots were taken every 500 ms and sent to companies without users' consent. Texas also warned that Chinese-owned firms could expose U.S. data to Beijing under China's security laws.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🎠 📲 Cellik is an Android remote access trojan that gives attackers full control of infected phones, including screen streaming, keylogging, camera/mic access, and file/cloud access. It can hide a browser and overlay fake login screens to steal credentials, and it can inject its code into legitimate Google Play apps with one click. The malware is sold on the dark web for about $150/month and includes tools for wide surveillance and data theft.

🎅 💸 A new malware called SantaStealer is being sold as a service and targets browsers, crypto wallets, messaging apps, and documents. Researchers say it runs in memory, uses many data-stealing modules, and uploads stolen data to a hardcoded server. The tool is still immature, poorly hidden, and advertised on Telegram and hacker forums.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🧩 Eight browser extensions with over 8 million installs collect full AI conversations and sell them for marketing. They promise privacy but inject scripts that capture chats from ChatGPT, Gemini, Claude, and others. The extensions remain listed and even carry “Featured” badges in the stores.

🇺🇸 ⚖️ The American Bar Association warns that AI is undermining legal procedures and court evidence. Deepfakes and AI errors are creating doubts about authenticity and trust in trials. The ABA also notes AI can speed routine legal work and is developing guidance to manage risks.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

💥 🩹 SonicWall warned customers to patch a new SMA1000 local privilege escalation bug (CVE-2025-40602) that was chained in zero-day attacks. Attackers combined it with a pre-auth deserialization flaw (CVE-2025-23006) to run commands as root on exposed devices. Over 950 SMA1000 appliances are internet-exposed, so unpatched systems face high risk.

🚚 The National Motor Freight Traffic Association (NMFTA) warns that cargo theft is shifting from brute-force theft to sophisticated, cyber-enabled heists. Criminals use hacking, social engineering, AI deepfakes, and stolen credentials to take over accounts, spoof dispatches, and divert shipments. Companies using cyber awareness training and phishing simulations are seeing fewer successful attacks.

🇨🇳 Google linked five more Chinese hacking groups to attacks exploiting the severe React2Shell flaw (CVE-2025-55182). The bug lets attackers run code on vulnerable React/Next.js sites and has been used to steal AWS credentials and other data. Thousands of systems worldwide remain exposed and actors from multiple countries are actively exploiting it.

💥 Threat actors began exploiting two critical Fortinet flaws (CVE-2025-59718, CVE-2025-59719) days after patches were released. The bugs let attackers bypass FortiCloud SSO, log in as admin, and export device configs containing hashed credentials. Administrators should apply the patches, disable FortiCloud SSO, restrict management access, and reset credentials if breached.

🔓️ ☁️ A flaw in JumpCloud Remote Assist for Windows lets an unprivileged local user trick the uninstaller into performing privileged file operations in a user-writable %TEMP% folder. Attackers can use symbolic links or mount-point tricks to overwrite system files or trigger a takeover, causing BSODs or gaining SYSTEM shells. JumpCloud fixed it in version 0.317.0 and organizations should update immediately.
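The bug class above (a privileged component doing file operations under a user-writable staging directory where a symlink or junction can redirect them) is the same one an installer author has to defend against. As an added illustration that is not JumpCloud's code, the helper below refuses to operate on any path whose components include a reparse point or that escapes the staging root; the constructed scenario uses a plain symlink as a stand-in for a redirected %TEMP% entry (a real fix also avoids user-writable staging directories entirely, since a pre-check alone is still racy).

```python
import os
import stat
import tempfile

# Windows-only attribute (junctions, mount points); other platforms only have symlinks.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path):
    """True if `path` itself is a symlink, junction or other reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def validate_staging_path(root, target):
    """Check every component of `target` below `root` before a privileged
    process touches it. Returns (ok, reason)."""
    root = os.path.abspath(root)
    target = os.path.abspath(target)
    if os.path.commonpath([root, target]) != root:
        return False, "target escapes staging root"
    cur = root
    for part in os.path.relpath(target, root).split(os.sep):
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur):
            return False, f"missing component: {cur}"
        if is_reparse_point(cur):
            return False, f"reparse point in path: {cur}"
    return True, "ok"


def demo():
    """Constructed scenario: a staging dir holding one real file and one symlink
    pointing outside the staging root (stand-in for an attacker-planted junction)."""
    with tempfile.TemporaryDirectory() as staging, tempfile.TemporaryDirectory() as outside:
        real = os.path.join(staging, "uninstall.log")
        open(real, "w").close()
        victim = os.path.join(outside, "important.dll")  # constructed "system" file
        open(victim, "w").close()
        link = os.path.join(staging, "redirected")
        os.symlink(outside, link)  # needs symlink privilege on Windows
        return {
            "real": validate_staging_path(staging, real)[0],
            "via_link": validate_staging_path(staging, os.path.join(link, "important.dll"))[0],
            "outside": validate_staging_path(staging, victim)[0],
        }


if __name__ == "__main__":
    print(demo())  # → {'real': True, 'via_link': False, 'outside': False}
```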

🛰️ ICS, OT & IoT

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
