Svoboda Cybersecurity Brief April 16, 2025

Apr 16, 2025


Russian APT29 Deploys New GrapeLoader Malware in Embassy Phishing Campaign

Russian state-sponsored group APT29 (Midnight Blizzard) targeted European diplomatic entities with a new malware loader called GrapeLoader and an updated WineLoader backdoor. The campaign used spear-phishing emails impersonating Ministries of Foreign Affairs, delivering malicious ZIP archives that launched the loader via DLL sideloading. GrapeLoader employs anti-analysis techniques such as delayed shellcode execution and memory protection tricks.
Impact: Stealthy reconnaissance and persistent access to high-value targets.
Mitigation: Monitor for suspicious DLL sideloading, enforce email filtering, and apply EDR solutions with memory analysis.
Source: BleepingComputer

Chinese UNC5174 Hackers Target Linux with SNOWLIGHT and VShell Malware

Chinese threat actor UNC5174 (Uteus) attacked Linux systems using SNOWLIGHT malware and a new open-source RAT, VShell. The campaign exploited Ivanti vulnerabilities (CVE-2024-8963, CVE-2024-9380) and leveraged WebSockets for C2 communication. VShell collects SSH keys, cloud credentials, and system data.
Impact: Compromise of critical infrastructure and espionage.
Mitigation: Patch Ivanti appliances, monitor for unusual WebSocket traffic, and restrict lateral movement.
Source: TheHackerNews

4Chan Hack Exposes Admin Panels and Source Code

4Chan was taken offline after hackers leaked internal admin tools, emails, and PHP source code. Attackers claimed access for over a year, exploiting outdated PHP versions. Screenshots showed access to IP logs, board management, and database controls.
Impact: Potential data leaks and prolonged service disruption.
Mitigation: Update legacy PHP installations, enforce MFA for admin panels, and audit third-party code.
Source: BleepingComputer

Landmark Admin Data Breach Expands to 1.6 Million Victims

The May 2024 ransomware attack on Landmark Admin exposed Social Security numbers, medical records, and financial data of 1.6 million individuals—double earlier estimates. VPN credentials were compromised, but exfiltrated data remains unconfirmed.
Impact: Identity theft and financial fraud risks.
Mitigation: Revoke compromised VPN credentials, provide credit monitoring, and segment sensitive data.
Source: BleepingComputer

Critical Apache Roller Flaw Allows Session Hijacking After Password Reset

CVE-2025-24859 (CVSS 10.0) in Apache Roller lets attackers maintain active sessions post-password change. Fixed in v6.1.5, the flaw affected all prior versions.
Impact: Unauthorized account access despite credential updates.
Mitigation: Upgrade to Roller 6.1.5 and enforce session termination policies.
Source: TheHackerNews
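As an added illustration (not Apache Roller's code), the session-revocation rule that closes this class of bug: each session records the password generation it was issued under, and a password change bumps that generation so every token issued before it is refused. The `SessionStore` class, the `password_change_outcome` scenario and the PBKDF2 hashing are constructed for this example.

```python
import hashlib
import secrets

def _hash(password, salt):  # PBKDF2 stands in for the app's real KDF
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self, revoke_on_password_change):
        self.revoke = revoke_on_password_change  # False = pre-fix behaviour
        self.creds = {}     # user -> (salt, pbkdf2 hash)
        self.pw_gen = {}    # user -> int, bumped on every password change
        self.sessions = {}  # token -> (user, pw_gen at issue time)
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash(password, salt))
        self.pw_gen[user] = 0
    def login(self, user, password):
        salt, stored = self.creds.get(user, (b"", b""))
        if not secrets.compare_digest(stored, _hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.pw_gen[user])
        return token
    def current_user(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen = entry
        if self.revoke and gen != self.pw_gen[user]:
            del self.sessions[token]  # issued under an older password: refuse and drop
            return None
        return user
    def change_password(self, token, new_password):
        user = self.current_user(token)
        if user is None:
            return None
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _hash(new_password, salt))
        self.pw_gen[user] += 1  # every token issued before this line is now stale
        del self.sessions[token]
        return self.login(user, new_password)  # fresh token for the caller

def password_change_outcome(revoke):
    """Constructed scenario: a second session on the account (a forgotten browser,
    say) exists when the owner changes the password. Returns (owner_ok, other_ok)."""
    store = SessionStore(revoke)
    store.register("alice", "old-password")
    other = store.login("alice", "old-password")
    owner = store.change_password(store.login("alice", "old-password"), "new-password")
    return store.current_user(owner) == "alice", store.current_user(other) == "alice"
```

With `revoke_on_password_change=False` the earlier session keeps working after the change, which is the behaviour the advisory describes; with it set to `True` only the freshly issued token is honoured.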

North Korean Hackers Pose as Employers to Deliver RN Stealer Malware

Slow Pisces (UNC4899) targeted crypto developers via LinkedIn job lures, delivering RN Loader and RN Stealer malware. The macOS malware steals iCloud Keychain, SSH keys, and cloud credentials via YAML deserialization.
Impact: Theft of developer credentials and cloud infrastructure compromise.
Mitigation: Scan for suspicious YAML/JS execution and restrict third-party repo access.
Source: TheHackerNews

MITRE Warns CVE Program May Collapse Without US Funding

MITRE’s contract to manage the CVE program expires April 16, risking disruption to vulnerability databases. NIST already struggles with a 32% backlog in CVE processing.
Impact: Delayed vulnerability disclosures and weakened threat intelligence.
Source: SecurityWeek

DaVita Dialysis Provider Hit by Ransomware

DaVita’s systems were encrypted in an April 12 attack, disrupting operations. The ransomware group and data theft scope are unconfirmed.
Impact: Potential healthcare service delays and patient data exposure.
Mitigation: Isolate backups, audit remote access, and test IR plans.
Source: SecurityWeek

Malicious PyPI Package Hijacks MEXC Crypto Trades

The ccxt-mexc-futures package rerouted API requests to attacker-controlled servers, stealing API keys and crypto tokens. Downloaded 1,065 times before removal.
Impact: Financial theft via redirected trades.
Mitigation: Revoke exposed API keys and audit PyPI dependencies.
Source: TheHackerNews

China Accuses NSA of Cyberattacks During Asian Winter Games

China named three alleged NSA operatives for attacks on Games infrastructure and Huawei, citing encrypted data packets targeting Windows systems. No evidence was provided.
Source: SecurityWeek
