Svoboda Cybersecurity Brief May 13, 2025

May 13, 2025


ASUS DriverHub Vulnerability Allows Remote Code Execution

A critical flaw in ASUS DriverHub allowed malicious websites to execute commands with admin rights via crafted HTTP requests. The vulnerability (CVE-2025-3462 and CVE-2025-3463) bypassed origin validation and enabled silent installation of malicious payloads. ASUS patched the issue on May 9, 2025, but users must manually update via the “Update Now” button in DriverHub.
Impact: Attackers could achieve one-click RCE on systems with DriverHub installed.
Mitigation: Update DriverHub immediately or disable it via BIOS settings.
Source: BleepingComputer

ClickFix Attacks Expand to Linux Targets

APT36 (Transparent Tribe) adapted ClickFix social engineering attacks to target Linux users by spoofing India’s Ministry of Defence. Victims are tricked into pasting malicious shell commands, which download a benign payload (mapeal.sh) as a test. The group may escalate to deploying malware in future campaigns.
Impact: Potential precursor to Linux malware deployment.
Mitigation: Avoid executing untrusted clipboard commands.
Source: BleepingComputer

Zero-Day Exploit in Output Messenger Used for Espionage

Turkish-backed group Marbled Dust exploited CVE-2025-27920, a directory traversal flaw in Output Messenger, to steal data and deploy backdoors (OMServerService.exe). The attack targeted Kurdish military-linked users in Iraq.
Impact: Compromised communications, credential theft, and operational disruptions.
Mitigation: Update to Output Messenger V2.0.63.
Source: BleepingComputer

Moldova Arrests DoppelPaymer Ransomware Suspect

A 45-year-old suspect linked to a 2021 DoppelPaymer attack on the Dutch Research Council (NWO) was arrested. The attack caused €4.5M in damages after stolen data was leaked on a dark web site.
Source: BleepingComputer

Fake AI Tools Spread Noodlophile Malware via Facebook

Threat actors used fake AI tool ads (e.g., “CapCut AI”) on Facebook to distribute Noodlophile stealer malware. The payload steals browser credentials and crypto wallets, with some variants bundling XWorm RAT.
Source: The Hacker News

Apple Patches Critical Media Parsing Flaws in iOS/macOS

iOS 18.5 fixes RCE bugs in AppleJPEG, CoreMedia, and WebKit, alongside a FaceTime mute bypass flaw (CVE-2025-31214). No evidence of active exploitation was found.
Impact: Malicious media files could execute arbitrary code.
Mitigation: Update to iOS 18.5 or the latest macOS release.
Source: SecurityWeek

Andy Frain Services Breach Impacts 100,000+

The physical security firm confirmed a 2024 ransomware attack by Black Basta, exposing HR, legal, and accounting data. Victims were offered credit monitoring services.
Source: SecurityWeek

Google Settles Texas Privacy Lawsuit for $1.375B

Google resolved allegations of tracking users in incognito mode and collecting biometric data without consent. The settlement includes policy changes but no admission of wrongdoing.
Source: SecurityWeek

German Authorities Shut Down Crypto Laundering Service eXch

The exchange, linked to laundering $1.5B from the Bybit hack, was seized for facilitating anonymous criminal transactions. Servers and €34M in crypto were confiscated.
Source: SecurityWeek

US Takes Down Botnet Proxy Services Anyproxy and 5socks

A joint operation dismantled proxy services powered by 7,000 hacked IoT devices and charged four Russian and Kazakh suspects. The botnet evaded detection in 90% of cases.
Source: SecurityWeek
