Svoboda Cybersecurity Brief May 21, 2025

PowerSchool Hacker Pleads Guilty to Extortion Scheme

Matthew Lane, 19, agreed to plead guilty to hacking PowerSchool and a telecom company, stealing data on 60M+ students and 10M teachers, and demanding $2.85M in Bitcoin. The breach exposed SSNs, medical data, and passwords.
Source: DataBreaches

Kettering Health Hit by Ransomware, Systems Disrupted

Kettering Health suffered a ransomware attack by the Interlock gang that disrupted phone lines and the MyChart portal and forced ER diversions. The attackers threatened to leak data unless a ransom was paid within 72 hours.
Source: DataBreaches

SK Telecom Breach Lasted 3 Years, Exposed 27M Subscribers

A malware infection in SK Telecom’s systems since June 2022 exposed USIM authentication keys, IMSI, and SMS/contact data for 27M users, raising SIM-swapping risks. The breach involved 25 malware types across 23 servers.
Impact: SIM-swapping, location tracking, and unauthorized porting.
Mitigation: Replace SIM cards, monitor for unusual activity.
Source: BleepingComputer

UK Legal Aid Agency Breach Exposes Applicant Data

Hackers stole names, birthdates, criminal histories, and financial details of legal aid applicants from the UK Ministry of Justice. The breach targeted the Legal Aid Agency, impacting criminal and civil case data.
Source: DataBreaches

Hazy Hawk Exploits DNS Misconfigs to Hijack Trusted Domains

Hazy Hawk hijacked abandoned cloud resources (e.g., CDC, Honeywell, UC Berkeley) via dangling CNAME records, redirecting users to scams and malware. The group cloned legitimate sites to evade detection.
Impact: Credential theft, ad injection, and persistent push notifications.
Mitigation: Remove unused DNS records, deny unknown site notifications.
Source: BleepingComputer
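
The dangling-CNAME problem behind the Hazy Hawk campaign is straightforward to audit for. The following is an added example (not from the brief or from any of the cited reports): it walks a zone's CNAME records, flags every target that no longer resolves, and marks those on claimable cloud suffixes (an assumed list) as the takeover case. The resolver is injected so it runs offline on constructed sample data.

```python
"""Dangling-CNAME audit (added example, not from the brief).
The resolver is injected so the check runs offline on constructed data;
in production pass a function that does a real DNS lookup (e.g. dnspython).
"""
from typing import Callable, Iterable, Optional

# Suffixes where a deleted cloud resource leaves the hostname claimable by
# anyone (assumed list for this example; extend it for your providers).
CLAIMABLE_SUFFIXES = (".cloudfront.net", ".azurewebsites.net", ".s3.amazonaws.com")


def audit_cnames(records: Iterable[tuple],
                 resolve: Callable[[str], Optional[list]]) -> list:
    """Return (owner, target, reason) for each CNAME whose target is dead.

    records: (owner, target) pairs from the zone. resolve() returns a list of
    addresses, or None for NXDOMAIN/no data. A dead target on a claimable
    suffix is the takeover case: whoever re-creates that resource now serves
    content under the still-trusted hostname.
    """
    findings = []
    for owner, target in records:
        if resolve(target) is not None:
            continue  # target still resolves: not dangling
        if target.rstrip(".").lower().endswith(CLAIMABLE_SUFFIXES):
            reason = "dangling CNAME to claimable cloud resource"
        else:
            reason = "dangling CNAME (target does not resolve)"
        findings.append((owner, target, reason))
    return findings


# Constructed sample zone and a fake resolver standing in for live DNS.
SAMPLE_ZONE = [
    ("www.example.org", "d111111abcdef8.cloudfront.net."),
    ("legacy.example.org", "d222222abcdef8.cloudfront.net."),
    ("docs.example.org", "old-docs.azurewebsites.net."),
    ("blog.example.org", "ghs.googlehosted.com."),
]
LIVE = {"d111111abcdef8.cloudfront.net.": ["203.0.113.10"],
        "ghs.googlehosted.com.": ["203.0.113.20"]}


def fake_resolve(name: str) -> Optional[list]:
    return LIVE.get(name)


if __name__ == "__main__":
    for owner, target, reason in audit_cnames(SAMPLE_ZONE, fake_resolve):
        print(f"{owner} -> {target}: {reason}")
```

Run it periodically against exported zone files; any finding is a record to delete or re-point, not one to leave until the owning team gets around to it.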

VanHelsing Ransomware Builder Leaked on Hacking Forum

The VanHelsing RaaS source code, including the Windows encryptor and affiliate panel, was leaked on the RAMP forum. The builder connects to a C2 server and includes an MBR locker.
Impact: Potential surge in ransomware attacks using leaked code.
Mitigation: Monitor for IOCs, restrict unauthorized executables.
Source: BleepingComputer

WordPress Motors Theme Vulnerable to Admin Takeover

CVE-2025-4322 in the Motors theme (≤v5.6.67) allows unauthenticated attackers to reset admin passwords via flawed identity validation. The theme has 22,300+ sales on Envato.
Impact: Full site compromise, data exfiltration.
Mitigation: Update to v5.6.68, audit user accounts.
Source: BleepingComputer

RVTools Supply Chain Attack Delivers Bumblebee Malware

Trojanized RVTools installers served from fake domains (e.g., a .org typosquat) dropped the Bumblebee loader, which is linked to Conti ransomware affiliates. Dell denied a compromise but took the sites offline due to DDoS.
Impact: Initial access for ransomware, Cobalt Strike deployment.
Mitigation: Verify hashes, avoid unofficial downloads.
Source: BleepingComputer

100+ Fake Chrome Extensions Hijack Sessions, Steal Data

Malicious extensions mimicking DeepSeek and FortiVPN stole cookies and credentials and injected ads. They used excessive permissions and DOM manipulation to bypass CSP. Google removed the extensions.
Impact: Session hijacking, credential theft.
Mitigation: Review extension permissions, use verified developers.
Source: The Hacker News

AWS Default IAM Roles Enable Lateral Movement

Broad permissions in the default roles for SageMaker, Glue, and EMR (e.g., AmazonS3FullAccess) let attackers escalate privileges and move across services. AWS has patched some roles.
Impact: Account takeover, lateral movement.
Mitigation: Restrict IAM policies, audit service roles.
Source: The Hacker News

PyPI Packages Exploit Instagram/TikTok APIs for Account Validation

Malicious packages (checker-SaGaF, steinlurks) checked stolen emails against TikTok/Instagram APIs to validate accounts for credential stuffing. They were downloaded 7,000+ times before removal.
Impact: Account takeover, targeted phishing.
Mitigation: Monitor for suspicious API traffic, enforce MFA.
Source: The Hacker News

VMware Patches NATO-Flagged Cloud Foundation Flaws

CVE-2025-41229 (CVSS 8.2) in VMware Cloud Foundation allows internal service access via directory traversal. No workarounds; patch to v5.2.1.2.
Impact: Unauthorized data access.
Mitigation: Apply updates immediately.
Source: SecurityWeek

O2 4G Calling Leaked User Locations via VoLTE

A flaw in O2's 4G Calling exposed IMSI, IMEI, and location codes in network responses, enabling geolocation tracking. It was fixed after the March 2025 launch.
Impact: Privacy violation, physical tracking.
Mitigation: Disable 4G Calling if unused.
Source: SecurityWeek
