Svoboda Cybersecurity Brief May 22, 2025
Russian APT28 Campaign Targets Western Logistics Firms
Western intelligence agencies exposed a widespread Russian hacking campaign by APT28 (Fancy Bear) targeting logistics and tech firms in over a dozen countries. The group exploited trust relationships, compromised IoT cameras, and used tactics like password spraying, spear-phishing, and exploitation of an Outlook NTLM vulnerability (CVE-2023-23397) to track aid shipments to Ukraine.
Source: DataBreaches.net
Microsoft-Led Takedown Disrupts Lumma Stealer Infrastructure
Microsoft and global law enforcement seized 2,300 domains tied to the Lumma Stealer malware, a favored tool for credential theft. The operation also dismantled its C2 infrastructure and dark web marketplaces, impacting over 394,000 infected systems.
Source: BleepingComputer
Critical SAMLify Flaw Allows Admin Impersonation
A critical SAML authentication bypass (CVE-2025-47949, CVSS 9.9) in Samlify lets attackers inject unsigned assertions into signed SAML responses, enabling privilege escalation.
Impact: Full SSO bypass, allowing unauthorized admin access.
Mitigation: Upgrade to Samlify 2.10.0 (note: GitHub still lists 2.9.1 as latest).
Source: BleepingComputer
3AM Ransomware Uses Vishing and Email Bombing
A 3AM ransomware affiliate spoofed IT support calls and bombarded targets with emails to gain remote access via Quick Assist. The attack involved QEMU emulation for evasion and exfiltrated 868 GB of data.
Source: BleepingComputer
Kettering Health Hit by Interlock Ransomware
The Ohio healthcare network suffered a system-wide outage after an Interlock ransomware attack, forcing cancellations of elective procedures. The group threatened to leak stolen data unless paid.
Source: BleepingComputer
EU Sanctions Stark Industries for Hosting Cybercriminals
The EU sanctioned Stark Industries, a bulletproof hosting provider, for enabling Russian state-sponsored attacks. The Neculiti brothers operated the service, which hosted FIN7 infrastructure.
Source: BleepingComputer
Marks & Spencer Faces $402M Loss After DragonForce Ransomware
The UK retailer estimates a £300M profit hit following a Scattered Spider ransomware attack using the DragonForce encryptor. Online systems remain disabled until July.
Source: BleepingComputer
Fake Kling AI Ads Deliver RAT Malware
Counterfeit Facebook ads promoted fake Kling AI sites, delivering a RAT via disguised executables. The campaign targeted over 22 million users, exfiltrating credentials and session tokens.
Source: The Hacker News
Critical Flaw in AutomationDirect Industrial Gateway
CVE-2025-36535 (CVSS 10) exposes AutomationDirect’s MB-Gateway devices to remote attacks due to missing authentication in the embedded webserver. Over 100 devices are internet-exposed.
Impact: Unauthorized configuration changes, Modbus disruption, and potential code execution.
Mitigation: Replace with EKI-1221-CE gateway; hardware limitations prevent patches.
Source: SecurityWeek
PureRAT Malware Surges Targeting Russian Firms
Kaspersky reported a 4x increase in attacks using PureRAT, which steals credentials and injects clipper malware to hijack crypto transactions. The campaign uses double-extended RAR attachments.
Source: The Hacker News
Discord Scraping Exposes 2B Messages
Researchers published 2 billion scraped Discord messages (2015–2024) from 3,167 servers, raising privacy concerns despite claimed anonymization. A separate tool, Searchcord, exposes non-anonymized chats.
Source: DataBreaches.net
Google Chrome Adds Auto-Password Change for Breached Logins
Chrome’s Password Manager now auto-updates compromised passwords on supported sites, using .well-known/change-password redirects. The feature builds on existing breach alerts.
Source: The Hacker News
PWA JavaScript Attack Redirects to Adult Scams
Malicious JS injections redirect mobile users to Chinese adult-content PWAs, bypassing browser protections. The campaign filters out desktop users and leverages third-party JS.
Source: The Hacker News