Svoboda Cybersecurity Brief May 30, 2025

ConnectWise ScreenConnect Breach by Suspected Nation-State Actor

ConnectWise disclosed a suspected state-sponsored intrusion affecting a limited number of ScreenConnect customers. The company is investigating with Mandiant and coordinating with law enforcement. The breach may be linked to CVE-2025-3935, a high-severity ASP.NET ViewState code-injection flaw fixed in ScreenConnect 25.2.4 in April 2025: an attacker who obtains the server's ASP.NET machine keys can forge validly signed ViewState payloads that the server deserializes and executes.
Impact: Remote code execution on the ScreenConnect server and, from there, unauthorized access to the customer environments it manages.
Mitigation: Upgrade on-premises ScreenConnect to 25.2.4 or later, rotate the ASP.NET machine keys if there is any chance they were exposed, and review access and session logs for unexpected activity.
Source: BleepingComputer

Ransomware Disrupts Covenant Health Hospitals in Maine and New Hampshire

Covenant Health hospitals in Maine and New Hampshire were hit by a cyberattack that forced system shutdowns and outpatient lab closures. The incident, suspected to be ransomware, affected St. Joseph's Hospital and other facilities.
Impact: Operational disruption to clinical services and potential exposure of patient data.
Mitigation: Isolate affected systems, restore from verified offline backups, and exercise the incident response plan, including downtime procedures for clinical systems.
Source: DataBreaches.net

ALN Medical Management Data Breach Affects 1.8 Million Patients

ALN Medical Management updated its breach reports to state regulators, raising the number of patients affected by a March 2024 hack to more than 1.8 million. The stolen data may go back years, and notification letters are still being mailed.
Impact: Large-scale exposure of patient data, potentially including records from years earlier.
Mitigation: Affected patients should place a credit freeze or fraud alert and watch for identity theft and medical-billing fraud.
Source: DataBreaches.net

Russian-Linked Hackers Target UK Defense Ministry via Phishing

RomCom operators posed as journalists in a phishing campaign targeting UK Ministry of Defence staff for espionage. The attack was detected and blocked; the malware involved, tracked as "Damascened Peacock", was attributed to the group.
Impact: Potential data theft and unauthorized access to sensitive defense systems.
Mitigation: Train staff to verify unsolicited media requests out of band, enforce phishing-resistant multi-factor authentication, and block execution of unexpected attachments.
Source: DataBreaches.net

Cybercriminals Abuse Google Apps Script for Phishing Attacks

Threat actors are hosting phishing pages on Google Apps Script (script.google.com) so that the links inherit the trust of a Google domain and pass URL-reputation checks. The pages imitate legitimate login screens, harvest the credentials entered, and then redirect the victim to the genuine service so nothing looks wrong.
Impact: Credential theft and potential account compromise.
Mitigation: Flag or block links to script.google.com in email security policies (Apps Script web apps are rarely a legitimate way to deliver invoices or login pages), and enforce phishing-resistant MFA so a stolen password alone is not enough.
Source: BleepingComputer
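The "flag Apps Script links" mitigation, as an added Python example (not code from the brief or from BleepingComputer): it pulls every link out of an HTML message body, flags Apps Script web-app URLs (script.google.com under the /macros/ path), and separately flags links whose visible text names a different domain than the href actually points to, which is how these lures are usually dressed up. The sample message, the host list and the crude two-label domain comparison are all constructed for this example.

```python
"""Flag Google Apps Script links and look-alike link text in an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Apps Script web apps are served from this host under /macros/. Constructed
# for this example; add other abused "trusted" hosts as you find them.
APPS_SCRIPT_HOST = "script.google.com"
APPS_SCRIPT_PATH = "/macros/"
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the hosts used in this example."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def assess_links(html):
    """Return (href, reason) findings: Apps Script web-app links, and links whose
    visible text names a different domain than the href really points to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if host == APPS_SCRIPT_HOST and parsed.path.startswith(APPS_SCRIPT_PATH):
            findings.append((href, "apps-script-web-app"))
        shown = _HOST_IN_TEXT.search(text)
        if shown and host and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, "display-text-mismatch:" + shown.group(1).lower()))
    return findings


# Constructed sample message body for this example (not a real phishing e-mail).
SAMPLE_HTML = """
<p>Your invoice is ready for review.</p>
<a href="https://script.google.com/macros/s/AKfycbxEXAMPLE/exec">View invoice</a><br>
<a href="https://script.google.com/macros/s/AKfycbxEXAMPLE/exec">https://mail.company.example/inbox</a><br>
<a href="https://docs.google.com/document/d/123/view">docs.google.com/document/d/123</a>
"""

if __name__ == "__main__":
    for href, reason in assess_links(SAMPLE_HTML):
        print(reason, href)
```

The third link in the sample is a plain Google Docs link whose text matches its target, so it produces no finding; that is the point of checking the path and the display text rather than blocking google.com wholesale, which would break legitimate mail.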

Victoria’s Secret Website Offline After Cybersecurity Incident

Victoria's Secret took its website offline following a security incident and has brought in external experts to investigate. Stores remain open, but online services are disrupted.
Impact: Operational downtime and a possible data breach, the scope of which has not been disclosed.
Mitigation: Isolate affected systems, confirm the scope of the compromise before restoring customer-facing services, and review third-party and vendor access as part of the investigation.
Source: SecurityWeek

LexisNexis Data Breach Exposes 364,000 Individuals

LexisNexis Risk Solutions disclosed a December 2024 breach in which an attacker used a compromised account to take personal data from the company's GitHub environment. Exposed data includes names, Social Security numbers, and contact information.
Impact: Identity theft risk for the roughly 364,000 affected individuals.
Mitigation: Affected individuals should use the offered credit monitoring; organisations should keep production and customer data out of source repositories, enforce SSO and MFA on GitHub, and enable secret scanning and audit logging.
Source: BleepingComputer

Chinese APT41 Exploits Google Calendar for C2 Operations

APT41 deployed TOUGHPROGRESS, malware that uses Google Calendar as its command-and-control channel. The malware decrypts its C2 configuration in memory, reads operator commands from Calendar event descriptions, and writes exfiltrated data back as new events, so its traffic blends in with legitimate Google API use.
Impact: Data theft and persistent access to compromised systems over a channel that ordinary egress filtering allows.
Mitigation: Log and review Google Calendar API access from hosts and OAuth clients that have no business reason to use it, egress-filter servers so they cannot reach Google APIs at all, and restrict unapproved tooling on endpoints.
Source: The Hacker News

Critical Vulnerability in WordPress Wishlist Plugin (CVE-2025-47577)

A CVSS 10.0 flaw (CVE-2025-47577) in the TI WooCommerce Wishlist plugin lets unauthenticated users upload arbitrary files, including PHP, because the plugin's upload handler calls wp_handle_upload() with the file-type check (test_type) disabled. Versions up to and including 2.9.2 are affected, and exploitation requires the WC Fields Factory plugin to be installed and active alongside it.
Impact: Remote code execution on vulnerable WordPress sites.
Mitigation: No patched release was available at the time of disclosure; deactivate and delete the plugin (or at minimum WC Fields Factory) until a fixed version ships, and audit the uploads directory for unexpected PHP files.
Source: The Hacker News

Cybercriminals Exploit AI Hype to Spread Ransomware

Threat actors are distributing fake AI tools (imitating ChatGPT, InVideo AI and similar products) that actually deliver ransomware such as CyberLock and Lucky_Gh0$t, or destructive malware that corrupts the Windows GUI. The lures target businesses searching for AI software.
Impact: Data loss and system disruption.
Mitigation: Download AI tools only from the vendor's official site or app store, verify installer signatures or checksums, and block unsigned installers with application control.
Source: BleepingComputer

US Sanctions Philippines Firm Behind $200M Cyber Scams

Funnull Technology, a Philippines-based company, supplied the hosting infrastructure behind crypto investment ("pig butchering") scams linked to more than $200 million in victim losses. The US Treasury sanctioned Funnull and its administrator, freezing assets tied to the operation.
Impact: Financial losses for victims and disruption of the scam infrastructure.
Mitigation: Educate users on recognizing investment scams, and block the sanctioned infrastructure at the network edge.
Source: BleepingComputer

Apple Safari Vulnerable to Fullscreen Browser-in-the-Middle Attacks

Safari gives no clear, persistent visual cue when a page enters fullscreen mode, so an attacker can open a fullscreen browser-in-the-middle window that imitates a real login page, complete with a fake address bar, with nothing on screen to distinguish it from the genuine site. Credentials typed into it go to the attacker.
Impact: Credential theft and account compromise.
Mitigation: Treat a login page that appears after a click as suspect: press Escape to leave fullscreen before entering credentials, prefer browsers that show a persistent fullscreen notice, and rely on passkeys or a password manager, which will not autofill on the attacker's origin.
Source: BleepingComputer

DragonForce Ransomware Exploits SimpleHelp Flaws

DragonForce affiliates chained CVE-2024-57727 (path traversal), CVE-2024-57728 (arbitrary file upload) and CVE-2024-57726 (privilege escalation) in SimpleHelp RMM to push ransomware to the endpoints of an MSP's customers, exfiltrating data before encrypting. All three flaws were fixed in SimpleHelp 5.5.8 in January 2025.
Impact: Data theft and ransomware deployment across the MSP's client base.
Mitigation: Update SimpleHelp to 5.5.8 or later, restrict the server's admin interface to trusted networks, and alert on RMM-initiated file transfers or script execution outside change windows.
Source: The Hacker News

New Windows RAT Evades Detection with Corrupted Headers

A newly identified Windows RAT runs only in memory with deliberately corrupted DOS and PE headers, which defeats tools that expect a well-formed executable, and talks to its C2 over TLS. It captures screenshots, runs commands and gives the operator remote access.
Impact: Persistent backdoor access and data exfiltration.
Mitigation: Look for processes with executable memory regions whose image lacks a valid MZ/PE header, alert on unexpected TLS connections from system processes, and capture memory rather than disk when responding.
Source: The Hacker News
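The "image lacks a valid MZ/PE header" check above, as an added Python example (not the RAT, and not code from FortiGuard or The Hacker News): a conventional header check that a corrupted image fails, beside the heuristic a hunter actually wants, which is "the headers are broken but the body is still unmistakably a PE image". The toy image, the artifact string list and the two-hit threshold are constructed for this example; a real scan would run it over each executable private memory region of a process.

```python
"""Triage a memory-dumped image whose DOS/PE headers may have been deliberately corrupted."""
import struct

# Strings that survive when an attacker zeroes only the headers: the DOS stub
# message, section names and import library names. Constructed list for this example.
PE_ARTIFACTS = (
    b"This program cannot be run in DOS mode",
    b".text\x00", b".rdata\x00", b".data\x00", b".reloc\x00",
    b"kernel32.dll", b"KERNEL32.dll", b"ntdll.dll",
)


def pe_header_status(buf):
    """'valid' if buf starts with an MZ header whose e_lfanew points at a PE signature,
    otherwise which part is broken. This is what a conventional parser checks first."""
    if len(buf) < 0x40:
        return "too-short"
    if buf[:2] != b"MZ":
        return "corrupted-dos-header"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "corrupted-pe-signature"
    return "valid"


def pe_artifact_hits(buf):
    """Which PE artifacts appear anywhere in the buffer, header or not."""
    return [marker for marker in PE_ARTIFACTS if marker in buf]


def looks_like_headerless_pe(buf, min_hits=2):
    """The hunting signal: headers a parser would reject, but a body that still
    carries several PE artifacts. Run over executable private memory regions."""
    return pe_header_status(buf) != "valid" and len(pe_artifact_hits(buf)) >= min_hits


def build_sample_image():
    """Constructed toy PE layout for this example (not a real, loadable binary)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew -> PE signature
    img[0x40:0x40 + 38] = b"This program cannot be run in DOS mode"
    img[0x80:0x84] = b"PE\x00\x00"
    # IMAGE_FILE_HEADER: Machine=AMD64, 2 sections, SizeOfOptionalHeader=0xF0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    section = 0x84 + 20 + 0xF0                                # first IMAGE_SECTION_HEADER
    img[section:section + 8] = b".text\x00\x00\x00"
    img[section + 40:section + 48] = b".rdata\x00\x00"
    img[0x300:0x30C] = b"kernel32.dll"                        # stands in for an import name
    return bytes(img)


def corrupt_headers(img):
    """Mimic the evasion: wipe the DOS header and PE signature, leave the body alone."""
    out = bytearray(img)
    out[0:0x40] = bytes(0x40)
    out[0x80:0x84] = bytes(4)
    return bytes(out)


if __name__ == "__main__":
    dumped = corrupt_headers(build_sample_image())
    print(pe_header_status(dumped), pe_artifact_hits(dumped), looks_like_headerless_pe(dumped))
```

The intact image passes the header check and so is not flagged; after the headers are wiped the same bytes fail it but still contain the DOS-stub string, two section names and an import name, which is exactly the state a memory dump of this kind of sample is in.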

Microsoft Authenticator Deprecates Password Autofill Feature

Microsoft Authenticator is retiring its password-autofill feature in stages: from June 2025 new passwords can no longer be saved, from July 2025 autofill stops working, and from August 2025 saved passwords are no longer accessible in the app. Microsoft directs users to Edge or to export their passwords.
Impact: Disruption for users relying on Authenticator for password management, and loss of stored passwords for anyone who does not export in time.
Mitigation: Export saved passwords before August 2025 (to CSV, then import into Edge or another password manager and delete the plaintext CSV).
Source: BleepingComputer

Chinese Earth Lamia Group Targets Multiple Industries

Earth Lamia exploits SQL injection flaws in public-facing web applications, alongside known vulnerabilities such as CVE-2024-9047 (WordPress File Upload plugin) and CVE-2024-27198 (JetBrains TeamCity), to deploy backdoors including Pulsepack. The group targets finance, government, logistics and other sectors.
Impact: Data theft and system compromise.
Mitigation: Patch internet-facing web applications, use parameterised queries, and monitor database and web server logs for injection attempts and unexpected child processes.
Source: SecurityWeek

9,000 ASUS Routers Backdoored via Patched Flaw (CVE-2023-39780)

Attackers exploited CVE-2023-39780, a command-injection flaw ASUS patched in 2023, to backdoor consumer routers. GreyNoise, which tracks the campaign as AyySSHush, found that the intruders enable SSH on a non-standard port (TCP 53282) through the router's own settings and add an attacker-controlled public key; because the change is stored in NVRAM it survives reboots and firmware updates. GreyNoise estimates around 9,000 devices are affected.
Impact: Persistent backdoor access and potential botnet recruitment.
Mitigation: Update the firmware, then check for SSH listening on unexpected ports and for unknown entries in the authorized keys; if either is present, factory-reset the router and reconfigure it by hand, since a firmware update alone leaves the backdoor in place.
Source: SecurityWeek
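The "check for SSH on unexpected ports and unknown authorized keys" step, as an added Python example (not GreyNoise's or ASUS's tooling): it parses a name=value NVRAM dump, reports SSH enabled on a non-default port or exposed to the WAN, and fingerprints each stored public key so anything not on the owner's allow-list stands out. The sshd_* variable names and the ">" key separator are assumptions about the Asuswrt layout, to be confirmed against your own `nvram show` output; the dump and both keys are constructed for this example.

```python
"""Audit an Asuswrt NVRAM dump for the SSH persistence pattern described above."""
import base64
import hashlib

# NVRAM variable names and key separator assumed for this example; confirm the
# exact names against your firmware's `nvram show` output before relying on them.
SSH_ENABLE_VAR = "sshd_enable"
SSH_PORT_VAR = "sshd_port"
SSH_WAN_VAR = "sshd_wan"
SSH_KEYS_VAR = "sshd_authkeys"
KEY_SEPARATOR = ">"
DEFAULT_SSH_PORT = 22


def parse_nvram(dump):
    """Turn 'name=value' lines (the shape of `nvram show` output) into a dict."""
    cfg = {}
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip()] = value.strip()
    return cfg


def key_fingerprint(pubkey_line):
    """OpenSSH-style 'SHA256:<base64>' fingerprint of one authorized_keys entry."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_nvram(dump, trusted_fingerprints):
    """Return findings for SSH on a non-default port, SSH reachable from the WAN,
    and any stored key whose fingerprint is not in trusted_fingerprints."""
    cfg = parse_nvram(dump)
    findings = []
    if cfg.get(SSH_ENABLE_VAR, "0") == "0":
        return findings                      # SSH is off: nothing to audit
    port = int(cfg.get(SSH_PORT_VAR, DEFAULT_SSH_PORT))
    if port != DEFAULT_SSH_PORT:
        findings.append(f"ssh-nonstandard-port:{port}")
    if cfg.get(SSH_WAN_VAR) == "1":
        findings.append("ssh-exposed-on-wan")
    for entry in cfg.get(SSH_KEYS_VAR, "").split(KEY_SEPARATOR):
        if entry.strip():
            fp = key_fingerprint(entry)
            if fp not in trusted_fingerprints:
                findings.append("unknown-authorized-key:" + fp)
    return findings


def _fake_ed25519_key(fill, comment):
    """Constructed ed25519-shaped public key (not a real key pair) for the sample dump."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


ADMIN_KEY = _fake_ed25519_key(1, "admin@laptop")
INJECTED_KEY = _fake_ed25519_key(2, "")        # comment-less, as injected keys often are

# Constructed dump: SSH turned on, moved to TCP 53282, reachable from the WAN,
# holding the owner's key plus one nobody can account for.
SAMPLE_NVRAM = "\n".join([
    "wan_ipaddr=203.0.113.10",
    "sshd_enable=1",
    "sshd_port=53282",
    "sshd_wan=1",
    "sshd_authkeys=" + ADMIN_KEY + KEY_SEPARATOR + INJECTED_KEY,
])

if __name__ == "__main__":
    for finding in audit_nvram(SAMPLE_NVRAM, {key_fingerprint(ADMIN_KEY)}):
        print(finding)
```

A non-default port on its own is not evidence of compromise, since owners move SSH for their own reasons; the combination of a port you did not choose, WAN exposure and a key you cannot account for is the signal, and the fingerprint in the finding is what to compare against the keys on your own machines.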
