Svoboda Cybersecurity Brief June 06, 2025

BADBOX 2.0 Android Malware Infects Millions of Devices

The FBI warns that the BADBOX 2.0 malware has infected over 1 million Android-based smart TVs, streaming boxes, and IoT devices, turning them into residential proxies for malicious activities like ad fraud and credential stuffing. The malware comes preinstalled or spreads via malicious firmware updates, primarily on uncertified devices manufactured in China.

Impact: Devices become part of a botnet used for cybercrime, exposing home networks to abuse.
Mitigation: Avoid uncertified devices, monitor network traffic, and isolate suspicious devices.
Source: BleepingComputer

Critical Roundcube Webmail Exploit Sold on Hacker Forums

A critical post-authentication RCE vulnerability (CVE-2025-49113) in Roundcube webmail (versions 1.1.0–1.6.10) is being actively exploited, with attackers selling exploits for up to $50,000. The flaw allows PHP object deserialization via the $_GET['_from'] parameter.

Impact: Attackers can execute arbitrary code on vulnerable servers.
Mitigation: Apply the June 1 patch immediately and enforce strong authentication.
Source: BleepingComputer

Play Ransomware Targets 900 Organizations Globally

CISA and FBI updated guidance on Play ransomware (aka Playcrypt), which has hit 900 entities since 2022, focusing on critical infrastructure in North America, Europe, and South America. The group uses multifaceted extortion tactics, including data theft and encryption.

Impact: Operational disruption and data leaks.
Mitigation: Implement offline backups, MFA, and regular patch management.
Source: Databreaches.net

ViLE Hackers Sentenced for Breaching DEA Portal

Two members of the ViLE doxxing group were sentenced to 25–27 months for hacking a DEA intelligence portal to steal SSNs and extort victims. The group used stolen law enforcement credentials to access nonpublic narcotics seizure records.
Source: BleepingComputer

German Vodafone Fined $51M for Privacy Failures

Vodafone’s German subsidiary was fined €45M for authentication flaws in its MeinVodafone portal and fraudulent contract changes by partner agencies. Attackers exploited eSIM profiles via customer service loopholes.
Source: BleepingComputer

Bitter APT Linked to Indian Government Expands Cyber Espionage

New evidence ties the Bitter hacking group (TA397) to the Indian government, targeting diplomatic entities in China and Pakistan via spear-phishing and malware. Campaigns ran from October 2024 to April 2025.
Source: Databreaches.net

Ukraine’s IP Addresses Hijacked for Proxy Services

18% of Ukraine’s IPv4 space was seized or sold post-invasion, with blocks routed through AT&T and Cogent for proxy services. These IPs are now used in cyberattacks, including DDoS campaigns.
Source: KrebsOnSecurity

HMRC Phishing Scam Costs UK £47M

A phishing attack compromised 100,000 UK taxpayer accounts, leading to £47M in losses. Attackers impersonated HMRC to steal credentials via fake portals.
Source: Databreaches.net

US Dermatology Partners Breach Still Opaque After 1 Year

U.S. Dermatology Partners failed to disclose details of a 2024 breach by BianLian ransomware, which leaked 300 GB of patient data. The entity still hasn’t reported the incident to HHS.
Source: Databreaches.net

2021 AT&T Breach Data Re-released with Unencrypted SSNs

A threat actor re-released 2021 AT&T breach data, linking 48.9M phone numbers to unencrypted SSNs and DOBs. The data was originally leaked by ShinyHunters.
Source: BleepingComputer
