Svoboda Cybersecurity Brief June 11, 2025

Evoke Wellness settles $1.9M FTC case over deceptive addiction treatment ads

Evoke Wellness agreed to pay $1.9M to settle FTC allegations of impersonating rival addiction treatment clinics via Google ads and telemarketing, violating the FTC Act and Opioid Addiction Recovery Fraud Prevention Act. The settlement includes a permanent ban on deceptive practices and mandates compliance monitoring.
Source: DataBreaches

Former Evoke Wellness employee sold 240 patient records on dark web

A former employee at Evoke Wellness allegedly stole names, addresses, SSNs, and insurance details from addiction treatment patients and sold the data on the dark web, leading to identity theft and fraudulent purchases. The breach impacted 240 victims, with no public disclosure from the company.
Source: DataBreaches

DanaBot malware crew exposed by C2 bug, leading to indictments

A memory disclosure bug (“DanaBleed”) in DanaBot’s C2 protocol, introduced with a June 2022 update, caused C2 servers to return uninitialized server memory to clients. The leaked bytes exposed operator IPs, victim data, and backend infrastructure, gave researchers years of insight into the operation, and fed the Operation Endgame takedown and the indictment of 16 members. The group, active since 2018, stole credentials and deployed ransomware.
Impact: Server-side memory leaked to any client speaking the protocol, exposing operators and victims alike.
Mitigation: Infrastructure seizures and domain takedowns in May 2025 neutralized the C2; previously infected hosts still need remediation and stolen credentials still need rotating.
Source: BleepingComputer

ConnectWise rotates code-signing certificates over security concerns

ConnectWise is replacing the DigiCert-signed code-signing certificates for ScreenConnect, Automate, and RMM because of a configuration-handling issue in how installers embed their settings: an attacker who already has system-level access could tamper with a signed installer’s configuration. Updates must be applied before the old certificates are revoked on June 13, 2025, or the products will stop working.
Impact: Abuse of installer configuration to carry a malicious payload under a valid signature.
Mitigation: Update to ScreenConnect v25.4 (or the latest builds of Automate and RMM) before June 13.
Source: BleepingComputer

Secure Boot bypass flaw (CVE-2025-3052) affects UEFI systems

A vulnerability in a legitimate BIOS-flashing utility signed with Microsoft’s UEFI CA 2011 certificate lets an attacker with admin privileges manipulate an NVRAM variable to disable Secure Boot and load bootkit malware before the OS starts. Microsoft added 14 module hashes to the Secure Boot revocation list (dbx) in the June 2025 Patch Tuesday.
Impact: Secure Boot bypass leading to pre-OS code execution that persists across OS reinstalls.
Mitigation: Apply Microsoft’s June 2025 patches so the updated dbx is written to firmware; the fix only takes effect once the firmware accepts the revocation update.
Source: BleepingComputer

Microsoft Outlook to block .library-ms and .search-ms attachments

Microsoft will block .library-ms and .search-ms attachments in Outlook Web and the new Outlook for Windows starting in July 2025 because both file types have been abused for NTLM hash theft and malware delivery: opening or even previewing them can make Windows reach out to an attacker-controlled UNC path and authenticate. They were used in recent phishing campaigns exploiting Windows vulnerabilities.
Impact: Reduced attack surface for NTLM hash theft and relay, and for malware delivery.
Mitigation: Administrators who genuinely need these file types can re-allow them via the AllowedFileTypes setting of the OwaMailboxPolicy.
Source: BleepingComputer
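The scanner below is an added example, not code from the original brief or from Microsoft. It parses the XML inside .library-ms and .search-ms files and flags any library location that is a UNC path or an HTTP(S) (WebDAV) URL to a host outside an allowlist, which is the shape of the NTLM-coercion lures the block targets. The sample files are constructed; the .library-ms layout follows the Windows library description schema, while the .search-ms sample is a simplified saved-search document and its exact structure is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a library whose only location is an attacker-controlled SMB share.
LIBRARY_MS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\198.51.100.7\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed sample (simplified saved-search XML, structure assumed): scope on a remote share.
SEARCH_MS_SAMPLE = r"""<?xml version="1.0"?>
<persistedQuery version="1.0">
  <query>
    <scope>
      <include path="\\203.0.113.9\docs" attributes="1"/>
    </scope>
  </query>
</persistedQuery>
"""

# Constructed sample: a benign library that only references a local folder.
BENIGN_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\Users\Public\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# \\host\... anywhere in the string (also catches "crumb=location:\\host\share" style values).
UNC_RE = re.compile(r"\\\\([^\\\s&\"<>]+)")
# http(s)://host/... : Windows will talk WebDAV (and authenticate) to such locations.
URL_RE = re.compile(r"https?://([^/\s\"<>]+)", re.IGNORECASE)


def extract_locations(xml_text):
    """Collect every location string: <url> element text and any path= attribute."""
    root = ET.fromstring(xml_text)
    locations = []
    for element in root.iter():
        local_tag = element.tag.split("}")[-1]  # drop the XML namespace prefix
        if local_tag == "url" and element.text:
            locations.append(element.text.strip())
        if "path" in element.attrib:
            locations.append(element.attrib["path"].strip())
    return locations


def remote_hosts(locations):
    """Return the hosts that Windows would contact (and authenticate to) for these locations."""
    hosts = []
    for location in locations:
        match = UNC_RE.search(location) or URL_RE.search(location)
        if match:
            hosts.append(match.group(1))
    return hosts


def assess(xml_text, trusted_hosts=frozenset()):
    """Verdict for one attachment: block if any remote host is not explicitly trusted."""
    trusted = {host.lower() for host in trusted_hosts}
    hosts = remote_hosts(extract_locations(xml_text))
    untrusted = [host for host in hosts if host.lower() not in trusted]
    return {"remote_hosts": hosts, "untrusted": untrusted, "block": bool(untrusted)}


if __name__ == "__main__":
    for name, sample in [("lure.library-ms", LIBRARY_MS_SAMPLE),
                         ("lure.search-ms", SEARCH_MS_SAMPLE),
                         ("docs.library-ms", BENIGN_LIBRARY_MS)]:
        verdict = assess(sample, trusted_hosts={"fileserver.corp.example"})
        print(f"{name}: block={verdict['block']} hosts={verdict['remote_hosts']}")
```

A mail-gateway or EDR hook can call `assess()` on the decoded attachment; the allowlist exists because internal libraries legitimately point at corporate file servers, and blocking only untrusted hosts keeps those working while stopping lures that point at internet-facing IPs.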

Texas DOT breach exposes 300K crash records

Texas DOT confirmed a May 12 breach in which attackers used compromised credentials to access its Crash Records Information System (CRIS) and download roughly 300,000 crash reports containing names, addresses, driver’s license numbers, and insurance details. No ransomware group has claimed responsibility.
Source: BleepingComputer

FIN6 targets recruiters with fake resumes delivering More_eggs malware

FIN6 impersonates job seekers on LinkedIn/Indeed, directing recruiters to AWS-hosted fake resume sites that deliver the More_eggs backdoor via ZIP archives. The campaign uses CAPTCHA walls and IP filtering to evade detection.
Impact: Credential theft and ransomware deployment.
Mitigation: Verify job seeker identities independently; block suspicious domains.
Source: BleepingComputer

Ivanti fixes hardcoded key flaws in Workspace Control exposing SQL credentials

Three high-severity flaws (CVE-2025-5353, CVE-2025-22455, CVE-2025-22463) in Ivanti Workspace Control (IWC) v10.19.0.0 and earlier let a local authenticated attacker decrypt stored SQL and environment passwords, because the encryption keys are hardcoded in the product rather than generated per installation.
Impact: Credential compromise leading to privilege escalation.
Mitigation: Upgrade to IWC v10.19.10.0.
Source: BleepingComputer

Roundcube XSS flaw (CVE-2024-42009) exploited in attacks

A cross-site scripting (XSS) vulnerability in Roundcube Webmail (fixed in 2024) is being actively exploited to steal emails via malicious messages. CISA added it to its KEV catalog, urging patching by June 30. Over 85,000 servers remain unpatched.
Impact: Email theft and session hijacking.
Mitigation: Update to Roundcube 1.6.8 or 1.5.8.
Source: TheHackerNews

Salesforce Industry Cloud misconfigurations expose sensitive data

Researchers found 20 misconfigurations in Salesforce Industry Cloud, including 5 CVEs (e.g., CVE-2025-43697), allowing unauthorized access to encrypted data and credentials. Salesforce patched 3 issues; customers must fix the rest.
Impact: Data breaches violating HIPAA/GDPR.
Mitigation: Enable “EnforceDMFLSAndDataEncryption” and audit configurations.
Source: TheHackerNews

Rust-based Myth Stealer malware targets gamers via fake cheat sites

Myth Stealer, a Rust-based infostealer, spreads via fake gaming sites and cracked software, stealing browser cookies, passwords, and crypto wallet data. It uses CAPTCHA walls and anti-analysis checks to evade detection.
Impact: Credential theft and financial fraud.
Mitigation: Block known malicious domains (e.g., Blogger-hosted pages).
Source: TheHackerNews

Google patches flaw exposing account-linked phone numbers

A brute-force vulnerability in Google’s account recovery flow allowed attackers to derive any user’s phone number using display names and masked digits. Google fixed the issue in June 2025 after awarding a $5K bounty.
Impact: Privacy breach enabling SIM-swapping.
Mitigation: Google disabled the legacy recovery form.
Source: TheHackerNews

Rare Werewolf APT uses 4t Tray Minimizer for stealthy attacks

The Russia-targeting APT leverages legitimate tools (4t Tray Minimizer, AnyDesk, Blat) to deploy XMRig miners and steal credentials. Attacks begin with phishing emails containing password-protected archives.
Impact: Cryptojacking and data exfiltration.
Mitigation: Quarantine or sandbox password-protected archives from external senders; alert on unexpected installs of remote-access tools such as AnyDesk and on XMRig-like sustained CPU usage.
Source: TheHackerNews

SAP fixes critical NetWeaver flaw (CVE-2025-42989)

A missing authorization check in SAP NetWeaver’s RFC framework (CVSS 9.6) allows privilege escalation via tRFC/qRFC calls. Patched in June 2025, but may require manual permission adjustments.
Impact: System compromise via unauthorized commands.
Mitigation: Apply SAP Note 3385407.
Source: SecurityWeek

Sensata confirms data stolen in April ransomware attack

Sensitive employee data (SSNs, financial/medical info) was exfiltrated in a March-April 2025 ransomware attack on Sensata Technologies. The breach impacted 362 Maine residents; no ransomware group claimed responsibility.
Source: SecurityWeek

Exploited Roundcube RCE (CVE-2025-49113) affects 85K servers

A PHP object deserialization flaw in Roundcube 1.1.0–1.6.10 allows authenticated users to achieve remote code execution on the webmail server. Exploits are already being sold on dark web forums, and 85,000+ internet-facing servers are still vulnerable.
Impact: Full server compromise by any user who can log in, so a single phished or stolen mailbox credential is enough.
Mitigation: Update to 1.6.11 or 1.5.10 immediately; if that cannot be done at once, restrict access to the webmail login to trusted networks.
Source: SecurityWeek
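The detection below is an added example, not code from the brief or from the Roundcube project. It runs over constructed Apache-style access log lines and flags requests to the Roundcube settings upload action whose `_from` query parameter contains an exclamation mark, the request shape that public analyses of CVE-2025-49113 describe; treat that indicator as an assumption to tune against real traffic. It also records how many distinct flagged requests each client IP made, which is what an incident responder wants first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (Apache combined format); the IPs are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - alice [10/Jun/2025:14:02:11 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.5 - alice [10/Jun/2025:14:02:15 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-prefs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - bob [10/Jun/2025:14:05:40 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-prefs%21x HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - bob [10/Jun/2025:14:05:42 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-prefs!abc HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.77 - - [10/Jun/2025:14:09:03 +0000] "GET /roundcube/?_task=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access log line into the fields the detection needs (None if unparsable)."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious_upload(target):
    """True when the request hits settings/upload with a '!' inside the _from parameter."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
        return False
    # parse_qs already percent-decodes once; decode again in case the value was double-encoded.
    return any("!" in unquote(value) for value in query.get("_from", []))


def find_exploit_attempts(log_text):
    """Return the flagged entries and a per-IP count of flagged requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_upload(entry["target"]):
            hits.append(entry)
    per_ip = Counter(entry["ip"] for entry in hits)
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_exploit_attempts(SAMPLE_ACCESS_LOG)
    for entry in hits:
        print(f"{entry['time']} {entry['ip']} user={entry['user']} {entry['method']} {entry['target']}")
    print("flagged requests per source:", dict(per_ip))
```

Because the flagged user is authenticated (the flaw is post-auth), the user field in a hit is the account to reset and investigate, not just the IP. The check only sees parameters in the query string; a client that moves `_from` into the POST body is invisible to access logs, so pair this with WAF or application-level request logging rather than relying on it alone.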
