Svoboda Cybersecurity Brief June 18, 2025

Jun 18, 2025

Episource Healthcare Data Breach Exposes 5.4 Million Patients

Episource, a healthcare technology provider, suffered a cyberattack between January 27 and February 6, 2025, exposing names, addresses, health insurance details, and Social Security numbers of 5.4 million patients. The breach was detected via anomalous activity, but it remains unclear if ransomware was involved.
Source: DataBreaches.net

Helsinki Education Division Breach: 750K Documents Stolen

A 2024 attack on Helsinki’s Education Division (KASKO) resulted in the theft of 2TB of data, including sensitive personal details of students and staff. The breach exploited an unmaintained VPN server and poor network monitoring.
Impact: Data could be used for identity theft and fraud.
Mitigation: Improve network monitoring, enforce data management policies, and patch VPN systems.
Source: DataBreaches.net

Anubis Ransomware Emerges with Built-in Wiper Capabilities

Anubis, a new Ransomware-as-a-Service (RaaS) group, combines encryption with directory wiping, severely hindering recovery. Trend Micro observed command-line operations altering system settings and deleting files.
Impact: Permanent data loss and operational disruption.
Mitigation: Isolate backups, monitor for unusual system changes, and apply endpoint detection.
Source: DataBreaches.net

HealthEC Settles Data Breach Lawsuit for $5.48 Million

HealthEC agreed to a $5.48 million settlement after a 2023 breach exposed 4.65 million patients’ PHI, including health records and SSNs. The breach involved unauthorized system access and exfiltration.
Source: DataBreaches.net

US Offers $10M Bounty for Iranian Hackers Behind IOControl Malware

The US State Department is seeking information on Iranian hackers linked to CyberAv3ngers, who targeted critical infrastructure with IOControl malware. The group is tied to Iran’s IRGC Cyber-Electronic Command.
Source: DataBreaches.net

Scania Insurance Data Breach via Compromised Credentials

Scania’s financial services system was breached using stolen IT partner credentials, exposing insurance claim documents. Attackers attempted extortion after leaking samples on hacking forums.
Impact: Sensitive personal/financial data exposure.
Mitigation: Enforce MFA, monitor for infostealer malware, and segment third-party access.
Source: BleepingComputer

Veeam Patches Critical RCE Flaw (CVE-2025-23121) in Backup Servers

Veeam fixed an RCE vulnerability in domain-joined Backup Servers that allows low-privilege domain users to execute code on the server. The flaw affects Veeam Backup & Replication 12+.
Impact: Full system compromise via lateral movement.
Mitigation: Update to v12.3.2.3617, isolate backup servers, and audit domain permissions.
Source: BleepingComputer

Sitecore XP Hardcoded Password (CVE-2025-XXXX) Enables RCE Chain

Sitecore XP versions 10.1–10.4 contain a hardcoded password (“b”) for the sitecore\ServicesAPI account, enabling RCE via Zip Slip and PowerShell Extension flaws.
Impact: Full system takeover in enterprise deployments.
Mitigation: Patch immediately, rotate credentials, and audit service accounts.
Source: BleepingComputer

Google Chrome Zero-Day (CVE-2025-2783) Exploited by TaxOff Group

TaxOff exploited a Chrome sandbox escape (CVE-2025-2783) to deploy the Trinper backdoor via phishing emails. The backdoor captures keystrokes and files and executes remote commands.
Impact: Data exfiltration and persistent access.
Mitigation: Update Chrome, block phishing domains, and monitor for Trinper C2 traffic.
Source: The Hacker News

Flodrix Botnet Exploits Langflow RCE (CVE-2025-3248)

Attackers are exploiting a Langflow authentication bypass to deploy the Flodrix botnet, which conducts DDoS attacks. The malware obfuscates C2 traffic and self-deletes to evade detection.
Impact: DDoS attacks and system compromise.
Mitigation: Update Langflow to v1.3.0+, restrict inbound traffic, and monitor for suspicious downloads.
Source: The Hacker News

CISA Warns of Active Exploitation of Command Injection Flaw in Discontinued TP-Link Routers

CISA warns of active exploitation of a command injection flaw in discontinued TP-Link routers (TL-WR940N, TL-WR841N, TL-WR740N). PoC code was briefly public.
Impact: Remote code execution on vulnerable devices.
Mitigation: Replace EoL routers, segment network access, and monitor for anomalous traffic.
Source: The Hacker News

LightPerlGirl ClickFix Variant Drops Lumma Stealer

A new ClickFix variant targets users via compromised WordPress sites, tricking them into executing obfuscated PowerShell commands to deploy Lumma infostealer.
Impact: Credential theft and potential enterprise network compromise.
Mitigation: Block execution of unsigned PowerShell scripts, and educate users on social engineering.
Source: SecurityWeek

Scattered Spider Shifts Focus to US Insurance Firms

Google warns that Scattered Spider is targeting US insurance companies via help desk social engineering. The group collaborates with DragonForce ransomware operators.
Impact: Data theft and ransomware deployment.
Mitigation: Train help desks on verification, enforce MFA, and monitor for unusual access patterns.
Source: SecurityWeek
