Svoboda Cybersecurity Brief June 24, 2025

McLaren Health Care Data Breach Impacts 743,000 Patients

McLaren Health Care disclosed a ransomware attack by INC Ransom in July-August 2024, exposing names, SSNs, driver’s licenses, medical data, and health insurance info of 743,131 patients. This is the second major breach in two years, following a 2023 Alphv/BlackCat attack affecting 2.2 million.
Source: BleepingComputer

Steelmaker Nucor Confirms Data Theft in Cyberattack

Nucor, North America’s largest steel producer, confirmed hackers exfiltrated limited data during a May 2025 breach that forced temporary production halts. Systems have been restored, and the company believes the threat actor is no longer active.
Source: SecurityWeek

Pro-Russian Hackers Disrupt Dutch Government Websites Ahead of NATO Summit

NoName057(16) claimed responsibility for DDoS attacks on Dutch municipal and provincial government websites, disrupting access to official documents. The attacks targeted NotuBiz, a service provider for multiple regions, ahead of a NATO summit.
Source: DataBreaches.net

Iran-Linked Hackers Leak Saudi Games Attendee and Athlete Data

Cyber Fattah, an Iran-linked group, leaked SQL dumps containing visitor and athlete data from Saudi Games via compromised phpMyAdmin access. The breach is part of Iran’s anti-Saudi propaganda efforts targeting major events.
Source: DataBreaches.net

Oxford City Council Investigates Legacy System Breach

Attackers accessed unencrypted historic data (2001–2022) on legacy systems, including election worker details, during a June 2025 cyberattack. The council claims no evidence of mass data extraction but admits poor security practices.
Source: DataBreaches.net

China’s Salt Typhoon Exploits Cisco Flaw to Target Canadian Telecom

Salt Typhoon exploited CVE-2023-20198 (Cisco IOS XE flaw) to breach a Canadian telecom in February 2025, configuring GRE tunnels for traffic collection. The group has previously targeted US telcos like AT&T and Verizon.
Impact: Espionage via network traffic interception.
Mitigation: Patch Cisco devices and monitor for unauthorized GRE tunnels.
Source: BleepingComputer
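As an added defender-side check for the GRE-tunnel mitigation above (example code, not from the brief or its sources), the script below parses an IOS XE running-config and lists GRE tunnel interfaces whose name/destination pair is not in a documented inventory; the config excerpt, addresses and inventory are constructed.

```python
import re

# Constructed excerpt of `show running-config` (hypothetical addresses).
SAMPLE_CONFIG = """\
interface Tunnel10
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel42
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
"""

# Tunnels the network team has documented (assumed inventory): name -> destination.
APPROVED = {"Tunnel10": "203.0.113.10"}

def parse_tunnels(config: str) -> dict[str, dict[str, str]]:
    """Map each `interface TunnelN` block to its tunnel mode/source/destination."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (Tunnel\d+)\s*$", line):
            current = tunnels.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # `!` or another top-level stanza ends the block
        elif current is not None:
            if m := re.match(r"^ tunnel (mode|source|destination) (\S+)", line):
                current[m.group(1)] = m.group(2)
    return tunnels

def unapproved_gre(config: str, approved: dict[str, str]) -> list[str]:
    """GRE tunnels whose name/destination pair is absent from the approved inventory."""
    return [f"{name} -> {attrs.get('destination', '?')}"
            for name, attrs in parse_tunnels(config).items()
            if attrs.get("mode") == "gre" and approved.get(name) != attrs.get("destination")]

if __name__ == "__main__":
    for finding in unapproved_gre(SAMPLE_CONFIG, APPROVED):
        print("UNAPPROVED GRE TUNNEL:", finding)
```

Run it against configs pulled on a schedule and diff the output over time; a tunnel that appears without a change ticket is the signal to investigate.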

APT28 Uses Signal Chats to Deliver Malware to Ukrainian Targets

APT28 (UAC-0001) leveraged Signal messages to deliver malicious documents (Акт.doc) loading Covenant malware, which deployed BeardShell (C++ backdoor) and SlimAgent (screenshot grabber). Attacks targeted Ukrainian government entities in 2024–2025.
Impact: Data exfiltration and persistent access via COM hijacking.
Mitigation: Monitor interactions with app.koofr.net and api.icedrive.net.
Source: BleepingComputer

SparkKitty Crypto-Stealing Malware Found on Google Play and Apple App Store

SparkKitty, a mobile malware variant, stole all device images (potentially including crypto wallet recovery phrases) via apps like SOEX (Google Play) and 币coin (Apple App Store). The malware used OCR to filter text-containing images.
Impact: Theft of sensitive images and crypto credentials.
Mitigation: Avoid storing seed phrases digitally; scrutinize app permissions.
Source: BleepingComputer

Echo Chamber Jailbreak Bypasses AI Guardrails with 90% Success Rate

NeuralTrust’s Echo Chamber jailbreak manipulates LLM context via indirect semantic steering, achieving 90% success in generating harmful content (e.g., hate speech, violence). Tested on GPT-4o and Gemini models.
Impact: Unrestricted harmful output from AI systems.
Mitigation: Implement layered defenses and monitor multi-turn interactions.
Source: SecurityWeek

XDigo Malware Exploits Windows LNK Flaw in Eastern European Attacks

XDigo, a Go-based stealer, exploited ZDI-CAN-25373 (Windows LNK parsing flaw) to target Eastern European governments in March 2025. The attack chain involved malicious LNK files sideloading ETDownloader and NodeInitRAT.
Impact: Data theft and command execution via HTTP C2.
Mitigation: Patch LNK vulnerabilities and monitor for markdown sanitization bypasses.
Source: The Hacker News

DHS Warns of Iranian Cyber Retaliation After US Airstrikes

The DHS anticipates pro-Iranian hacktivist and state-sponsored attacks following US airstrikes on Iranian nuclear sites. Previous Iranian operations include ICS targeting and MFA fatigue attacks.
Source: SecurityWeek

Critical Auth Bypass in Teleport (CVE-2025-49825)

Teleport fixed a CVSS 9.8 flaw allowing SSH authentication bypass in versions ≤17.5.1. Self-hosted deployments must upgrade to patched versions (e.g., 17.5.2).
Impact: Unauthorized access to Teleport-managed systems.
Mitigation: Update to Teleport 17.5.2+ or apply cloud auto-patches.
Source: SecurityWeek

North Korean Hackers Use Deepfake Zoom Calls for Malware Delivery

BlueNoroff (APT38) impersonated executives via deepfake Zoom calls, tricking victims into running malicious scripts masquerading as audio fixes. Attacks targeted crypto and gambling sectors in 2025.
Source: SecurityWeek

Prometei Botnet Resurfaces with Enhanced Capabilities

Prometei, active since 2020, returned in March 2025 with DGA-based C2 and self-updating modules for cryptomining and data theft. Previously exploited ProxyLogon flaws.
Source: The Hacker News

Storing sensitive data on unencrypted network shares (e.g., S:\ drives) exposes organizations to breaches and privacy lawsuits due to lax access controls and governance.
Source: DataBreaches.net
