Svoboda Cybersecurity Brief June 28, 2025

Scattered Spider targets North American aviation and transportation sectors

Threat actor Scattered Spider (UNC3944) has shifted its focus to North American airline and transportation organizations. The group relies on social engineering rather than exploits: it impersonates employees to corporate help desks to have passwords reset and MFA devices re-enrolled, bypassing MFA without defeating it technically. Recent incidents include an attack on WestJet and a suspected one on Hawaiian Airlines, abusing self-service password resets and SIM swapping.
Impact: Network compromise, data theft, and operational disruption.
Mitigation: Require strong identity verification at the help desk before any password or MFA reset (no resets on the strength of a phone call alone), review recent reset and MFA re-enrollment events for accounts with privileged access, and follow Mandiant's UNC3944 defense guidance.
Source: BleepingComputer

Citrix Bleed 2 (CVE-2025-5777) likely exploited in attacks

ReliaQuest reports in-the-wild exploitation of CVE-2025-5777, a critical NetScaler ADC/Gateway memory disclosure flaw that leaks valid session tokens and so lets an attacker bypass MFA by replaying an authenticated session. Attackers have used the stolen sessions for Active Directory reconnaissance and lateral movement. Citrix has not confirmed exploitation but recommends patching immediately.
Impact: Session hijacking, credential theft, and network compromise.
Mitigation: Patch to NetScaler 14.1-43.56+ or 13.1-58.32+, then terminate all active ICA and PCoIP sessions after upgrading so tokens leaked before the patch cannot be replayed, review for sessions from unexpected source IPs, and restrict external access to the management and gateway interfaces.
Source: BleepingComputer
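The version triage implied by the mitigation above, as an added example that is not part of the brief or of any Citrix tooling. It parses NetScaler build strings and compares them per release branch against the two fixed builds the brief quotes. The inventory, hostnames and the handling of branches the brief does not list are assumptions for illustration.

```python
"""
Added example (not from the brief or from Citrix): triage a NetScaler
inventory against the fixed builds the brief lists for CVE-2025-5777.
"""
import re

# Fixed builds quoted in the brief, keyed by release branch (major, minor).
FIXED_BUILDS = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}

# NetScaler build strings look like "14.1-43.56": branch, dash, build number.
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """'14.1-43.56' -> ((14, 1), (43, 56)); raise on anything unexpected
    (e.g. FIPS/NDcPP builds) rather than guess."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    major, minor, b1, b2 = (int(x) for x in m.groups())
    return (major, minor), (b1, b2)


def status(build):
    """Return 'fixed', 'vulnerable', or 'unknown-branch'.

    Branches the brief lists no fix for (assumption: anything other than
    13.1 and 14.1) are reported separately for manual review, not as safe.
    """
    branch, number = parse_build(build)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison orders (43, 56) after (29, 72) as intended.
    return "fixed" if number >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, build). Returns {status: [hosts]}."""
    out = {"fixed": [], "vulnerable": [], "unknown-branch": []}
    for host, build in inventory:
        out[status(build)].append(host)
    return out


# Constructed sample inventory: hostnames and builds are made up.
SAMPLE_INVENTORY = [
    ("ns-edge-1", "14.1-43.56"),
    ("ns-edge-2", "14.1-29.72"),
    ("ns-vpn-1", "13.1-58.32"),
    ("ns-vpn-2", "13.1-53.17"),
    ("ns-legacy", "13.0-92.21"),
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

The parser deliberately rejects build strings it does not recognise instead of treating them as patched; FIPS and NDcPP builds have their own fixed versions, which the brief does not list, so they should be checked against Citrix's advisory by hand.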

Ahold Delhaize breach exposes 2.2M records via INC Ransom

The retail giant confirmed a November 2024 ransomware attack compromised personal, financial, and health data of 2.2M individuals. INC Ransom leaked samples, including employee records with SSNs, bank details, and medical info.
Source: BleepingComputer

MOVEit Transfer faces renewed scanning and exploit attempts

GreyNoise observed a surge in scanning (200-300 distinct IPs per day) targeting MOVEit Transfer instances, alongside exploitation attempts for CVE-2023-34362 and CVE-2023-36934, the SQL injection flaws Cl0p exploited at scale in 2023. Scanning surges of this kind have previously preceded mass exploitation of newly found bugs in the same product.
Impact: Mass exploitation of unpatched instances and data theft.
Mitigation: Confirm every MOVEit Transfer instance is on a patched release, block the scanning source IPs at the edge, keep the web interface off the public internet where the business allows, and review web logs for unusual request volumes against MOVEit endpoints.
Source: The Hacker News
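The log review suggested in the mitigation above, as an added example that is not part of the brief or of any GreyNoise or Progress tooling. It runs simple detection logic over constructed IIS-style access log lines for a MOVEit Transfer host: it flags days on which an unusual number of distinct IPs touched MOVEit endpoints, reports probes for a known web shell name, and lists scanner IPs that never requested anything else. The log lines, IP addresses, and thresholds are made up; the web shell file name human2.aspx comes from CISA's 2023 advisory on the Cl0p campaign (AA23-158A), not from the brief.

```python
"""
Added example, not from the brief or from GreyNoise/Progress: detection
logic over constructed IIS-style access log lines for a MOVEit Transfer
host, flagging a scanning surge and probes for a known web shell.
"""
from collections import defaultdict
from dataclasses import dataclass

# MOVEit Transfer request paths worth watching (assumed set, not from the brief).
MOVEIT_PREFIXES = ("/moveitisapi/", "/guestaccess.aspx", "/api/v1/", "/human.aspx")

# human2.aspx is the web shell file name CISA documented for the 2023 Cl0p
# campaign (AA23-158A); it is not mentioned in the brief above.
WEBSHELL_PATHS = {"/human2.aspx"}

# Constructed sample log in a simplified W3C-style format:
#   date time c-ip cs-method cs-uri-stem sc-status
CONSTRUCTED_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-06-26 09:01:11 198.51.100.10 GET /moveitisapi/moveitisapi.dll 200
2025-06-26 09:01:12 198.51.100.10 GET /human2.aspx 404
2025-06-26 09:02:40 198.51.100.11 GET /guestaccess.aspx 200
2025-06-26 09:03:05 198.51.100.12 POST /moveitisapi/moveitisapi.dll 200
2025-06-26 09:04:55 203.0.113.7 GET /static/logo.png 200
2025-06-27 02:10:00 198.51.100.20 GET /human.aspx 200
2025-06-27 02:10:01 198.51.100.21 GET /human.aspx 200
2025-06-27 02:10:02 198.51.100.22 GET /human.aspx 200
2025-06-27 02:10:03 198.51.100.23 POST /human2.aspx 200
2025-06-27 02:10:04 198.51.100.24 GET /api/v1/token 401
2025-06-27 08:00:00 203.0.113.7 GET /moveitisapi/moveitisapi.dll 200
"""


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    ip: str
    method: str
    path: str
    status: int


def parse(log_text):
    """Parse the simplified format; skip '#' directives and malformed lines."""
    entries = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, ip, method, path, status = parts
        entries.append(Entry(date, time, ip, method.upper(), path.lower(), int(status)))
    return entries


def is_interesting(path):
    """MOVEit application endpoints plus known web shell names."""
    return path.startswith(MOVEIT_PREFIXES) or path in WEBSHELL_PATHS


def scanning_days(entries, threshold):
    """{date: distinct IP count} for days on which at least `threshold`
    distinct IPs touched MOVEit endpoints. Pick `threshold` from the host's
    own baseline; the brief's 200-300 IPs/day is an internet-wide figure."""
    ips_by_day = defaultdict(set)
    for e in entries:
        if is_interesting(e.path):
            ips_by_day[e.date].add(e.ip)
    return {d: len(ips) for d, ips in ips_by_day.items() if len(ips) >= threshold}


def webshell_hits(entries):
    """Every request for a known web shell path is reportable; a 2xx on a
    POST means something answered at that path and is treated as critical."""
    hits = []
    for e in entries:
        if e.path in WEBSHELL_PATHS:
            answered = e.method == "POST" and 200 <= e.status < 300
            hits.append((e.date, e.ip, e.method, e.status, "critical" if answered else "probe"))
    return hits


def block_candidates(entries, threshold):
    """IPs active on a flagged day that only ever touched MOVEit endpoints.
    An IP that also fetched ordinary content is left out to avoid blocking users."""
    flagged = scanning_days(entries, threshold)
    seen_on_flagged = {e.ip for e in entries if e.date in flagged and is_interesting(e.path)}
    has_other = {e.ip for e in entries if not is_interesting(e.path)}
    return sorted(ip for ip in seen_on_flagged if ip not in has_other)


if __name__ == "__main__":
    entries = parse(CONSTRUCTED_LOG)
    print("scanning days:", scanning_days(entries, threshold=5))
    print("web shell hits:", webshell_hits(entries))
    print("block candidates:", block_candidates(entries, threshold=5))
```

Real IIS logs carry more fields than the constructed sample; read the #Fields header of the actual log and map the positions accordingly rather than assuming six columns. The block list is a starting point for edge ACLs, not an automatic action.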

Silver Fox targets Chinese users with Sainbox RAT and Hidden rootkit

The China-linked group distributed fake WPS Office installers through Chinese-language sites, deploying the Sainbox RAT (a Gh0st variant) and the Hidden rootkit via DLL sideloading. The campaign mimics a legitimate software update flow so the installer looks routine to the victim.
Source: The Hacker News

Compumedics breach impacts 10 healthcare providers

A February-March 2025 intrusion at sleep diagnostics vendor Compumedics exposed patient data (names, medical records, diagnoses) across 10 providers, including Northern Light Health. SSNs and insurance data may be compromised.
Source: DataBreaches.net

LapDogs ORB network hacks 1,000+ SOHO devices for espionage

China-linked actors compromised Ruckus, ASUS, and Cisco-Linksys SOHO devices using N-day exploits (CVE-2015-1548, CVE-2017-17663) and deployed the ShortLeash backdoor, which masquerades as an Nginx server to blend into normal traffic. Targets include US and Southeast Asian entities, with the compromised devices serving as an operational relay box (ORB) network for espionage.
Source: The Hacker News

Mustang Panda attacks Tibetans with PUBLOAD and Pubshell malware

The China-aligned group used Tibet-themed lures to deliver the PUBLOAD downloader and Pubshell backdoor via weaponized archives. The tooling ties the activity to prior Mustang Panda campaigns that used TONESHELL and USB worms.
Source: The Hacker News

Open VSX vulnerability allowed repository takeover

A flaw in Eclipse's Open VSX registry exposed super-admin tokens, which would have allowed an attacker to publish or overwrite any extension and so compromise the supply chain of the 8M+ developers whose editors pull from Open VSX. It was patched after disclosure in May.
Impact: Malware injection into, and backdooring of, extensions served to every editor that uses the registry.
Mitigation: The fix was applied to the registry itself; organizations using Open VSX-backed editors should audit installed extensions and their publishers and pin extension versions where the editor allows it.
Source: SecurityWeek

CMS warns of Medicare audit phishing via fake faxes

Scammers impersonate CMS, sending fraudulent faxes that request medical records under the guise of an audit. The campaign targets healthcare providers and suppliers; requests should be verified through CMS's published contact channels before any records are sent.
Source: DataBreaches.net

Share this brief: https://svo.bz/k0jI