Svoboda Cybersecurity Brief July 03, 2025


Qantas Data Breach Impacts Up to 6 Million Customers

Qantas disclosed a cyberattack on a third-party customer service platform used by its Manila call centre, potentially exposing the names, email addresses, phone numbers, birth dates and frequent flyer numbers of up to 6 million customers. The intrusion is consistent with Scattered Spider's social engineering tactics, but no attribution has been confirmed.
Source: SecurityWeek

Cl0p Cybercrime Gang’s Data Exfiltration Tool Vulnerable to RCE

A vulnerability (CWE-20, improper input validation; CVSS 8.9) has been found in the Python-based data exfiltration utility Cl0p used in its MOVEit Transfer mass-exploitation campaign. Unvalidated input reaching the tool can be turned into remote code execution, which in principle lets defenders run code on the gang's own infrastructure.
Impact: The attackers' own tooling can be weaponized against them.
Mitigation: There is nothing for victims to patch here, since the flaw sits in the criminals' tooling; keep MOVEit Transfer patched and continue monitoring for exploitation attempts.
Source: The Register

US Sanctions Russian Bulletproof Hosting Provider Aeza Group

The U.S. Treasury sanctioned Aeza Group, a Russian hosting provider linked to ransomware groups (BianLian, RedLine) and influence operations (Doppelgänger). Four individuals were also sanctioned, including CEO Arsenii Penzev, who was previously arrested for hosting dark web drug markets.
Source: The Hacker News

DOJ Investigates Ex-Ransomware Negotiator for Extortion Kickbacks

A former DigitalMint ransomware negotiator is under DOJ investigation for allegedly colluding with ransomware gangs, including BlackCat, to inflate ransom demands and take a kickback. The case highlights the ethical risk of incident response firms that profit from the ransom payments they negotiate.
Source: BleepingComputer

Forminator WordPress Plugin Vulnerability Exposes 400k Sites

CVE-2025-6463 (CVSS 8.8) in Forminator allows unauthenticated arbitrary file deletion: the plugin does not validate the values stored with a form submission, so an attacker can submit a crafted entry that points at any file on the server, and that file is unlinked when the submission is deleted. Removing wp-config.php drops WordPress into setup mode and lets the attacker take over the site. Versions up to and including 1.44.2 are affected.
Impact: Full site takeover.
Mitigation: Update to 1.44.3 or later immediately.
Source: SecurityWeek
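The bug class behind the Forminator advisory, shown as an added example (this is not Forminator's code, and the function and file names are assumptions): a cleanup routine that deletes the files recorded with a submission. The first version trusts the stored paths, so a path that came from the form POST can name wp-config.php; the hardened version resolves every candidate and refuses anything outside the upload directory. The scenario builds a throwaway site root under a temp directory, so it runs offline.

```python
import os
import shutil
import tempfile
from pathlib import Path


def delete_submission_files_unsafe(submission: dict) -> list:
    """Vulnerable pattern: unlinks whatever paths are stored with the submission.
    If those paths were copied from the form POST instead of being set by the
    upload handler, the submitter chooses which file gets deleted."""
    deleted = []
    for path in submission.get("files", []):
        if os.path.isfile(path):  # relative entries resolve against the CWD
            os.remove(path)
            deleted.append(path)
    return deleted


def delete_submission_files_safe(upload_dir: str, submission: dict) -> list:
    """Hardened pattern: resolve every candidate (following symlinks) and refuse
    anything that does not land inside the upload directory."""
    root = Path(upload_dir).resolve()
    deleted = []
    for raw in submission.get("files", []):
        # Path "/" with an absolute right operand discards `root`, so the
        # relative_to() check below is what actually enforces confinement.
        candidate = (root / raw).resolve()
        try:
            candidate.relative_to(root)
        except ValueError:
            continue  # outside the upload root: refuse (and log it in a real system)
        if candidate.is_file():
            candidate.unlink()
            deleted.append(candidate.name)
    return deleted


def run_scenario() -> dict:
    """Constructed scenario (assumption, not a real site): a site root holding
    wp-config.php and an uploads directory with one legitimate attachment. The
    crafted submission lists the attachment, wp-config.php by absolute path,
    and wp-config.php again via directory traversal."""
    site = Path(tempfile.mkdtemp(prefix="wp-"))
    uploads = site / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    config = site / "wp-config.php"
    attachment = uploads / "form-42-cv.pdf"

    def reset():
        config.write_text("<?php /* constructed placeholder */\n")
        attachment.write_bytes(b"%PDF-1.4 constructed\n")

    crafted = {"files": [str(attachment), str(config), "../../wp-config.php"]}

    reset()
    unsafe_deleted = delete_submission_files_unsafe(crafted)
    unsafe_config_gone = not config.exists()

    reset()
    safe_deleted = delete_submission_files_safe(str(uploads), crafted)
    safe_config_gone = not config.exists()

    shutil.rmtree(site, ignore_errors=True)
    return {
        "unsafe_deleted": [Path(p).name for p in unsafe_deleted],
        "unsafe_config_gone": unsafe_config_gone,
        "safe_deleted": safe_deleted,
        "safe_config_gone": safe_config_gone,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Confinement is the minimum; a cleanup routine should also only act on entries the upload handler itself recorded, never on a value the submitter could write into the stored submission.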

Hackers Use PDFs in Callback Phishing Campaigns

Attackers are sending PDF attachments that impersonate Microsoft, DocuSign, PayPal and other brands and urge the recipient to call a phone number the attacker controls, a technique known as telephone-oriented attack delivery (TOAD). Because the lure carries a phone number rather than a link, URL-based mail filtering has little to catch; Cisco Talos observed the same VoIP numbers reused across campaigns, with the call serving as the first stage of a multi-step social engineering sequence.
Source: The Hacker News
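A triage heuristic for the TOAD lures described above, as an added example rather than anything from Talos or the article: it scores text already extracted from PDF attachments (with pdftotext or similar, an assumption) for a phone number next to a call-to-action plus brand or urgency language, and then marks numbers that recur across attachments, since the reuse Talos reported is a stronger signal than any single lure. The sample texts, brand list and regexes are constructed for the demo.

```python
import re
from collections import Counter

# Constructed samples standing in for text extracted from PDF attachments.
# None are real messages; the phone number uses the reserved 555-01xx range.
SAMPLES = {
    "msg-001.pdf": ("Microsoft 365 subscription renewed for $399.99. To cancel or "
                    "dispute this charge, call our billing desk at +1 (888) 555-0142 "
                    "within 24 hours."),
    "msg-002.pdf": "DocuSign: your document is ready. Review and sign at the portal.",
    "msg-003.pdf": ("PayPal purchase confirmation. If you did not authorize this "
                    "payment call 1-888-555-0142 immediately."),
    "msg-004.pdf": "Quarterly all-hands slides attached. Agenda on page 2.",
}

# Brands the brief names as impersonated, plus two common ones (assumption).
BRANDS = ("microsoft", "docusign", "paypal", "norton", "geek squad")
CALL_TO_ACTION = re.compile(r"\b(?:call|dial|phone)\b", re.I)
URGENCY = re.compile(
    r"\b(?:immediately|within \d+ hours|cancel|dispute|did not authori[sz]e|unauthori[sz]ed)\b",
    re.I,
)
# North American numbers with optional +1, punctuation and parentheses.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def normalize_phone(raw: str) -> str:
    """Reduce a formatted number to its ten-digit subscriber number so the same
    line written in different styles counts as one number."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:]


def score(text: str) -> dict:
    """Flag text that pairs a phone number with a call-to-action and at least
    one more signal (impersonated brand or urgency wording)."""
    phones = sorted({normalize_phone(m.group()) for m in PHONE.finditer(text)})
    lowered = text.lower()
    reasons = []
    if phones and CALL_TO_ACTION.search(text):
        reasons.append("call_to_phone")
    brand = next((b for b in BRANDS if b in lowered), None)
    if brand:
        reasons.append("brand:" + brand)
    if URGENCY.search(text):
        reasons.append("urgency")
    return {
        "phones": phones,
        "reasons": reasons,
        "suspicious": "call_to_phone" in reasons and len(reasons) >= 2,
    }


def triage(samples: dict) -> dict:
    """Score every sample, then mark numbers that appear in more than one
    attachment; a shared callback number ties lures into one campaign."""
    results = {name: score(text) for name, text in samples.items()}
    seen = Counter(p for r in results.values() for p in r["phones"])
    for r in results.values():
        r["reused_numbers"] = [p for p in r["phones"] if seen[p] > 1]
    return results


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok",
              verdict["reasons"], verdict["reused_numbers"])
```

Requiring two signals keeps ordinary invoices with a support number out of the queue; the normalized numbers are what you would feed into a blocklist or correlate with call records from the help desk.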

Cisco Unified CM Contains Hardcoded Root SSH Credentials

CVE-2025-20309 (critical, CVSS 10.0) in Cisco Unified Communications Manager and Unified CM Session Management Edition stems from static root credentials left over from development in Engineering Special releases 15.0.1.13010-1 through 15.0.1.13017-1. An unauthenticated remote attacker who knows the credentials can log in over SSH as root.
Impact: Full system compromise. Cisco's indicator of compromise is a successful root SSH login in the secure syslog, which can be pulled from the CLI with file get activelog syslog/secure.
Mitigation: Apply the patch file Cisco released for bug ID CSCwp27755, or upgrade to 15SU3.
Source: BleepingComputer

North Korean Hackers Deploy Nim-Based macOS Malware (NimDoor)

NimDoor, written in Nim, achieves persistence through signal handlers: when the process receives SIGINT or SIGTERM it reinstalls itself instead of exiting, so simply killing the process does not remove it. It steals Telegram and Solana wallet data. Campaigns target Web3 and cryptocurrency firms, with infection starting from a fake Zoom SDK update.
Source: The Hacker News

Kelly Benefits Breach Expands to 553,000 Victims

Initially reported as affecting 32,000, the December 2024 breach now impacts 553,000 individuals, exposing SSNs, medical data, and financial info. No ransomware group has claimed responsibility.
Source: SecurityWeek

Vercel’s v0 AI Tool Weaponized for Phishing Page Generation

Threat actors abused Vercel's v0, which generates a working web page from a text prompt, to produce convincing login-page clones at scale, and hosted the pages and their supporting resources on Vercel's own infrastructure, where the trusted hosting helps them evade detection.
Source: The Hacker News

International Criminal Court Targeted in Cyberattack

The ICC confirmed a sophisticated and targeted cyberattack detected during the NATO summit in The Hague, following a separate espionage incident in 2023. It has not attributed the attack or disclosed its impact.
Source: SecurityWeek

20% of US Law Firms Hit by Cyberattacks in Past Year

Proton's survey of US law firms found that 20% had been hit by a cyberattack in the past year and 8% had lost data, while 65% of respondents did not know how to respond to a breach. The sensitive client data law firms hold makes the sector an increasingly attractive target.
Source: Law.com

Firefox Store Flooded with 40+ Fake Crypto Wallet Extensions

More than 40 malicious extensions impersonating wallets such as MetaMask, Phantom and Trust Wallet capture seed phrases by attaching event listeners to the wallet input fields and sending the captured values to attacker-controlled servers. Many carry hundreds of fake reviews, and they remain listed despite reports to Mozilla.
Source: BleepingComputer
