Svoboda Cybersecurity Brief January 17, 2026


Black Basta Ransomware Leader Identified and Wanted by Interpol

German authorities identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. He operated under aliases like tramp, gg, and kurva. Black Basta, linked to the defunct Conti group, has attacked 600+ companies worldwide, including critical infrastructure. Ukraine and Germany conducted raids, arresting two accomplices specializing in initial access.
Impact: Global ransomware attacks targeting enterprises and critical sectors.
Mitigation: Patch known vulnerabilities, enforce MFA, and monitor for suspicious network activity.
Source: BleepingComputer

StealC Malware Operators Hacked via XSS Flaw in Control Panel

Researchers exploited an XSS flaw in StealC’s web panel to hijack sessions and gather attacker fingerprints, including hardware details and IPs. One operator (YouTubeTA) used compromised YouTube channels to distribute malware, stealing 390K passwords and 30M cookies. The attacker’s location was traced to Ukraine via ISP TRK Cable TV.
Impact: Malware operators exposed, but StealC remains active.
Mitigation: Block malicious domains, monitor for credential leaks, and restrict script execution.
Source: BleepingComputer

China-Linked APT Exploits SiteCore Zero-Day (CVE-2025-53690)

UAT-8837, a suspected Chinese APT, exploited a ViewState deserialization flaw in SiteCore to target North American critical infrastructure. Post-exploitation tools included GoTokenTheft, EarthWorm, and Certipy for credential harvesting and tunneling. The group exfiltrated DLLs for potential supply-chain attacks.
Impact: Initial access to high-value targets, espionage, and data theft.
Mitigation: Patch SiteCore, monitor for suspicious RDP/WMI activity, and segment networks.
Source: BleepingComputer

Fortinet FortiSIEM Critical Flaw (CVE-2025-64155) Actively Exploited

Attackers are exploiting a command injection vulnerability in FortiSIEM’s phMonitor service (port 7900), allowing root-level code execution. Horizon3.ai released PoC exploit code. Temporary workarounds include restricting access to port 7900.
Impact: Full system compromise of unpatched FortiSIEM instances.
Mitigation: Upgrade to fixed versions (7.4.1+, 7.3.5+, etc.) or block port 7900.
Source: BleepingComputer

Jordanian Access Broker Pleads Guilty to Selling Network Access

Feras Albashiti admitted selling unauthorized access to 50+ corporate networks in exchange for cryptocurrency payments. He operated on Russian-language forums such as XSS.is under aliases including r1z. He faces up to 10 years in prison.
Impact: Breaches facilitated ransomware and espionage campaigns.
Mitigation: Enforce strict access controls and monitor for credential leaks.
Source: DataBreaches

WhisperPair Attack Hijacks Bluetooth Devices via Fast Pair Flaw (CVE-2025-36911)

A logic error in Google Fast Pair lets attackers forcibly pair Bluetooth accessories (headphones, earbuds) to malicious devices without user consent. Vulnerable brands include Jabra, Sony, and Xiaomi.
Impact: Eavesdropping, audio injection, and user tracking.
Mitigation: Update device firmware and disable Fast Pair if possible.
Source: SecurityWeek

LOTUSLITE Backdoor Targets US Policy Entities with Venezuela-Themed Lures

Mustang Panda (China-linked) used geopolitical decoys to deploy LOTUSLITE, a C++ backdoor with remote shell, file manipulation, and persistence capabilities. The malware mimics Claimloader and communicates via hardcoded C2 servers.
Impact: Espionage and data exfiltration from targeted entities.
Mitigation: Block malicious domains, monitor for DLL sideloading, and train staff on phishing.
Source: TheHackerNews

Malicious Chrome Extensions Hijack HR/ERP Accounts

Five extensions (DataByCloud Access, Tool Access 11) masqueraded as Workday/NetSuite tools to steal cookies, block admin pages, and hijack sessions. One operator used api.databycloud[.]com for exfiltration.
Impact: Account takeover and bypass of security controls.
Mitigation: Remove extensions, reset passwords, and audit session activity.
Source: TheHackerNews

GootLoader Malware Evades Detection with 500–1,000 Concatenated ZIPs

GootLoader now uses malformed ZIP archives (truncated EOCD records) to bypass analysis tools. Victims unwittingly execute JS payloads via Windows’ native unarchiver.
Impact: Delivery of ransomware and other payloads via SEO poisoning.
Mitigation: Block JS execution from temp folders and enforce email attachment scanning.
Source: TheHackerNews
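A defender-side triage check for the malformed archives described above, added here as an example; it is not code from the original brief or from the cited reporting. It uses only Python's standard library, and the sample archives it inspects are constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_MIN = 22             # fixed part of an EOCD record, before the comment

def scan_zip_bytes(data: bytes) -> dict:
    """Count EOCD records and local headers, flag truncated EOCDs, and
    compare with what Python's zipfile (which trusts the final EOCD) sees."""
    eocd_offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        eocd_offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    truncated = 0
    for off in eocd_offsets:
        rec = data[off:off + EOCD_MIN]
        if len(rec) < EOCD_MIN:        # record cut short, as in the GootLoader samples
            truncated += 1
            continue
        comment_len = struct.unpack("<H", rec[20:22])[0]
        if off + EOCD_MIN + comment_len > len(data):  # comment runs past EOF
            truncated += 1
    lfh_count = data.count(LFH_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            visible = len(zf.namelist())
    except zipfile.BadZipFile:
        visible = None                 # this parser gave up; another unarchiver may not
    suspicious = (len(eocd_offsets) > 1 or truncated > 0
                  or (visible is not None and lfh_count != visible))
    return {"eocd_records": len(eocd_offsets), "truncated_eocd": truncated,
            "local_headers": lfh_count, "entries_seen_by_zipfile": visible,
            "suspicious": suspicious}

def make_zip(name: str, payload: bytes) -> bytes:
    """Minimal single-entry archive, used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a normal archive, and a decoy followed by an archive whose EOCD is cut short.
CLEAN = make_zip("readme.txt", b"hello")
CONCAT = make_zip("decoy.txt", b"decoy") + make_zip("invoice.js", b"//js")[:-6]

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("concatenated", CONCAT)):
        print(label, scan_zip_bytes(blob))
```

The disagreement between the raw header counts and what a strict parser reports is the signal: a file with several EOCD records, a truncated EOCD, or more local headers than visible entries deserves detonation or manual review rather than a pass from a single unarchiver.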

Cisco Patches Zero-Day (CVE-2025-20393) Exploited by Chinese APT

UAT-9686 abused a Spam Quarantine flaw in Cisco AsyncOS to deploy AquaShell backdoor and tunneling tools (Chisel, ReverseSSH). Fixed in AsyncOS 15.0.5-016 and later.
Impact: Root-level compromise of email gateways.
Mitigation: Upgrade immediately or restrict HTTP access to quarantines.
Source: TheHackerNews

CIRO Data Breach Exposes 750K Canadians’ Financial Data

A phishing attack compromised CIRO’s systems, leaking SINs, account numbers, and income details. No evidence of misuse yet, but victims get 2 years of credit monitoring.
Impact: Identity theft and financial fraud risks.
Mitigation: Enable MFA and monitor for credential stuffing.
Source: SecurityWeek
