cyberlights – week 22/2025
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
News For All
🎭 Fake software activation videos on TikTok spread Vidar, StealC malware – Cybercriminals exploit TikTok to distribute Vidar and StealC malware through fake software activation videos, tricking users into running harmful PowerShell commands. https://securityaffairs.com/178269/cyber-crime/fake-software-activation-videos-on-tiktok-spread-vidar-stealc.html
🎀 A Starter Guide to Protecting Your Data From Hackers and Corporations privacy – With rising digital surveillance, this guide offers essential tips for enhancing personal privacy, including using multifactor authentication and privacy-focused tools. https://www.wired.com/story/guide-protect-data-from-hackers-corporations/
🦠 MathWorks’ ransomware disruptions rages on into second week cybercrime – MathWorks confirms a ransomware attack causing prolonged outages of MATLAB and other applications, disrupting users, particularly students, as recovery efforts continue with limited functionality. https://go.theregister.com/feed/www.theregister.com/2025/05/27/mathworks_ransomware_attack_leaves_ondeadline/
📝 Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites cybercrime – Cybercriminals exploit AI interest by creating fake video generator websites to distribute malware like infostealers and backdoors, targeting users through malicious ads on social media. https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/
🔂 The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search privacy – Amid growing concerns over US tech giants, alternatives like Mullvad and Vivaldi for browsing, Qwant and Mojeek for searching, and ProtonMail for email offer privacy-focused options. https://www.wired.com/story/the-privacy-friendly-tech-to-replace-your-us-based-email-browser-and-search/
🥺 Iranian man pleads guilty in Robbinhood ransomware scheme cybercrime – An Iranian man pleaded guilty to charges related to the Robbinhood ransomware scheme, which caused over $19 million in damages to Baltimore and other U.S. cities; he faces up to 30 years in prison. https://cyberscoop.com/iranian-man-pleads-guilty-in-robbinhood-ransomware-scheme/
🦠 Crooks use a fake antivirus site to spread Venom RAT and a mix of malware security news – A fake Bitdefender site is distributing the Venom RAT, tricking users into downloading malware designed for password theft and remote access, targeting individuals for financial gain. https://securityaffairs.com/178366/malware/fake-antivirus-spreads-venom-rat.html
📅 Chinese hackers used Google Calendar to aid attacks on government entities security research – Google revealed that APT41, a China-backed hacker group, exploited Google Calendar for command and control in attacks on government entities, using malware dubbed TOUGHPROGRESS to blend in with legitimate activity. https://cyberscoop.com/google-calendar-apt-41-c2-winnti/
🔓 LexisNexis leaked social security numbers and other personal data of over 364,000 people data breach – LexisNexis reported a data breach exposing personal information of over 364,000 individuals, including Social Security numbers, after unauthorized access through a third-party software platform was discovered months later. https://www.theverge.com/news/675702/lexisnexis-data-broker-breach-social-security-numbers
🗺️ Oregon becomes second state to ban sale of precise geolocation data privacy – Oregon's legislature passed a law banning the sale of precise geolocation data, following Maryland's similar legislation, and strengthening protections for children's data privacy. https://therecord.media/oregon-passes-geolocation-kids-data-bill
🤏 Thousands of Asus routers are being hit with stealthy, persistent backdoors cybercrime – Thousands of Asus routers are infected with a persistent backdoor allowing unauthorized access via SSH, exploiting patched vulnerabilities, raising concerns of potential nation-state involvement in the ongoing campaign. https://arstechnica.com/security/2025/05/thousands-of-asus-routers-are-being-hit-with-stealthy-persistent-backdoors/
👙 Victoria's Secret hit by outages as it battles security incident security news – Victoria’s Secret is addressing a security incident causing website outages and disruptions to online orders, prompting precautionary measures including website takedown while in-store services remain operational. https://techcrunch.com/2025/05/28/victorias-secret-hit-by-outages-as-it-battles-security-incident/
📚 No One Knows How to Deal With 'Student-on-Student' AI CSAM security news – A Stanford report highlights the lack of preparedness among schools, parents, and law enforcement to handle cases of students using AI to create nonconsensual intimate imagery, emphasizing the normalization of such practices and the need for better training and reporting mechanisms. https://www.404media.co/no-one-knows-how-to-deal-with-student-on-student-ai-csam/
💸 US government sanctions tech company involved in cyber scams cybercrime – The U.S. government sanctioned Funnull for facilitating 'pig butchering' crypto scams, linked to $200 million in losses for victims. The company provided infrastructure for cybercriminals, including domain generation and web design templates. https://techcrunch.com/2025/05/29/us-government-sanctions-tech-company-involved-in-cyber-scams/
🏰 White House investigating how Trump's chief of staff's phone was hacked security news – The White House is investigating a hack involving chief of staff Susie Wiles' phone, where hackers accessed her contacts and impersonated her using AI to contact other officials. https://techcrunch.com/2025/05/30/white-house-investigating-how-trumps-chief-of-staffs-phone-was-hacked/
🌠 Ransomware kingpin “Stern” apparently IDed by German law enforcement cybercrime – German law enforcement has identified 'Stern,' the leader of the Trickbot ransomware group, linking him to significant cybercrime activities, including targeting hospitals and businesses. https://arstechnica.com/security/2025/05/german-police-say-theyve-identified-trickbot-ransomware-kingpin/
🔒 Chinese-Owned VPNs security news Comment: Don't really like the article, but the topic is essential. https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html
🪥 Unlikely household item proved husband was cheating privacy – Private investigator Paul Jones reveals how a smart toothbrush app exposed a husband's affair by tracking unusual brushing times, highlighting that digital clues can uncover infidelity beyond typical signs. https://www.mirror.co.uk/lifestyle/sex-relationships/relationships/im-private-investigator-unlikely-household-35256619
Some More, For the Curious
❄️ New Russia-affiliated actor Void Blizzard targets critical sectors for espionage security research – Void Blizzard, a new Russia-linked threat actor, targets NATO and Ukraine for espionage, using stolen credentials and spear phishing to access sensitive information across various sectors. https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
🐻 Dutch intelligence unmasks previously unknown Russian hacking group 'Laundry Bear' security news – Dutch intelligence reveals 'Laundry Bear,' a Russian hacking group targeting organizations for espionage, notably impacting the police and NATO-related entities, using automated, stealthy techniques. https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands
🔗 DragonForce operator chained SimpleHelp flaws to target an MSP and its customers security research – Sophos warns that DragonForce ransomware exploited three SimpleHelp vulnerabilities to target a managed service provider, gaining unauthorized access and enabling data theft. https://securityaffairs.com/178350/cyber-crime/dragonforce-operator-chained-simplehelp-flaws-to-target-an-msp.html
🚨 Pakistan Arrests 21 in ‘Heartsender’ Malware Service cybercrime – Pakistan arrested 21 individuals linked to the 'Heartsender' malware service, which facilitated cybercrime operations resulting in over $50 million in losses, primarily targeting business email compromise schemes. https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/
🐍 New PumaBot targets Linux IoT surveillance devices malware – PumaBot, a new Go-based botnet, targets Linux IoT devices using SSH brute-force attacks to steal credentials, spread malware, and mine cryptocurrency while employing stealthy evasion tactics. https://securityaffairs.com/178386/malware/pumabot-targets-linux-iot-devices.html
🤔 Questions mount as Ivanti tackles another round of zero-days vulnerability – Ivanti faces multiple attacks exploiting two zero-day vulnerabilities in its Endpoint Manager Mobile software, linked to the China-backed group UNC5221. https://cyberscoop.com/ivanti-epmm-defects-exploited/
🏞️ ConnectWise says nation-state attack targeted multiple ScreenConnect customers security news – ConnectWise is investigating a nation-state attack affecting a small number of its ScreenConnect customers, involving suspicious activity linked to sophisticated threat actors. https://therecord.media/connectwise-nation-state-attack-targeted-some-customers
⏳ Why Take9 Won’t Improve Cybersecurity security news – The Take9 campaign urging a nine-second pause before online actions is criticized for being unrealistic and ineffective, as it fails to address deeper issues in cybersecurity awareness and places undue blame on users for attacks. https://www.schneier.com/blog/archives/2025/05/why-take9-wont-improve-cybersecurity.html
⚠️ New Apache InLong Vulnerability (CVE-2025-27522) Exposes Systems to Remote Code Execution Risks vulnerability – A new vulnerability (CVE-2025-27522) in Apache InLong allows for remote code execution due to insecure deserialization of data during JDBC processing. Users are urged to upgrade to version 2.2.0 or apply the necessary patch. https://thecyberexpress.com/apache-inlong-cve-2025-27522/
🚨 Top counter antivirus service disrupted in global takedown security news – Law enforcement seized the AVCheck service, used by cybercriminals to test malware against antivirus tools, as part of a global crackdown on cybercrime, disrupting operations of malicious tool providers. https://cyberscoop.com/avcheck-global-takedown/
🦆 Two Linux flaws can lead to the disclosure of sensitive data vulnerability – Qualys warns of two vulnerabilities in Ubuntu's Apport and systemd-coredump that allow local attackers to access sensitive data from core dumps. https://securityaffairs.com/178464/hacking/two-linux-flaws-can-lead-to-the-disclosure-of-sensitive-data.html
🥽 Deep Dive into a Dumped Malware without a PE Header malware – The article details the analysis of malware without a PE header, revealing its capabilities for remote access, data exfiltration, and communication with a C2 server. https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header
⚠️ Researchers Drop PoC for Fortinet CVE-2025-32756, Urging Quick Patching vulnerability – A critical vulnerability (CVE-2025-32756) in Fortinet products allows unauthenticated remote code execution and is actively exploited. Researchers released a proof of concept, urging users to patch immediately. https://hackread.com/researchers-poc-fortinet-cve-2025-32756-quick-patch/
🖼️ SANS Internet Storm Center security news – The article discusses the use of steganography in SVG images, highlighting their advantages over bitmap formats for data hiding, while emphasizing the importance of encryption and potential risks from compression. https://isc.sans.edu/diary/rss/31978
🥃 FiberGateway GR241AG – Full Exploit Chain hacking write-up – The article details the discovery of vulnerabilities in the FiberGateway GR241AG router, allowing root access through physical and remote exploitation methods, impacting over 1.6 million households in Portugal. https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/
CISA Corner
🛡️ New Guidance for SIEM and SOAR Implementation security news – CISA and international partners released guidance for implementing SIEM and SOAR platforms, aiming to enhance cybersecurity through improved threat detection, incident response, and log prioritization. https://www.cisa.gov/news-events/alerts/2025/05/27/new-guidance-siem-and-soar-implementation
⚙️ CISA Releases One Industrial Control Systems Advisory vulnerability – CISA issued an advisory on the Johnson Controls iSTAR Configuration Utility tool, highlighting current security issues and vulnerabilities in Industrial Control Systems. Users are urged to review for mitigations. https://www.cisa.gov/news-events/alerts/2025/05/27/cisa-releases-one-industrial-control-systems-advisory
⚙️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA issued five advisories regarding security vulnerabilities in various Industrial Control Systems, urging users to review the advisories for technical details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2025/05/29/cisa-releases-five-industrial-control-systems-advisories
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee of correctness or completeness in any way.