cyberlights – week 23/2025
A weekly shortlist of cyber security highlights. The short summaries are AI-generated! If something is wrong, please let me know!
News For All
😩 Teachers Are Not OK security news – Teachers express frustration over AI's impact on education, revealing challenges like grading AI-generated work, maintaining academic integrity, and witnessing students' declining critical thinking skills. https://www.404media.co/teachers-are-not-ok-ai-chatgpt/
🔒 Google fixed the second actively exploited Chrome zero vulnerability – Google patched three vulnerabilities in Chrome, including one actively exploited zero-day that allows attackers to trigger heap corruption via crafted HTML. Users should update to the latest version. https://securityaffairs.com/178560/hacking/google-fixed-the-second-actively-exploited-chrome-zero-day-since-the-start-of-the-year.html
🐊 Crocodilus malware adds fake entries to victims' contact lists in new scam campaign malware – Crocodilus, an evolving Android banking trojan, now inserts fake contacts to impersonate trusted sources, facilitating scams. It's spreading through malicious ads targeting financially stable users across multiple regions. https://therecord.media/crocodilus-android-malware-banking-fraud
❎ Twitter launches 'XChat' encrypted DMs with big caveats security news – Elon Musk's X platform introduces 'XChat' with encryption and file-sharing features, but experts doubt its security claims, citing potential lack of true end-to-end encryption and centralized data control. https://www.theregister.com/2025/06/03/xs_new_encrypted_xchat_feature/
🤬 Meta and Yandex are de-anonymizing Android users’ web browsing identifiers privacy – Meta and Yandex are using tracking code to de-anonymize Android users by exploiting browser protocols, allowing them to link web activity to app identities. Google is investigating these practices. https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
🧑‍🌾 How the Farm Industry Spied on Animal Rights Activists and Pushed the FBI to Treat Them as Bioterrorists security news – Internal documents reveal a collaboration between the agricultural industry and the FBI to surveil animal rights activists, branding them as bioterrorists while using corporate spies to infiltrate their groups. https://www.wired.com/story/fbi-wmdd-dxe-animal-agriculture-alliance/
💍 Cartier disclosed a data breach following a cyber attack data breach – Cartier reported a data breach that exposed limited customer information, including names and email addresses, following a cyberattack. The company is enhancing security and cooperating with authorities. https://securityaffairs.com/178601/data-breach/cartier-disclosed-a-data-breach-following-a-cyber-attack.html
💼 Google warns of cybercriminals targeting Salesforce app to steal data, extort companies cybercrime – Cybercriminals, known as UNC6040, are exploiting Salesforce's Data Loader tool to steal sensitive data and extort companies. The group uses vishing tactics to trick employees into granting access. https://therecord.media/google-warns-cybercriminals-targeting-salesforce-apps
🔍 Apple Gave Governments Data on Thousands of Push Notifications privacy – Apple disclosed that it provided governments with data on thousands of push notifications, revealing device identities and sometimes unencrypted content, highlighting the extent of governmental data requests. https://www.404media.co/apple-gave-governments-data-on-thousands-of-push-notifications/
💻 Feds seize 145 domains associated with BidenCash cybercrime platform cybercrime – U.S. authorities seized 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime marketplace that trafficked over 15 million stolen credit card numbers, generating $17 million in illicit revenue. https://cyberscoop.com/bidencash-marketplace-domains-seized/
🎸 Musikhaus Thomann: Kriminelle locken in Fake warning – The official Thomann online store is only accessible at thomann.de, with country-specific versions available at respective domains. Any other addresses are fake sites attempting to deceive users. https://www.watchlist-internet.at/news/musikhaus-thomann-fake-shops/
💰 DOJ seizes $7.7M from crypto funds linked to North Korea’s IT worker scheme security news – Federal authorities seized $7.74 million linked to North Korean IT workers illegally employed abroad, funneling wages to the regime. The operation exploits remote contracting and cryptocurrency to evade U.S. sanctions. https://cyberscoop.com/doj-seizure-crypto-north-korea-it-workers/
🚫 OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation cybercrime – OpenAI banned accounts using ChatGPT for illicit activities, including malware refinement, social media disinformation, and employment scams tied to North Korea. The operations exploited ChatGPT for various cybercriminal purposes. https://therecord.media/openai-takes-down-chatgpt-accounts-hacking
💔 Marks & Spencer's ransomware nightmare – more details emerge cybercrime – Marks & Spencer suffered a severe ransomware attack, disrupting operations and leading to £40 million in lost sales weekly. The DragonForce group claimed responsibility, stealing customer data and highlighting M&S's cybersecurity vulnerabilities. https://www.bitdefender.com/en-us/blog/hotforsecurity/marks-spencers-ransomware-nightmare-more-details-emerge
🦠 Millions of low-cost Android devices turn home networks into crime platforms cybercrime – The FBI warns that millions of low-cost Android devices are infected with BadBox malware, turning home networks into crime platforms. Users are urged to evaluate and potentially replace suspicious devices. https://arstechnica.com/security/2025/06/millions-of-low-cost-android-devices-turn-home-networks-into-crime-platforms/
🧑‍⚖️ Italian lawmakers say Italy used spyware to target phones of immigration activists, but not against journalist privacy – An Italian parliamentary committee confirmed the government used Paragon spyware to target immigration activists but found no evidence against journalist Francesco Cancellato. The investigation raises questions about who targeted him and the use of spyware in Italy. https://techcrunch.com/2025/06/06/italian-lawmakers-say-italy-used-spyware-to-target-phones-of-immigration-activists-but-not-against-journalist/
😨 Ransomware scum leak patient data after disrupting services cybercrime – Kettering Health faces potential patient data leaks following a ransomware attack by Interlock, which disrupted services and canceled appointments. The leaked data reportedly includes sensitive information, though verification is pending. https://www.theregister.com/2025/06/04/ransomware_scum_leak_kettering_patient_data/
Some More, For the Curious
🛠️ Experts published a detailed analysis of Cisco IOS XE WLC flaw CVE vulnerability – A critical vulnerability in Cisco IOS XE WLC could allow remote attackers to upload files and execute commands. Users should disable the affected feature until a fix is applied. https://securityaffairs.com/178497/security/cisco-ios-xe-wlc-flaw-cve-2025-20188.html
💰 Illicit crypto-miners pouncing on insecure DevOps tools cybercrime – A campaign by attackers named JINX-0132 exploits misconfigured DevOps tools like HashiCorp Nomad, Consul, Docker API, and Gitea, risking theft of cloud resources for cryptocurrency mining. https://www.theregister.com/2025/06/03/illicit_miners_hashicorp_tools/
🐳 How to find container-based threats in host-based logs security research – Containers pose security risks despite their isolation, as they share the host kernel. This article outlines methods for threat hunters to analyze host logs to identify container-based threats. https://securelist.com/host-based-logs-container-based-threats/116643/
❤️‍🔥 The strange tale of ischhfd83: When cybercriminals eat their own security research – Sophos X-Ops uncovered a scheme where the Sakura RAT, designed to target cybercriminals, was itself backdoored, revealing a network of malicious repositories aimed at unsuspecting users, particularly gamers and novice hackers. https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own/
⚠️ HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade vulnerability – HPE disclosed eight vulnerabilities in StoreOnce, with CVE-2025-37093 being critical due to authentication bypass. Users are urged to upgrade to version 4.3.11 immediately to mitigate risks. https://thecyberexpress.com/cve-2025-37093-hits-hpe-storeonce-systems/
🗨️ The Texting Network for the End of the World security news – This article highlights key topics on online privacy protection, the Matter smart home standard, deepfake scams, Google searches in criminal cases, and updates from Google's I/O 2025 conference. https://www.wired.com/story/youre-not-ready-for-phone-dead-zones/
🔒 Critical flaw in Cisco ISE impacts cloud deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure vulnerability – Cisco fixed a critical vulnerability (CVE-2025-20286) in its Identity Services Engine, allowing unauthenticated attackers to exploit shared credentials across cloud deployments on AWS, Azure, and OCI. Administrators are urged to implement mitigations. https://securityaffairs.com/178659/uncategorized/critical-flaw-in-cisco-ise-impacts-cloud-deployments-on-aws-microsoft-azure-and-oracle-cloud-infrastructure.html
💻 Attackers exploit Fortinet flaws to deploy Qilin ransomware security news – Qilin ransomware is exploiting Fortinet vulnerabilities, including CVE-2024-21762 and CVE-2024-55591, to gain remote code execution and target organizations, particularly in Spanish-speaking countries. The group uses double extortion tactics. https://securityaffairs.com/178736/hacking/attackers-exploit-fortinet-flaws-to-deploy-qilin-ransomware.html
⚙️ RCEs and more in the KUNBUS GmbH Revolution Pi PLC vulnerability – Four new vulnerabilities in KUNBUS GmbH's Revolution Pi PLC were discovered, two allowing unauthenticated remote code execution. Users are advised to implement mitigations and upgrade firmware to enhance security. Comment: my former colleagues should take a look at this ;) https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-gmbh-revolution-pi-plc/
💳 Root Shell on Credit Card Terminal hacking write-up – The article details a security research project on the Worldline Yomani XR payment card terminal, revealing vulnerabilities, tamper protections, and an exposed root shell. The findings highlight significant security concerns in embedded systems. https://stefan-gloor.ch/yomani-hack
🎮 Blitz Malware: A Tale of Game Cheats and Code Repositories malware – Blitz malware, discovered in 2024, exploits backdoored game cheats for distribution and utilizes Hugging Face for command and control infrastructure. The malware operates in two stages: a downloader and a bot payload, with functions including keylogging and cryptocurrency mining. https://unit42.paloaltonetworks.com/blitz-malware-2025/
😱 Camera and Microphone Spying Using Chromium Browsers security research – A dangerous Chromium command allows websites to access cameras and microphones without user consent, enabling continuous recording without any visible indication. https://mrd0x.com/spying-with-chromium-browsers-camera/
CISA Corner
⚠️ CISA Adds Five Known Exploited Vulnerabilities to Catalog warning – CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting serious risks to federal networks and urging timely remediation for all organizations. https://www.cisa.gov/news-events/alerts/2025/06/02/cisa-adds-five-known-exploited-vulnerabilities-catalog
⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog warning – CISA has added three Qualcomm vulnerabilities to its Known Exploited Vulnerabilities Catalog, emphasizing their significant risk to federal networks and urging timely remediation. https://www.cisa.gov/news-events/alerts/2025/06/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA added CVE-2025-5419, a critical out-of-bounds vulnerability in Google Chromium's V8, to its Known Exploited Vulnerabilities Catalog, urging organizations to prioritize remediation to mitigate risks. https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-adds-one-known-exploited-vulnerability-catalog
⚙️ CISA Releases Three Industrial Control Systems Advisories vulnerability – CISA has issued three advisories addressing vulnerabilities in Schneider Electric and Mitsubishi Electric ICS products. Users are urged to review the advisories for security measures and technical details. https://www.cisa.gov/news-events/alerts/2025/06/03/cisa-releases-three-industrial-control-systems-advisories
⚙️ CISA Releases Seven Industrial Control Systems Advisories vulnerability – CISA has issued seven advisories detailing vulnerabilities and security issues in various Industrial Control Systems, urging users to review for necessary updates and mitigations. https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-releases-seven-industrial-control-systems-advisories
🛡️ Updated Guidance on Play Ransomware security news – CISA, FBI, and ASD's ACSC released updated guidance on Play ransomware, detailing new tactics and IOCs. They recommend multifactor authentication, offline backups, and software updates for mitigation. https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ransomware
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correctness or completeness in any way.