cyberlights – week 28/2025

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!


News For All

🍔 Would you like an IDOR with that? Leaking 64 million McDonald's job applications security research – Weak default credentials on the administrative side of McDonald's recruitment chatbot, combined with an API that handed out applicant records by guessable ID without checking who was asking (an insecure direct object reference), exposed personal data of roughly 64 million applicants. The issue was fixed promptly after disclosure. https://ian.sh/mcdonalds
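The kind of bug the title refers to, as an added illustration (example code written for this newsletter, not code from the write-up or from the recruitment platform it describes): an authenticated endpoint that returns any record by numeric ID, next to the same endpoint with an object-level authorisation check. The record store, IDs, names and session handling are constructed.

```python
"""Insecure direct object reference (IDOR), side by side with the fix.

Added example; it is not the code from the write-up linked above. The
record store, applicant names, IDs and session handling are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Application:
    app_id: int
    applicant: str          # the authenticated user who owns this record
    chat_transcript: str    # the sensitive data an attacker is after


class ApplicantApi:
    def __init__(self) -> None:
        self._apps: dict[int, Application] = {}
        # Constructed: sequential IDs mean that knowing your own ID tells you
        # everyone else's. Opaque IDs raise the bar but are not the fix.
        self._next_id = 64_000_000

    def submit(self, applicant: str, transcript: str) -> int:
        app_id = self._next_id
        self._next_id += 1
        self._apps[app_id] = Application(app_id, applicant, transcript)
        return app_id

    def get_application_vulnerable(self, session_user: Optional[str],
                                   app_id: int) -> Optional[Application]:
        """Authentication without authorisation: the classic IDOR.

        The caller must be logged in, but nothing ties app_id to the caller,
        so any account can read any other applicant's record.
        """
        if session_user is None:
            raise PermissionError("login required")
        return self._apps.get(app_id)

    def get_application_fixed(self, session_user: Optional[str],
                              app_id: int) -> Optional[Application]:
        """Object-level authorisation: look the record up *and* check ownership.

        'Not found' and 'not yours' collapse into the same answer so the
        endpoint does not become an oracle for which IDs exist.
        """
        if session_user is None:
            raise PermissionError("login required")
        app = self._apps.get(app_id)
        if app is None or app.applicant != session_user:
            return None
        return app


def walk_neighbouring_ids(reader: Callable[[Optional[str], int], Optional[Application]],
                          session_user: str, own_id: int, count: int) -> list[str]:
    """What an attacker does with a sequential ID: decrement from their own.

    Returns the applicant names the given reader leaks for the `count` IDs
    immediately below `own_id`.
    """
    leaked = []
    for candidate in range(own_id - 1, own_id - 1 - count, -1):
        record = reader(session_user, candidate)
        if record is not None:
            leaked.append(record.applicant)
    return leaked


def demo() -> tuple[list[str], list[str]]:
    """Same attacker, same IDs, both endpoints. Returns (vulnerable, fixed)."""
    api = ApplicantApi()
    api.submit("alice", "Alice's interview chat")        # constructed data
    api.submit("bob", "Bob's interview chat")
    mine = api.submit("mallory", "Mallory's own chat")
    via_vulnerable = walk_neighbouring_ids(api.get_application_vulnerable, "mallory", mine, 2)
    via_fixed = walk_neighbouring_ids(api.get_application_fixed, "mallory", mine, 2)
    return via_vulnerable, via_fixed


if __name__ == "__main__":
    print(demo())  # (['bob', 'alice'], [])
```

The fix is the ownership comparison, not hiding the ID: switching to random identifiers only slows enumeration down, while the check in get_application_fixed makes the ID useless to anyone but its owner regardless of how it was obtained.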

🕷️ Scattered Spider weaves web of social-engineered destruction cybercrime – Scattered Spider, a decentralized cybercrime group, exploits social engineering and phishing to target multiple industries, amassing over $66 million in extortion demands through clever tactics. https://cyberscoop.com/scattered-spider-social-engineering-cybercrime/

🤖 Unless users take action, Android will let Gemini access third-party apps privacy – Google's Gemini AI will soon access third-party apps like WhatsApp, overriding user settings. Users seeking to prevent this may struggle to find clear guidance on disabling or removing Gemini. https://arstechnica.com/security/2025/07/unless-users-take-action-android-will-let-gemini-access-third-party-apps/

💰 „Hallo Mama, das ist meine neue Nummer“ („Hi Mum, this is my new number“) – Ein Blick hinter die Kulissen des Evergreens (a look behind the scenes of an evergreen scam) cybercrime – Scammers pose as a family member with a "new number" who urgently needs money, using emotional pressure, typically on parents, to get funds transferred to accounts the scammers control. https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/

🎨 Browser hijacking campaign infects 2.3M Chrome, Edge users security news – A malicious Chrome and Edge extension disguised as a color picker has hijacked over 2.3 million users' browsers, tracking activities and capturing sensitive data through silent updates. https://www.theregister.com/2025/07/08/browser_hijacking_campaign/

⛑️ Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed, 17 High-Risk vulnerability – Microsoft's July Patch Tuesday fixed 130 vulnerabilities, including 17 high-risk ones, with a critical remote code execution flaw rated 9.8 affecting Windows 10 and above. https://thecyberexpress.com/microsoft-patch-tuesday-july-2025/

🏃 Yet Another Strava Privacy Leak data breach – Bruce Schneier points to yet another Strava leak: fitness-app activity data once again exposed locations and routines its users never meant to share, a recurring lesson in how consumer technology leaks sensitive information and why the public needs to engage with security matters. https://www.schneier.com/blog/archives/2025/07/yet-another-strava-privacy-leak.html

🎮 Activision pulls Call of Duty game after PC players are hacked security news – Activision has removed an outdated and insecure version of Call of Duty from the Microsoft Store after reports of hacking incidents affecting PC players. https://www.theverge.com/news/702255/call-of-duty-wwii-pc-game-pass-hacking-activision

🔒 AiLock ransomware: What you need to know cybercrime – AiLock is a ransomware-as-a-service that threatens victims with data leaks and regulatory notifications if ransoms aren't paid. Organizations are advised to enhance security measures to mitigate risks. https://www.fortra.com/blog/ailock-ransomware

💸 Fake CNN and BBC sites used to push investment scams security news – Cybercriminals are creating fake news websites mimicking CNN and BBC to promote fraudulent cryptocurrency investments, tricking users into sharing personal data and making deposits. https://therecord.media/news-websites-faked-to-spread-investment-scams

⚖️ German court rules Meta tracking technology violates European privacy laws privacy – A German court ruled that Meta must pay €5,000 to a user for violating GDPR by tracking data via pixels on third-party sites, potentially opening the door for extensive lawsuits. https://therecord.media/german-court-meta-tracking-tech

📱 Using Signal groups for activism privacy – Micah Lee walks through using Signal groups for activist organising: QR-code invite links, admin approval of new members and announcement-only groups, and how these features limit what an outsider, including law enforcement, can learn about the group and its members. https://micahflee.com/using-signal-groups-for-activism/

🚨 FinanzOnline – „Dringende Sicherheitswarnung wegen Anmeldeversuchs“ ist Phishing (FinanzOnline – "Urgent security warning due to a login attempt" is phishing) warning – Criminals are sending phishing emails that claim an unauthorised login attempt from an "unknown device" on the recipient's FinanzOnline account, using the fake security alert to harvest users' data. https://www.watchlist-internet.at/news/finanzonline-sicherheitswarnung-phishing/

👮 UK NCA arrested four people over M&S, Co-op cyberattacks cybercrime – The UK NCA arrested four individuals, including three teens, linked to cyberattacks on M&S and Co-op, which caused significant financial losses estimated between £270M and £440M. https://securityaffairs.com/179806/cyber-crime/uk-nca-arrested-four-people-over-ms-co-op-cyberattacks.html

🏀 Pro basketball player and 4 youths arrested in connection to ransomware crimes cybercrime – Two separate arrests: former pro basketball player Daniil Kasatkin was detained in France at the request of the US, accused of acting as a negotiator for a ransomware gang, while the UK NCA arrested four young people over the attacks on M&S and Co-op attributed to Scattered Spider. https://arstechnica.com/security/2025/07/pro-basketball-player-and-4-youths-arrested-in-connection-to-ransomware-crimes/

🚗 Researchers identify critical vulnerabilities in automotive Bluetooth systems vulnerability – Researchers disclosed four vulnerabilities, collectively named PerfektBlue, in the OpenSynergy BlueSDK Bluetooth stack used in vehicles from Mercedes-Benz, Volkswagen and Skoda; chained together they can give an attacker within Bluetooth range, with at most minimal user interaction, remote code execution on the infotainment unit. https://cyberscoop.com/perfektblue-bluetooth-vulnerabilties-bluesdk-software/

💰 Hacker returns cryptocurrency stolen from GMX exchange after $5 million bounty payment cybercrime – A hacker returned $42 million stolen from GMX exchange after receiving a $5 million bounty, with the company agreeing not to pursue legal action if the funds were returned. https://therecord.media/hacker-returns-stolen-gmx-bounty

🤖 AI therapy bots fuel delusions and give dangerous advice, Stanford study finds security research – A Stanford study reveals critical flaws in AI therapy bots like ChatGPT, highlighting their tendency to validate harmful beliefs and provide dangerous advice, particularly for users with mental health issues. https://arstechnica.com/ai/2025/07/ai-therapy-bots-fuel-delusions-and-give-dangerous-advice-stanford-study-finds/


Some More, For the Curious

🔍 Hiding Prompt Injections in Academic Papers security research – Preprints from several universities were found to contain hidden instructions (white text, tiny fonts) aimed at LLM-based reviewers, telling them to return only positive assessments: a prompt injection against automated peer review. https://www.schneier.com/blog/archives/2025/07/hiding-prompt-injections-in-academic-papers.html

💡 Researchers Jailbreak AI by Flooding It With Bullshit Jargon security research – A study reveals that AI chatbots can be manipulated into providing harmful information by using complex jargon and fake citations, a technique dubbed 'InfoFlood.' https://www.404media.co/researchers-jailbreak-ai-by-flooding-it-with-bullshit-jargon/

🛡️ Google Online Security Blog: Advancing Protection in Chrome on Android cyber defense – Chrome's Advanced Protection enhances security on Android by isolating websites and disabling JavaScript optimizers to reduce vulnerabilities, catering to users with varying risk profiles. http://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.html

🦠 Hackers weaponize Shellter red teaming tool to spread infostealers malware – Hackers exploit the leaked Shellter tool to package infostealer malware, evading detection and targeting users via phishing campaigns. Elastic Security Labs has developed a dynamic unpacker to counter this threat. https://securityaffairs.com/179745/malware/hackers-weaponize-shellter-red-teaming-tool-to-spread-infostealers.html

🚨 Critical CitrixBleed 2 vulnerability has been under active exploit for weeks vulnerability – A critical memory-disclosure vulnerability in Citrix NetScaler ADC and Gateway, dubbed CitrixBleed 2, lets attackers steal session tokens and so bypass MFA; it has been actively exploited for weeks despite Citrix stating it had no evidence of exploitation. Researchers criticise the sparse advisories, which leave defenders without indicators to hunt for. https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/

🔍 Uncovering Privilege Escalation Bugs in Lenovo Vantage — Atredis Partners vulnerability – Atredis Partners discovered multiple privilege escalation vulnerabilities in Lenovo Vantage, allowing attackers to exploit SQL injection and manifest manipulation for elevated access. Lenovo released patches on July 8. https://www.atredis.com/blog/2025/7/7/uncovering-privilege-escalation-bugs-in-lenovo-vantage

⚠️ Azure's Front Door WAF WTF: IP Restriction Bypass vulnerability – TrustedSec shows that an Azure Front Door WAF IP-restriction rule built on the RemoteAddr match variable evaluates an address taken from the client-supplied X-Forwarded-For header rather than the connecting socket, so an attacker can spoof an allow-listed IP and walk straight through the restriction. The post blames unclear documentation and misleading variable naming: SocketAddr is the variable that reflects the real peer. https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass
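To see why a header-derived client IP breaks an allow-list, here is an added example (written for this newsletter, not TrustedSec's code, and it does not talk to Azure). It generalises beyond Front Door to any proxy chain: the layer enforcing the restriction must evaluate an address it can vouch for (the connecting socket, or the hop appended by a proxy it controls), never the leftmost entry of a header the client wrote. The edge-proxy range, allow-list and addresses are constructed.

```python
"""Why an IP allow-list must not be keyed on a client-supplied header.

Added example; it is not TrustedSec's code and does not talk to Azure.
It contrasts two ways of deciding which address an IP-restriction rule
sees: the leftmost X-Forwarded-For entry (whoever sends the request picks
it) versus the rightmost hop that a proxy you control appended.
The edge proxy range, allow-list and addresses are constructed.
"""
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed: the only proxies whose X-Forwarded-For appends we believe.
TRUSTED_EDGE = ("10.1.0.0/24",)
# Constructed: the "office egress" range the rule is meant to admit.
ALLOW_LIST = ("198.51.100.0/24",)


def parse_xff(value: Optional[str]) -> list[str]:
    """Split X-Forwarded-For into its hops, left (oldest) to right (newest)."""
    if not value:
        return []
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def _in_any(addr: str, networks: Iterable[str]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in the header is never a match
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def client_ip_from_header(headers: Mapping[str, str], socket_addr: str) -> str:
    """The bypassable pattern: trust the leftmost X-Forwarded-For entry."""
    hops = parse_xff(headers.get("X-Forwarded-For"))
    return hops[0] if hops else socket_addr


def client_ip_from_trusted_hop(headers: Mapping[str, str], socket_addr: str,
                               trusted_proxies: Iterable[str] = TRUSTED_EDGE) -> str:
    """Walk X-Forwarded-For from the right, skipping proxies we trust.

    A trusted proxy appends the address it accepted the connection from, so
    the rightmost entry that is not one of our proxies is the real peer.
    Everything left of it was supplied by an untrusted party and is ignored.
    If the connection did not even arrive via a trusted proxy, the header is
    meaningless and the socket address is the client.
    """
    if not _in_any(socket_addr, trusted_proxies):
        return socket_addr
    for hop in reversed(parse_xff(headers.get("X-Forwarded-For"))):
        if not _in_any(hop, trusted_proxies):
            return hop
    return socket_addr


def allowed(ip: str, allow_list: Iterable[str] = ALLOW_LIST) -> bool:
    return _in_any(ip, allow_list)


def scenario() -> dict[str, tuple[bool, bool]]:
    """Three requests, each evaluated both ways -> (header_based, trusted_hop)."""
    edge = "10.1.0.5"            # constructed edge proxy that forwarded to us
    cases = {
        # Legitimate office user via the edge: the edge appended their IP.
        "office_via_edge": ({"X-Forwarded-For": "198.51.100.7"}, edge),
        # Attacker via the edge, spoofing an allowed IP; the edge appends the truth.
        "spoof_via_edge": ({"X-Forwarded-For": "198.51.100.7, 203.0.113.5"}, edge),
        # Attacker hitting the origin directly, no trusted proxy in the path.
        "spoof_direct": ({"X-Forwarded-For": "198.51.100.7"}, "203.0.113.5"),
    }
    return {
        name: (allowed(client_ip_from_header(h, sock)),
               allowed(client_ip_from_trusted_hop(h, sock)))
        for name, (h, sock) in cases.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in scenario().items():
        print(f"{name:16s} header-based={naive!s:5s} trusted-hop={strict}")
```

The header-based check admits all three requests, including both spoofed ones; the trusted-hop check admits only the genuine office client. The same test is worth running against any WAF or reverse proxy you rely on for IP restrictions: send a request from a non-allow-listed address with an allow-listed IP in X-Forwarded-For and see whether it gets through.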

🐛 CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems vulnerability – CVE-2025-48384 allows an arbitrary file write, escalatable to remote code execution, on Linux and macOS when git clone --recursive is run against a malicious repository. Patched Git versions were released on July 8, 2025. https://securitylabs.datadoghq.com/articles/git-arbitrary-file-write/

🍳 Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 hacking write-up – Synacktiv's research into the Thermomix TM5 shows how a tamperable nonce, a known AES key and an incomplete secure-boot implementation combine to allow firmware downgrades and, ultimately, arbitrary code execution on the device. https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-exploiting-the-thermomix-tm5.html

⚠️ Critical Vulnerability in FortiWeb warning – Fortinet has published an advisory for a critical vulnerability (CVE-2025-25257) in FortiWeb: a SQL injection reachable via crafted HTTP requests that can be escalated to unauthenticated code execution. Affected versions should be updated immediately. https://cert.europa.eu/publications/security-advisories/2025-024/

🚨 10/10 Wing FTP bug exploited within hours, cyber pros say security news – A critical remote code execution vulnerability in Wing FTP Server was exploited within hours of public disclosure, allowing attackers to execute Lua code. Users are urged to patch immediately. https://www.theregister.com/2025/07/11/1010_wing_ftp_bug_exploited/

📄 Export to PDF allows local file inclusion/path traversal in Microsoft 365 security research – A vulnerability in Microsoft 365's PDF conversion feature allowed local file inclusion through crafted HTML input, giving access to sensitive files on the converting server. The issue was reported to Microsoft and remediated, earning a $3,000 bounty. https://security.humanativaspa.it/export-to-pdf-allows-local-file-inclusion-path-traversal-in-microsoft-365/


CISA Corner

⚠️ CISA Adds Four Known Exploited Vulnerabilities to Catalog warning – CISA has added four vulnerabilities with evidence of active exploitation to its Known Exploited Vulnerabilities Catalog; federal agencies must remediate them by the listed due dates under BOD 22-01, and all other organizations are urged to do the same. https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added one more actively exploited vulnerability to the Known Exploited Vulnerabilities Catalog, urging all organizations to prioritize its remediation. https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

⚙️ CISA Releases One Industrial Control Systems Advisory vulnerability – CISA issued an advisory regarding vulnerabilities in Emerson ValveLink products, urging users to review it for technical details and mitigations. https://www.cisa.gov/news-events/alerts/2025/07/08/cisa-releases-one-industrial-control-systems-advisory

⚙️ CISA Releases Thirteen Industrial Control Systems Advisories vulnerability – CISA has released thirteen advisories covering vulnerabilities in Industrial Control Systems products from Siemens, Delta Electronics, Advantech, KUNBUS, End/Head-of-Train, ECOVACS and IDEC, urging users to review them for technical details and necessary mitigations. https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-releases-thirteen-industrial-control-systems-advisories


While my intention is to pick news that everyone should know about, it is still what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.


(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee for correctness or completeness in any way.