
BagheeraAltered's CyberSecurity Newsletter

April 7, 2025

CyberSecurity Newsletter 7th April, 2025

In this week’s news: Oracle confirms a data breach; a hacker breached the GitLab repositories of Europcar; Royal Mail is investigating claims of a significant data breach; nearly 50 online merchants were compromised by a web skimmer that abuses Stripe's legacy API; a Chinese state threat actor is actively exploiting a critical Ivanti vulnerability; a malicious PyPI package named 'disgrasya' abuses legitimate WooCommerce stores to validate stolen credit cards; the Port of Seattle is notifying 90,000 people of a data breach; and a vulnerability in the WinRAR file archiver could be exploited to bypass the Mark of the Web.



Oracle has confirmed a data breach and started informing customers, while downplaying the impact of the incident. A threat actor using the moniker ‘rose87168’ claimed to possess millions of data lines tied to over 140,000 Oracle Cloud tenants, including encrypted credentials.
https://securityaffairs.com/176278/data-breach/oracle-privately-notifies-cloud-data-breach-to-customers.html

A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 customers. The actor tried to extort the company by threatening to publish 37GB of data that includes backups and details about the company’s cloud infrastructure and internal applications.
https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers/

Royal Mail is investigating claims of a significant data breach after a threat actor leaked over 144GB of data allegedly stolen from its systems. The incident involves Spectos GmbH, a third-party data analytics provider. A threat actor using the handle “GHNA” on BreachForums released 16,549 files, which allegedly contain Royal Mail customers’ personally identifiable information (PII), including names, addresses, planned delivery dates, and more.
https://dailysecurityreview.com/security-spotlight/royal-mail-data-breach-no-operational-impact-reported/

Nearly 50 online merchants have already been compromised in intrusions that exploit Stripe's legacy application programming interface "api.stripe[.]com/v1/sources" to validate stolen payment data, as part of an advanced web skimmer campaign that has been underway since August.
https://www.scworld.com/brief/ongoing-web-skimmer-campaign-taps-deprecated-stripe-api

A Chinese state threat actor is actively exploiting a newly disclosed critical Ivanti vulnerability, according to Mandiant researchers. The suspected espionage actor has been targeting CVE-2025-22457, a buffer overflow vulnerability that can allow attackers to achieve remote code execution. The researchers have also observed the group, tracked as UNC5221, deploying two newly identified malware families following successful exploitation.
https://www.infosecurity-magazine.com/news/chinese-state-hackers-ivanti-flaw/

Microsoft-owned code hosting platform GitHub announced that it found 39 million secrets leaked in 2024 and launched new tools to help developers and organizations secure sensitive data in code.
https://securityaffairs.com/176170/security/39m-secrets-exposed-github-rolls-out-new-security-tools.html

President Donald Trump this week fired Air Force Gen. Timothy Haugh, who served as the head of U.S. Cyber Command and the National Security Agency. Gen. Haugh was fired just over a year into a typical three-year term. Intelligence experts warn that the decision could significantly impact national security. Trump also fired Haugh’s deputy, Wendy Noble. Army Lt. Gen. William Hartman, Cyber Command’s deputy, will serve as acting head of both Cyber Command and NSA.
https://securityaffairs.com/176196/intelligence/president-trump-fired-the-head-of-u-s-cyber-command-and-nsa.html

A newly discovered malicious PyPI package named 'disgrasya', which abuses legitimate WooCommerce stores to validate stolen credit cards, has been downloaded over 34,000 times from the open-source package platform. The script specifically targeted WooCommerce stores using the CyberSource payment gateway to validate cards, a key step for carding actors who need to evaluate thousands of stolen cards from dark web dumps and leaked databases to determine their value and potential for exploitation.
https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/

A large-scale phishing campaign dubbed 'PoisonSeed' compromises corporate email marketing accounts to distribute emails containing crypto seed phrases used to drain cryptocurrency wallets. According to SilentPush, the campaign targets Coinbase and Ledger using compromised accounts at Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.
https://www.bleepingcomputer.com/news/security/poisonseed-phishing-campaign-behind-emails-with-wallet-seed-phrases/

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader.
https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html

Port of Seattle is notifying 90,000 people of a data breach after personal data was stolen in a ransomware attack in August 2024.
https://securityaffairs.com/176205/data-breach/port-of-seattle-august-data-breach-impacted-90000-people.html

An amateur hacker’s operational security error enabled researchers to uncover more details about a cybercrime operation utilizing the Proton66 bulletproof hosting service, DomainTools reported Thursday. The threat actor known as “Coquettte” was uncovered by DomainTools while investigating domains hosted by Proton66.
https://www.scworld.com/news/hackers-opsec-lapse-reveals-hub-for-amateur-cybercriminals

A massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members’ accounts. The Association of Superannuation Funds of Australia (ASFA), Australia's advocacy body for the superannuation industry, said today that "a number of members were affected" even though the "majority of the attempts were repelled."
https://www.bleepingcomputer.com/news/security/australian-pension-funds-hit-by-wave-of-credential-stuffing-attacks/

A now-patched flaw in Verizon’s iOS Call Filter app exposed the call records of millions of users; only phone numbers and timestamps were at risk, and no abuse has been found. Verizon’s Call Filter app allows users to identify and manage unwanted calls, such as spam and robocalls. It offers features like spam detection, automatic blocking of high-risk spam calls, and the ability to report unwanted numbers.
https://securityaffairs.com/176217/hacking/verizon-s-ios-call-filter-app-flaw.html

The HellCat ransomware group has once again demonstrated their relentless focus on exploiting Jira credentials stolen through infostealer malware, targeting four new organizations: HighWire Press, Asseco, Racami, and LeoVegas Group.
https://www.infostealers.com/article/hellcat-ransomware-group-strikes-again-four-new-victims-breached-via-jira-credentials-from-infostealer-logs/

Coinbase is fixing a misleading account activity message that has caused confusion and anxiety by making users think their credentials were compromised. Over the past couple of weeks, numerous people have contacted BleepingComputer, concerned that Coinbase has a serious security issue. After receiving Coinbase phishing emails or texts, they logged into their accounts and checked the activity log, finding numerous entries stating "second_factor_failure" or "2-step verification failed" with login attempts from unusual locations.
https://www.bleepingcomputer.com/news/security/coinbase-to-fix-2fa-account-activity-entry-freaking-out-users/

A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine. The security issue is tracked as CVE-2025-31334 and affects all WinRAR versions except the most recent release, which is currently 7.11.
https://www.bleepingcomputer.com/news/security/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts/

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming cybercriminal, who, about 10 years ago, fled his hometown in Kharkov, Ukraine, to a new place somewhere near the Romanian coast.
https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html

A massive malvertising attack is striking adult content portals, including top porn domain xHamster.com which has close to half a billion monthly visitors. The malicious advertisement was being served by TrafficHaus (it has since been removed), and was for a dating application called “Sex Messenger.”
https://www.infosecurity-magazine.com/news/porn-site-xhamster-hit-by/

A researcher used ChatGPT-4o to create a replica of his passport in just five minutes, realistic enough to deceive most automated KYC systems.
https://securityaffairs.com/176224/security/chatgpt-4o-to-create-a-replica-of-his-passport-in-just-five-minutes.html

OpenAI is reportedly testing a new "watermark" for the Image Generation model, which is a part of the ChatGPT 4o model. This is an interesting move, and it's likely because more and more users are generating Studio Ghibli artwork using the ImageGen model.
https://www.bleepingcomputer.com/news/artificial-intelligence/openai-tests-watermarking-for-chatgpt-4o-image-generation-model/
