
BagheeraAltered's CyberSecurity Newsletter

June 2, 2025

CyberSecurity Newsletter June 2nd, 2025

In this week's news: five major U.S. banking and financial industry groups petitioned the SEC to rescind its cybersecurity incident disclosure rule; the U.S. Department of the Treasury sanctioned a Philippines-based company; a new Rust-based infostealer dubbed EDDIESTEALER; a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188; ConnectWise reported on May 28 that an undisclosed nation-state actor has affected "a very small number" of its ScreenConnect customers; corrupted headers conceal a novel Windows RAT; malicious code attacks on IBM Db2 and Tivoli Monitoring are possible; a rise in a Chinese-language Phishing-as-a-Service (PhaaS) known as Haozi; an international law enforcement operation has taken down AVCheck; and a security researcher has discovered an unprotected database containing more than 184 million login credentials.


In a coordinated move, five major U.S. banking and financial industry groups, led by the American Bankers Association (ABA), have petitioned the Securities and Exchange Commission (SEC) to rescind its cybersecurity incident disclosure rule. This rule, adopted in July 2023, mandates that public companies disclose material cybersecurity incidents, such as data breaches or hacks, within four business days of determining their materiality.
https://peakd.com/hive-167922/@justmythoughts/banking-groups-ask-sec-to

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Philippines-based company Funnull Technology Inc. and its admin Liu Lizhi for enabling romance scams, causing $200M in U.S. victim losses. A romance scam is a type of online fraud where a scammer pretends to build a romantic relationship with someone to gain their trust and ultimately exploit them, often for financial gain.
https://securityaffairs.com/178450/cyber-crime/us-treasury-sanctioned-the-firm-funnull-technology.html

Meta announced the disruption of three influence operations from Iran, China, and Romania using fake accounts to spread propaganda and manipulate discourse on Facebook, Instagram, and more. The social media giant pointed out that it had removed covert influence campaigns early, preventing them from gaining real audiences on its platforms.
https://securityaffairs.com/178456/social-networks/meta-stopped-covert-operations-from-iran-china-romania.html

A new Rust-based infostealer dubbed EDDIESTEALER is being spread via the popular ClickFix social engineering technique, which uses fake CAPTCHAs to fool users, Elastic Security Labs reported Thursday.
https://www.scworld.com/news/clickfix-used-to-spread-novel-rust-based-infostealer

A multinational law enforcement operation has resulted in the takedown of an online cybercrime syndicate that offered services to threat actors to ensure that their malicious software stayed undetected from security software.
https://thehackernews.com/2025/05/us-doj-seizes-4-domains-supporting.html

Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. The write-up by Horizon3 researchers does not contain a 'ready-to-run' proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces.
https://www.bleepingcomputer.com/news/security/exploit-details-for-max-severity-cisco-ios-xe-flaw-now-public/

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html

Remote monitoring and management (RMM) software provider ConnectWise on May 28 reported that an undisclosed nation-state actor has affected “a very small number” of its ScreenConnect customers. The company, which reportedly has 45,000 managed service provider (MSP) customers, launched an investigation with Google Mandiant in response. The firm said it has contacted all affected customers and was coordinating with law enforcement.
https://www.scworld.com/news/cyberattack-on-connectwise-believed-to-be-nation-state-threat-actor

Attacks by the Southeast Asian hacking group UTG-Q-015 have been continuously advancing since March, when it initially deployed widespread brute-force intrusions that sought to compromise government and enterprise web servers, according to GBHackers News.
https://www.scworld.com/brief/evolving-attacks-by-the-utg-q-015-hacking-operation-detailed

Corrupted headers conceal novel Windows RAT. A new Windows remote access trojan evaded identification and analysis for weeks by corrupting its own Disk Operating System (DOS) and Portable Executable (PE) headers, the very structures that would otherwise provide insight into the executable, according to The Hacker News.
https://www.scworld.com/brief/corrupted-headers-conceal-novel-windows-rat

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”
https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/

Lingerie giant Victoria’s Secret shut down its US website and some in-store services for three days due to an unspecified security incident. Customers attempting to access the Victoria’s Secret website were met with a message explaining the service disruption.
https://hackread.com/victorias-secret-website-down-security-incident/

The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev. "The subject is suspected of having been the founder of the 'Trickbot' group, also known as 'Wizard Spider,'" BKA said last week [English PDF], after another round of seizures and charges as part of Operation Endgame, a joint global law enforcement action targeting malware infrastructure and the threat actors behind it.
https://www.bleepingcomputer.com/news/security/germany-doxxes-conti-ransomware-and-trickbot-ring-leader/

Malicious code attacks on IBM Db2 and Tivoli Monitoring possible. IBM's database management system Db2 and its IT management software Tivoli Monitoring are vulnerable; in the worst case, malicious code can be run on affected systems.
https://www.heise.de/en/news/Malicious-code-attacks-on-IBM-Db2-and-Tivoli-Monitoring-possible-10420548.html

A new report from cybersecurity firm Netcraft reveals a rise in a Chinese-language Phishing-as-a-Service (PhaaS) known as Haozi. This service makes it incredibly easy for criminals, even those without technical skills, to launch sophisticated phishing attacks. Rob Duncan, a security researcher at Netcraft, discovered this surge over the past five months.
https://hackread.com/chinese-phishing-service-haozi-criminal-profits/

The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.
https://hackread.com/new-malware-corrupts-its-headers-block-analysis/
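As an added illustration of the header-corruption technique described above (this is not code from FortiGuard or the article): a small Python triage check that reports which DOS/PE header fields of a recovered sample are structurally invalid, run here against constructed header bytes rather than a real sample.

```python
import struct

EXPECTED_MACHINES = {0x14C, 0x8664, 0xAA64}  # i386, AMD64, ARM64
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002

def check_pe_headers(data: bytes) -> list:
    """Return a list of header problems; an empty list means the headers look intact."""
    findings = []
    if len(data) < 64:
        return ["file shorter than DOS header"]
    if data[:2] != b"MZ":
        findings.append("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    # PE signature (4) + COFF file header (20) must fit inside the file
    if e_lfanew == 0 or e_lfanew + 24 > len(data):
        findings.append(f"e_lfanew out of range ({e_lfanew:#x})")
        return findings
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append("missing PE signature at e_lfanew")
        return findings
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in EXPECTED_MACHINES:
        findings.append(f"unexpected Machine {machine:#x}")
    if nsec == 0 or nsec > 96:
        findings.append(f"implausible NumberOfSections {nsec}")
    if opt_size < 2 or e_lfanew + 26 > len(data):
        findings.append("optional header missing or truncated")
    elif struct.unpack_from("<H", data, e_lfanew + 24)[0] not in (0x10B, 0x20B):
        findings.append("optional header Magic is neither PE32 nor PE32+")
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE flag not set")
    return findings

def build_headers(corrupt: str = "none") -> bytes:
    """Constructed sample: minimal DOS + PE headers only, not a real executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    blob = bytes(dos) + b"PE\0\0" + coff + b"\x0b\x02" + bytes(238)  # Magic 0x20b
    if corrupt == "dos":   # wipe the whole DOS header, including e_lfanew
        return b"\x00" * 64 + blob[64:]
    if corrupt == "pe":    # wipe only the PE signature
        return blob[:64] + b"\x00" * 4 + blob[68:]
    return blob
```

A sample that fails these checks cannot be parsed by ordinary PE tooling, which is exactly the analysis-blocking effect the article describes; carving the headers from a memory image of the running process is then the usual recovery route.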

China’s quantum satellite could potentially be hacked due to tiny delays between its onboard lasers that could be exploited by eavesdroppers in an attack, a former Russia-based quantum researcher who is now working in Singapore has warned.
https://www.scmp.com/news/china/science/article/3312399/chinas-quantum-satellite-can-be-hacked-singapore-based-scientist-warns

The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023.
https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html

Cybercriminals camouflaging threats as AI tool installers. Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly discovered malware Talos calls "Numero," all of which masquerade as legitimate AI tool installers.
https://blog.talosintelligence.com/fake-ai-tool-installers/

A new malware campaign is distributing a new information-stealing software based on Rust called EDDIESTEALER, utilizing the ClickFix social engineering tactic through fake CAPTCHA verification pages. This campaign tricks users into running a malicious PowerShell script, thereby deploying the info-stealer which harvests sensitive data.
https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html

A 27-year-old junior defence contractor has been arrested for allegedly leaking restricted information on Indian Navy warships and submarines to suspected Pakistani intelligence agents, Maharashtra’s Anti-Terrorism Squad (ATS) said in a statement issued late Saturday.
https://databreaches.net/2025/06/01/junior-defence-contractor-arrested-for-leaking-indian-naval-secrets-to-suspected-pakistani-spies/

A troubling new online threat is emerging in which criminals hijack subdomains of major organizations, such as Bose, Panasonic, and even the US CDC (Centers for Disease Control and Prevention), to spread malware and perpetrate online scams.
https://www.techradar.com/pro/security/criminals-hijacking-subdomains-of-popular-websites-such-as-bose-or-panasonic-to-infect-victims-with-malware-heres-how-to-stay-safe

On May 6, WhatsApp scored a major victory against NSO Group when a jury ordered the infamous spyware maker to pay more than $167 million in damages to the Meta-owned company. The ruling concluded a legal battle spanning more than five years, which started in October 2019 when WhatsApp accused NSO Group of hacking more than 1,400 of its users by taking advantage of a vulnerability in the chat app’s audio-calling functionality.
https://techcrunch.com/2025/05/30/eight-things-we-learned-from-whatsapp-vs-nso-group-spyware-lawsuit/

Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via the File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.
https://www.oasis.security/blog/onedrive-file-picker-security-flaw-oasis-research

A security researcher has discovered an unprotected database containing more than 184 million login credentials, likely collected by infostealer malware. Such databases are exposed far more often than they should be. Some companies leave them open by mistake, but this one is very different. The exposed data consisted of more than 184 million unique login and password combinations, totaling approximately 47 GB of raw, unencrypted information.
https://www.bitdefender.com/en-us/blog/hotforsecurity/database-184-million-credentials-online

GreyNoise has identified an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to thousands of ASUS routers exposed to the internet. This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet.
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers

An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. The service's official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).
https://www.bleepingcomputer.com/news/security/police-takes-down-avcheck-antivirus-site-used-by-cybercriminals/

Serviceaide, an enterprise management solutions provider, has experienced a data leak. This leak has affected the personal and medical information of nearly 500,000 Catholic Health patients.
https://www.securitymagazine.com/articles/101659-serviceaide-data-leak-impacts-nearly-500-000-catholic-health-patients

Critical Privilege Escalation Vulnerability Patched in Eventin Plugin. The Eventin plugin, which has over 10k active installations, is a popular event management plugin for WordPress.
https://patchstack.com/articles/critical-privilege-escalation-vulnerability-patched-in-eventin-plugin/

Qualys warns of two information disclosure flaws in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora distros.
https://securityaffairs.com/178464/hacking/two-linux-flaws-can-lead-to-the-disclosure-of-sensitive-data.html

Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild. The flaws, tracked as CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0 respectively), are an API method invocation flaw and a remote code execution (RCE) flaw via template engine abuse.
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-flaw-in-vbulletin-forum-software/