Alright team, it's been a pretty active 24 hours in the cyber realm! We've got a few notable breaches, some clever new malware tactics, critical vulnerabilities from Cisco, and a stark reminder about password hygiene. Let's dive in:
Recent Cyber Attacks and Breaches â ïž
- Hyundai AutoEver America suffered a data breach, with attackers accessing personal information including names, Social Security Numbers, and driver's licenses. The intrusion, discovered on March 1st, had been ongoing since February 22nd.
- Japanese media giant Nikkei also disclosed a breach where malware on an employee's laptop led to stolen Slack credentials, exposing the personal details (names, emails, chat histories) of over 17,000 employees and partners. This highlights the growing risk of collaboration platforms as attack vectors.
- SonicWall confirmed that state-sponsored threat actors were behind their September cloud backup breach, accessing firewall configuration files via an API call. While initially downplayed, it's now clear all customers using the cloud backup service were affected, though SonicWall insists no product, firmware, or source code was impacted.
- Russia's Sandworm (APT44) has been deploying data-wiping malware (like ZeroLot and Sting) against Ukraine's critical grain sector, as well as government, energy, and logistics entities. This marks a strategic shift to target Ukraine's economy, with initial access sometimes facilitated by UAC-0099.
- The State of Nevada government successfully recovered from a ransomware attack in August without paying the ransom, incurring $259,000 in overtime costs and $1.3 million in vendor support. The initial compromise in May stemmed from an employee downloading a trojanised system administration tool via a malicious Google ad, leading to a hidden backdoor and eventual ransomware deployment after backups were deleted.
- An Italian communications executive, Francesco Nicodemo, revealed he was targeted with Paragon's Graphite spyware, making him the fifth known Italian victim in a scandal involving political targeting. WhatsApp had notified 90 individuals globally about evidence of similar targeting.
đ€ Bleeping Computer | https://www.bleepingcomputer.com/news/security/hyundai-autoever-america-data-breach-exposes-ssns-drivers-licenses/
đ”đŒ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/06/nikkeis_private_chats_go_public/
đ° The Hacker News | https://thehackernews.com/2025/11/sonicwall-confirms-state-sponsored.html
đ”đŒ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_crew/
đ€« CyberScoop | https://cyberscoop.com/sonicwall-customer-portal-nation-state-attack/
đ€ Bleeping Computer | https://www.bleepingcomputer.com/news/security/sandworm-hackers-use-data-wipers-to-disrupt-ukraines-grain-sector/
đïž The Record | https://therecord.media/russia-sandworm-grain-wipers
đ€ Bleeping Computer | https://www.bleepingcomputer.com/news/security/how-a-ransomware-gang-encrypted-nevada-governments-systems/
đïž The Record | https://therecord.media/nevada-declined-ransom-breach
đïž The Record | https://therecord.media/italy-comms-exec-spyware
New Threat Research on Malware and Techniques đĄïž
- The Gootloader malware operation has resurfaced after a seven-month hiatus, continuing its SEO poisoning campaigns to distribute malicious JavaScript files disguised as legal documents. New evasion tactics include using special web fonts to obfuscate filenames in HTML source and crafting malformed Zip archives that unpack differently for Windows Explorer versus analysis tools. It's now dropping the Supper SOCKS5 backdoor, linked to ransomware affiliates like Vanilla Tempest, known for rapid network compromise.
- The Russia-aligned threat actor Curly COMrades is using an innovative evasion technique: weaponising Windows Hyper-V to deploy hidden, lightweight Alpine Linux virtual machines. These VMs host custom reverse shells (CurlyShell) and reverse proxies (CurlCat), effectively isolating malware execution and bypassing host-based EDR detections.
- A new Russia-aligned cluster, InedibleOchotense (possibly a Sandworm sub-cluster), is conducting spear-phishing attacks against Ukrainian entities using trojanised ESET installers. These installers drop the Kalambur (SUMBUR) C# backdoor, which uses Tor for C2 and enables OpenSSH/RDP access. Separately, RomCom (Storm-0978) has been weaponising a WinRAR vulnerability (CVE-2025-8088) in Europe and Canada, deploying various backdoors.
đ€ Bleeping Computer | https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/
đ° The Hacker News | https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
đ° The Hacker News | https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html
Vulnerabilities and Active Exploitation đš
- Cisco has issued patches for two critical vulnerabilities in its Unified Contact Center Express (UCCX) software. CVE-2025-20354 (CVSS 9.8) is an RCE flaw in the Java RMI process, allowing unauthenticated attackers to execute arbitrary commands as root. CVE-2025-20358 (CVSS 9.4) is an authentication bypass, enabling unauthenticated attackers to run scripts as a non-root user. While not yet exploited in the wild, immediate patching (to 12.5 SU3 ES07 or 15.0 ES01) is strongly advised.
- Cisco also warned of a "new attack variant" targeting its ASA and FTD firewalls, exploiting previously patched flaws (CVE-2025-20333 and CVE-2025-20362). These attacks, ongoing for at least six months and linked to the government-backed ArcaneDoor threat crew (UAT4356), now cause devices to continually reload, leading to denial-of-service. Attackers have used zero-days, disabled logging, intercepted CLI commands, intentionally crashed devices, and even modified ROM Monitor for persistence.
đ€ Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-cisco-uccx-flaw-lets-hackers-run-commands-as-root/
đ”đŒ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/06/cisco_firewall_ongoing_attacks/
Threat Landscape Commentary đ
- A Comparitech report analysing over two billion leaked passwords in 2025 confirms that "123456", "admin", and "password" remain among the most common. A quarter of passwords were number-only, and 38% contained "123". This highlights persistent poor password hygiene, emphasising the need for longer passphrases or, ideally, biometric passkeys.
đ”đŒ The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/06/most_common_passwords/
Data Privacy and Regulatory Issues đ
- The EU Parliament's Civil Liberties Committee (LIBE) has voted to advance a controversial proposal expanding Europol's data sharing and biometric data collection capabilities. While aimed at combating human trafficking and migrant smuggling, privacy advocates warn it could facilitate mass surveillance and significant data privacy violations across Europe.
- In a decisive move against cybercrime, a Chinese court has sentenced five leaders of a Myanmar crime syndicate to death. The syndicate ran industrial-scale scamming compounds near the China-Myanmar border, defrauding over $4 billion and causing six deaths, highlighting Beijing's severe crackdown on cross-border cyber fraud.
đïž The Record | https://therecord.media/eu-parliament-committee-votes-europol-data-sharing-agreement
đïž The Record | https://therecord.media/china-sentences-5-myanmar-scam-kingpins-to-death
#CyberSecurity #ThreatIntelligence #DataBreach #Ransomware #Malware #APT #NationState #Vulnerabilities #Cisco #Gootloader #Sandworm #Europol #DataPrivacy #InfoSec #CyberAttack #IncidentResponse
CyberVeille.ch
Teddy / Domingo (đšđ”/đŹđ§)
Rene Robichaud
The New Oil
maniabel
SOC Goulash
The DefendOps Diaries
ANY.RUN