Infosec News
-
GhostSpy Android RAT: Stealthy Remote Control Malware
A newly surfaced Android RAT dubbed GhostSpy is making waves in the wild. It uses Accessibility abuse, UI automation, and overlay techniques to gain full device control — logging keystrokes, stealing 2FA codes, bypassing secure banking app protections, and maintaining persistence through anti-uninstall overlays.
High level overview:
- Installs silently via dropper APK using update.apk
- Bypasses permissions with automated UI taps
- Screenshares even protected apps via UI reconstruction
- Intercepts 2FA codes from Google/Microsoft Authenticator
- Remotely wipes device via Device Admin API
- Uses fake full-screen uninstall warnings
- Real-time audio/video surveillance, SMS exfiltration
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
Unimed Data Breach Exposes 14 Million Patient-Doctor Communications
Unimed, Brazil's largest healthcare cooperative, inadvertently exposed over 14 million patient-doctor messages through an unsecured Apache Kafka instance. The breach included sensitive data such as names, phone numbers, email addresses, Unimed card numbers, uploaded images, documents, and real-time chat logs from both human doctors and Unimed's AI chatbot, "Sara".
Cybernews researchers discovered the misconfigured Kafka broker on March 24, 2025, and notified Unimed on March 31. The exposed instance was secured by April 7. Unimed stated on May 29 that the incident was isolated, promptly resolved, and that there is no evidence, so far, of any leakage of sensitive data from clients, cooperative physicians, or healthcare professionals. An in-depth investigation remains ongoing.
Sources:
-
ViciousTrap: Persistent SSH Backdoors Found in 9,000+ ASUS Routers
A sophisticated cyberattack campaign, dubbed ViciousTrap, has compromised over 9,000 ASUS routers, establishing persistent SSH backdoors that survive reboots and firmware updates.
Discovered by GreyNoise in March 2025, the attackers exploit a command injection vulnerability (CVE-2023-39780) and authentication bypass techniques to gain access. They then enable SSH on port 53282 and insert their own public keys into the routers' NVRAM, ensuring persistence even after firmware upgrades.
The attack is stealthy, involving no malware installation and disabling router logging to avoid detection. The compromised routers are believed to be part of a larger operational relay box (ORB) network, potentially laying the groundwork for future botnet activities.
Indicators of Compromise (IOCs):
- SSH enabled on TCP port 53282
- Presence of unauthorized SSH public keys
- Known malicious IP addresses:
- 101.99.91.151
- 101.99.94.173
- 79.141.163.179
- 111.90.146.237
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, FedoraTwo information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
CVE-2025-5054 (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces CVE-2025-4598 (CVSS score: 4.7) - A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original processSource: https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html?m=1&s=09
-
FBI: Over 900 Organizations Hit by Play Ransomware, SimpleHelp Exploits and ESXi Variants Used
The Play ransomware group, also known as Playcrypt, has compromised approximately 900 organizations since its emergence in June 2022, according to a newly updated advisory from the FBI, CISA, and Australian Cyber Security Centre (ACSC). Initially thought to have about 300 victims as of October 2023, Play has seen a rapid expansion, becoming one of the most active ransomware gangs in 2024 and into 2025.
Play operates as a closed ransomware-as-a-service (RaaS) group employing double-extortion tactics, exfiltrating data before encrypting it to pressure victims into paying ransoms.
Play ransomware’s advanced operational security, tailored builds per target, and use of human-operated extortion methods reflect a shift toward more customized, persistent threat campaigns. The exploitation of RMM software like SimpleHelp and targeting of ESXi environments shows an intent to hit core infrastructure, increasing pressure on victims to pay.
Exploited Vulnerabilities:
Source:
https://www.securityweek.com/fbi-aware-of-900-organizations-hit-by-play-ransomware/Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
Supply-Chain RAT Compromise Strikes 16 Gluestack React-Native-Aria Packages With Nearly 1 Million Weekly Downloads
On June 6, 2025, threat actors injected heavily obfuscated remote-access-trojan (RAT) code into a new version of the Gluestack react-native-aria/focus package on NPM. Within hours, 16 of the 20 total Gluestack React-Native-Aria packages, totaling roughly 960,000 weekly downloads, were compromised. The malicious payload was appended (padded with spaces) to the end of each package’s lib/index.js file, making it easy to miss via the standard NPM code viewer.
Aikido Security’s analysis revealed that the RAT establishes a persistent connection to the attacker’s command-and-control (C2) server and accepts a variety of commands, including directory changes, file uploads, and arbitrary shell execution via child_process.exec(). Additionally, the malware prepends a fake Python path to the Windows PATH environment variable, hijacking legitimate python and pip invocations to execute malicious binaries silently.
Attempts by Aikido researcher Charlie Eriksen to contact Gluestack maintainers via GitHub issues have gone unanswered, and while NPM has been alerted, remediation could take several days. This campaign appears linked to the same actors behind four other NPM compromises earlier this week (biatec-avm-gas-station, cputil-node, lfwfinance/sdk, and lfwfinance/sdk-dev), underscoring the growing risk of high-volume supply-chain attacks in the JavaScript ecosystem.
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
GitLab Urgently Patches Multiple High‑Severity Flaws Allowing Account Takeover and CI/CD Job Injection
Critical versions released: GitLab has shipped security updates, Community and Enterprise editions 18.0.2, 17.11.4, and 17.10.8, addressing several severe vulnerabilities. Administrators of self-hosted instances are urged to upgrade immediately. GitLab.com already runs the patched versions; dedicated customers unaffected.
Vulnerabilities patched:
- HTML injection / account takeover (CVE‑2025‑4278): A malicious actor could exploit this flaw via the search page, injecting HTML to hijack user sessions and take over accounts remotely.
- Auth bypass in Ultimate EE, CI/CD job injection (CVE‑2025‑5121): This missing-authorization bug allows authenticated users on Ultimate editions to inject arbitrary CI/CD jobs into any future pipelines, raising risk of code injection. Exploitation requires Ultimate license and authenticated access.
- Cross-site scripting (CVE‑2025‑2254): Enables session hijacking via script execution in snippet viewer.
- Denial-of-Service (CVE‑2025‑0673): Infinite redirect loop forcing memory exhaustion and denial of service.
-
Widespread Google Cloud & Cloudflare Outage Disrupts Spotify, Discord, Gmail & More
Timeline & Root Cause
- The outage began approximately 10:51 UTC on June 12, when Google Cloud’s Identity and Access Management (IAM) service began failing, triggering cascading disruptions.
- Around 18:19 UTC, Cloudflare reported numerous authentication and connectivity failures, notably in Access and Zero Trust WARP services.
Services Impacted
- Google Cloud: Over 50 services impacted, BigQuery, App Engine, Cloud Storage, Vertex AI Search, Cloud Shell, Memorystore, Dataproc, Workstations, IAM tools, and more.
- Cloudflare: Authentication failures affected Access, Workers KV, Stream, dashboard, AI Gateway, AutoRAG, WARP, Durable Objects; core network and CDN remained largely unaffected.
Downstream Effects
- Major platforms including Spotify, Discord, Google Workspace (Gmail, Meet), Twitch, Snapchat, Shopify, OpenAI services, and Replit experienced intermittent outages.
- Outage trackers like Downdetector, ThousandEyes, and similar services showed massive report spikes around midday UTC.
Mitigation & Recovery Status
- By 20:09 UTC, Google’s engineering teams had identified the root cause, initiated mitigations, and began service restorations, most regions recovered, except us-central1, with no ETA for full restoration.
- Cloudflare confirmed service recovery under way around 18:30 UTC, though some intermittent authentication errors persisted while caches refreshed.
- A scheduled maintenance was ongoing in Cloudflare’s Dallas data center earlier (08:00–10:00 UTC), but engineers affirm it was unrelated to this global outage.
Sources:
-
Digital Fallout: U.S. Firms Brace for Cyber Crossfire in Iran-Israel Escalation
As Israel and Iran engage in direct military strikes, a covert cyberwar is unfolding in parallel and U.S. companies may soon be caught in the blast radius. Cybersecurity experts are sounding the alarm over a 700% surge in Iranian cyberattacks on Israeli targets since Israel’s June 12 missile strike on Tehran. These attacks include disinformation campaigns, DDoS floods, and phishing operations with potential to escalate into more destructive cyber campaigns depending on the U.S. response.
- U.S. ISACs (Food & Ag, IT) are warning infrastructure operators to harden defenses now.
- Radware reports a 7x increase in Iranian cyber activity.
- Fake SMS alerts are being sent, masquerading as official Israeli government warnings.
- Flashpoint warns: If Iran pivots toward U.S. targets, expect state-backed ransomware or wiper malware to hit critical infrastructure.
Source:
https://www.axios.com/newsletters/axios-future-of-cybersecurity-1038e950-4889-11f0-b558-17dac864894e -
Major Data Breach at Krispy Kreme – Sensitive Employee Data Leaked
Krispy Kreme Doughnut Corporation has confirmed a major data breach compromising sensitive personal data of thousands of current and former employees, as well as their family members. The intrusion was discovered on November 29, 2024, with attackers gaining unauthorized access to internal systems.
Compromised data includes:
- Social Security Numbers (SSNs)
- Dates of Birth
- Driver’s License & Passport Numbers
- Credit/Debit Card Info (w/ CVV)
- Financial Account Logins
- Biometric & Health Insurance Data
- U.S. Military IDs, USCIS & Alien Reg. Numbers
- Digital Signatures & Email Credentials
Source:
-
No, the “16 Billion Credentials” Leak Isn’t a New Breach
An explosive claim, but not a fresh hack. Earlier this week, headlines announced “one of the largest data breaches in history”, a staggering 16 billion credentials allegedly leaked from platforms like Google, Facebook, Apple, and Telegram. However, cybersecurity research reveals this is not a fresh breach at all. Instead, it’s an aggregated dump of older data sourced from infostealer malware, past data breaches, and credential-stuffing attacks compiled into 30 datasets and briefly exposed online.
Where did the data come from?
- Infostealer logs: Malware installed on infected machines that harvest browser and app credentials, storing them in text-based "logs" structured as username:password.
- Credential stuffing collections: Dumps from past breaches that attackers used to test login combos across services.
- Aggregated stale dumps: Some large collections (e.g., 184 million credentials) surfaced earlier, and now combined into a massive compilation.
Despite the hype, no central platform was recently compromised in this event.
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
U.S. House Bans WhatsApp on Gov Devices Citing "High-Risk" Security Flaws
On June 23, 2025, the U.S. House of Representatives officially banned WhatsApp from all government-issued devices, citing serious cybersecurity concerns. The directive came from the House’s Chief Administrative Officer and was based on assessments by the Office of Cybersecurity.
Why the Ban?
- Lack of transparency in WhatsApp’s data handling and encryption models
- Stored data not encrypted at rest, violating federal standards
- General classification of WhatsApp as a “high-risk” communication platform
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
Citrix Netscaler Hit with Critical Actively Exploited CVEs
A newly discovered critical vulnerability in Citrix NetScaler, CVE-2025-5777, is raising serious alarms. The flaw stems from insufficient input validation when NetScaler is configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability carries a CVSS score of 9.3 and may allow memory overread, potentially exposing sensitive data such as session tokens.
In parallel, Google researchers confirmed a second critical flaw, CVE-2025-6543, is actively being exploited as a zero-day. This is a memory overflow vulnerability (CVSS 9.2) that can lead to unintended control flow and denial of service. Like CVE-2025-5777, it affects NetScaler appliances configured as a Gateway or AAA vServer.
Both vulnerabilities impact the following NetScaler ADC and Gateway builds:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
- Note: 12.1 and 13.0 are End-of-Life (EOL) and are vulnerable
Citrix warns that Secure Private Access on-prem and hybrid deployments using vulnerable NetScaler instances are also at risk.
Cloud Software Group, alongside multiple national security agencies, are urging all customers to immediately patch or upgrade to supported builds. For EOL versions (12.1, 13.0), upgrades are mandatory to eliminate exposure.
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
Fake SonicWall NetExtender Targets VPN Credentials
A new remote access malware campaign is distributing a trojanized version of SonicWall’s NetExtender VPN client, named SilentRoute, to harvest VPN credentials and other sensitive configuration data from unsuspecting users.
SonicWall NetExtender Trojan (SilentRoute):
- The trojan impersonates NetExtender v10.3.2.27, hosted on a spoofed website (now taken down).
- It was digitally signed by CITYLIGHT MEDIA PRIVATE LIMITED, possibly a compromised certificate authority or abuse of a legitimate cert.
- The threat targets users searching for VPN downloads via:
- SEO poisoning
- Phishing
- Malvertising
- Social engineering on platforms like Facebook
Technical Behavior:
- Modifies NeService.exe and NetExtender.exe
- Bypasses normal digital signature validation checks.
- Exfiltrates VPN config data including username, password, and domain to 132.196.198.163 using port 8080.
- Malicious behavior triggered upon clicking "Connect" inside the fake VPN client.
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
CISA & NSA Double Down on Memory-Safe Languages for Secure-by-Design Software
The latest joint guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) elevates memory-safe languages (MSLs) such as Rust, Go, Java, Python, and C# from “best practice” to a national-security baseline. The agencies cite fresh data showing that 70–75 percent of exploited CVEs in the wild are rooted in memory bugs; Google’s Android team, for example, slashed that figure from 76 percent in 2019 to 24 percent in 2024 after mandating Rust/Java for all new code.
CISA and NSA stress that C and C++ can never be fully secured against buffer overflows, use-after-free, data races, and similar flaws because developers, not the compiler, must enforce safety. MSLs collapse whole vulnerability classes by enforcing bounds checking, lifetime/ownership rules, or automatic garbage collection at compile or run time.
Recommended first steps:
- Inventory legacy C/C++ components handling untrusted input.
- Mandate MSLs for all new repositories and features.
- Add Rust clippy, Go govulncheck, or equivalent linters to CI/CD.
- Track % unsafe code (Rust) or % legacy LOC to measure progress.
- Provide developers a focused “borrow-checker / GC” bootcamp to shorten the learning curve.
For those who have been following along, check my post from April 2025 concerning "Systems Programming: Memory Safety":
Sources:
Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
3x RTX 4090 -
Canada Orders Hikvision Canada to Shut Down Over National Security Concerns
On June 28, 2025, Canada’s Industry Minister Mélanie Joly publicly announced that Hikvision Canada Inc. must cease all operations across the country, citing a comprehensive national security review under the Investment Canada Act. The government determined that “continued operations in Canada would be injurious to Canada’s national security,” following a “multi-step review” relying on information from Canada’s security and intelligence services.
Key aspects of the decision include:
- A complete ban on Hikvision Canada’s operations and device use within federal departments and Crown corporations; officials are auditing legacy systems to ensure removal.
- The move reflects a growing trend of Western governments including the U.S., U.K., Australia, Denmark, and EU institutions restricting Hikvision over concerns relating to surveillance technologies, cyber vulnerabilities, and its ties to the Chinese state.
- Hikvision responded sharply, denouncing the ruling as politically motivated and lacking transparency or evidence, arguing the decision unfairly hinges on their Chinese origin rather than cybersecurity assessments.
- Beijing reacted defensively with China’s commerce ministry urging Canada to reverse the action, branding it as “misuse” of national security, and warned it could harm Sino–Canadian trade relations.
While the ban applies exclusively to Hikvision’s Canadian subsidiary and government usage, the federal government strongly advises Canadian businesses and citizens to reconsider using any Hikvision equipment.
Sources:
- https://www.bleepingcomputer.com/news/security/hikvision-canada-ordered-to-cease-operations-over-security-risks/
- https://www.reuters.com/markets/emerging/ottawa-orders-chinese-manufacturer-hikvision-shutter-canadian-operations-2025-06-28/
- https://www.darkreading.com/threat-intelligence/hikvision-banned-canadian-government
-
Xfinity’s Wi‑Fi Motion: Turning Your Router Into a Living Room Spy
Comcast's Xfinity has launched Wi‑Fi Motion, a feature that transforms xFi Gateway routers into motion detectors using only signatures from Wi‑Fi signal interference, no cameras or motion sensors needed. If enabled, the router senses movement (even minor gestures such as a raised arm) between connected devices and can send alerts via the Xfinity app. Users can adjust sensitivity, exclude pets, and link up to three devices for monitoring.
However, buried in the terms of service, Comcast reserves the right to collect, log, and sell this motion data to advertisers once you opt in. More alarmingly, Comcast also states that logs may be shared with law enforcement, in legal disputes, or under subpoena, without further consent or notification.
Critics point out this isn’t just passive data collection, it’s a detailed log of when and where people or pets are moving in your home, tied directly to your account.
Sources:
-
Malicious "Solidity" VSCode Extension Steals Over $500K in Crypto
A polished VSCode-compatible extension targeting Cursor AI users named “Solidity Language” sneaked into Open VSX, masquerading as a legit Solidity syntax helper. Instead, it executed a PowerShell payload, installed ScreenConnect for remote access, and rolled out VBScript-based downloaders that deployed Quasar RAT and PureLogs stealer. The result: capture of crypto wallet seed phrases and a $500,000 loss for one Russian Ethereum dev.
Key attack highlights:
- Fake vs. real: The malicious plugin (54,000+ downloads) was ranked higher than the official “solidity” (61,000) by gaming Open VSX’s ranking with inflated download counts.
- Quick re-upload: Removed on July 2, but republished the next day as “solidity” with around 2 million fake installs, using near-identical naming (“juanbIanco” vs “juanblanco”).
- Supply-chain risk hub: This campaign isn’t an isolated case; variants like “solaibot”, “among-eth” and malicious npm package “solsafe” have similarly used Open VSX or VS Code as vectors.
Sources:
- Fake vs. real: The malicious plugin (54,000+ downloads) was ranked higher than the official “solidity” (61,000) by gaming Open VSX’s ranking with inflated download counts.
-
Abacus Market: Darknet Domination Turns Into Disappearing Act
Abacus Market, once the largest Western darknet marketplace accepting Bitcoin (and Monero), abruptly shut down in early July 2025 in what analysts believe is a classic exit scam, likely funded by hundreds of millions in cryptocurrency.
Launched in September 2021 (originally as Alphabet Market), Abacus surged holding about 70% of the Bitcoin-enabled darknet market in 2024. In June 2025 it peaked at $6.3 million/month in brokered sales, with daily deposits about $230K across 1,400 transactions. Over the 4+ years, Abacus processed around $100 million in Bitcoin, adding Monero brings estimated total sales to $300–$400 million.
The platform went completely offline without any legal takedown notification, pointing to disappearance with funds. TRM Labs and analysts lean toward an exit scam, though a covert law enforcement operation can't be entirely ruled out.
Sources:
-
Cloudflare 1.1.1.1 incident on July 14, 2025
On 14 July 2025, Cloudflare made a change to our service topologies that caused an outage for 1.1.1.1 on the edge, resulting in downtime for 62 minutes for customers using the 1.1.1.1 public DNS Resolver as well as intermittent degradation of service for Gateway DNS.Cloudflare's 1.1.1.1 Resolver service became unavailable to the Internet starting at 21:52 UTC and ending at 22:54 UTC. The majority of 1.1.1.1 users globally were affected. For many users, not being able to resolve names using the 1.1.1.1 Resolver meant that basically all Internet services were unavailable. This outage can be observed on Cloudflare Radar.
The outage occurred because of a misconfiguration of legacy systems used to maintain the infrastructure that advertises Cloudflare’s IP addresses to the Internet.
This was a global outage. During the outage, Cloudflare's 1.1.1.1 Resolver was unavailable worldwide.
We’re very sorry for this outage. The root cause was an internal configuration error and not the result of an attack or a BGP hijack. In this blog, we’re going to talk about what the failure was, why it occurred, and what we’re doing to make sure this doesn’t happen again.
Source: https://blog.cloudflare.com/cloudflare-1-1-1-1-incident-on-july-14-2025/
