I have to say, this week was a busy one for the criminals. We have a brand new APT group, “NightEagle”, we have AI deepfakes in geopolitics, and a few zero-days exploited in the wild that span many, many versions of very popular software.


If you have been reading these and have some feedback, I’d love to hear it so I can make them more useful: comment, or DM me on LinkedIn.

Also, you can now subscribe to get these summaries to your inbox ~ once a week. Scroll down to subscribe.

1. Anatsa Android Banking Trojan Resurfaces Targeting U.S. and Canadian Users

The long-running Anatsa Android trojan has reappeared in North America, hijacking a legitimate file-reader app to deliver a malicious update between June 24 and 30. Once installed, Anatsa can steal banking credentials, log keystrokes, and execute unauthorized transactions, putting financial institutions and their customers at risk of account takeover and monetary loss.

Key Details

  • This marks the third U.S.- and Canada-focused Anatsa campaign since 2020, per ThreatFabric.
  • Attackers published a benign file-reader app to the Play Store, which amassed over 50,000 downloads.

Next Steps

  • Enforce mobile app installation policies via MDM to block unapproved file-reader tools.
  • Educate users to verify app publishers and reviews before installing.

Read more at ThreatFabric


2. CTM360 Report: Over 17,000 Fake News Sites Driving Global Investment Scams

A CTM360 report reveals more than 17,000 “Baiting News Sites” masquerading as reputable outlets to funnel users into investment fraud across 50 countries. By combining sponsored ads, fake articles, and a two-phase scam process—initial trust building followed by “advisor” calls—attackers extract funds and harvest personal data.

Key Details

  • 17,000+ fake sites tracked on cheap TLDs (.xyz, .click, .shop) or hidden in compromised subfolders
  • Sites mimic CNN, BBC, CNBC and regional media to promote scam platforms like Trap10 or Eclipse Earn
  • Two-phase fraud: fake news and ads to lure victims, followed by “account verifications” and advisor calls to extract funds
  • Victim data (ID docs, contacts) repurposed for phishing, identity theft, and secondary fraud

Next Steps

  • Train teams to spot fake news sites and two-phase investment scams

Read more at CTM360


3. Chinese National Arrested in Milan on U.S. Warrant Over HAFNIUM COVID-19 Research Hacks

On July 3, Italian police detained Xu Zewei under a U.S. indictment alleging he led HAFNIUM intrusions to steal COVID-19 vaccine research and exploit Microsoft Exchange zero-day vulnerabilities at U.S. universities and law firms. The arrest highlights ongoing state-backed espionage risks to critical research and reinforces the need for rigorous third-party vendor oversight and rapid patch management.

Key Details

  • Indicted on nine counts—including wire fraud and identity theft—with a potential 77-year sentence.
  • Accused of acting under China’s Ministry of State Security and Shanghai State Security Bureau direction.
  • HAFNIUM campaign targeted over 60,000 U.S. entities, successfully compromising more than 12,700 systems.
  • Specific February 22, 2020 breach aimed at virologists’ and immunologists’ email accounts at a Texas research university.

Read more at ANSA


4. Linux Secure Boot Bypass: Debug Shell Exploit Enables Persistent Malware Injection

Researchers have discovered that attackers with physical access can trigger a built-in debug shell after repeated encrypted-root password failures, modify the initramfs, and inject malware that survives reboots—even on systems using Secure Boot. This affects default Ubuntu 25.04 and Fedora 42 installs and highlights gaps in standard hardening guidelines.

Key Details

  • The attack triggers after multiple wrong LUKS passphrases, which drops the system to an initramfs shell
  • The initramfs can be unpacked, have scripts injected, and be repacked without breaking the signed-kernel checks
  • Demonstrated on Ubuntu 25.04 and Fedora 42 with default encrypted-root settings
  • Requires a USB drive with mounting tools and prewritten payload scripts

Next Steps

  • Encrypt the boot partition with LUKS or enable SSD native encryption
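A quick check for the emergency-shell fallback the researchers abuse, added here as an example (not code from the Insinuator post). It assumes, from the dracut and initramfs-tools documentation rather than from the article, that dracut honours rd.shell=0 and rd.emergency=reboot|poweroff|halt, and that initramfs-tools reboots instead of opening its shell when a panic= argument is present; the command lines in the test are constructed:

```python
"""Check a kernel command line for the initramfs emergency-shell fallback.
Added example, not from the Insinuator post.  Assumed from the dracut and
initramfs-tools documentation rather than the article: dracut stays out of the
shell with rd.shell=0 (rd.emergency=reboot|poweroff|halt picks the action
instead), and initramfs-tools reboots rather than opening the (initramfs) shell
when any panic=<seconds> argument is present."""
import shlex
import shutil


def parse_cmdline(cmdline: str) -> dict[str, str]:
    """'root=/dev/x quiet' -> {'root': '/dev/x', 'quiet': ''}; the last duplicate wins."""
    params = {}
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        params[key] = value
    return params


def emergency_shell_findings(cmdline: str, initramfs: str) -> list[str]:
    """Findings for one cmdline; initramfs is 'dracut' (Fedora) or 'initramfs-tools' (Ubuntu)."""
    p = parse_cmdline(cmdline)
    findings = []
    if "break" in p:
        findings.append("break= deliberately requests an interactive initramfs shell")
    if initramfs == "dracut":
        if p.get("rd.shell", "1") != "0":
            findings.append("rd.shell=0 missing: dracut drops to the emergency shell on boot failure")
        if p.get("rd.emergency") not in ("reboot", "poweroff", "halt"):
            findings.append("rd.emergency not set to reboot/poweroff/halt")
    elif initramfs == "initramfs-tools":
        if "panic" not in p:
            findings.append("panic= missing: initramfs-tools opens the (initramfs) shell on boot failure")
    else:
        raise ValueError(f"unknown initramfs flavour: {initramfs!r}")
    return findings


def audit_running_system() -> list[str]:
    """Read /proc/cmdline on a live host; the flavour is guessed from the installed generator."""
    flavour = "dracut" if shutil.which("dracut") else "initramfs-tools"
    with open("/proc/cmdline") as fh:
        return emergency_shell_findings(fh.read(), flavour)


if __name__ == "__main__":
    for finding in audit_running_system() or ["no emergency-shell findings"]:
        print(finding)
```

The kernel parameters only govern the fallback; a signed or measured initramfs (or the encrypted boot partition the article recommends) is still what stops the repacked image from being trusted.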

Read more at Insinuator


5. Security Flaws in Public EV Chargers Enable Data Theft and Network Attacks

A security researcher demonstrated that unencrypted powerline communications between electric vehicles and public chargers expose vehicle and charger identifiers. That allows man-in-the-middle attackers to intercept data, spoof sessions to steal electricity, brute-force charger SSH ports, and crash charging station management systems for widespread denial of service. These gaps could lead to unauthorized billing, charger network compromise, and potential grid disruptions, demanding immediate action from CISOs and infrastructure teams.

Key Details

  • Powerline communication between EV and charger is often unencrypted or uses self-signed TLS, exposing EVCCID/EVSEID identifiers.
  • Attackers can spoof MAC-based EVCCIDs to authorize free charging via Plug & Charge.
  • Chargers expose SSH on the powerline interface, allowing brute-force attacks to gain device or network access.
  • Researcher crashed StEVe CSMS and CitrineOS platforms, triggering full denial-of-service on charger networks.

Read more at Cybernews


6. Critical SUDO Chroot and Host-Configuration Bugs Enable Root Escalation

Researchers have disclosed two local privilege-escalation vulnerabilities in the Sudo utility—one in the Chroot feature rated CVSS 9.3 and another, undetected for 12 years, tied to host-restriction rules. Both flaws affect multiple Sudo versions on Debian and Ubuntu systems and can grant attackers unintended root access.

Key Details

  • Both issues fixed in Sudo 1.9.17p1; advisories credit Rich Mirch of Stratascale CRU.

Next Steps

  • Upgrade all Sudo installations to version 1.9.17p1 immediately.
  • Audit sudoers files for host-based rule misconfigurations.
  • Scan for user-writable chroot directories and unauthorized /etc/nsswitch.conf files.
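One way to do the sudoers audit and the chroot-directory scan from the next steps, added here as an example (not code from the advisories or the Sudo project). It assumes the standard sudoers grammar User Host=(Runas) [options] Cmnd and the CHROOT= option spelling; the sample sudoers text and the temporary chroot directory it audits are constructed:

```python
"""Audit sudoers for CHROOT= and host-restricted rules; added example, not Sudo project code."""
import os
import re
import tempfile

CHROOT_OPT = re.compile(r"\bCHROOT=(\S+)")  # assumes the CHROOT= option spelling

def chroot_dir_findings(path: str) -> list[str]:
    # flag a chroot directory that an unprivileged user could tamper with
    out = []
    st = os.stat(path)  # a missing directory raises: sudo would fail closed there anyway
    if st.st_uid != 0:
        out.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & 0o022:  # group- or world-writable
        out.append(f"{path}: group/world-writable")
    if os.path.exists(os.path.join(path, "etc", "nsswitch.conf")):
        out.append(f"{path}: ships its own etc/nsswitch.conf; confirm it is authorized")
    return out

def audit_sudoers(text: str) -> list[str]:
    # assumes the standard grammar 'User Host=(Runas) [opts] Cmnd'
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        # skip blanks, Defaults, aliases, comments and #include lines ('#1000' is a uid)
        if (not line or "=" not in line or line.startswith("Defaults")
                or line.split()[0].endswith("_Alias")
                or (line.startswith("#") and not line[1:2].isdigit())):
            continue
        lhs, _, rhs = line.partition("=")
        *users, host = lhs.split()
        user = " ".join(users)
        if host.upper() != "ALL":
            findings.append(f"rule for {user!r} limited to host {host!r}: review against the host-matching fix")
        for chroot in CHROOT_OPT.findall(rhs):
            findings.append(f"rule for {user!r} uses CHROOT={chroot}")
            findings.extend(chroot_dir_findings(chroot))
    return findings

SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
alice ALL=(ALL:ALL) ALL
bob web1,web2=(root) NOPASSWD: /usr/bin/systemctl restart nginx
%jailed ALL=(root) CHROOT=/srv/jail ALL
"""

def demo() -> list[str]:
    # audit the sample with /srv/jail swapped for a deliberately sloppy temp dir
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        os.makedirs(os.path.join(jail, "etc"))
        os.chmod(jail, 0o777)
        open(os.path.join(jail, "etc", "nsswitch.conf"), "w").close()
        return audit_sudoers(SAMPLE_SUDOERS.replace("/srv/jail", jail))
```

Run audit_sudoers over /etc/sudoers and each file under /etc/sudoers.d; the directory checks are a heuristic and do not replace upgrading to 1.9.17p1.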

Read more at CSO Online


7. FlirtAI iOS App Exposed 160K Private Chat Screenshots via Unprotected Cloud Storage

Researchers found 160,000 unprotected screenshots in a public Google Cloud bucket, many involving teenage users of the FlirtAI “wingman” app. The exposure of minors’ private messaging data raises significant privacy and legal compliance risks, highlighting the need for stricter cloud storage controls and consent procedures.

Key Details

  • Bucket belonged to Buddy Network GmbH and was publicly accessible until June 16, 2025.
  • Leaked 160,000 screenshots from chats and dating profiles—many subjects unaware their data was shared.
  • Evidence indicates frequent app usage by teenagers (17+ age rating on App Store).
  • Potential GDPR violations due to processing minors’ data without proper consent.

Next Steps

  • Audit cloud storage permissions and enforce private access controls.
  • Implement data retention and minimization policies for user-provided content.

Read more at Cybernews


8. Stolen Shellter Elite Framework Used by Criminals to Evade Detection

Elastic Security Labs discovered that threat actors have been abusing a stolen commercial copy of Shellter Elite to stealthily package multiple infostealers, bypassing antimalware defenses. Security teams and CISOs should review how offensive tools are licensed and monitored, and deploy detections for Shellter-derived artifacts to mitigate similar evasion-based attacks.

Key Details

  • Shellter Elite v11.0, released April 16, 2025, was stolen from a vetted customer.
  • Since late April, Lumma, Arechclient2 (Sectop RAT) and Rhadamanthys infostealers used it.
  • Payloads showed Shellter-specific license expiry and self-disarm artifacts.
  • Shellter Project patched the upcoming release after Elastic’s detections surfaced.

Next Steps

  • Audit and revoke compromised Shellter licenses immediately
  • Deploy YARA signatures for Shellter Elite artifacts

Read more at SecurityWeek


9. Russian-Linked Actors Use AI Deepfakes of Rubio to Target Officials

A State Department cable warns that a suspected Russia-linked actor used AI-generated deepfakes of Secretary of State Marco Rubio to contact at least five foreign ministers and U.S. officials via smishing, vishing, and Signal messaging, aiming to harvest intelligence or access sensitive accounts. The campaign’s realistic voice cloning, official branding, and naming-convention mimicry underscore the rising threat of AI-enabled impersonation in high-level diplomatic channels.

Key Details

  • Targets included three foreign ministers, a U.S. governor, and a member of Congress in mid-June.
  • Attackers used AI-generated voicemail and text invites to move conversations onto Signal.
  • Phishing emails employed fake “@state.gov” addresses and official Bureau of Diplomatic Technology logos.

Next Steps

  • Enforce secondary verification for any unsolicited high-level requests.
  • Update incident response playbooks to include AI deepfake detection.
  • Restrict use of unvetted messaging apps for official diplomacy.

Read more at Washington Post


10. Critical SQL Server Vulnerability CVE-2025-49719 Exposes Sensitive Data Over Network

A critical information-disclosure flaw in Microsoft SQL Server (CVE-2025-49719) enables unauthenticated attackers to read uninitialized memory over network connections. The issue impacts all supported SQL Server versions from 2016 through 2022, and Microsoft released urgent patches on July 8, 2025. Organizations should apply updates immediately and tighten network controls to prevent data leakage.

Key Details

  • Affects SQL Server 2016, 2017, 2019 and 2022 (all supported builds)
  • Patches released July 8, 2025

Next Steps

  • Deploy version-specific SQL Server security updates immediately
  • Restrict and monitor TCP/IP access to database instances

Read more at Microsoft Security Response Center


11. North America-Based APT “NightEagle” Uses Microsoft Exchange Zero-Day to Target China’s High-Tech and Military Sectors

QiAnXin’s RedDrip unit has identified a previously unseen APT, dubbed “NightEagle”, exploiting an unknown Microsoft Exchange zero-day vulnerability to harvest machineKey values and deploy a .NET loader on IIS servers. The group maintains stealthy persistence via a Go-based Chisel tunnel, exfiltrating mailbox data from AI, semiconductor, quantum and military organizations in China over the past year.

Key Details

  • Attackers extract the machineKey to access and exfiltrate mailbox contents, including attachments.
  • Persistence via a modified Go-based Chisel tunnel, scheduled to connect to C2 servers every four hours.
  • NightEagle operates between 9pm and 6am Beijing time, suggesting operators in a North American time zone.

Next Steps

  • Segregate Exchange IIS workloads and restrict outbound tunnels.

Read more at CSO Online


12. U.S. Treasury Sanctions North Korean Intel Official for IT Worker Fraud Scheme

The U.S. Treasury’s Office of Foreign Assets Control designated Song Kum Hyok, a senior Reconnaissance General Bureau official, for supplying stolen U.S. identities to North Korean IT contractors in China and Russia, who secured remote jobs and introduced malware to corporate networks. Russian national Gayk Asatryan and four affiliated companies were also sanctioned for facilitating the scheme that funds North Korea’s weapons programs.

Key Details

  • Song created aliases using U.S. names, SSNs and addresses for hires in 2022–23.
  • The scheme generated millions in salaries and delivered malware for further exploitation.
  • Asatryan signed 10-year contracts to bring 30 and 50 North Korean workers, respectively, to Russia.
  • Thousands of North Korean IT specialists operate in China, Russia and Southeast Asia.

Next Steps

  • Validate remote employees’ identities against original documents.
  • Scan networks for signs of unauthorized malware callbacks.
  • Screen third-party vendors against OFAC sanctions lists.

Read more at U.S. Department of the Treasury


13. South Korean Government Imposes Regulatory Penalties on SK Telecom Over 27M-Record Breach

South Korea fined SK Telecom 30 million won and imposed strict security mandates after a breach exposed 27 million SIM-related records. Requirements include quarterly server assessments, free USIM replacements, and elevating the CISO to report directly to the CEO—underscoring tougher oversight for critical infrastructure providers.

Key Details

  • Investigation found 28 infected servers hosting 33 malware strains, notably 27 BPFDoor variants.
  • Compromised data included 27 million phone numbers, subscriber IDs, and 25 additional SIM data fields.
  • Fine of up to 30 million won for late breach notification under the Information and Communications Network Act.
  • Mandated quarterly vulnerability scans, encrypted password storage, free USIM swaps, and penalty-free cancellations.
  • CISO role to report directly to the CEO and implement stronger supply chain security controls.

Read more at Dark Reading

