In today’s cybersecurity news…
Google’s Find Hub turns into remote-wipe weapon
Researchers at South Korea’s cybersecurity firm Genians say North Korean hacking group KONNI used Google’s Find My Device service to remotely wipe Android phones of South Korean targets, erasing evidence of their espionage. The attackers stole Google credentials through phishing, then triggered unauthorized factory resets using the cloud feature. KONNI spread further infections via the KakaoTalk app and exploited GPS data to time attacks. The group, linked to Pyongyang’s intelligence agency, has increasingly used cloud tools to conceal operations. (The Register)
Qilin ransomware activity surges
Cybersecurity firm S-RM reported a surge in ransomware attacks linked to the long-running Qilin [chee-leen] group, which mainly targets small and midsize businesses in construction, healthcare, and finance. Qilin affiliates, including members of Scattered Spider, exploit unpatched VPNs, weak authentication, and exposed interfaces to steal data and encrypt systems. S-RM said 88% of cases this year involved both data theft and encryption, with stolen data leaked on dark-web sites. The firm warned Qilin now uses Telegram and WikiLeaksV2 for extortion. (Infosecurity Magazine)
GootLoader is back
Cybersecurity firm Huntress says the GootLoader malware has resurfaced, using a new evasion technique that hides malicious ZIP files behind custom WOFF2 web fonts on compromised WordPress sites. The trick disguises filenames by substituting glyphs, making them appear harmless until rendered in browsers. GootLoader infections have led to domain controller compromises within 17 hours, deploying the Supper backdoor for remote access. Linked to threat group Hive0127, GootLoader continues spreading via SEO poisoning and Google Ads. (The Hacker News)
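The glyph-substitution trick works because the characters in the page source are not the characters the visitor reads: the HTML carries a scrambled filename and an inline WOFF2 font maps each scrambled character to the glyph of a readable one, so a crawler or copy-paste sees gibberish while the browser shows a plausible document name. A simple way to hunt for that pattern on a WordPress page is to flag download links that are styled with a font embedded as a base64 data URI. The example below is added here and is not Huntress's detection logic or GootLoader's code; the page fragment, font-family name, class name and .zip path are constructed for illustration, and the font bytes are only the WOFF2 magic plus filler so the magic-number check has something to pass. A production detector would additionally parse the font's cmap table to recover what the glyphs actually render as.

```python
import base64
import re

# Constructed sample (not from the Huntress report): one @font-face rule embedding a
# "WOFF2" font as a base64 data URI, one class using it, and a download link whose
# visible text is rendered in that font. The scanner sees the scrambled text; a
# browser would see whatever glyphs the custom font maps those characters to.
FAKE_WOFF2 = base64.b64encode(b"wOF2" + b"\x00" * 32).decode()
SAMPLE_HTML = f"""
<style>
@font-face {{ font-family: "dl-font"; src: url(data:font/woff2;base64,{FAKE_WOFF2}) format("woff2"); }}
.dl {{ font-family: "dl-font"; }}
</style>
<p>Download the template below.</p>
<a class="dl" href="/wp-content/uploads/7f3a.zip">qzkx_wmpvlrt_uqhz.zip</a>
<a href="/about.html">About us</a>
"""

# @font-face rule with font-family followed by an inline base64 data: URI in src.
FONT_FACE_RE = re.compile(
    r'@font-face\s*\{[^}]*?font-family\s*:\s*["\']?([^;"\']+)["\']?[^}]*?'
    r'src\s*:\s*url\(\s*["\']?data:([^;,]+);base64,([A-Za-z0-9+/=]+)',
    re.S | re.I,
)
# CSS class rules that select one of those font families.
CLASS_FONT_RE = re.compile(
    r'\.([\w-]+)\s*\{[^}]*?font-family\s*:\s*["\']?([^;"\']+)', re.S | re.I
)
ANCHOR_RE = re.compile(r"<a\s+([^>]*)>(.*?)</a>", re.S | re.I)


def inline_woff2_fonts(html):
    """Return the font-family names whose src is an inline base64 WOFF2 blob.

    The declared MIME type is ignored; the decoded bytes must start with the
    WOFF2 magic 'wOF2', so a mislabelled data: URI is still caught.
    """
    found = set()
    for family, _mime, b64 in FONT_FACE_RE.findall(html):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if blob[:4] == b"wOF2":
            found.add(family.strip())
    return found


def suspicious_downloads(html):
    """Flag .zip links rendered with an inline WOFF2 font.

    Returns a list of {href, visible_text_as_scanner_sees_it}; the text field
    is what any non-rendering scanner (or a user copying the name) would see.
    """
    fonts = inline_woff2_fonts(html)
    classes = {cls for cls, fam in CLASS_FONT_RE.findall(html) if fam.strip() in fonts}
    hits = []
    for attrs, text in ANCHOR_RE.findall(html):
        href = re.search(r'href\s*=\s*["\']([^"\']+)', attrs)
        cls = re.search(r'class\s*=\s*["\']([^"\']+)', attrs)
        style = re.search(r'font-family\s*:\s*["\']?([^;"\']+)', attrs)
        uses_font = (cls and set(cls.group(1).split()) & classes) or (
            style and style.group(1).strip() in fonts
        )
        if uses_font and href and href.group(1).lower().endswith(".zip"):
            hits.append(
                {
                    "href": href.group(1),
                    "visible_text_as_scanner_sees_it": re.sub(r"<[^>]+>", "", text).strip(),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_HTML):
        print(hit)
```

Run against a crawled copy of a site's pages, the hit list is a triage queue rather than a verdict: legitimate sites do self-host fonts, but a download link for an archive whose underlying text is an unpronounceable string and whose only styling is an embedded font is exactly the shape of the lure described above.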
SAP fixes hardcoded credentials flaw
SAP’s November patch cycle fixed two critical flaws, including a hardcoded credentials bug in SQL Anywhere Monitor rated CVSS 10.0, which could let attackers execute arbitrary code. Another critical issue in SAP Solution Manager let authenticated users inject malicious code and take full control of the system. SAP also patched one high- and 14 medium-severity bugs, and reissued a NetWeaver fix from October. No active exploitation has been observed. (BleepingComputer)
Huge thanks to our sponsor, Vanta

Is it “Do I have the right controls in place?”
Or “Are my vendors secure?”
…or the really scary one: “How do I get out from under these old tools and manual processes?”
Enter Vanta.
Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME. With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.
Get started at vanta.com/headlines
Android RAT boasts full device espionage
Researchers at Zimperium uncovered Fantasy Hub, a Russian-sold Android remote access trojan (RAT) offered as Malware-as-a-Service, enabling full device surveillance and control through Telegram. The spyware steals data, intercepts messages, accesses cameras and microphones via WebRTC, and uses fake Google Play pages to spread. Attackers also deploy counterfeit banking apps for Alfa, PSB, Tbank, and Sber to steal credentials. Zimperium says Fantasy Hub’s MaaS model, social engineering, and SMS-handler abuse make it especially dangerous for BYOD and consumer devices. (Security Affairs)
Critical Triofox vulnerability exploited
A critical Triofox vulnerability was exploited in the wild by threat actor UNC6485, allowing creation of a new admin account and execution of remote access tools. The flaw stems from improper access control on initial setup pages. Attackers abused the built-in antivirus feature to run malicious scripts, including a Zoho UEMS installer, enabling Zoho Assist and AnyDesk access, lateral movement, and password changes. Organizations are advised to update Triofox, audit admin accounts, and restrict antivirus execution paths. (SecurityWeek)
GlobalLogic impacted by attack on Oracle
Hitachi subsidiary GlobalLogic was affected by a Clop ransomware campaign targeting Oracle E-Business Suite customers. Human resources data for nearly 10,500 current and former employees was exposed, including names, contact info, Social Security numbers, and bank details. The intrusion began July 10th, the last malicious activity was seen August 20th, and the breach was discovered October 9th. Clop reportedly demanded up to $50 million from victims, and dozens of Oracle customers were impacted. (CyberScoop)
Google intros Private AI Compute
Google is launching Private AI Compute, a cloud platform that lets devices run advanced AI tasks while keeping data private. It’s similar to Apple’s Private Cloud Compute and moves intensive AI processing to the cloud without exposing sensitive information to Google. The system is meant to expand AI features on devices like Pixel 10 phones, enabling more personalized suggestions from tools like Magic Cue and supporting additional languages for Recorder transcriptions. Google frames it as a secure way to handle complex AI tasks beyond on-device capabilities. (The Verge)