CyberNews: 17/10/2025 Edition

Published by Dunateo on 2025-10-17

Today’s roundup

  • Gladinet fixes actively exploited zero-day in file-sharing software
  • North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts
  • Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites
  • LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets
  • Email Bombs Exploit Lax Authentication in Zendesk
  • Denial of Fuzzing: Rust in the Windows kernel
  • China-linked APT Jewelbug targets Russian IT provider in rare cross-nation cyberattack
  • PowerSchool hacker got four years in prison
  • Microsoft warns of a 32% surge in identity hacks, mainly driven by stolen passwords
  • Auction giant Sotheby’s says data breach exposed financial information

Summary

    Gladinet has released urgent security updates for its CentreStack business solution to patch a critical local file inclusion vulnerability, identified as CVE-2025-11371. This zero-day flaw has been actively exploited by threat actors since late September, allowing them to compromise affected systems. Users of CentreStack are advised to apply the patches immediately to mitigate the risk of ongoing attacks.

    North Korean state-sponsored hackers, tracked as UNC5342 by Google Threat Intelligence Group, have adopted a novel technique called "EtherHiding" to conceal malware within blockchain smart contracts. This marks the first documented instance of a nation-state actor employing such a method. The tactic facilitates the stealthy distribution of malicious software for cryptocurrency theft and espionage, highlighting an evolving threat landscape in state-sponsored cyber operations.

    A financially motivated threat actor, identified as UNC5142, is exploiting blockchain smart contracts and compromised WordPress websites to distribute information-stealing malware, including Atomic (AMOS), Lumma, Rhadamanthys, and Vidar. This campaign targets both Windows and Apple macOS users, leveraging the "EtherHiding" technique to enhance the stealth and resilience of their malware distribution network. The use of blockchain for command and control or data storage poses new challenges for detection and mitigation.

    Cybersecurity firm Synacktiv has unveiled "LinkPro," a sophisticated new GNU/Linux rootkit discovered during an investigation into a compromised Amazon Web Services (AWS) infrastructure. This rootkit utilizes extended Berkeley Packet Filter (eBPF) modules to maintain stealth and conceal its presence on infected systems. LinkPro is notably activated remotely through the use of specific "magic" TCP packets, indicating advanced evasion and control capabilities by threat actors targeting Linux environments.

    Cybercriminals are exploiting a widespread lack of authentication within the Zendesk customer service platform to launch "email bombing" attacks. This abuse allows threat actors to flood target inboxes with thousands of messages originating simultaneously from hundreds of legitimate Zendesk corporate customers. The vulnerability arises from configurations allowing anonymous support requests without prior verification, enabling attackers to leverage trusted domains for sending malicious or disruptive content, potentially causing denial-of-service for recipients and reputational damage for affected organizations.

    Check Point Research (CPR) has disclosed a denial-of-service vulnerability affecting a new Rust-based kernel component within Windows 11's Graphics Device Interface (GDI). The flaw, which Microsoft has addressed via KB5058499, allows a specially crafted metafile to trigger an out-of-bounds array access, resulting in a kernel panic and a Blue Screen of Death (BSOD) on Windows 11 version 24H2 systems. While Microsoft classified it as moderate, the ability to crash an operating system from a user-space function presents a significant availability risk.

    The China-linked APT group Jewelbug conducted a five-month intrusion into a Russian IT service provider between January and May 2025, marking an expansion of its cyber espionage operations. Symantec reports that attackers compromised code repositories and build systems, suggesting potential supply chain attack ambitions, and exfiltrated data to Yandex Cloud. The group employed a renamed Microsoft debugger file (cdb.exe), credential dumping, scheduled tasks for persistence, and a new backdoor utilizing Microsoft Graph API and OneDrive for command and control. This activity underscores Russia's continued exposure to Chinese cyber espionage despite diplomatic ties.

    Matthew D. Lane, a Massachusetts student, has been sentenced to four years in prison for hacking PowerSchool and another unnamed company, extorting approximately $3 million. Lane accessed a company serving schools, exfiltrating personal data of over 60 million students and 9 million teachers, including sensitive financial and medical information. He demanded $2.85 million in Bitcoin under threat of data leakage and has been ordered to pay $14 million in restitution alongside his prison term and three years of supervised release.

    Microsoft reports a significant 32% surge in identity hacks, with stolen passwords being the primary vector. This alarming trend is exacerbated by the rising use of infostealer malware and sophisticated IT scams that manipulate help desks into unauthorized password resets. The company's warning emphasizes the escalating threat to organizational identities and the necessity for advanced security strategies to counter these prevalent attack methods.

    International auction house Sotheby's has disclosed a data breach incident affecting its systems. The breach resulted in threat actors compromising and stealing sensitive personal and financial information belonging to individuals. Sotheby's is currently in the process of notifying affected parties about the incident.


    Vulnerabilities

    CVE-2025-11371 (severity: Medium)