CyberNews: 02/11/2025 Edition
Today’s roundup
Summary
Check Point Research has disclosed three critical vulnerabilities in the Windows Graphics Device Interface (GDI), patched between May and August 2025. These flaws, including CVE-2025-30388 (RCE), CVE-2025-53766 (Critical RCE), and CVE-2025-47984 (Information Disclosure), could facilitate remote code execution and memory exposure. Notably, CVE-2025-53766 requires no user interaction and is remotely exploitable, posing a significant risk to affected systems.
China-linked APT group UNC6384 is actively conducting a cyber espionage campaign targeting European diplomatic entities in Hungary, Belgium, Serbia, Italy, and the Netherlands. The group exploits a Windows shortcut zero-day vulnerability (ZDI-CAN-25373) via phishing emails containing EU/NATO-themed lures. The attack chain deploys the PlugX RAT through multi-stage processes involving PowerShell, tar archives, and DLL side-loading of legitimate Canon utilities for stealthy in-memory execution. The campaign, which commenced in September, leverages distributed infrastructure for evasion.
The Australian Signals Directorate (ASD) has issued a warning regarding persistent cyberattacks exploiting a critical vulnerability (CVE-2023-20198, CVSS 10.0) in unpatched Cisco IOS XE devices. Threat actors are installing a Lua-based webshell named "BadCandy." Since July 2025, over 400 devices have been compromised, with 150 still exposed. Although the webshell does not survive a reboot, unpatched devices are repeatedly re-exploited. Organizations are urged to apply patches, disable HTTP server features, and implement hardening measures.
Yuriy Igorevich Rybtsov, known as "MrICQ," an alleged coder for the Jabber Zeus banking trojan group, has been extradited from Italy and is now in U.S. custody. Indicted in 2012, Rybtsov is accused of developing key components of the ZeuS malware, which stole banking credentials and enabled multi-factor authentication bypass via its "Leprechaun" feature. The group targeted small-to-mid-sized businesses, laundering millions through money mules. This arrest follows the 2022 apprehension and 2024 sentencing of group leader Vyacheslav "Tank" Penchukov.
A hacker has claimed responsibility for a data breach at the University of Pennsylvania, asserting the theft of 1.2 million donor records and internal documents. This disclosure follows an incident last week in which offensive emails were sent to current and former students from university accounts, which at the time hinted only at a general data breach. The hacker's claim suggests a more extensive compromise than previously indicated, involving a substantial volume of sensitive donor information.
The Open VSX registry has initiated a rotation of access tokens in response to a supply-chain malware attack. Threat actors exploited tokens accidentally leaked by developers in public repositories to publish malicious extensions. This incident underscores the persistent risks within software development supply chains, where compromised credentials can facilitate malware distribution and affect numerous downstream users.
A recent report criticizes the typical corporate response to data leaks, arguing that legal efforts to ban public access to stolen data primarily serve to protect brand reputation rather than consumers. Referencing a significant Qantas cybersecurity attack that exposed 5 million frequent flyer records, the article contends that court orders restricting access to leaked information disproportionately benefit cybercriminals and hinder consumers' ability to protect themselves from further harm.
Want to dig deeper?
Vulnerabilities
| CVE | Severity |
|---|---|
| CVE-2025-30388 | High |
| CVE-2025-53766 | High |
| CVE-2025-47984 | High |
| CVE-2023-20198 | High |