Cyber News 03NOV2025
General
- Quick lessons from BlackBasta's breach (data exfil and ransomware) of UK Business Process Outsourcer (BPO) Capita, based on the UK Information Commissioner's Office (ICO) findings.
- There's a "bug" in Windows Shortcut (.lnk) files, exploited in "campaigns dating back to 2017", and it's still unpatched and still exploited today. (ZDI-CAN-25373 / ZDI-25-148 / CVE-2025-9491)
So, what's the magic "bug"? Pre-padding a field with whitespace, so that it looks empty.
- https://arstechnica.com/security/2025/10/two-windows-vulnerabilities-one-a-0-day-are-under-active-exploitation/
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html?cjdata=MXxOfDB8WXww&PID=100017430&SID=100098X1555750X4cec6e7befe415cc1b460bd10321db96&cjevent=ca4154cdb82811f080f4017e0a1cb828
- https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
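A defender-side check for the padding trick, as an added example that is not from the page or from any of the vendors linked above: it walks the MS-SHLLINK structures up to StringData, pulls out COMMAND_LINE_ARGUMENTS, and flags a shortcut whose arguments carry a long run of whitespace. The threshold, the helper names and the two sample shortcuts are constructed for this example.

```python
import re
import struct

# LinkFlags bits from MS-SHLLINK 2.1.1 (only the ones needed to reach StringData)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)
HEADER_SIZE = 0x4C
PAD_THRESHOLD = 16  # hypothetical tuning knob: genuine argument strings rarely carry this much whitespace

def parse_string_data(data: bytes) -> dict:
    """Return the StringData sections of a .lnk as {flag: text}, skipping the structures before them."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags sits after HeaderSize(4) + LinkCLSID(16)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (4 bytes) counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag in STRING_DATA_ORDER:                 # fixed order; each is CountCharacters + characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        strings[flag] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return strings

def scan_lnk(data: bytes) -> dict:
    """Flag a shortcut whose COMMAND_LINE_ARGUMENTS hides its real content behind whitespace padding."""
    args = parse_string_data(data).get(HAS_ARGUMENTS, "")
    # longest run of the whitespace characters the trick relies on (space, \t, \n, \v, \f, \r)
    pad = max((len(m) for m in re.findall(r"[ \t\n\v\f\r]+", args)), default=0)
    return {"suspicious": pad >= PAD_THRESHOLD, "padding": pad, "arguments": args.strip()[:80]}

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk (HasArguments|IsUnicode only) used here as offline sample input."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
    header = struct.pack("<I16sI", HEADER_SIZE, clsid, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

PADDED = build_sample_lnk(" " * 300 + "/c placeholder_payload.exe")  # constructed: padded arguments
BENIGN = build_sample_lnk("/c placeholder_payload.exe")              # constructed: same arguments, no padding
```

Run `scan_lnk()` over every `.lnk` pulled from mail attachments or archives; the `padding` count is what the Properties dialog hides.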
- MrICQ (part of the Jabber Zeus banking-trojan crew) is in US custody, after being indicted back in 2012!
- [AU] Federal court imposes an AU$5.8m fine on Australian Clinical Labs Limited (ACL), in relation to a data breach at MedLab Pathology following a Feb 2022 cyber-attack.
"$4.2 million for ACL's failure to take reasonable steps to protect personal information"
"$800,000 for ACL's failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred"
- https://www.hoganlovells.com/en/publications/landmark-civil-penalty-of-au58-million-issued-under-australias-privacy-act
- https://www.oaic.gov.au/news/media-centre/australian-clinical-labs-ordered-to-pay-penalties-in-relation-to-medlab-pathology-data-breach-in-first-for-privacy-act
- [AU] QANTAS Chief Customer and Digital Officer will step down in December.
- [RU] Rule #1 for operating in Russia - don't hack other Russians (or CIS members). Meduza Infostealer (not Medusa Ransomware) pays the price.
- https://www.bleepingcomputer.com/news/security/alleged-meduza-stealer-malware-admins-arrested-after-hacking-russian-org/
- https://therecord.media/meduza-stealer-malware-suspected-developers-arrested-russia
- https://www.theregister.com/2025/10/31/russia_arrests_three_meduza_cyber_suspects/
- https://www.bankinfosecurity.com/russian-police-bust-suspected-meduza-infostealer-developers-a-29901
- (Older) https://bi-zone.medium.com/stone-wolf-employs-meduza-stealer-to-hack-russian-companies-db3fd0e7af02
- Article 61 of the Russian Constitution: https://www.constituteproject.org/constitution/Russia_2014
A citizen of the Russian Federation may not be deported from the Russian Federation or extradited to another state.
Getting Techy
- USB-distributed crypto-currency miner ("Tangerine Turkey") - very retro.
- Analysis of an Android banking (and crypto-currency-wallet) trojan (bankbot-ynrk). Uses the Accessibility-service 'elevation' trick on pre-Android-14 devices.
- Two-faced binaries - run legitimate code on most systems, then switch to malicious code on target systems. Pretty sure a system like this has been used in the wild before.
Privacy
- Google wants AI Search to be more 'personal', by letting it read all of your data in Google services. Of course, it will have advertisements as well.
- [CZ] Airport facial-recognition system finally shut down, seven years after installation and four years after a complaint was filed with the Czech Data Protection Authority.
- [US] The CBP's 'Fortify' app (as used by ICE) performs facial and fingerprint recognition (tagged with location), to decide on legal residency. CBP have declared that their app trumps paperwork like a birth certificate. All photos, fingerprints and location data are stored for 15 years. Welcome to Oceania.
PS You can't refuse to be scanned.
- (404 Media) https://archive.is/6MLic
an apparent biometric match by Mobile Fortify is a ‘definitive’ determination of a person’s status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien
AI
- OpenAI investigates advertising to support its massive ($1tn) spending, tied to "a massive number of former Meta staff".
"ChatGPT has about 800 million users, but only 5% pay"
- https://www.bleepingcomputer.com/news/artificial-intelligence/openai-is-going-meta-route-as-it-considers-memory-based-ads-on-chatgpt/
- (The Information) https://archive.is/2uP2I
- (Financial Times - OpenAI Spending) https://archive.is/fNRGa