🔒 Cybersecurity And Much More — Vol. 5 №2
Week of [April 10, 2025]
Your go-to newsletter for security, AI, breaches, tools, and insights — with zero fluff.
👋 Hey friends,
Hope your week’s been secure and your builds passed your CI/CD Security Checks. This edition is packed with:
- 🎯 Breach of the week
- 🧠 Critical CVE to patch
- ⚒️ Tools making noise
- 🤖 AI in cybersecurity
- 🔗 Links, and mindset
Let’s dive in 👇
🧨 Breach of the Week: Supply Chain Attacks do not care about your Risk Register Freshness 😉.
Notable data breaches reported during the week of April 5–12, 2025:
1. DBS Group and Bank of China (BoC) Singapore Branch
- Incident: A ransomware attack on Toppan Next Tech (TNT), a third-party printing and data vendor, compromised customer information belonging to DBS Group and BoC Singapore.
- Impact: About 8,200 DBS customers' statements and roughly 3,000 BoC Singapore customers' records, including names, addresses, and equity and loan holdings.
- Response: Both banks confirmed core systems and customer funds remain secure. Investigations continue with the Monetary Authority of Singapore (MAS) and Cyber Security Agency of Singapore (CSA).
2. Oracle Cloud
- Incident: Oracle told customers that an attacker obtained client credentials from a "legacy environment" it says was last used in 2017.
- Impact: The attacker, "rose87168", posted the data on a hacking forum, including records that appear to be far more recent than 2017.
- Response: Oracle maintains the breach was confined to Oracle Cloud Classic and did not touch its current Oracle Cloud Infrastructure.
3. Europcar Mobility Group
- Incident: A breach of Europcar's GitLab repositories exposed source code for its mobile apps along with customer information stored in the repositories.
- Impact: Up to 200,000 Goldcar and Ubeeqo customers’ names and email addresses potentially exposed.
- Response: Europcar is notifying affected customers and has informed data protection authorities.
4. State Bar of Texas
- Incident: INC ransomware group breached the State Bar of Texas.
- Impact: Unauthorized access between January 28–February 9, 2025, exposed legal case documents.
- Response: Organization offering affected members free Experian credit and identity theft monitoring.
5. Port of Seattle
- Incident: August 2024 ransomware attack disrupted port services and systems.
- Impact: Compromised data of 90,000 individuals, including names, birth dates, Social Security numbers, driver’s licenses, and some medical information of employees, contractors, and parking customers.
- Response: Port notifying affected individuals and strengthening security measures.
💬 My Take: Common themes show attackers targeting third-party vendors, exploiting legacy systems, and focusing on organizations with valuable personal and financial data. The breaches emphasize the need for robust vendor security assessments and legacy system security management.
🤯 Researchers are on Fire 🔥
Researchers Hack Source Code from Google Gemini
By: Roni “Lupin” Carta, Justin “Rhynorater” Gardner, Joseph “rez0” Thacker
🔍 Overview
At a bugSWAT live hacking event, researchers legally extracted internal binaries and .proto files from the Google Gemini Python sandbox, without breaking sandbox containment.
🧠 Key Findings
- The Entry Point: The team used legitimate API access from within the Python sandbox to download a 579MB internal binary.
- Dissection Tools: Using tools like binwalk, they decompressed and analyzed the binary.
- Discovered Inside: proprietary source code, the internal folder structure, Python scripts and .proto files used for RPC communication, and references to services like YouTube, Flights, Maps, and more.
- RPC Insight: They discovered that Gemini uses protobuf-based RPC over file descriptors to communicate with backend services, suggesting potential for privilege escalation with the right file handles.
⚙️ Impact
While no user data was accessed or exposed, the researchers successfully revealed sensitive internal implementation details and communication protocols behind Google Gemini — valuable intel in the wrong hands.
✅ Response
Google confirmed the issue, acknowledged the creativity of the approach, and authorized public disclosure after reviewing the report. The team received a bug bounty reward.
🧩 Takeaway
This research underscores how sandboxed environments can leak sensitive artifacts even without full breakouts, highlighting the importance of defense-in-depth and file permission hygiene in complex AI infrastructure.
🔗 Read more:
https://www.vulnu.com/p/researchers-hack-source-code-from-google-gemini
🔐 Critical CVE to Watch
🚨 Microsoft Windows — CLFS Driver Use-After-Free Vulnerability (CVE-2025–29824)
Microsoft has disclosed a use-after-free vulnerability (CWE-416) in the Windows Common Log File System (CLFS) driver, rated Important with a CVSS 3.1 score of 7.8.
A local, authenticated attacker can use it to elevate privileges to SYSTEM, and it was exploited as a zero-day in ransomware campaigns before the April 2025 Patch Tuesday fix shipped.
🔐 Action Required:
- Apply the latest mitigations from Microsoft
- Follow BOD 22–01 guidance for cloud environments
- Consider discontinuing use if mitigations are unavailable
📅 Date Added: April 8, 2025
🛑 Due Date for Remediation: April 29, 2025
🔗 References:
- Microsoft: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-29824
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29824
⚠️ CVE Alert: Linux Kernel — USB Audio Driver Out-of-Bounds Access (CVE-2024–53197)
A vulnerability in the Linux kernel's ALSA USB-audio driver allows out-of-bounds memory access (CWE-787) when a specially crafted USB device is connected; it was fixed upstream in December 2024 and has since been listed as exploited.
An attacker with physical access can exploit this flaw with a malicious USB device to corrupt kernel memory, escalate privileges, or execute arbitrary code.
🔍 Exploitation in Ransomware Campaigns: Unknown
📦 Impacts multiple open-source components and third-party products.
🛡️ Recommended Actions:
- Apply mitigations from your Linux vendor
- Follow BOD 22–01 guidance for cloud environments
- Discontinue use if mitigations are not feasible
📅 Date Added: April 9, 2025
🚨 Due Date: April 30, 2025
🔗 Additional Resources:
- Linux CVE Announcement: https://lore.kernel.org/linux-cve-announce/2024122725-CVE-2024-53197-6aef@gregkh/
- Android Security Bulletin: https://source.android.com/docs/security/bulletin/2025-04-01
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-53197
🚨 Apache Tomcat — Path Equivalence Vulnerability (CVE-2025–24813)
A path equivalence flaw in Apache Tomcat's default servlet lets remote attackers use partial PUT requests to write files they should not control, which can lead to information disclosure, content injection, or remote code execution. Exploitation needs the default servlet to have writes enabled (readonly set to false, which is not the default) and partial PUT support enabled (the default); the RCE path additionally needs Tomcat's file-based session persistence in its default location and a deserialization-vulnerable library on the classpath.
🔍 Related CWEs: CWE-44 (Path Equivalence: 'file.name' (Internal Dot)), CWE-502 (Deserialization of Untrusted Data)
🧨 Ransomware Activity: Unknown
📌 Recommended Actions:
- Upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 (or later); until then, keep the default servlet read-only, which is the shipped default
- Follow BOD 22–01 guidance for cloud environments
- If fixes are unavailable, consider discontinuing use of the product
📅 Date Added: April 1, 2025
🛑 Due Date: April 22, 2025
🔗 Resources:
- Apache Disclosure: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24813
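The preconditions above are checkable in a deployment descriptor. The following added example, which is not part of the newsletter or the Apache Tomcat project, parses a Tomcat web.xml and reports whether the default servlet has writes enabled and partial PUT allowed. The two web.xml fragments are constructed for the example; the readonly and allowPartialPut defaults follow the DefaultServlet documentation.

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tags of a namespaced web.xml."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the <servlet> whose class is Tomcat's DefaultServlet ({} if absent)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if DEFAULT_SERVLET not in classes:
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            fields = {_local(f.tag): (f.text or "").strip() for f in init_param}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def exposed_to_cve_2025_24813(web_xml: str) -> bool:
    """True when both exploitation preconditions hold: writes enabled and partial PUT allowed.

    Defaults follow the DefaultServlet docs: readonly=true, allowPartialPut=true.
    """
    params = default_servlet_params(web_xml)
    writes_enabled = params.get("readonly", "true").lower() == "false"
    partial_put = params.get("allowPartialPut", "true").lower() != "false"
    return writes_enabled and partial_put


# Constructed fragments for the example; a real deployment merges conf/web.xml with WEB-INF/web.xml,
# so run the check against both files.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>"
)

if __name__ == "__main__":
    # Usage: python check_tomcat_put.py conf/web.xml webapps/app/WEB-INF/web.xml
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, "EXPOSED" if exposed_to_cve_2025_24813(fh.read()) else "ok")
```

The check reports configuration preconditions only; a Tomcat below the fixed versions is still the thing to upgrade, and the RCE variant also depends on session persistence and classpath contents that web.xml does not reveal.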
🚨 CVE Alert: reviewdog/action-setup — Malicious Code in GitHub Action (CVE-2025–30154)
Malicious code was injected into the reviewdog/action-setup GitHub Action: its v1 tag was briefly repointed at a compromised commit in March 2025, so any workflow that referenced the action by tag during that window ran the attacker's code.
📦 This is a supply chain risk affecting a widely used open-source CI/CD tool.
🛠️ CWE-506: Embedded Malicious Code
🎯 Impact: Secrets available to the workflow were written to the job log, which anyone can read on a public repository.
⚠️ Used in ransomware campaigns? Unknown (but high risk due to automation environment)
🛡️ Recommended Actions:
- Follow CISA’s mitigation guidance
- Apply vendor patches
- Review and rotate exposed credentials
- Follow BOD 22–01 guidance for cloud environments
- Remove or disable the vulnerable action if no fix is available
📅 Date Added: March 24, 2025
🛑 Due Date: April 14, 2025
🔗 Additional References:
- GitHub Advisory: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-30154
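A tag such as v1 is a moving pointer, which is exactly how this compromise reached downstream workflows. The following added example, which is not from the newsletter or the reviewdog project, scans a workflow file for uses: references that are not pinned to a full 40-character commit SHA. The workflow text and the 40-hex placeholder SHA are constructed for the example.

```python
import re
import sys

# A `uses:` line in a workflow, quoted or not, e.g. `- uses: "owner/repo@ref"`; group 1 is the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Local composite actions and docker:// images are not pinned by commit SHA, so they are skipped.
SKIP_PREFIXES = ("./", "docker://")


def unpinned_actions(workflow_yaml: str) -> list:
    """Return (line number, reference) for every action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(SKIP_PREFIXES):
            continue
        _repo, _, version = ref.partition("@")   # version is "" when there is no @ at all
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed workflow for the example; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/build
"""

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.yml
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for lineno, ref in unpinned_actions(fh.read()):
                print(f"{path}:{lineno}: not pinned to a commit SHA: {ref}")
```

Pinning by SHA removes the moving tag, but the SHA must come from the upstream repository you audited, and a tool such as Dependabot should keep the pinned SHAs current so pinning does not turn into never updating.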
🚨 CVE Alert: Chromium Mojo Sandbox Escape Vulnerability (CVE-2025–2783)
A sandbox escape vulnerability has been discovered in Chromium's Mojo IPC layer on Windows, caused by an incorrect handle being provided in unspecified circumstances; it was exploited in the wild before the March 25, 2025 stable channel update fixed it.
This flaw affects multiple Chromium-based browsers, including:
🌐 Google Chrome
🧭 Microsoft Edge
🎭 Opera
…and potentially others.
⚠️ Ransomware activity? Unknown
🔐 Impact: A malicious page can escape the Chromium renderer sandbox and run code on the host outside it.
🛠️ Action Required:
- Apply the latest patches from Google and other browser vendors
- Follow BOD 22–01 guidance for cloud environments
- Discontinue use if mitigations are not yet available
📅 Date Added: March 27, 2025
📌 Due Date: April 17, 2025
🔗 More Info:
- Chrome Security Blog: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-2783
🛡️ Juniper Junos OS — Improper Isolation Vulnerability (CVE-2025–21590)
A new vulnerability has been disclosed in Juniper Junos OS that could allow local attackers with shell access to inject and execute arbitrary code due to improper isolation between system components.
🔍 CWE-653: Improper Isolation or Compartmentalization
📉 Impact: Threat actors with high privileges can escalate control within the system
⚠️ Ransomware activity? Unknown
📌 Action Steps:
- Apply security patches provided by Juniper
- Follow BOD 22–01 for guidance on mitigating risks in cloud or hybrid environments
- If mitigations are unavailable, consider limiting access or disabling affected systems
📅 Date Added: March 13, 2025
🛑 Remediation Due Date: April 3, 2025
🔗 More Info:
- Juniper Security Bulletin: https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-Bulletin-Junos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590?language=en_US
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-21590
🍏 CVE Alert: Apple WebKit Sandbox Escape (CVE-2025–24201)
An out-of-bounds write vulnerability (CWE-787) has been found in WebKit, the browser engine behind Safari and every browser on iOS and iPadOS; Apple says it may have been exploited in an extremely sophisticated attack against specific targeted individuals.
📉 Impact: Malicious web content may break out of the Web Content sandbox, potentially enabling remote code execution or unauthorized access.
💥 Affects:
- Apple Safari
- iOS, iPadOS, macOS
- Non-Apple products that rely on WebKit
🧠 Related CWE: CWE-787 (Out-of-Bounds Write)
⚠️ Ransomware activity? Unknown
🛡️ Action Required:
- Apply patches from Apple immediately
- Follow BOD 22–01 guidance for cloud use
- Consider disabling affected functionality if updates aren’t feasible
📅 Date Added: March 13, 2025
⏳ Due Date: April 3, 2025
🔗 Resources:
- Apple Security Updates: https://support.apple.com/en-us/122281
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24201
⚒️ Security Tool Spotlight
Scanning the OpenAI Cookbook with Kereva-Scanner
Kereva-Scanner is an open-source static analysis tool that scans LLM workflows for security and performance vulnerabilities. Unlike behavioral testing (“evals”), which only catches issues in specific test scenarios, Kereva-Scanner examines code structure to identify potential problems before deployment. Without executing your Python files and Jupyter notebooks, it analyzes three key areas:
- Prompt issues: Flaws in prompt construction — including improper XML tag handling, subjective language, lengthy lists, and inefficient caching. These issues often lead to higher API costs and inconsistent outputs.
- Chain issues: Data flow vulnerabilities, particularly inadequate user input sanitization, which can enable prompt injection attacks. These security gaps create significant risks in production environments.
- Output issues: Problems with output processing, such as unsafe execution practices and inadequate structured output validation, which can disrupt your application’s logic.
👉 Read more: https://www.kereva.io/articles/3
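To make the "chain issues" category concrete, here is an added example that is not Kereva-Scanner's code: a small AST-based taint check over Python source that flags model calls whose prompt includes user input that never went through a sanitizer. The source, sanitizer and sink names, and the sample program, are assumptions constructed for the example.

```python
import ast

# Constructed taint model for the example: where untrusted text enters, what cleans it,
# and which call names count as sending a prompt to a model.
TAINT_SOURCES = {"input", "get_json"}            # e.g. input(), request.get_json()
SANITIZERS = {"sanitize", "escape_prompt_input"}  # assumed project helpers
SINK_SUFFIXES = ("create", "generate", "invoke", "complete")
SINK_KEYWORDS = {"prompt", "messages", "input"}


def _call_name(call: ast.Call) -> str:
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _mentions(expr: ast.AST, names: set) -> bool:
    """True if any variable in `names` appears anywhere inside the expression."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(expr))


def _statements(body):
    """Yield statements in source order, descending into nested blocks."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, []))


def _calls(stmt):
    """Calls inside one statement, without descending into nested statement blocks."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call):
            yield node
        stack.extend(c for c in ast.iter_child_nodes(node) if not isinstance(c, ast.stmt))


def find_unsanitized_prompt_sinks(source: str) -> list:
    """Line numbers of model calls whose prompt carries user input that never passed a sanitizer."""
    tainted = set()
    findings = []
    for stmt in _statements(ast.parse(source).body):
        if isinstance(stmt, ast.Assign):
            value = stmt.value
            from_source = isinstance(value, ast.Call) and _call_name(value) in TAINT_SOURCES
            cleaned = isinstance(value, ast.Call) and _call_name(value) in SANITIZERS
            targets = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            if from_source or (_mentions(value, tainted) and not cleaned):
                tainted |= targets   # taint flows through f-strings, concatenation, dicts, ...
            else:
                tainted -= targets   # variable reassigned from clean data
        for call in _calls(stmt):
            if not _call_name(call).endswith(SINK_SUFFIXES):
                continue
            prompt_exprs = list(call.args) + [kw.value for kw in call.keywords if kw.arg in SINK_KEYWORDS]
            if any(_mentions(e, tainted) for e in prompt_exprs) and call.lineno not in findings:
                findings.append(call.lineno)
    return findings


# Constructed sample program: line 5 interpolates raw user input into the prompt, line 7 does not.
SAMPLE = """\
from openai import OpenAI
client = OpenAI()
question = input("Ask the assistant: ")
prompt = f"Answer the user's question: {question}"
client.chat.completions.create(model="gpt-4o", messages=[{"role": "user", "content": prompt}])
safe = sanitize(question)
client.chat.completions.create(model="gpt-4o", messages=[{"role": "user", "content": safe}])
"""

if __name__ == "__main__":
    print("unsanitized prompt sinks at lines:", find_unsanitized_prompt_sinks(SAMPLE))
```

The check is intraprocedural and name-based, so it misses input that arrives through function parameters or attribute access; the point is the shape of the analysis, which a real scanner extends with a richer source and sink model.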
🤖 AI in Security
😈 VirusTotal MCP Server
A Model Context Protocol (MCP) server that wraps the VirusTotal API, automatically gathers relationship data for each lookup, and plugs into MCP-compatible clients such as Claude Desktop. Two cautions before you wire it in: the API key sits in plaintext in the client's config file, so restrict that file's permissions, and anything the assistant can be talked into submitting goes to VirusTotal under your key.
Install it Manually
Install the server globally via npm:
npm install -g @burtthecoder/mcp-virustotal
Add to your Claude Desktop configuration file:
{
"mcpServers": {
"virustotal": {
"command": "mcp-virustotal",
"env": {
"VIRUSTOTAL_API_KEY": "your-virustotal-api-key"
}
}
}
}
Configuration file location:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json
- Windows:
%APPDATA%\\Claude\\claude_desktop_config.json
Restart Claude Desktop.
Github link: https://github.com/BurtTheCoder/mcp-virustotal
🧑🏻💻 Semgrep MCP Server
A Model Context Protocol (MCP) server that leverages Semgrep to scan code for security vulnerabilities. Level up your vibe coding with better security! 🔒
Model Context Protocol (MCP) is a standardized API that enables LLMs, agents, and IDEs (like Cursor, VS Code, and Windsurf) to access specialized help, gather context, and leverage powerful tools. Semgrep is a fast, precise static analysis tool that can understand many languages semantically and includes over 5,000 rules. 🛠
Getting started
Run the Python package as a CLI command using uv:
uvx semgrep-mcp # see --help for more options
Or, run as a Docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
Github link: https://github.com/semgrep/mcp
🧊 Kubectl MCP Server
A Model Context Protocol (MCP) server for Kubernetes that lets AI assistants, including Claude and Cursor, interact with clusters through natural-language commands. It runs with whatever kubeconfig the host process can read, so point it at a dedicated, least-privilege service account (read-only unless you really want the assistant applying changes) rather than your admin context.
Model Context Protocol (MCP) Integration
The Kubectl MCP Tool implements the Model Context Protocol (MCP), providing a standardized interface for AI assistants to interact with Kubernetes clusters. The architecture includes these key components:
- MCP Server: Handles and processes requests from MCP clients (AI assistants)
- Tools Registry: Manages Kubernetes operations through defined MCP tool schemas
- Transport Layer: Enables communication via stdio, SSE, and HTTP protocols
- Core Operations: Converts tool requests into Kubernetes API operations
- Response Formatter: Structures Kubernetes outputs into MCP-compatible formats
🔗 Github link: https://github.com/rohitg00/kubectl-mcp-server
🐋 Deepseek reportedly restricts employee travel
According to insiders, Deepseek employees working on AI models must surrender their passports and are restricted from traveling abroad freely. It remains unclear whether these restrictions originate from the company or Chinese authorities.
In Zhejiang province, home to Deepseek’s parent company, government officials now screen potential investors before permitting meetings with company management. These measures aim to prevent data leaks and unauthorized acquisitions.
These restrictions stand in stark contrast to Deepseek’s public image as an open-source champion and underdog promoting free access to AI models. Since its R1 breakthrough, the company’s prominence has grown substantially. CEO Liang Wenfeng receives invitations to meet with China’s leadership, while local governments integrate Deepseek’s open-source models into their infrastructure.
Questions remain about whether these new restrictions stem from Deepseek’s management or Chinese government directives. The scope of affected employees is also uncertain. Deepseek’s workforce consists of approximately 130 people, while its parent company High-Flyer, a hedge fund, employs about 200 people.
🧵 Links Worth Your Time
- Hands-On Artificial Intelligence for Cybersecurity: Implement smart AI systems for preventing cyber attacks and detecting threats and network anomalies. Link: https://a.co/d/dd4mWGG
- Machine Learning for Cybersecurity Cookbook: Learn how to apply modern AI to create powerful cybersecurity solutions for malware, pentesting, social engineering, data privacy, and intrusion detection. Link: https://a.co/d/3K6prZX
- OpenAI Academy: Master AI with a collection of lessons and hands-on tutorials. Link: https://academy.openai.com/home
💬 Quote of the Week
“Security is no longer just about control — it’s about context.”
🔁 Let’s Connect
👋 Want to talk security strategy, AI use cases, or risk reduction? DM me.
🔗 Follow me on LinkedIn: https://www.linkedin.com/in/seif-hateb
📨 Subscribe here: https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=6875131677169999872
If this helped, share with your team or post on LinkedIn. Appreciate the ❤