Also, Akira Ransomware Resumes Attacks Via SonicWall Flaws

Anviksha More (AnvikshaMore) •
September 11, 2025

Breach Roundup: Vidar Strikes Back
Image: Shutterstock/ISMG

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, the Vidar infostealer is badder than ever, the BlackDB admin pleaded guilty, Akira ransomware hackers resumed attacks on SonicWall flaws, and Microsoft shipped its Patch Tuesday updates. Also: a warning for British bankers, a Cursor flaw that lets hackers run code, a Brazilian dating app shut down, Kazakhstan state oil company KazMunayGas said it was running a training exercise and wasn’t hacked, Wealthsimple and Hello Gym data breaches, and a macOS backdoor that hid in plain sight for years.


Vidar Strikes Back

Vidar malware is better than ever at infecting Windows machines, warn security researchers who observed a new strain of the long-running cybercrime-as-a-service infostealer.

Designed to grab as much valuable information as it can from infected machines – including credentials, session cookies, cryptocurrency wallet files and saved credit cards – Vidar is one of a handful of infostealers that have dominated the cybercrime underground for years.

A new strain observed by Aryaka Threat Research Labs exhibits “heightened stealth and persistence through encrypted command-and-control (C2) channels, Abuse of Living-off-the-Land Binaries (LOLBins) and covert exfiltration methods.”

Infostealers mainly spread through social engineering: hackers send phishing emails or lace web downloads with the malware. The resulting credential theft has led to massive data breaches, including at data management platform provider Snowflake and at organizations across the U.S. defense sector, including military agencies (see: Infostealers Tied to Stolen AI and Defense Credentials).

Among the techniques deployed by Vidar’s newest iteration to avoid detection is disabling the Antimalware Scan Interface, or AMSI, a core Windows function that allows antivirus applications to scan scripts before execution, Aryaka researchers wrote. The malware sets the AmsiInitFailed flag to true, “effectively disabling AMSI checks and allowing malicious PowerShell code to run undetected.” It excludes its binary from Microsoft Defender scans. It additionally persists across reboots by configuring a scheduled task to execute a PowerShell script at user logon with a hidden window and a bypassed execution policy.
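The scheduled-task persistence described above leaves a distinctive fingerprint in the task definition that Windows records in Security event 4698 (TaskContent). The following detection check is an added example, not Aryaka's code; the task XML samples are constructed to mirror the pattern in the text, not real telemetry.

```python
"""Flag scheduled tasks matching the Vidar-style persistence pattern: a logon
trigger that starts PowerShell with a hidden window and a bypassed execution
policy. Input is the TaskContent XML from Security event 4698."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
HIDDEN = re.compile(r"-w(indowstyle|in)?\s+hidden", re.I)       # -w / -win / -WindowStyle hidden
BYPASS = re.compile(r"-e(xecutionpolicy|xec|x|p)?\s+bypass", re.I)  # -ep / -ex / -exec / -ExecutionPolicy bypass

def assess_task(task_xml: str) -> dict:
    """Return the matched indicators and a verdict for one TaskContent document."""
    root = ET.fromstring(task_xml)
    ex = root.find("t:Actions/t:Exec", NS)
    command = ex.findtext("t:Command", "", NS) if ex is not None else ""
    args = ex.findtext("t:Arguments", "", NS) if ex is not None else ""
    hits = []
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        hits.append("logon_trigger")
    if re.search(r"powershell|pwsh", command, re.I):
        hits.append("powershell")
    if HIDDEN.search(args):
        hits.append("hidden_window")
    if BYPASS.search(args):
        hits.append("execution_policy_bypass")
    # The technique needs all three pieces: runs at logon, via PowerShell, stealthily.
    suspicious = {"logon_trigger", "powershell"} <= set(hits) and (
        "hidden_window" in hits or "execution_policy_bypass" in hits)
    return {"command": command, "indicators": hits, "suspicious": suspicious}

# Constructed samples modelled on the pattern in the text (not real telemetry).
VIDAR_STYLE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\upd.ps1</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-09-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_doc in (("vidar_style", VIDAR_STYLE), ("benign", BENIGN)):
        print(name, assess_task(xml_doc))
```

In a SIEM the same logic runs over the TaskContent field of every 4698 event; pair it with alerts on Defender exclusion changes to catch the rest of the chain the text describes.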

Its developers also set up the malware to dynamically retrieve command-and-control addresses “from seemingly benign sources such as Steam and Telegram profiles.”

“Vidar poses a significant risk to both individual users and enterprise environments,” warns Aryaka.

BlackDB Illicit Marketplace Admin Pleads Guilty

A Kosovar national admitted in U.S. federal court that he was the driving force behind BlackDB.cc, an illicit marketplace active from 2018 through 2024 that sold compromised credentials, payment card data and personal data.

Liridon Masurica, 33, known online as @blackdb, pleaded guilty to one count of conspiracy to commit access device fraud after Kosovar authorities extradited him to Tampa, Florida, to face a six-count criminal indictment. His plea agreement shows the illicit marketplace facilitated at least $123,054 in sales of stolen data.

Masurica now faces a maximum of 10 years in federal prison, a potential fine of $250,000 and the prospect of paying out restitution to victims. A sentencing date has not yet been set.

Kosovar authorities arrested him on Dec. 12, 2024, following a U.S. grand jury indictment. He initially pleaded not guilty (see: Kosovar Man in Tampa Jail for Running Online Illicit Bazaar).

Akira Ransomware Resumes Attacks on SonicWall Flaws

Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability, CVE-2024-40766, along with SSLVPN misconfigurations to breach corporate networks, warns a Rapid7 advisory.

Ransomware attacks against SonicWall appliances were initially thought to exploit a zero-day when they resurfaced this summer. SonicWall clarified that the campaign was tied to the year-old vulnerability, a 9.8 CVSS-rated improper access control bug first disclosed in August 2024. It remains unpatched in many environments: more than 438,000 SonicWall devices are still exposed online.

The Akira and Fog ransomware gangs already used the vulnerability to hack into systems in campaigns running roughly from September to December 2024. SonicWall reported fewer than 40 confirmed cases during the most recent wave and linked many to legacy credential use during migrations from Gen 6 to Gen 7 firewalls.

Rapid7 warned that following SonicWall’s mitigation guidance may inadvertently create new risks if default LDAP group configurations remain enabled, allowing unauthorized users to access SSLVPN services. Attackers have also been seen exploiting public access to the Virtual Office portal hosted by SonicWall appliances, enabling them to configure MFA/TOTP if they already possess stolen credentials.

Rapid7 said it has already handled a double-digit number of incidents among its customers and expects broader industry impact if organizations do not act quickly.

Microsoft Patches 86 Vulnerabilities, Warns on Critical HPC Flaw

Microsoft published its September Patch Tuesday updates, addressing 86 security flaws across Windows and other products. None of the vulnerabilities are known to have been exploited in the wild, but eight carry an “exploitation more likely” rating, including issues in the Windows kernel, NTFS, TCP/IP driver, Hyper-V, NTLM and SMB.

The most severe bug fixed this month is CVE-2025-55232, a remote code execution vulnerability in the High Performance Compute Pack, with a CVSS score of 9.8 out of 10. Microsoft is urging customers to ensure HPC Pack clusters are placed behind firewalls and running in trusted networks, particularly securing TCP port 5999.

Other high-priority patches include two remote code execution flaws in routing and remote access service – CVE-2025-54106 and CVE-2025-54113; an RCE bug in SharePoint – CVE-2025-54897; a remote code execution vulnerability in Office – CVE-2025-54910; and a privilege escalation issue in SQL Server – CVE-2025-55227. Several of these vulnerabilities carry CVSS scores above 8.0 and are rated high severity.

Despite their potential impact, Microsoft’s exploitability assessments classify all of this month’s patched vulnerabilities – including the critical HPC Pack flaw – as “exploitation less likely” or “exploitation unlikely.”

Experts Warn British Financial Sector to Watch for Scattered Lapsus$ Hunters Attacks

The British financial sector is vulnerable to supply chain threats from hacking groups such as Scattered Lapsus$ Hunters, security experts told attendees at the Information Security Media Group Financial Sector Summit.

Scattered Lapsus$ Hunters, a band of adolescent native English-speaking hackers previously linked to breaches at Marks & Spencer, Co-op and Harrods, claimed responsibility for an attack on Jaguar Land Rover that halted the automaker’s production and distribution globally (see: Jaguar Land Rover Hackers Stole Data).

Speaking at the event on Thursday, William Dixon, senior associate fellow for cyber and international security at the Royal United Services Institute, described the incidents as “shocking,” adding that cybersecurity professionals and government authorities had “almost allowed them to happen.”

Dixon argued that the risk stems from the assumption that Russian-speaking groups pose the greatest threat to Western critical infrastructure. “Well, actually, we’ve got some homegrown cybercrime networks now, and that is different. It seems a missed opportunity where we’ve got threat actors causing millions of dollars of damage that are in jurisdictions where we can actually apprehend them,” he said.

The U.K. financial sector has so far avoided a Scattered Lapsus$ Hunters attack, but the incidents showcase how critical infrastructure vulnerabilities can disrupt supply chains, said Sam Goddard, regional information security officer for the U.K. and Europe at W.R. Berkley Corporation.

“The financial services industry will continue to be one of the most targeted and the most mature and the most regulated,” Goddard said.

Cursor Flaw Lets Hackers Run Code

A security weakness in the AI-powered Cursor code editor could enable malicious code to run automatically when a developer opens a project folder, researchers at Oasis Security warned.

Cursor is a popular fork of Visual Studio Code with over a million users. It disables VS Code’s Workspace Trust feature by default. Workspace Trust is designed to block automatic task execution without user consent; with it off, Cursor immediately runs tasks defined in a project’s .vscode/tasks.json file – even if the developer only intends to browse the code.

Attackers could exploit this behavior by adding malicious tasks to public repositories, enabling theft of API keys and credentials, modification of local files, or installation of malware, Oasis Security demonstrated in a proof-of-concept.

Unlike VS Code, which does not auto-run tasks by default, Cursor has stated it will keep auto-run enabled, arguing that Workspace Trust would break features users rely on, including AI integrations.

Cursor says it will soon update its documentation with security guidance. Oasis recommends that developers verify repositories before opening them, avoid globally exposing credentials, and use a different editor for untrusted projects.
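One way to act on the “verify repositories before opening them” advice is a pre-open audit of .vscode/tasks.json. This is an added example, not code from Oasis or Cursor; it assumes that auto-start tasks are marked the way VS Code documents them, with "runOptions": {"runOn": "folderOpen"}, and the sample tasks.json is constructed.

```python
"""Pre-open audit for a repository's .vscode/tasks.json: list every task an
editor may start automatically on folder open, with the command line it would
run, so the developer can inspect it before opening the folder in Cursor."""
import json
import re

def strip_jsonc(text: str) -> str:
    """tasks.json is JSON with comments; drop block comments and full-line // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return label, type and rendered command line of every folderOpen task."""
    doc = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": " ".join(p for p in parts if p),
        })
    return findings

def audit_file(path: str) -> list[dict]:
    """Audit a real .vscode/tasks.json read from disk."""
    with open(path, encoding="utf-8") as fh:
        return auto_run_tasks(fh.read())

# Constructed sample of a cloned repository's .vscode/tasks.json.
SAMPLE_TASKS_JSON = """{
  // constructed example; the "setup" task would start as soon as the folder opens
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""

if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {hit['label']!r} ({hit['type']}) would execute: {hit['command']}")
```

Run audit_file("path/to/repo/.vscode/tasks.json") on a freshly cloned project; an empty result means no task is marked to start on open, while any hit should be read before the folder is opened in an editor that auto-runs tasks.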

Brazilian Dating App Shuts Down After Security Flaw Exposes User Data

Brazilian lesbian dating app Sapphos went offline after a major security flaw exposed sensitive user information, including government ID selfies.

Launched in early September, Sapphos required users to verify their identity by uploading a selfie with an official ID. On Monday, independent researchers disclosed that the app’s API contained an insecure direct object reference vulnerability, allowing outsiders to access personal data and photos from other users’ accounts without authorization. Screenshots posted on social media showed names, birthdates and verification photos.

Facing growing criticism, the women-led development team deleted the entire database, took the app offline and notified roughly 17,000 users that their data had been erased. Refunds were issued for premium subscriptions, which cost up to $90, reported Brazilian media.

The company initially described the disclosure as an “attack,” possibly orchestrated by men, but later acknowledged a security oversight. Developers said they have reported the issue to Brazil’s cybercrime police and pledged to relaunch the app only after rebuilding its infrastructure, expanding the team and conducting more rigorous security testing.

Kazakh Oil Giant Denies Russian Hack, Calls It Drill

Kazakhstan state oil company KazMunayGas rejected claims by cybersecurity firm Seqrite that it was targeted by a Russian-linked hacking group, calling the indicators of malicious activity a planned internal security exercise.

Seqrite Labs reported Sept. 4 the discovery of “NoisyBear,” a group it said has been active since April, focusing on Central Asia’s energy sector. The firm said NoisyBear compromised a KazMunayGas finance employee’s mailbox in May and sent phishing emails disguised as corporate policy updates, salary changes and IT notices, containing malicious archives designed to deliver malware. Seqrite attributed the campaign to Russia, citing Russian language use, infrastructure from sanctioned hosting provider Aeza Group and similarities to past Moscow-linked attacks.

KazMunayGas disputes this account, telling Kazakh outlet Orda that the incident was a scheduled phishing simulation meant to test employee awareness. The company said some staff were informed in advance and the results were used to issue security recommendations. Russian cybersecurity expert Oleg Shakirov said that Seqrite’s own screenshots showed test accounts among recipients, reinforcing KazMunayGas’s version. Seqrite has not commented further.

Wealthsimple Breached

Canadian online investment platform Wealthsimple disclosed a data breach that exposed personal information of less than 1% of its three million customers. The Toronto-based fintech, which manages over $61 billion in assets, offers trading, cryptocurrency, tax filing and savings services across Canada.

The company said it detected the breach on Aug. 30 and confirmed that no customer funds were stolen and that passwords were not compromised.

Exposed data includes contact details, government-issued IDs submitted during onboarding, account numbers, IP addresses, social insurance numbers and dates of birth. Wealthsimple said the data was accessed for only a brief period before the issue was contained.

Wealthsimple has not disclosed the total number of impacted users or identified the compromised third-party software provider but says customer accounts remain secure.

Exposed Database Leaks 1.6 Million Gym Voicemails and Calls

A data exposure involving Hello Gym, a U.S. and Canadian communications platform for fitness centers, leaked 1.6 million audio files containing calls and voicemails tied to gym members. Security researcher Jeremiah Fowler discovered the unprotected and unencrypted storage during routine monitoring.

The files, stored in MP3 format, include personally identifying information such as full names, phone numbers and reasons for calls, including billing issues and membership renewals. The recordings date from 2020 to 2025.

Though some of the leaked recordings come from franchise gyms that used Hello Gym’s third-party communication tools, parent brands said they did not record customer calls themselves. The breach was traced back to a third-party contractor.

After the disclosure, the exposed repository was locked down within hours. It remains unknown how many people accessed the data before the issue was fixed or how long the repository was exposed.

Hello Gym provides lead management, VoIP, call tracking and outreach tools to gyms and fitness studios.

Modular Mac Backdoor ‘ChillyHell’ Hid in Plain Sight for Years

A modular macOS backdoor, dubbed ChillyHell, has been hiding in plain sight for years, said researchers at Jamf. Researchers from the Apple-focused cybersecurity firm wrote that in May they spotted a sample of the malware uploaded to VirusTotal – where it cleared detection tests from antivirus vendors.

The backdoor has actually been a known quantity since 2023, when Mandiant described it in a private report, Jamf wrote. The cyberthreat intel company said hackers deployed ChillyHell against a Ukrainian auto insurance website that government employees were required to use for official travel. Mandiant attributed the attack to a threat actor it tracks as UNC4487.

Despite its malicious nature, ChillyHell passed through an automated Apple review that bestowed the computing giant’s stamp of approval. “The sample is developer-signed and successfully passed Apple’s notarization process in 2021. Its notarization status remained active until these recent findings,” Jamf wrote.

The malware uses three different persistence mechanisms to cling to infected Mac computers. It can install itself as a LaunchAgent – or, if it obtains elevated privileges, as a LaunchDaemon. As a fallback mechanism, it can inject a launch command into “the appropriate shell configuration based on the user’s shell and home directory.”


With reporting from Information Security Media Group’s Gregory Sirico in New Jersey, Pooja Tikekar in Mumbai and David Perera in Northern Virginia.