At a glance.
- Scattered Spider hits airlines.
- Critical sudo flaw allows Linux users to gain root privileges.
- US Justice Department shutters suspected North Korean laptop farms.
- Cisco patches maximum-severity flaw in Unified Communications Manager.
- France describes hacking campaign targeting Ivanti appliances.
Scattered Spider hits airlines.
The US FBI is warning that the cybercriminal group Scattered Spider is launching extortion attacks against entities in the aviation sector, TechCrunch reports. The FBI says "anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk." Axios notes that executives from Google's Mandiant and Palo Alto Networks' Unit 42 have also warned of this targeting trend. Mandiant's CTO Charles Carmakal stated in a LinkedIn post, "Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting." The group has recently been targeting the retail sector and the insurance industry.
BleepingComputer cites sources as saying Scattered Spider was behind a recent attack against Canadian airline WestJet. The publication says the attackers compromised the airline's data centers and Microsoft Cloud environment by "performing a self-service password reset for an employee, which enabled them to register their own MFA and obtain remote access to the network through Citrix."
The Record cites incident responders as saying the threat actor was also behind last week's attack on Hawaiian Airlines.
Australian airline Qantas this week disclosed a data breach affecting up to 6 million customers, Reuters reports. The airline said a cybercriminal "targeted a call centre and gained access to a third-party customer servicing platform," which contained customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Qantas hasn't attributed the attack to any particular threat actor, but BleepingComputer notes that Scattered Spider typically gains initial access via social engineering attacks against organizations' help desks.
Critical sudo flaw allows Linux users to gain root privileges.
Researchers at Stratascale have discovered two elevation-of-privilege flaws affecting the Linux sudo utility, Infosecurity Magazine reports. One of the flaws has been assigned a CVSS score of 9.3. Patches were distributed last week, and administrators should ensure they've installed sudo 1.9.17p1 or later.
The more serious of the two flaws, CVE-2025-32463, was introduced in June 2023 with sudo v1.9.14, and can allow any local unprivileged user to escalate privileges to root. Stratascale explains, "The issue arises from allowing an unprivileged user to invoke chroot() on a writable, untrusted path under their control. Sudo calls chroot() several times, regardless of whether the user has a corresponding Sudo rule configured. Allowing a low-privileged user the ability to call chroot() with root authority to a writable location can have various security risks." The researchers found that "any local user can trick Sudo into loading an arbitrary shared object, resulting in arbitrary code execution as root."
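A version check an administrator can run against the patch guidance above, added here as an example (not code from the article, Stratascale or the sudo project); it assumes the first line of `sudo --version` reads "Sudo version X.Y.ZpN" and treats a version as affected when it is at least 1.9.14 and below 1.9.17p1, the range the text gives.

```python
"""Classify a sudo version against the CVE-2025-32463 affected range
(introduced in 1.9.14, fixed in 1.9.17p1, per the article above).

Added example, not from the original article, Stratascale or the sudo
project. The banner format "Sudo version X.Y.ZpN" is assumed from the
first line that `sudo --version` prints.
"""
import re
import subprocess
from typing import Optional, Tuple

INTRODUCED_IN = (1, 9, 14, 0)   # sudo 1.9.14, where the bug appeared
FIXED_IN = (1, 9, 17, 1)        # sudo 1.9.17p1, the patched release
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, plevel) from a banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    # A missing "pN" suffix counts as level 0, so 1.9.17 < 1.9.17p1.
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: Tuple[int, int, int, int]) -> bool:
    """True when the version lies in [1.9.14, 1.9.17p1)."""
    return INTRODUCED_IN <= version < FIXED_IN


def check_banner(banner: str) -> str:
    """Map a banner to 'affected', 'not_affected' or 'unknown'."""
    v = parse_sudo_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not_affected"


def check_local_sudo() -> str:
    """Run `sudo --version` on this host; 'unknown' if sudo is absent."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return "unknown"
    return check_banner(out.splitlines()[0] if out else "")
```

Distribution builds that backport the fix without bumping the upstream version will be reported as affected by this banner check, so confirm against the distribution's own advisory before acting on the result.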
US Justice Department shutters suspected North Korean laptop farms.
The US Justice Department announced raids against 29 laptop farms across 16 states in an operation targeting North Korea's fraudulent IT worker schemes. The operation resulted in the seizure of 29 financial accounts used for money laundering, 21 websites, and around 200 computers. The Justice Department also arrested a US citizen and indicted several Chinese, Taiwanese, and North Korean nationals in connection with the schemes.
The DOJ stated, "[C]ertain U.S.-based individuals enabled one of the schemes by creating front companies and fraudulent websites to promote the bona fides of the remote IT workers, and hosted laptop farms where the remote North Korean IT workers could remote access into U.S. victim company-provided laptop computers. Once employed, the North Korean IT workers received regular salary payments, and they gained access to, and in some cases stole, sensitive employer information such as export controlled U.S. military technology and virtual currency."
Cisco patches maximum-severity flaw in Unified Communications Manager.
Cisco has patched a maximum-severity vulnerability affecting the Engineering-Special (ES) builds of Cisco Unified Communications Manager or its Session Management Edition, the Register reports. The flaw, tracked as CVE-2025-20309, "could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted." Cisco notes that the vulnerability is "due to the presence of static user credentials for the root account that are reserved for use during development."
The company has released patches, noting that there's no workaround for the flaw.
France describes hacking campaign targeting Ivanti appliances.
France's cybersecurity agency, ANSSI, said yesterday that multiple government, utility, and private sector entities were hacked last year in a campaign targeting zero-days affecting Ivanti’s Cloud Service Appliance, the Record reports. ANSSI believes the campaign is connected to the China-based threat actor UNC5174, noting that the group may be an initial access broker. The agency says the threat actor "might correspond to a private entity, selling accesses and worthwhile data to several state-linked bodies while seeking its own interests leading lucrative-oriented operations."
The exploited vulnerabilities, which were disclosed last year, are tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.