Cyber Victor – a leading blog on cyber security

Pennsylvania’s largest Workers and Teachers’ Union, PSEA, has exposed the personal information of over half a million individuals. PSEA is a labor union that represents public school teachers, higher education faculty members, school support staff, and retired educators across the Keystone State.

“PSEA experienced a security incident on or about July 6, 2024 that impacted our network environment,” the organization said in breach notification letters sent on March 17, 2025 to 517,487 individuals. “Through a thorough investigation and extensive review of impacted data which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.”

PSEA says the stolen information varies by individual and consists of personal, financial, and health data, including driver’s license or state IDs, social security numbers, account numbers and PINs, account usernames and passwords, security codes, payment card information, passport information, taxpayer ID numbers, health insurance and medical information.

While the workers and teachers’ union has not disclosed the threat actor’s identity, the Rhysida ransomware took credit for the PSEA data breach in September 2024 and listed the labor union on its data leak site.

A law firm is currently investigating whether affected individuals are entitled to compensation.

Read more about it here.

On March 9, 2025, threat intelligence firm GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. At least 400 IP addresses have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. The top countries receiving SSRF exploitation attempts during the surge were the US, Germany, Singapore, India, and Japan. GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location, either internally towards the organization’s network or externally to exfiltrate data. It is one of the OWASP Top 10 Application Security Risks.

Historical parallels: SSRF vulnerabilities played a key role in the 2019 Capital One breach, which exposed 100M+ records.

GreyNoise has identified active exploitation attempts against the following flaws:

• CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
• CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
• CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
• CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
• CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
• CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
• CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
• CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
• CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
• CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
• OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
• Zimbra Collaboration Suite SSRF Attempt (No CVE)

Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. They should also monitor for suspicious outbound requests by setting up alerts for any unexpected activity.

Read more about it here.

Meta has fired “roughly” 20 employees for leaking confidential information, The Verge reports.

“We tell employees when they join the company, and we offer periodic reminders, that it is against our policies to leak internal information, no matter the intent,” Meta spokesperson Dave Arnold told the publication. “We recently conducted an investigation that resulted in roughly 20 employees being terminated for sharing confidential information outside the company, and we expect there will be more. We take this seriously, and will continue to take action when we identify leaks.”

The move comes in response to a surge of news stories that shared leaked details about Meta’s internal meetings and undisclosed product plans, including a recent all-hands led by Meta CEO Mark Zuckerberg. Following the leaks, Meta warned employees that leakers would be fired.

Meta did non disclose any details about the content leaked.

Read more about it here.

Hipshipper, an international shipping platform used by sellers on eBay, Shopify and Amazon, accidentally exposed 14.3 million shipping labels with personal customer information. Researchers at Cybernews found the exposed data in December 2024, but it wasn’t fixed until January 2025. Hipshipper helps people ship packages to over 150 countries, offering tracking, free insurance and easy returns. The unprotected AWS bucket exposed shipping labels are important because they detail what’s inside the packages and where they’re supposed to go.

Cybernews researchers added: “Cybercriminals can exploit leaked data to orchestrate advanced scams and phishing attacks. For example, crooks may impersonate trusted businesses and distribute fraudulent messages that leverage specific order details to demand urgent verification of personal or financial information.” Sophisticated attackers could employ the details to impersonate businesses and lure sensitive information from customers. With shipping labels at hand, attackers could reference specific orders, adding credibility to otherwise fraudulent demands.

The leaked data included full names, home addresses, phone numbers and order details (dates of mailing, parcel information, etc.).

Read more about it here.

Online food ordering and delivery platform GrubHub suffered a data breach that exposed the personal information of drivers, merchants and customers.

“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team” the company said on Monday, February 3, 2025.

“We immediately terminated the account’s access and removed the service provider from our systems altogether.”

The following data was accessed, varying by individual: Names, email addresses and phone numbers, as well as partial payment card information for a subset of campus diners (card type and last four digits of the card number).

The threat actor also accessed hashed passwords for certain legacy systems, and the company rotated any passwords that was believed might have been at risk.

GrubHub has not disclosed whether it was targeted by a ransomware attack, and as of this writing, no known ransomware group has claimed responsibility.

Grubhub is a popular food-ordering and delivery platform with more than 375,000 merchants and 200,000 delivery providers using its platform in more than 4,000 US cities.

Read more about it here.

DeepSeek, the Chinese AI startup known for its DeepSeek-R1 LLM model, has publicly exposed two databases containing sensitive user and operational information.

Wiz Research discovered a publicly accessible ClickHouse database belonging to DeepSeek, containing over 1 million log entries, and exposing chat history, secret keys, and backend details.

“Within minutes, we found a publicly accessible ClickHouse database linked to DeepSeek, completely open and unauthenticated, exposing sensitive data. It was hosted at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000.” reads the report published by Wiz.

“This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details.” continues the report.

This exposure could have allowed full database control and potential privilege escalation within the DeepSeek environment, without any authentication.

After responsible disclosure, DeepSeek promptly secured the issue.

Read more about it here.

In February 2024, UnitedHealth subsidiary Change Healthcare suffered a massive ransomware attack, leading to widespread disruption to the US healthcare system. This disruption prevented doctors and pharmacies from filing claims and pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.

It was later discovered that the BlackCat ransomware gang, also known as ALPHV, was behind the attack. The threat actors used stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled. After breaching the network, the threat actors stole 6 TB of data and encrypted computers, causing the company to shut down IT systems and its online platforms for billing, claims, and prescription fulfillment.

In October 2024, UnitedHealth reported to the US Department of Health and Human Services Office for Civil Rights that the attack affected 100 million people. However, on January 24, 2025, UnitedHealth confirmed that the figure has nearly doubled to 190 million, which is 56% of the US population.

The Securities and Exchange Commission (SEC) Cybersecurity Disclosure rules require that public companies disclose material cybersecurity incidents within four business days of becoming alerted to them.

Despite these rules, companies have managed to take extensive time in investigating and addressing critical aspects of their breaches. In fact, it took Change Healthcare four months to notify customers of its incident, nine months to admit that 100 million people were affected, and nearly a year to update that figure to 190 million.

Read more about it here.

“On January 7, 2025, CrowdStrike identified a phishing campaign exploiting its recruitment branding to deliver malware disguised as an “employee CRM application.” The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website. Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig”, reads the report published by CrowdStrike.

The email tricks recipients by claiming they have been selected for a junior developer role and must join a recruitment call by downloading a CRM tool via an embedded link. The phishing message directs the victims to a malicious website that appears to offer download options for both Windows and macOS.

However, regardless of the chosen option, a Windows executable written in Rust is downloaded. The application serves as a downloader for XMRig. The CrowdStrike researchers noticed it uses evasion mechanisms, such as detecting whether an anti-malware tool is running. If these checks are passed, the executable displays a fake error message. Then executable proceeds to download additional payloads to achieve persistence and run the XMRig miner.

The company recommended avoiding any interviews carried out through instant message or email, and refusing to download any software for an interview. It also stressed the importance of verifying the authenticity of any CrowdStrike hiring communications by contacting recruiting@crowdstrike.com.

Read more about it here.

ShadowServer researchers reported that over 3.3 million POP3 and IMAP mail servers lack TLS encryption, exposing them to network sniffing attacks.

POP3 (Post Office Protocol 3) and IMAP (Internet Message Access Protocol) are two protocols used to access emails from mail servers.

With POP3, the e-mails are downloaded to the local device and often deleted from the mail server. With IMAP, emails remain on the server, with synchronized access across user devices.

TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a computer network. It is widely used to secure data transmitted over the internet, such as emails, web browsing, instant messaging, and file transfers.

ShadowServer scanned the internet for hosts running a POP3 service on port 110/TCP or 995/TCP without TLS support. Users connecting to these mail servers may be sending their credentials unencrypted, where they could be intercepted by adversaries.

“This means that passwords used for mail access may be intercepted. Additionally, service exposure may enable password guessing attacks against the server”, reads the post published by ShadowServer.

“If you receive this report from us, please enable TLS support for POP3 as well as consider whether the service needs to be enabled at all or moved behind a VPN.”

“We have started notifying about hosts running POP3/IMAP services without TLS enabled, meaning usernames/passwords are not encrypted when transmitted. We see around 3.3M such cases with POP3 & a similar amount with IMAP (most overlap).”

Read more about it here.

A massive cyberattack led the state of Rhode Island to take down its online portal used by residents to obtain social services such as SNAP and Medicaid benefits, as well as health insurance purchased through HealthSource RI.

The cyberattack began on December 5, 2024, when Deloitte, the developer and maintainer of RIBridges system, alerted state officials to suspicious activity. Initially, it was unclear whether sensitive data had been accessed. Over the following days, Deloitte implemented additional security measures while investigating the breach.

On December 10, hackers provided a screenshot of file folders as proof of their access, prompting Deloitte to confirm that the RIBridges system had been compromised. Further analysis revealed a high probability that the stolen files contained personally identifiable information (PII). By December 13, Deloitte identified malicious code within the system, leading the state to shut down RIBridges to mitigate further damage and begin remediation.

While the exact infiltration method is still under investigation, early findings suggest that the attackers exploited vulnerabilities in the system’s architecture, likely either through phishing emails targeting administrative accounts or through unpatched software weaknesses. The malware deployed by the cyber criminals enabled unauthorized access and allowed the attackers to exfiltrate data unnoticed for several days.

The FBI and other federal agencies are assisting in the investigation, while Deloitte works to remediate the vulnerabilities and restore RIBridges

Read more about it here.