Recent Cybersecurity Incidents: A Deep Dive into Breaches and Threats

This week, Information Security Media Group reports several significant cybersecurity incidents: a breach at a Korean Air vendor attributed to the Clop ransomware group, a China-linked APT campaign that hijacked software update channels, an unpatched zero-day vulnerability in XSpeeder firmware, and a major data leak at Condé Nast. In addition, pro-Russian hacktivists disrupted online services at France's postal operator, and a Lithuanian hacker was extradited to South Korea over a cryptocurrency-stealing malware scheme.
Korean Air Vendor Breach Exposes 30,000 Employee Records
Korean Air disclosed a breach that compromised sensitive information of approximately 30,000 employees, resulting from a cyberattack on KC&D Service, its former in-flight catering subsidiary. The attacker gained unauthorized access to servers containing employee details, including names and bank data, as stated in a notice shared with employees.
This incident is part of a broader extortion campaign believed to be conducted by the Clop ransomware group, which is known for exploiting zero-day vulnerabilities in widely deployed systems such as Oracle E-Business Suite. Analysis indicated that the attackers achieved remote code execution by exploiting two critical vulnerabilities tracked as CVE-2025-61882 and CVE-2025-61884. Clop's previous operations have repeatedly targeted widely used enterprise software, allowing the group to compromise many organizations in a short time.
Evasive Panda Exploits Software Updates to Distribute MgBot Malware
A sophisticated group referred to as Evasive Panda has been abusing compromised software update channels to deploy a custom backdoor known as MgBot. Security reports indicate that between November 2022 and November 2024 the group used DNS poisoning and adversary-in-the-middle techniques to intercept legitimate software update requests and redirect them to attacker-controlled servers.
The attacks focused on popular applications and platforms such as SohuVA and iQIYI Video, and relied on DLL sideloading and process injection to install the malware stealthily. The malware established persistence and communicated with its command-and-control servers over encrypted channels, demonstrating mature operational security. The narrow targeting indicates a deliberately organized campaign rather than opportunistic intrusion.
Critical Zero-Day Vulnerability Discovered in XSpeeder Firmware
Researchers have identified a severe unauthenticated zero-day vulnerability in XSpeeder's SXZOS firmware that puts more than 70,000 devices worldwide at risk. The flaw, cataloged as CVE-2025-54322, allows attackers to execute code remotely with root privileges through the device's web interface.
The vulnerability stems from inadequate safeguards in the Django-based authentication mechanism, which lets attackers inject malicious code via crafted HTTP requests. Although the researchers have been attempting to notify XSpeeder for more than seven months, no public security advisory has been issued, so the flaw remains unpatched and the risk ongoing.
2.3 Million User Records Exposed Following Breach at Condé Nast
In a troubling incident, 2.3 million user records from Wired magazine were leaked by an attacker known as "Lovely" following an intrusion into Condé Nast's systems. The attacker initially presented the intrusion as a vulnerability report, but the data was subsequently exposed on underground forums.
The leaked data, reportedly current as of September, includes email addresses, usernames and, in some cases, full personal information. The attacker also claimed access to a broader database containing up to 40 million records from various Condé Nast publications and threatened further disclosures.
Pro-Russian Hacktivists Disrupt Services at La Poste
The pro-Russian group NoName057(16) has claimed responsibility for a DDoS attack that knocked out online services at La Poste, France's national postal service, during a critical period for its online operations. The attack began on December 22 and caused widespread disruption of digital services, although physical mail delivery was reportedly unaffected.
NoName057(16) is known for its DDoS campaigns, which it runs through the "DDoSia" project, a crowdsourced platform that rewards participants with cryptocurrency. La Poste stated that no customer data was compromised, which is consistent with the group's usual focus on service disruption rather than data theft.
Lithuanian Hacker Extradited for KMSAuto Malware Distribution
A 29-year-old Lithuanian national was extradited to South Korea, accused of embedding malicious code in KMSAuto, an unofficial Windows activation tool. The malware reportedly siphoned cryptocurrency from infected systems worldwide; with an estimated 2.8 million downloads, it caused significant financial losses.
The malware's clipboard hijacking routine replaced wallet addresses copied by victims with the attacker's own address, silently redirecting cryptocurrency transfers to the attacker's wallet. The case raises serious concerns about the trustworthiness of such widely used utilities and underscores the need for vigilance when downloading unofficial tools.