Clop Linked to Breach Involving Korean Air Vendor

Also: Updates on China-Linked APT Hijack, Condé Nast Data Breach, La Poste Cyberattack


Each week, the Information Security Media Group provides a roundup of global cybersecurity incidents. This week, a breach linked to Clop exposed data of about 30,000 Korean Air employees, while a China-affiliated APT group hijacked software updates to disseminate malware. Additionally, a critical zero-day vulnerability remains unpatched, a Condé Nast intrusion resulted in significant user data exposure, pro-Russian hacktivists disrupted services for France’s postal operator, and an extradition involved a suspect tied to a long-standing malware operation.


Korean Air Reports Breach of 30,000 Employee Records Following Vendor Cyberattack

Recent communications from Korean Air indicate that a security incident at KC&D Service, a vendor previously associated with the airline, compromised sensitive data belonging to approximately 30,000 employees.

The airline’s internal memo revealed that this former subsidiary, divested in December 2020, was attacked by external hackers who gained unauthorized access to a server housing employee information. Leaked details reportedly include names and bank account numbers, as confirmed by Korea JoongAng Daily.

Security analysts tracking the group’s wider activity link this incident to a broader extortion campaign run by the Russian-speaking Clop ransomware group. Clop has been exploiting critical zero-day vulnerabilities in Oracle’s E-Business Suite, specifically CVE-2025-61882 and CVE-2025-61884, to gain unauthorized remote access and exfiltrate data. These vulnerabilities allowed the group to siphon sensitive data from numerous organizations before security patches were deployed.

Clop is known for exploiting such zero-day vulnerabilities against high-profile victims, which lets it breach large numbers of companies in a short span of time.

In November, Clop took responsibility for the KC&D breach, incorporating Korean Air into its data leak platform, indexing stolen data alongside breaches affecting prominent entities such as Harvard University and The Washington Post.

Evasive Panda Employs Software Updates to Install MgBot Malware

Evasive Panda, a China-linked advanced persistent threat group, has compromised legitimate software update mechanisms to deploy a custom backdoor known as MgBot, according to recent findings by Kaspersky. The operation, active between November 2022 and November 2024, used DNS poisoning and man-in-the-middle techniques to redirect legitimate update requests to attacker-controlled servers.

Victims, unknowingly directed to malicious IP addresses, retrieved harmful installers instead of authentic updates. The targeting included update channels for popular platforms such as SohuVA and iQIYI, along with IObit Smart Defrag and Tencent QQ applications.

MgBot was deployed through a multi-stage execution chain that included DLL sideloading via a signed executable and injection into processes such as svchost.exe. The malware maintains persistence, communicates with its command-and-control servers over encrypted channels, and relies on in-memory execution to evade detection. Analysis suggests that each intrusion was tailored to its victim, indicating targeted rather than opportunistic activity. Infections occurred predominantly in China, India, and Turkey.

Evasive Panda, also known by aliases such as Daggerfly and StormBamboo, has been operational since 2014, and security experts suggest that the group is adept at rapidly adapting its toolkit in response to external scrutiny.

Severe Zero-Day Vulnerability Found in XSpeeder SXZOS Firmware

Security experts have revealed a critical zero-day vulnerability tagged as CVE-2025-54322 within the XSpeeder SXZOS firmware, affecting over 70,000 routers and SD-WAN devices globally. This vulnerability exists within the product’s web interface and allows for remote code execution with root privileges without requiring authentication.

The flaw stems from unsafe use of Python’s eval() function in the product’s Django-based web authentication code, which can be abused to execute arbitrary Python code. Numerous proof-of-concept exploits have surfaced on platforms such as GitHub, amplifying the risk of widespread exploitation.

This vulnerability has received a critical CVSS score of 10.0 and remains unpatched at the time of disclosure. Researchers have attempted to notify XSpeeder about the issue for several months, yet there has been no official response or security advisory issued.
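The bug class behind this flaw, eval() applied to request data, shown beside a hardened parser. This is an added illustration, not XSpeeder’s or Django’s code; the credential-object shape and field limits are assumptions.

```python
# Added example (not XSpeeder's or Django's code): eval() on request data,
# the pattern described above, beside a hardened parser. The request shape
# (a JSON object with username and password) is an assumption.
import json

def parse_credentials_unsafe(raw: str) -> dict:
    """Vulnerable pattern: eval() turns a request string into a dict.
    Any Python expression in `raw` runs with the web server's privileges."""
    return eval(raw)  # deliberately unsafe, for illustration only

def parse_credentials_safe(raw: str) -> dict:
    """Hardened pattern: decode as JSON, then validate shape and types.
    json.loads never executes code; validation rejects anything unexpected."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("credentials must be a JSON object") from exc
    if not isinstance(data, dict) or set(data) != {"username", "password"}:
        raise ValueError("credentials must contain exactly username and password")
    if not all(isinstance(v, str) and 0 < len(v) <= 256 for v in data.values()):
        raise ValueError("username and password must be non-empty strings")
    return data

def safe_rejects(raw: str) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        parse_credentials_safe(raw)
    except ValueError:
        return True
    return False

# Constructed inputs: a benign literal, and a value containing a Python
# expression (a harmless stand-in for arbitrary code). eval() computes the
# expression; the JSON parser rejects the whole request instead.
GOOD = '{"username": "alice", "password": "s3cret"}'
EXPR = '{"username": "alice", "password": str(1+1)}'

if __name__ == "__main__":
    print("unsafe:", parse_credentials_unsafe(EXPR))   # expression evaluated
    print("safe rejects expression:", safe_rejects(EXPR))
```

In a real Django view the fields arrive as plain strings via request.POST or a form class, so there is no reason to evaluate request data at all.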

Data Breach at Condé Nast Exposes 2.3 Million Wired User Records

A perpetrator operating under the alias “Lovely” has leaked 2.3 million user records from Wired magazine following a breach of Condé Nast’s systems. The actor claimed to be a vulnerability reporter, yet their actions, as described by a data breach blogger, deviated from responsible disclosure practices.

Lovely initially claimed to have downloaded only a limited dataset as proof of the vulnerability. However, the actor later published the dataset on several underground forums, exposing email addresses and usernames, with some records also containing personal details such as full names and physical addresses.

The hacker asserted possession of data from a centralized Condé Nast database containing up to 40 million user records from other publications, including Vogue and The New Yorker, while threatening further leaks. As of now, Condé Nast has not publicly validated the breach’s extent.

DDoS Attack on French Postal Operator Claimed by Pro-Russian Hacktivist Group

The hacktivist group NoName057(16) has taken responsibility for a cyberattack that hindered digital services at La Poste, France’s national postal operator, and its banking arm, La Banque Postale. The attack commenced on December 22, disrupting various online services during a busy shipping period.

Despite these disruptions, La Poste confirmed that physical mail and parcel deliveries continued unhindered, with all digital services restored shortly thereafter. NoName057(16) is recognized for executing DDoS attacks through its “DDoSia” project, organizing efforts via Telegram while incentivizing participation through cryptocurrency.

The group typically targets organizations it perceives as hostile to Russian interests, including government sites and media outlets in Ukraine and NATO countries. Following its assessment of the incident, La Poste stated that customer and employee data were not compromised.

Lithuanian Hacker Extradited to South Korea Over KMSAuto Malware Scheme

In collaboration with Interpol, the Korean National Police Agency apprehended a 29-year-old Lithuanian national accused of distributing malware that siphoned cryptocurrency from infected systems worldwide. The suspect allegedly embedded malicious code in the widely used KMSAuto Windows activation tool, which was downloaded approximately 2.8 million times between April 2020 and January 2023.

Upon installation, the malware manipulated cryptocurrency wallet addresses, redirecting funds unlawfully to the hacker’s accounts. Investigators tracked nearly 3,100 wallet addresses involved in over 8,400 fraudulent transactions, with estimated thefts amounting to around 1.7 billion Korean won.

The investigation began after a victim reported a bitcoin transfer to an unintended destination; the malware had replaced the intended recipient address during the transaction, a technique known as clipboard hijacking. Experts caution that such malware is particularly effective for cryptocurrency theft because transactions are irreversible and a substituted address is easily overlooked.
