ServiceStack RCE, VirtualBox Vulns, NAKIVO Flaw, and Infostealer Crackdown
TL;DR - INTERPOL reported broad infostealer infrastructure disruption, while ransomware and scam ecosystems continued to evolve. - Patch ServiceStack urgently, review VirtualBox and NAKIVO exposure, and watch for payment-card and credential theft fallout. - Priority is high for internet-exposed apps, backup servers, and high-value admin endpoints.
Top Stories
INTERPOL disrupts infostealer infrastructure across 26 countries
INTERPOL said authorities arrested 32 suspects and disrupted roughly 20,000 malicious IPs and domains linked to infostealer activity, with 79% of identified suspicious IPs reportedly taken down during Operation Secure (BleepingComputer).
So what? This is good news operationally, but defenders should not assume infostealer risk has materially disappeared. Large takedowns often create short-term churn: actors re-register domains, shift to alternate C2 infrastructure, or pivot distribution channels. If your organization has recent signs of credential theft, this takedown does not reduce the need for password resets, token revocation, and endpoint review.
What to do next - Review detections for browser credential theft, session cookie theft, and stealer-family behavior from the last 30 days. - Force resets for privileged accounts exposed on unmanaged endpoints. - Invalidate active sessions for SSO, VPN, cloud admin portals, and email where compromise is suspected. - Hunt for connections to newly registered domains and low-reputation IPs replacing disrupted infrastructure.
Anubis ransomware adds data wiping pressure tactic
The Anubis ransomware operation has reportedly added a wiping component to increase pressure on victims, expanding beyond standard encryption/extortion tradecraft (BleepingComputer).
So what? This changes recovery assumptions. Even if an organization has decryption or partial restoration options, a concurrent wiping action can damage systems and reduce post-incident recoverability. For defenders, this reinforces the need to validate offline and immutable backups, not just backup job success.
What to do next - Confirm that critical backups are offline, immutable, or otherwise resistant to attacker deletion and tampering. - Segment backup infrastructure from domain-joined user/admin zones. - Test bare-metal and application-level restores, not only file restores. - Prioritize EDR coverage on hypervisors, backup servers, and admin workstations.
Zero-day broker advertises up to $4 million for Telegram exploits
A Russian exploit acquisition firm is reportedly offering up to $4 million for Telegram exploits, including one-click RCE chains across Android, iOS, and Windows variants (BleepingComputer).
So what? This is not a confirmed in-the-wild exploit report, but it is a market signal. Large payouts suggest strong demand for high-reliability messaging-app compromise. Security teams supporting high-risk users should treat mobile messaging apps as high-value targets for espionage and account takeover.
What to do next - Ensure executives, journalists, legal staff, and other high-risk users are on fully updated devices. - Reduce the use of personal devices for sensitive business communications where possible. - Enroll managed mobile devices in MDM/MAM with rapid patch compliance reporting. - Prepare user guidance for unusual message behavior, unsolicited attachments, and account re-registration prompts.
BogusBazaar scam ecosystem scaled to 100,000 fake shopping sites
Researchers reported a scam service called BogusBazaar generated more than 100,000 fake shopping sites, using AI-generated content and social promotion to lure victims (BleepingComputer).
So what? For SMBs and brands, this is both a fraud and reputation problem. Employees may also be exposed through personal card use on work devices, leading to downstream fraud, phishing, and password reuse risk.
What to do next - Monitor for brand impersonation domains and fraudulent storefront clones. - Alert users to avoid entering payment details on unfamiliar stores reached via ads or social links. - Encourage card alerts and unique passwords for consumer shopping accounts. - If your brand is abused, document malicious domains and work takedown channels quickly.
GitHub launches security campaigns for coordinated remediation
GitHub introduced a security campaigns feature designed to help teams remediate multiple vulnerabilities across repositories in a coordinated way, with integration into GitHub Advanced Security and Copilot Autofix workflows (BleepingComputer).
So what? For teams already using GitHub’s security tooling, this could reduce remediation drift across large codebases. The practical value is governance: bundling related findings, tracking progress, and nudging owners toward closure.
What to do next - Group internet-exposed and auth-related findings into campaign-based remediation waves. - Tie campaign completion to sprint or release gates for critical repositories. - Validate any AI-assisted fixes with code review and regression testing. - Use this as a forcing function to retire stale vulnerable dependencies.
Alleged Scattered Spider member extradited to the U.S.
A 23-year-old Scottish teacher accused of assisting the Scattered Spider cybercrime group has been extradited to the United States to face charges tied to phishing, wire fraud, and identity theft activity (BleepingComputer).
So what? This is another reminder that social engineering remains central to financially motivated intrusions. Help desk impersonation, SIM swaps, MFA fatigue, and identity-centric attacks still deserve top billing in enterprise defense programs.
What to do next - Revisit help desk identity proofing procedures. - Block weak MFA factors where feasible and tighten recovery flows. - Monitor for impossible travel, MFA resets, and abnormal enrollment of new authenticators. - Run targeted awareness training for support staff and identity admins.
Poland reports cyber incidents ahead of election
A Polish minister said foreign hackers were linked to around five cyber incidents before the election, highlighting ongoing concern over digital interference around democratic events (Reuters).
So what? Election-adjacent periods often bring phishing, website defacement, DDoS, data leaks, and influence operations. Even private-sector organizations may be affected if they support media, logistics, public services, or political communications.
What to do next - Raise monitoring for public-facing assets and VIP accounts during politically sensitive periods. - Validate DDoS protections and external DNS change controls. - Review takedown and crisis-communications playbooks. - Increase scrutiny of spearphishing aimed at executives and communications teams.
Texas city notifies 12,000 over possible payment card compromise
The city of Mission, Texas, warned about 12,000 individuals that payment card data may have been exposed after a cyberattack affecting payment processing systems (BleepingComputer).
So what? Municipal and SMB payment environments remain attractive targets because they often combine legacy systems, thin staffing, and broad citizen/customer exposure. If your organization processes payments, segmentation and PCI-focused logging should be immediate review points.
What to do next - Verify cardholder data environment segmentation from general user networks. - Review payment processor integrations, web skimmers exposure, and log retention. - Confirm incident notification workflows and legal/regulatory contact lists. - Hunt for anomalous access to payment systems and admin panels.
Critical Vulnerabilities
CVE-2025-4636 : ServiceStack Framework insecure deserialization RCE
- Severity: Critical, CVSS 9.8
- Affected: ServiceStack Framework before 8.9.3
- Condition: Exploitation is possible when
EnableJsConfigis enabled or when a non-defaultTypeAttrsetting is used - Impact: Unauthenticated remote code execution
- References: NVD, ServiceStack forum advisory, ServiceStack security alert
This is the most urgent item in today’s vulnerability set because it is network-reachable and unauthenticated under exposed conditions.
Immediate defender action
1. Identify every internet-facing or partner-facing application using ServiceStack.
2. Upgrade to 8.9.3 or later.
3. Check whether EnableJsConfig is enabled or TypeAttr is customized.
4. Add compensating controls now if patching is delayed: WAF rules, IP allowlists, endpoint isolation, and request pattern monitoring.
Technical Notes
Quick version checks
find /var/www /opt /srv -type f ( -name "*.deps.json" -o -name "*.runtimeconfig.json" -o -name "*.dll" ) 2>/dev/null | grep -i servicestack
grep -RniE "EnableJsConfig|TypeAttr|JsConfig" /var/www /opt /srv 2>/dev/null
Example config review target
JsConfig.Init(new Config {
// Review whether custom type metadata handling is enabled
TypeAttr = "$type"
});
// Review if JSV config endpoints or parsing behavior are exposed
Plugins.Add(new PostmanFeature());
SetConfig(new HostConfig {
EnableFeatures = Feature.All
});
What to look for in logs - Unexpected requests containing JSV payload markers - Abnormal POST bodies to ServiceStack endpoints - Process creation from the app worker identity - Child shell or scripting engine execution from the application process
Example Linux triage
ps -ef --forest
journalctl -u your-app.service --since "24 hours ago"
grep -RniE "cmd.exe|powershell|bash -c|curl |wget " /var/log 2>/dev/null
CVE-2025-30662, CVE-2025-30669, CVE-2025-30671 : Oracle VM VirtualBox local compromise flaws
- Severity: High, CVSS 8.8
- Affected: Oracle VM VirtualBox 7.1.4 through 7.1.8 and prior to 7.0.28
- Access required: Local, low-privileged attacker with logon/local access
- Impact: Product compromise or complete takeover
- Reference: Oracle CPU advisory
These are important in developer endpoints, labs, training environments, and shared admin jump hosts where VirtualBox is installed. They are not remote unauthenticated bugs, so prioritize based on endpoint exposure and local-user trust boundaries.
Immediate defender action - Inventory VirtualBox installations on admin and developer systems. - Update affected versions per Oracle guidance. - Limit local access on systems hosting sensitive VMs. - Review whether VirtualBox is present on shared workstations or privileged jump boxes where it may not be needed.
Technical Notes
Windows inventory
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Where-Object { $_.DisplayName -like "*VirtualBox*" } |
Select-Object DisplayName, DisplayVersion, Publisher
Linux inventory
VBoxManage --version 2>/dev/null || virtualbox --help 2>/dev/null | head
dpkg -l | grep -i virtualbox
rpm -qa | grep -i virtualbox
Containment guidance - Remove unnecessary local admin rights. - Restrict interactive logon to systems that host sensitive guest VMs. - Audit developer images and VDI pools for outdated VirtualBox packages.
CVE-2025-49091 : NAKIVO Backup and Replication path traversal/file disclosure
- Severity: High, CVSS 8.6
- Affected: NAKIVO Backup and Replication before 11.0.0.88174
- Impact: Absolute path traversal and sensitive file disclosure; advisory notes potential full takeover when chained with another issue
- References: watchTowr analysis, NAKIVO release notes
Backup infrastructure should always be treated as Tier-0 adjacent. Even a file disclosure flaw can expose credentials, configuration secrets, or paths useful for lateral movement and destructive actions.
Immediate defender action - Upgrade to 11.0.0.88174 or later. - Restrict management interfaces to trusted admin networks or VPN-only access. - Review logs for suspicious file access patterns and requests referencing traversal strings. - Rotate credentials stored or used by the backup platform if compromise is suspected.
Technical Notes
Basic exposure checks
nmap -sV -p 80,443 <nakivo-server>
curl -k -I https://<nakivo-server>/
Hunting indicators
- Requests containing ../, URL-encoded traversal sequences, or unusual path arguments
- Access to configuration, credential, or key material outside expected backup workflows
- New admin users, changed repository settings, or altered retention/immutability policies
Example grep for traversal artifacts
grep -RniE "\.\./|%2e%2e%2f|%2e%2e/" /var/log /opt/nakivo 2>/dev/null
What Defenders Should Do Today
1) Patch based on exploitability, not only score
Today’s list includes both a likely top-priority internet-exposed RCE and several local-compromise issues. Triage accordingly:
- Patch first: ServiceStack instances vulnerable to CVE-2025-4636
- Patch next: Internet-reachable or weakly segmented NAKIVO servers
- Patch by endpoint risk: VirtualBox on shared/admin/developer systems
A simple order-of-operations model: 1. Internet-facing unauthenticated paths 2. Backup and recovery infrastructure 3. Identity and admin endpoints 4. Developer and lab virtualization hosts
2) Assume infostealer exposure creates identity risk
Even with law enforcement disruption, stolen credentials, browser cookies, and session tokens remain a practical enterprise threat.
Minimum response - Reset passwords for users with signs of stealer infection - Revoke refresh tokens and invalidate active sessions - Re-enroll MFA for high-risk users if device compromise is suspected - Review saved credentials in browsers on corporate endpoints
3) Validate backup survivability against modern ransomware
Anubis adding a wipe capability is a reminder that “backup exists” is not the same as “recovery works.”
Checklist - Immutable copies enabled - Offline copies validated - Admin access separated from production identity - Restore tests documented in the last quarter - Hypervisor and backup admin actions logged centrally
4) Tighten help desk and user-verification controls
With continued pressure from identity-focused criminal groups, support workflows remain a weak point.
Priority controls - Require strong identity verification before MFA resets - Flag high-risk account changes for secondary review - Limit who can enroll new authenticators - Alert on password resets followed by unusual VPN or cloud logins
Technical Notes
Sample SIEM queries to adapt
Suspicious process creation from web apps
process_name IN ("cmd.exe","powershell.exe","bash","sh","wscript.exe","cscript.exe")
AND parent_process_name IN ("dotnet","w3wp.exe","java","nginx","apache2")
Traversal attempts against backup/admin apps
url CONTAINS "../"
OR url CONTAINS "%2e%2e%2f"
OR http_request_body CONTAINS "../"
MFA reset followed by risky login
event_type = "mfa_reset"
FOLLOWED BY event_type = "login_success"
WITHIN 2h
AND (geo_anomaly = true OR new_device = true OR privileged_account = true)
Bottom Line
The operational picture today is straightforward: one critical network-reachable application flaw, several important infrastructure bugs, and continued evidence that financially motivated and fraud-driven ecosystems are scaling efficiently. For most teams, the best use of time today is to patch exposed ServiceStack and NAKIVO systems, review VirtualBox footprint, and harden identity and backup controls against stealer and ransomware fallout.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.