Advisory ID: NCC-CSIRT-2025-011

Summary: 

Security experts have discovered an ongoing scam where fake online ads trick people into downloading bogus software. Instead of the real program, they get PS1Bot, a hidden tool that runs mostly in memory, so it is harder to detect. Once installed, it can stay on the computer, steal information, record keystrokes, take screenshots, spy on activity, and give hackers long-term remote access. This attack has been active all through 2025 and is still happening. 

Damage/Probability: High/Critical

Product(s): 

Windows-based Devices

Version(s): 

All version of Windows endpoints where users browse the web and can execute PowerShell

Platform(s): 

Windows OS

Description: 

Hackers are running an online ad scam where fake ads appear in search results. These ads lead people to websites that appear to offer popular software, but the downloads are infected.

When someone installs the fake program, a hidden tool called PS1Bot secretly runs in the background without leaving obvious files on the computer, making it harder for antivirus software to spot.

Once inside, PS1Bot can:

• Stay on the computer even after a restart.
• Steal saved passwords, browser data, and files.
• Record every key you press and take screenshots.
• Scan the computer and network to learn more about the target.
• Allow hackers to control the computer from far away and install other tools later.

Because it works mostly in memory and can change what it does over time, it is very hard to detect. This attack has been going on all through 2025, and it is still active. 

Impacts: 

1. Theft of sensitive information, including credentials and corporate data.
2. Potential foothold for ransomware or broader network compromise.
3. Increased risk where PowerShell execution is unrestricted and ad filtering is absent.

Solutions: 

• PS1Bot spreads through fake ads; stop it with technical defences and user awareness (education).
• Avoid clicking suspicious ads.
• Do not install software via ads; only install software from pre-approved sources (vendor portals, package managers, internal repositories).
• Only download software from official websites.
• Disable third-party cookies where possible; limit ad exposure using enterprise controls; enforce safe-browsing features.
• Block risky scripts like PowerShell if you do not need them.

• Treat malvertising/SEO-poisoning as a primary initial-access vector in phishing programs.

References:

• https://blog.talosintelligence.com/ps1bot-malvertising-campaign/

• https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html

• https://undercodenews.com/malvertising-menace-ps1bot-malware-campaign-uncovered-in-2025/

• https://advisory.eventussecurity.com/advisory/malvertising-campaign-delivers-multi-stage-ps1bot-stealer-framework/

• https://nubetia.com/new-ps1bot-malware-campaign-leverages-malvertising-for-multi-stage-in-memory-attacks/

• https://demandteq.com/new-ps1bot-malware-campaign-exploits-malvertising-for-stealthy-multi-stage-attacks/

   

Advisory ID: NCC-CSIRT-2025-010

Summary: 

Security experts at ESET found a serious vulnerability in WinRAR (CVE-2025-8088) that hackers were already using. They sent specially made RAR files which, when opened in older versions of WinRAR, secretly installed harmful programs that run every time the computer starts. This gave attackers control through malware called RomCom, often sent in phishing emails. WinRAR has fixed the problem in version 7.13, and everyone should update immediately to stay safe. 

Damage/Probability: MEDIUM/Critical

Product(s): 

WinRAR for Windows

Version(s): 

Versions before 7.13

Platform(s): 

Windows OS

Description: 

This security vulnerability affects WinRAR versions before 7.13. It lets hackers hide files in a RAR archive that, when opened, can put those files anywhere on your computer, not just in the folder you chose.

In real attacks, hackers sent these malicious RAR files in phishing emails. When people opened them, the files were secretly placed in the computer’s Startup folder so they would run every time the computer turned on. These files installed a harmful program called RomCom, which lets attackers control the computer, steal data, and spread to other systems.

The problem is fixed in WinRAR 7.13, which stops files from being placed outside the chosen extraction folder. Everyone should update as soon as possible..

Impacts: 

If exploited, this flaw can let hackers break into computers, secretly install tools to keep access, steal passwords, move through other systems in the network, and possibly demand ransom or steal sensitive information. The risk is much higher for organizations that let staff open RAR files on their computers without security checks.

Solutions: 

• Update WinRAR to the latest version (7.13+) or uninstall it if you do not require it. Use vendor downloads from the official site.
• Do not extract RAR files received by email unless you can validate the sender and expected content. Prefer vendors that provide password-protected downloads via trusted portals rather than email attachments.
• Enable endpoint protection and ensure it is up to date; run a full system scan if you recently opened a RAR attachment.
• If you suspect infection, disconnect the machine from networks, preserve evidence, and contact your IT/security team or a reputable incident response provider.

References:

• https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/

• https://franetic.com/google-data-breach-exposed-potential-ads-customer-info/

• https://techcrunch.com/2025/08/06/google-says-hackers-stole-its-customers-data-in-a-breach-of-its-salesforce-database/

• https://hackread.com/google-salesforce-data-breach-shinyhunters-vishing-scam/

Advisory ID: NCC-CSIRT-2025-009

Summary: 

Researchers at the German cybersecurity firm ERNW disclosed three vulnerabilities affecting Airoha Bluetooth SoCs, chipsets commonly used in True Wireless Stereo (TWS) earbuds, headphones, speakers, and microphones from major vendors. The flaws could enable attackers to hijack devices within ~10 m Bluetooth range, access call history, contacts, audio streams, and even remotely activate microphones via the Hands-Free Profile (HFP). 

Damage/Probability: MEDIUM/Critical

Product(s): 

• Sony Microphone
• Bose QuietComfort/Noise Cancelling Earbuds
• JBL Live Earbuds
• Beyerdynamic Amiron Microphone
• Marshall ACTON/MAJOR/STANMORE Microphone
• Jabra Elite Microphone

Version(s): 

• Sony (e.g., WH‑1000XM3/4/5)
• All versions of Bose QuietComfort/Noise Cancelling Earbuds,
• JBL Live Buds 3
• Beyerdynamic Amiron 300
• All versions of Marshall ACTON/MAJOR/STANMORE
• Jabra Elite 8 Active

Platform(s): 

Bluetooth

Description: 

The researchers identified three security vulnerabilities in Airoha Bluetooth System-on-Chip (SoC) firmware used in a wide range of Bluetooth audio devices. These flaws exist in both Bluetooth Classic and Bluetooth Low Energy (BLE) protocols and primarily affect devices implementing the Hands-Free Profile (HFP) and proprietary debug interfaces.

      1. CVE-2025-20700 – Unauthenticated GATT Access over BLE

• Airoha SoCs expose BLE GATT services without proper access control. An attacker in range (~10 meters) can perform unauthenticated reads and writes to GATT characteristics. This allows:

  • Extraction of metadata (e.g., media status, battery level)
  • Memory manipulation and limited device control

   2. CVE-2025-20701 – Unauthorized Access via Bluetooth Classic

  Bluetooth Classic implementations fail to enforce authentication before accepting control commands. An attacker can:

  • Connect to the device without pairing
  • Hijack control channels used for media playback and HFP
  • Initiate silent calls and activate voice assistants

   3. CVE-2025-20702 – Exploitable Debug Protocol

  Airoha firmware includes an undocumented debug protocol accessible over Bluetooth. This allows attackers to:

  • Dump RAM and Flash memory
  • Extract Bluetooth link keys and other sensitive data
  • Inject or alter memory contents
  • Activate microphone and audio streams remotely

   The exploitation Conditions include:

  • Proximity: All exploits require physical proximity (typically <10 m).
  • No user interaction: Attacks can be carried out without pairing or user consent.
  • Complexity: While requiring specialized knowledge, tools and public documentation lower the barrier for advanced attackers.
  This combination of flaws enables remote memory access, device control, and audio surveillance, compromising the security guarantees of modern Bluetooth peripherals.

Impacts: 

The flaws let nearby attackers secretly turn Bluetooth audio devices into listening tools, steal call data, and access device memory, posing a serious privacy and surveillance risk.

Solutions: 

• Check for firmware updates from device vendors regularly—many are only beginning to release patches following Airoha’s SDK update.
• Temporarily disable Bluetooth or set devices to undiscoverable, especially in sensitive environments.
• Avoid using vulnerable audio devices where confidentiality is critical (e.g., meetings, investigations).

References:

• https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/

• https://www.techradar.com/pro/security/this-worrying-bluetooth-security-flaw-could-let-hackers-spy-on-your-device-via-microphone

• https://www.archynewsy.com/bluetooth-security-hacker-microphone-spy-risk/#google_vignette

• https://www.blackhatethicalhacking.com/news/bluetooth-bugs-in-sony-bose-jbl-devices-could-let-hackers-spy-or-place-calls/#google_vignette

Advisory ID: NCC-CSIRT-2025-008

Summary: 

Recent research by Cybernews has found about 30 leaked data collections containing nearly 16 billion stolen login details, the largest number ever recorded. Most of this information was gathered through infostealer malware (e.g., RedLine, Raccoon, Vidar, etc.), rather than through direct hacks of major companies. Although the data comes from many separate incidents, its massive size and recent nature make it a serious threat for large-scale misuse of login credentials. 

Damage/Probability: HIGH/Critical

Product(s): 

• Windows OS
• Web browsers
• Password managers

Version(s): 

• Windows OS (all types and versions)
• Web browsers (all types and versions)
• Password managers (all types and versions)

Platform(s): 

• Google (Gmail, Workspace)
• Apple (iCloud, Apple ID)
• Microsoft (Outlook, Office 365)
• Facebook / Meta
• GitHub
• Telegram
• Amazon
• Banking and fintech platforms
• Government (.gov) and enterprise accounts

Description: 

Infostealer malware stole over 16 billion usernames, passwords, and session tokens from infected systems in a massive credential leak. Attackers delivered the malware through phishing emails, fake software installers, and malicious advertisements.

Once compromised, users executed the malware, which harvested the following from their systems:

• Credentials stored in browsers
• Session cookies and tokens are used to bypass multi-factor authentication (MFA)
• Autofill and clipboard data

The attackers then exfiltrated the stolen data to servers they controlled and compiled it into large breach datasets. This data enables them to take over accounts, perform credential stuffing attacks, commit identity theft, and bypass MFA protections.

This incident does not stem from a vulnerability in a specific product. Instead, it results from a widespread malware campaign targeting endpoint users worldwide. 

Consequences:  

• Account takeover, session hijacking, and identity theft across widely used online platforms.

• Organizational risk due to the exposure of corporate and government email credentials.

• Data can be used for phishing, financial fraud, or business email compromise (BEC).

Solution: 

A. Immediate Actions for All Users:

• Change all passwords, prioritize financial, corporate, and administrative accounts.
• Enable Multi-Factor Authentication (MFA), prefer non-SMS methods (e.g., authenticator apps, hardware keys)
• Adopt passkeys/passwordless methods where available (Apple, Google, Facebook)
• Use reputable password managers to generate and store complex, unique credentials.
• Run endpoint malware scans to detect and remove infostealer infections).
• Monitor account activity and respond quickly to unauthorized access.

B. Organizational Measures:

• Enforce regular password rotations and MFA policies.
• Deploy EDR solutions and threat intelligence tools to detect infostealer presence (e.g., Hudson Rock, commercial EDR suites)
• Educate users on phishing and malware risks; implement training programs.
• Audit use of session tokens and cookies; enforce token invalidation on password reset.
• Restrict access to sensitive systems using least-privilege and enforce robust logging.

References:

• https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/

• https://www.forbes.com/sites/daveywinder/2025/06/20/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

• https://www.tomsguide.com/news/live/16-billion-passwords-data-breach

• https://nypost.com/2025/06/20/tech/16-billion-google-apple-other-passwords-leaked-what-to-know/