Advisory ID: NCC-CSIRT-2025-008

Summary: 

Recent research by Cybernews has found about 30 leaked data collections containing nearly 16 billion stolen login details, the largest number ever recorded. Most of this information was gathered through infostealer malware (e.g., RedLine, Raccoon, Vidar, etc.), rather than through direct hacks of major companies. Although the data comes from many separate incidents, its massive size and recent nature make it a serious threat for large-scale misuse of login credentials. 

Damage/Probability: HIGH/Critical

Product(s): 

• Windows OS
• Web browsers
• Password managers

Version(s): 

• Windows OS (all types and versions)
• Web browsers (all types and versions)
• Password managers (all types and versions)

Platform(s): 

• Google (Gmail, Workspace)
• Apple (iCloud, Apple ID)
• Microsoft (Outlook, Office 365)
• Facebook / Meta
• GitHub
• Telegram
• Amazon
• Banking and fintech platforms
• Government (.gov) and enterprise accounts

Description: 

Infostealer malware stole over 16 billion usernames, passwords, and session tokens from infected systems in a massive credential leak. Attackers delivered the malware through phishing emails, fake software installers, and malicious advertisements.

Once compromised, users executed the malware, which harvested the following from their systems:

• Credentials stored in browsers
• Session cookies and tokens are used to bypass multi-factor authentication (MFA)
• Autofill and clipboard data

The attackers then exfiltrated the stolen data to servers they controlled and compiled it into large breach datasets. This data enables them to take over accounts, perform credential stuffing attacks, commit identity theft, and bypass MFA protections.

This incident does not stem from a vulnerability in a specific product. Instead, it results from a widespread malware campaign targeting endpoint users worldwide. 

Consequences:  

• Account takeover, session hijacking, and identity theft across widely used online platforms.

• Organizational risk due to the exposure of corporate and government email credentials.

• Data can be used for phishing, financial fraud, or business email compromise (BEC).

Solution: 

A. Immediate Actions for All Users:

• Change all passwords, prioritize financial, corporate, and administrative accounts.
• Enable Multi-Factor Authentication (MFA), prefer non-SMS methods (e.g., authenticator apps, hardware keys)
• Adopt passkeys/passwordless methods where available (Apple, Google, Facebook)
• Use reputable password managers to generate and store complex, unique credentials.
• Run endpoint malware scans to detect and remove infostealer infections).
• Monitor account activity and respond quickly to unauthorized access.

B. Organizational Measures:

• Enforce regular password rotations and MFA policies.
• Deploy EDR solutions and threat intelligence tools to detect infostealer presence (e.g., Hudson Rock, commercial EDR suites)
• Educate users on phishing and malware risks; implement training programs.
• Audit use of session tokens and cookies; enforce token invalidation on password reset.
• Restrict access to sensitive systems using least-privilege and enforce robust logging.

References:

• https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/

• https://www.forbes.com/sites/daveywinder/2025/06/20/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

• https://www.tomsguide.com/news/live/16-billion-passwords-data-breach

• https://nypost.com/2025/06/20/tech/16-billion-google-apple-other-passwords-leaked-what-to-know/

Advisory ID: NCC-CSIRT-2025-007

Summary: 

Qualys Threat Research Unit (TRU) recently discovered two interconnected Local Privilege Escalation (LPE) vulnerabilities affecting many mainstream Linux distributions. The issues, tracked as CVE‑2025‑6018 and CVE‑2025‑6019, enable unprivileged users to escalate privileges to root, with CVE‑6019 alone being sufficient to compromise systems with minimal user permissions. 

Damage/Probability: HIGH/Critical

Product(s): 

• openSUSE, SUSE Linux

• Ubuntui

• Debian

• Fedora

• Arch Linux 

Version(s): 

• openSUSE Leap 15, SUSE Linux Enterprise 15 (CVE‑6018 & CVE‑6019 chain)

• Ubuntu (22.04, 24.04 LTS)

• Debian 12 (Bookworm)

• Fedora 39/40

• Arch Linux Rolling‑release distros using udisks2

• Any other Linux systems deploying unpatched versions of libblockdev/udisks2

Platform(s): Linux OS

Description: 

The reported vulnerability involves a local privilege escalation flaw in the udisks2 service, specifically within its libblockdev component. Identified as CVE‑2025‑6019, the flaw allows a local, unprivileged user to gain root access by exploiting insecure handling of device mount operations via the D-Bus interface.

On affected systems, attackers can manipulate mount paths and symbolic links to overwrite or execute files as root. When combined with a second flaw (CVE‑2025‑6018) found in the PAM configuration of SUSE-based distributions, the attack chain becomes easier by automatically granting certain users elevated privileges (marked as active).

The flaw affects multiple Linux distributions, including Ubuntu, Debian, Fedora, and openSUSE. The exploitation requires only local access and standard tools like udisksctl, making it low-complexity but high-impact.. 

Consequences:  

• A complete local-to-root exploit chain exists, combining both CVEs to achieve full system compromise.

• CVE‑2025‑6019 alone is exploitable on multiple major distributions, including Ubuntu, Debian, Fedora, and openSUSE Leap 15, even without leveraging CVE‑6018.

• Recovery from root compromise includes potential for system-wide backdoors, agent tampering, persistence mechanisms, and lateral movement across networks.

Solution: 

1. Immediate Patching

• Apply vendor updates for both PAM (for SUSE) and libblockdev/udisks2 across all distributions.

• Confirm that CVE‑2025‑6019 is patched—even on systems using older versions of udisks2

   2. Access Restriction Controls

• Restrict or tightly control D‑Bus access to udisks2.

• On shared or multi-user systems, constrain which users can mount or manage devices.

  3. Security Policy Reinforcement

• Reinforce D‑Bus interactions using AppArmor or SELinux to limit udisks2

• Temporarily disable udisks2 on systems that do not require dynamic device management.

  4. Proactive Monitoring

• Log and inspect all udisksctl invocations and D‑Bus activity related to storage management.

• Look for anomalous mount operations, symlink manipulations, or unexpected processes invoking udisks2.

  5. Patch Chain Dependencies

• Particularly for SUSE-based systems, patch PAM appropriately to prevent exploitation of CVE‑6018 before CVE‑6019 is leveraged.

References: 

• https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/

• https://www.infosecurity-magazine.com/news/linux-flaws-allowing-root-access/

• https://cyberpress.org/privilege-escalation-vulnerabilities/

• https://securityonline.info/critical-linux-root-exploit-chain-discovered-in-pam-udisks-affecting-major-distros/

• https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/

• https://www.blackhatethicalhacking.com/new-linux-vulnerabilities-allow-instant-root-access-across-major-distros/

Advisory ID:  ngCERT-2025-050014

Probability:    High

Damage:        Critical

Platform(s):   Web Application

SUMMARY

ngCERT is aware of a critical vulnerability referred to as the Directory Traversal vulnerability. Directory Traversal, also known as Path Traversal or directory climbing, is a web application server flaw that enables attackers to gain unauthorized access to files and directories on a server by manipulating file paths. This flaw arises from weak input validation, which allows attackers to navigate outside the designated directory structure. The severity of the impact can vary, however, it often results in significant consequences such as data breaches or unauthorised system access. Additionally, following best practices like regular vulnerability testing, code audits, and implementing access control is essential for preventing exploitation.

DESCRIPTION

Directory Traversal is a security vulnerability in web application servers caused by an HTTP exploit. It occurs due to weak input validation or insecure file-handling practices. This flaw allows an attacker to manipulate file paths, gaining access to directories and files outside the designated directory structure on a web server. Malicious attackers exploit this vulnerability by manipulating URL paths or parameters through the server’s file system by taking advantage of sequences like “../” (Unix) or “..\” (Windows) and retrieve sensitive information, such as configuration or password files, or other critical data. Directory Traversal can lead to the exposure of sensitive system or application details, unauthorized access to restricted files, and the potential for further attacks that compromise the server or other connected systems.

CONSEQUENCES

Falling prey to these attacks could potentially lead to:

1. Authentication Bypass: Directory traversal can be used to bypass authentication mechanisms and gain unauthorized privileges.
2. Data Exposure: Confidential information, such as configuration files or user data, may be exposed.
3. Unauthorized Access: Attackers gain access to sensitive files and directories.
4. Data Manipulation: Attackers can modify or delete critical files, leading to service disruptions.

SOLUTION/MITIGATION

ngCERT recommends the following:

1. Minimize network exposure for all control system devices and ensure that they are not accessible from the Internet.
2. Implement a location control system, networks and remote devices behind firewalls, and isolate them from the business network.
3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version. Also, recognize that a VPN is only as secure as the connected devices.
4. Perform proper impact analysis and risk assessment before deploying defensive measures.

 REFERENCES

• https://www.techtarget.com/searchsecurity/definition/directory-traversal
• https://learn.snyk.io/lesson/directory-traversal/
• https://www.invicti.com/learn/directory-traversal-path-traversal/
• https://www.imperva.com/learn/application-security/directory-traversal/
• https://www.acunetix.com/websitesecurity/directory-traversal/
• https://portswigger.net/web-security/information-disclosure

Advisory ID:  ngCERT-2025-050012

Probability:    High

Damage:        Critical

Platform(s):   Windows operating system

SUMMARY

Lumma Stealer (also known as LummaC2) is a potent and widely distributed information-stealing malware targeting Windows systems. Operated as Malware-as-a-Service (MaaS) via illicit cybercrime markets, it was recently disrupted by Microsoft in response to its escalating threat profile. Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation. Its recent disruption highlights active law enforcement attention, but residual infections and potential re-emergence remain concerns. ngCERT urges organizations to reassess their security measures and implement strategies to mitigate infection risks.

DESCRIPTION

Lumma Stealer is a fast-spreading information-stealing malware distributed via underground forums as Malware-as-a-Service (MaaS). It targets Microsoft Windows (MS-Windows) systems through phishing emails, malicious downloads, or cracked software. Once installed, it enables cybercriminals to remotely steal data.

CONSEQUENCES

KEY CHARACTERISTICS & IMPACT:

1. Infection Vectors: Primarily spreads through phishing emails, malicious advertisements (malvertising), pirated software, and cracked games. Installs silently, functioning as a backdoor.
2. Data Theft: Actively steals sensitive information including:Login credentials (browsers, applications)

1. • Financial data (banking details, cards)
   • Login credentials (browsers, applications)
   • Cryptocurrency wallet information
   • Browser cookies & session data
   • Other confidential files.
   • Persistence & Evasion: Employs advanced techniques like code injection and encrypted communication with Command-and-Control (C2) servers to evade detection.
   3. Lateral Movement: Capable of spreading within compromised networks, amplifying damage.
   4. Monetisation: Stolen data is typically sold on dark web markets or used directly for financial fraud and identity theft.

   Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation

SOLUTION/MITIGATION

 The following mitigations should be considered:

1. User Awareness: Train staff/users to identify phishing attempts and avoid downloading pirated/cracked software.
2. Endpoint Protection: Ensure robust, updated anti-malware solutions with behavioral detection capabilities.
3. Network Monitoring: Implement monitoring for suspicious outbound traffic (C2 communication) and lateral movement attempts.
4. Patch Management: Keep all systems and software rigorously updated.
5. Least Privilege: Enforce strict access controls to limit the impact of lateral movement.

Assessment: Lumma Stealer represents a significant ongoing threat to organizational and personal data security, requiring vigilant defensive measures. 

REFERENCES

• https://thehackernews.com/2025/05/fbi-and-europol-disrupt-lumma-stealer.htm
• https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
• https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha
• https://www.europol.europa.eu/media-press/newsroom/news/europol-and-microsoft-disrupt-world%E2%80%99s-largest-infostealer-lumma
• https://www.trellix.com/blogs/research/a-deep-dive-into-the-latest-version-of-lumma-infostealer