Weekly Cyber Reports

This Week in Cyber 28th March 2025

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

28th March, 2025



Analyst Insight

This week in cyber, we have seen a new way of delivering malware reported by the FBI. Online file converters are useful utilities used by millions, but we are now seeing reports of a majority of them delivering malware to unsuspecting users. We have also seen a large-scale data breach on Oracle Cloud with six million user records affected; Oracle has denied the incident. There was also one of the most significant data privacy issues in recent years with the 23andMe bankruptcy. Millions of customers' genetic data is in limbo as the company desperately looks for a buyer, with no certainty about what a potential buyer's motives for the genetic data might be.


Oracle Refutes Data Breach After Hacker's Claim of Stealing 6 Million Records

A hacker using the alias "rose87168" has claimed to have stolen data from Oracle Cloud's Single Sign-On (SSO) service. In a post on BreachForums, the hacker alleges possession of 6 million user records from Oracle Cloud's SSO and LDAP and is offering them for sale. The threat actor offered BleepingComputer a .txt file containing a login to the allegedly breached Oracle Cloud server. Oracle released a statement declaring, "There has been no breach of Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," countering the threat actor's claims of a breach. This was disproven later in the week by BleepingComputer, which confirmed with multiple companies that the associated data samples shared by the threat actor are valid.


Genetic Testing Firm 23andMe Bankrupt, Customers Advised to Delete Accounts

This week, genetic testing and ancestry service 23andMe filed for Chapter 11 bankruptcy after years of financial struggles. In a press release, 23andMe states that the company "Intends to use Proceedings to Conduct a Value-Maximising Sale Process and Resolve Liabilities", and in relation to customer data it reassured customers that there will be "No Changes to Customer Data Management and Access". Despite these assurances, privacy experts are concerned that the sale of the company's assets could lead to the sensitive genetic data of 23andMe customers falling into the wrong hands. This has raised privacy concerns about the potential exposure of personal genetic information. Considering 23andMe's data breach in 2023, which led to 7 million records being stolen, customers are being advised to delete their 23andMe accounts and request that all DNA samples be destroyed.


Over 200 Unique C2 Domains Linked to Raspberry Robin

Security researchers at Silent Push and Team Cymru have recently uncovered a USB-based propagation mechanism employed by the Raspberry Robin malware. They also identified a new distribution method for the malware, which involves archives and Windows Script Files delivered over the popular messaging application Discord. In the course of this work, they observed the malware strain employing fast flux techniques, which involve rapidly rotating through a variety of IPs associated with each individual C2 domain. Researchers believe that the malware may be offered as a botnet to deliver next-stage malware. The tool is also suspected to be used by multiple advanced persistent threat actors in ongoing campaigns.
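The fast flux behaviour described above leaves a recognisable trace in DNS resolution logs: one domain, many distinct addresses across unrelated networks, and short TTLs so the rotation takes effect quickly. The following is an added example (not code from the Silent Push or Team Cymru research) of a simple heuristic over passive-DNS style records; the domain names, addresses and thresholds are constructed placeholders, not indicators from any report.

```python
"""Fast-flux heuristic over passive-DNS style records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, domain, resolved IP, TTL seconds).
# Domain names and IPs are placeholders (RFC 5737 ranges), not real indicators.
SAMPLE_RECORDS = [
    ("2025-03-24T10:00:00", "update-c2.example", "203.0.113.10", 60),
    ("2025-03-24T10:01:00", "update-c2.example", "198.51.100.7", 60),
    ("2025-03-24T10:02:00", "update-c2.example", "192.0.2.33", 60),
    ("2025-03-24T10:03:00", "update-c2.example", "203.0.113.88", 60),
    ("2025-03-24T10:04:00", "update-c2.example", "198.51.100.201", 60),
    ("2025-03-24T10:00:00", "cdn.example", "192.0.2.5", 3600),
    ("2025-03-24T10:30:00", "cdn.example", "192.0.2.6", 3600),
    ("2025-03-24T11:00:00", "cdn.example", "192.0.2.5", 3600),
]


def slash24(ip):
    """Collapse an IPv4 address to its /24 prefix, a rough proxy for 'same network'."""
    return ".".join(ip.split(".")[:3])


def score_domains(records, window=timedelta(minutes=10), min_ips=4, min_nets=3, max_ttl=300):
    """Return {domain: (distinct_ips, distinct_/24s, max_ttl)} for fast-flux-like domains.

    A domain is flagged when, within some sliding time window, it resolved to at
    least min_ips distinct addresses spread over at least min_nets distinct /24
    networks while every TTL stayed at or below max_ttl (short TTLs are what let
    an operator rotate addresses quickly). Thresholds are assumptions to tune.
    """
    by_domain = defaultdict(list)
    for ts, dom, ip, ttl in records:
        by_domain[dom].append((datetime.fromisoformat(ts), ip, ttl))
    flagged = {}
    for dom, rows in by_domain.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if r[0] - start <= window]
            ips = {ip for _, ip, _ in win}
            nets = {slash24(ip) for ip in ips}
            ttl_max = max(ttl for _, _, ttl in win)
            if len(ips) >= min_ips and len(nets) >= min_nets and ttl_max <= max_ttl:
                flagged[dom] = (len(ips), len(nets), ttl_max)
                break  # one qualifying window is enough to flag the domain
    return flagged


if __name__ == "__main__":
    print(score_domains(SAMPLE_RECORDS))
```

A legitimate CDN or round-robin service also returns several addresses, so treat a hit as a triage signal to correlate with the client's process and the domain's age rather than a verdict on its own.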


FBI Warns of Free Online File Converters Infecting Users with Malware

The FBI Denver Field Office released a statement warning about an increase in scams involving free online file converter tools: "Criminals use free online document converter tools to load malware onto victims' computers, leading to incidents such as ransomware." Examples include online MP3/MP4 downloaders and PDF-to-JPG converters; the scammers also trick users by using look-alike domains or typosquatting. The FBI emphasises the importance of educating people about these scams: download software only from trusted websites, keep antivirus software updated, and use the built-in conversion tools in existing applications.


Broadcom Urgently Patches VMware Tools Vulnerability

Broadcom has released an urgent patch to address a critical authentication bypass vulnerability in VMware Tools for Windows, identified as CVE-2025-22230, which has a severity score of 7.8 (High). This flaw, due to improper access control, allows attackers with non-administrative privileges on a Windows guest VM to perform high-privilege operations. Broadcom strongly advises users to apply the patch immediately, as there are no available workarounds. This issue affects only VMware Tools for Windows; Linux and macOS remain unaffected.
