Undetectable Android spyware is detectable, Hunters ransomware quits, Salt Typhoon dormant | #ransomware | #cybercrime

The issue seems to appear for some users on Windows 11 24H2 systems, after rebooting their systems following the installation of the June 2025 Windows non-security preview update. Warnings appear in the Event Viewer as “Event 2042” for Windows Firewall with Advanced Security, with a “Config Read Failed” warning and a “More data is available” message. Microsoft says this is a “known issue,” caused by a “new feature that’s still under development and hasn’t yet been fully integrated with the operating system.” The alert can be safely ignored, they said, and a fix is on its way.

Catwatchful is a monitoring application marketed as a parental control application for Android, and which allows users to “view content from a victim’s device in real time, tap into the microphone and cameras, and access photos, videos, chat logs, and location.” It is described as undetectable and hides its presence to prevent being uninstalled by the victim. Unfortunately, a researcher has discovered that the app is prone to SQL Injection attacks, and because of this, “the plaintext logins and passwords of all 62,050 Catwatchful accounts, along with details linking accounts to devices, and tracking administrative data” have been made visible. According to Security Week, “Android users can check whether the spyware has been installed on their devices by dialing “543210” and pressing the call button. This is a built-in backdoor feature that makes the spyware reveal itself to be uninstalled.

This is critical vulnerability with CVE number (CVE-2025-20309) and a CVSS score of 10/10. In its announcement made Wednesday, Cisco stated that it applies to its Unified CM and Unified CM SME communication management software and could allow attackers to log in as the root account. In its advisory, Cisco says the problem, exists because “the enterprise management tools contain default, static credentials that can not be removed or changed.” Cisco on Wednesday announced patches for a critical vulnerability. Cisco has “released a path file that addresses the issue and will include the fix in Unified CM and Unified CM SME release 15SU3, which is expected to roll out this month.”

The group famous for attacks on India multinational Tata Technologies and Chinese owned ICBC Bank, have announced it is closing down business and offering decryption keys to its victims. In an announcement that resembles the type disseminated by larger, legitimate businesses, especially when job losses are involved, the Hunters message blames what it calls recent developments and an overall sense that collecting ransoms is no longer as easy or rewarding as it once was. It calls the decryption offer a “gesture of goodwill.” However, researchers at the security firm Group-IB have already predicted that the same team behind Hunters is rebranding as World Leaks, which “uses an extortion-only model, whereby attackers steal a company’s data and holds it to ransom without deploying any kind of file encryption.”

Based in Minnesota, Surmodics is “the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices.” Its IT team observed unauthorized access in its network exactly one month ago, forcing the company to shut down parts of its IT system and to find alternate ways to receive and process customer orders. This is the third publicly traded medical device company to report a cyberattack to the SEC in the last eight months, the other two being Artivion and Masimo. While now partially restored, the “scope and details of the IT data” stolen by the hackers are still being analyzed. No group has claimed responsibility, and the company says no proprietary data or third-party information has been released.

Although we have covered this topic a few times in past weeks, this one differs in the payload and is therefore worthy of note. The BlueNoroff APT based out of Pyongyang, is following the same social engineering path of inviting a victim via Telegram to a Calendly invite, which takes them to a Zoom meeting. In this instance, rather than exploiting a faked faulty audio situation, the victim is instructed to “run a malicious script posing as a Zoom SDK update. The script’s execution triggers a multi-stage infection chain leading to the deployment of malicious binaries that SentinelOne collectively tracks as NimDoor.”

The individual under invest igation is a former employee of DigitalMint, “a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released.” According to an initial report from Bloomberg, the DOJ is investigating “whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer.” DigitalMint has confirmed that one of its former employees is under criminal investigation and informed BleepingComputer that it terminated the employee after learning of the alleged conduct.”

(BleepingComputer and Bloomberg)

Brett Leatherman, new leader of the FBI Cyber division, has told Cyberscoop that Salt Typhoon, “the Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information.” However, he adds that doesn’t mean they, no longer pose a threat, specifying that “the longer they have a foothold inside [telecommunications networks], the more ways they can create points of persistence.

Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search “Cyber Security Headlines” on your favorite podcast app.