August 4, 2025

News roundup August 4, 2025

San Mateo, CA, August 4, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

LightBasin hackers use 4G Raspberry Pi in bank attack

According to Group-IB, the hacking group LightBasin attempted an unusual hybrid cyberattack using a Raspberry Pi equipped with 4G to infiltrate a bank’s ATM network. The attackers physically connected the device to an ATM network switch, establishing a hidden remote channel that let the hackers move laterally and deploy backdoors. The Pi hosted the TinyShell backdoor and served as a command-and-control hub, enabling access to the bank’s Network Monitoring Server and later the Mail Server. Although the goal of the scheme was to deploy the powerful Unix rootkit “Caketap” to spoof ATM transactions and withdraw cash fraudulently, the operation was thwarted. Known for targeting financial and telecom systems, LightBasin employed advanced anti-forensic techniques, including obscuring process metadata and disguising malware as legitimate Linux components.

NY cyber chief warns Trump budget cuts risk security

The Trump administration’s sweeping cybersecurity budget cuts have raised alarm bells among experts and state officials, including New York’s chief cyber officer Colin Ahern. Since taking office, Trump’s team has eliminated over 100 roles at CISA, slashed the agency’s budget by $135 million, and cut over $1.2 billion in federal cybersecurity spending. While offensive cyber operations saw a $1 billion boost, critical defensive initiatives were scaled back or suspended. Ahern warned these decisions jeopardize national resilience, saying, “everybody wants a federal government that has significant capabilities to deter our adversaries that is resilient against cyberattacks and other attacks from our enemies… Like we’ve said publicly, we do think that what’s happening in Washington is putting those things at risk.” New York State is ramping up state-level action with new legislative mandates, cybersecurity training for government staff, and rapid breach reporting, while proposed regulations and grant programs aim to secure water infrastructure.

Lazarus Group spreads malware through open-source tools

A new cyber-espionage campaign attributed to North Korea’s Lazarus Group has weaponized the open-source ecosystem with over 200 malicious packages discovered in the first half of 2025, according to Sonatype. The firm blocked 234 compromised npm and PyPI packages, which may have reached up to 36,000 victims. These packages mimicked legitimate libraries and were used to deploy multi-stage attacks focused on stealth, persistence, and data exfiltration. Sonatype said Lazarus is shifting from financial opportunism to strategic espionage, aiming to infiltrate DevOps-heavy environments and CI/CD pipelines. “They are leveraging open source to silently harvest sensitive data and pave the way for long-term access to lucrative financial information and espionage operations,” Sonatype’s report says. “The stolen credentials are not the end goal. They are the key to unlocking the kingdom – gaining access to source code repositories, cloud infrastructure, and internal networks.”

Average US data breach now tops $10 million

The global average cost of a data breach has declined for the first time in five years, dropping 9% from $4.88 million in 2024 to $4.4 million, according to a report from IBM. The drop is credited to faster detection and containment using automated tools, shorter breach investigations, and more efficient crisis management. Costs in the US, however, have increased, with the average breach rising to over $10 million due to stricter regulations and more expensive detection systems. Italy, Germany, and South Korea all reported sharp cost declines of 21% or more. IBM’s study, based on incidents at 600 organizations and interviews with thousands of executives, found breach sizes ranging from 3,000 to over 113,000 stolen files. Healthcare remains the most expensive sector for breaches, with an average cost of $7.42 million, despite a drop from last year’s $9.77 million. These organizations also took the longest to contain breaches, averaging 279 days, 35 days more than the global average.

Gemini CLI flaw enables hidden code exfiltration

A critical vulnerability in Google’s Gemini Command Line Interface (CLI), an AI-powered coding assistant, has been patched after it was demonstrated that attackers could silently execute arbitrary code and exfiltrate data. TraceBit researchers exploited prompt injection, poor validation, and misleading UX to embed malicious commands in context files like README.md documents that Gemini CLI processes automatically. Once triggered, the AI executed hidden instructions, transferring credentials to a remote server while appearing to perform benign tasks. The flaw exploited Gemini’s design, which allows it to read entire documents for coding context, and its support for whitelisted commands, enabling covert shell operations. The exploit follows a growing pattern of agentic AI systems acting autonomously in dangerous ways, with prior cases including assistants that erased user data via similar injection techniques. Privacy advocates like Signal CEO Meredith Whittaker warn that such agents, given their deep system access, can blur the lines between helpful software and internal threats.

Tea app breach exposes photos, IDs, and messages

The Tea app, a women-only dating safety platform, has suffered a severe data breach that continues to worsen as hackers leak stolen content across the internet. Initially stemming from an unsecured Firebase storage bucket, the breach exposed 59 GB of data, including 72,000 images (among them 13,000 selfies and photo IDs used for user verification) and thousands of media files from posts and messages. A second database has now also surfaced, containing 1.1 million private messages exchanged between users, some discussing deeply personal topics. Security researcher Kasra Rahjerdi revealed that any authenticated Tea user could access this content via an API key, raising major concerns about platform security. Tea confirmed the leak, citing legacy storage issues and law enforcement data retention requirements, and has since taken affected systems offline. The company is working with cybersecurity experts and law enforcement while offering identity protection to impacted users.

Google slow to act on Firebase spyware abuse

Google has suspended the account of spyware operator Catwatchful after it was found using Firebase, Google’s development platform, to host infrastructure that exfiltrated data from Android phones. The takedown came a month after TechCrunch alerted Google, causing experts to voice concern over the delay given the platform’s clear rules regarding hosting malicious software. Catwatchful, posing as a child-monitoring tool, secretly recorded victims’ private messages, photos, and locations, transmitting the data to a web portal accessible to those who installed it. Researcher Eric Daigle uncovered a severe security flaw that exposed the app’s backend, revealing over 62,000 customer emails and plaintext passwords, along with data from 26,000 victim devices. The breach also identified Catwatchful’s creator, Omar Soca Charcov of Uruguay, who ignored inquiries and failed to notify victims. Catwatchful is the fifth spyware app to suffer a major breach in 2025, demonstrating once again that poor security in stalkerware can endanger users and victims alike.

Chaos ransomware linked to former BlackSuit group

A new ransomware-as-a-service operation called Chaos emerged in February of this year. Researchers believe that the group is made up of former BlackSuit gang members displaced by a law enforcement takedown. “Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration,” Cisco Talos researchers Anna Bennett, James Nutland, and Chetan Raghuprasad said. Chaos targets both local and network resources across Windows, Linux, NAS, and ESXi environments, with most victims based in the US. In exchange for a ransom, Chaos offers a “detailed penetration overview with main kill chain and security recommendations.”

Data brokers fail to comply with privacy law

A new UC Irvine study reveals widespread noncompliance among California’s registered data brokers, with 40% of the 543 companies contacted failing to respond at all to legacy consumer data requests under the California Consumer Privacy Act (CCPA). Researchers found a lack of standardization and burdensome identity verification processes that actually require consumers to share more personal data in the name of privacy. “Exercising one’s privacy rights under CCPA introduces new privacy risks,” the study warned. Experts argue that the state’s enforcement is weak and the industry thrives on obfuscation. Privacy researcher Justin Sherman noted that brokers who freely sell data often hide behind strict ID checks only when consumers try to opt out. Despite clear legal obligations, the report shows that many brokers disregard or complicate requests to evade accountability.

WordPress plugin flaws leave 10,000 sites vulnerable

Over 10,000 WordPress sites were exposed to full site takeover attacks due to three critical vulnerabilities in the HT Contact Form Widget plugin used with Elementor and Gutenberg. Discovered by researchers and detailed by Wordfence, the flaws include CVE-2025-7340 (arbitrary file upload, CVSS 9.8), CVE-2025-7341 (arbitrary file deletion), and CVE-2025-7360 (arbitrary file move). Attackers could upload executable PHP files, delete vital config files like wp-config.php, or move system files to hijack sites. A patch was released July 13, five days after Wordfence alerted developer HasTech IT. Wordfence urges all users to update immediately and implement robust file and directory protections, noting that even one outdated plugin can enable a catastrophic compromise.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
