North Korea sends thousands of IT workers abroad to secure remote jobs at Western companies using hundreds of fake identities
TLDR Information Security 2025-08-05
Attacks & Vulnerabilities
New Plague Linux Malware Stealthily Maintains SSH Access (2 minute read)
Plague is a stealthy Linux malware that had evaded detection for over a year. It acts as a malicious PAM module, using layered obfuscation techniques and environment tampering to avoid detection. The Plague backdoor also scrubs the SSH_CONNECTION and SSH_CLIENT environment variables and redirects HISTFILE to /dev/null.
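Two of the indicators in that summary (a rogue PAM module and HISTFILE pointed at /dev/null) can be checked for with plain file parsing. The script below is an added example, not code from the article or from the researchers who analysed Plague: it audits PAM stack lines against an allowlist of module files and scans shell start-up lines for history suppression. The allowlist, the sample /etc/pam.d/sshd and ~/.bashrc contents, and the module name pam_cache.so are all constructed for the demo; the `unset HISTFILE` check goes one step beyond the article's /dev/null redirect, since it has the same effect.

```python
# Added example (not from the article): offline checks for two Plague
# indicators, run over constructed sample data so it executes without
# touching a live system.
#
# 1. PAM stacks loading a module file that is not in an allowlist.
# 2. Shell start-up files that redirect HISTFILE to /dev/null (or unset it).

import re
from typing import Iterable

# Hypothetical allowlist: in practice derive it from the package manager
# (files owned by the PAM packages), never by hand.
KNOWN_PAM_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_limits.so", "pam_succeed_if.so", "pam_systemd.so",
}

# PAM line: <type> <control> <module-path> [args...]; control may be [...].
PAM_LINE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)

def audit_pam_lines(lines: Iterable[str], known: set[str] = KNOWN_PAM_MODULES) -> list[str]:
    """Return module file names referenced by PAM lines that are not in the allowlist."""
    unknown: list[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0]                      # drop comments
        m = PAM_LINE.match(line)
        if not m:
            continue
        module = m.group("module").rsplit("/", 1)[-1]    # strip any path prefix
        if module not in known and module not in unknown:
            unknown.append(module)
    return unknown

HISTFILE_TAMPER = re.compile(
    r"^\s*(?:unset\s+HISTFILE|(?:export\s+)?HISTFILE\s*=\s*['\"]?/dev/null['\"]?)\s*$"
)

def find_histfile_tampering(lines: Iterable[str]) -> list[int]:
    """Return 1-based line numbers that send shell history to /dev/null or unset HISTFILE."""
    return [
        i for i, l in enumerate(lines, start=1)
        if HISTFILE_TAMPER.match(l.split("#", 1)[0])
    ]

# Constructed /etc/pam.d/sshd; pam_cache.so is a made-up name standing in
# for an unexpected module, not an indicator from the article.
SAMPLE_PAM_SSHD = """
# constructed sample
auth       required     pam_env.so
auth       required     pam_unix.so
auth       optional     /lib/security/pam_cache.so
account    required     pam_unix.so
session    [success=ok default=ignore] pam_systemd.so
session    required     pam_limits.so
""".strip().splitlines()

# Constructed ~/.bashrc with the history redirect on line 3.
SAMPLE_BASHRC = """
# constructed sample
export PATH=$HOME/bin:$PATH
export HISTFILE=/dev/null
alias ll='ls -la'
""".strip().splitlines()

def run_demo():
    return audit_pam_lines(SAMPLE_PAM_SSHD), find_histfile_tampering(SAMPLE_BASHRC)

if __name__ == "__main__":
    unknown, hist = run_demo()
    print("unknown PAM modules:", unknown)
    print("HISTFILE tampering at lines:", hist)
```

On a real host, feed `audit_pam_lines` every file under /etc/pam.d plus /etc/pam.conf, and feed `find_histfile_tampering` the system-wide and per-user shell start-up files; an unknown module hit should be followed by checking whether the file is owned by any installed package.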
Northwest Radiologists Data Breach Hits 350,000 in Washington (2 minute read)
Northwest Radiologists suffered a data breach between January 20 and 25 that exposed the personal information of 350,000 Washington State residents. Compromised data includes names, addresses, Social Security numbers, medical records, and health insurance details. The company has secured its systems, notified authorities, and is offering free credit monitoring to affected individuals.
Vietnamese cybercriminals using PXA Stealer have infected more than 4,000 victims across 62 countries, stealing 200,000 passwords, credit card data, and 4 million browser cookies. The malware abuses legitimate software like Microsoft Word and PDF readers for sideloading attacks, then sells the stolen data on Telegram marketplaces such as Sherlock.
Strategies & Tactics
Exploiting Self-XSS Using Disk Cache (5 minute read)
Security researchers have developed a novel technique to exploit self-XSS vulnerabilities by combining login CSRF attacks with browser disk cache manipulation. The attack works by forcing victims to log into attacker-controlled accounts, then using browser history navigation (history.go(-2)) to access cached victim data from previous sessions. Organizations can defend against this attack vector by implementing Cache-Control: no-store headers on sensitive endpoints to prevent disk cache exploitation.
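The mitigation named at the end is a response header, so it can be enforced centrally rather than per handler. The code below is an added example, not code from the write-up: a plain WSGI middleware (standard library only) that strips any existing Cache-Control value on configured sensitive path prefixes and sets `no-store`, plus a small checker that reports whether a response could still be written to the disk cache. The demo app, the `/account` and `/api/me` prefixes, and the request paths are constructed for the example.

```python
# Added example (not from the article): force "Cache-Control: no-store" on
# sensitive endpoints with a WSGI middleware, and check the result.
# Everything here is constructed for the demo; it uses only the stdlib.

from wsgiref.util import setup_testing_defaults

def cache_control_allows_storage(headers):
    """True if nothing in the headers stops a browser from storing the response on disk."""
    for name, value in headers:
        if name.lower() == "cache-control":
            directives = {d.strip().lower() for d in value.split(",")}
            if "no-store" in directives:
                return False
    return True

class NoStoreMiddleware:
    """Replace any Cache-Control header with no-store on matching path prefixes."""

    def __init__(self, app, sensitive_prefixes):
        self.app = app
        self.prefixes = tuple(sensitive_prefixes)

    def __call__(self, environ, start_response):
        sensitive = environ.get("PATH_INFO", "").startswith(self.prefixes)

        def _start_response(status, headers, exc_info=None):
            if sensitive:
                # Drop whatever the handler set (including a permissive value)
                # so the no-store directive cannot be overridden by mistake.
                headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
                headers.append(("Cache-Control", "no-store"))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)

def demo_app(environ, start_response):
    # Constructed app: the account page forgets to set any cache header,
    # which is the omission the middleware corrects.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>account: alice</html>"]

def response_headers(app, path):
    """Run one request through `app` offline and return its response headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    list(app(environ, start_response))     # consume the body iterable
    return captured["headers"]

PROTECTED = NoStoreMiddleware(demo_app, ["/account", "/api/me"])

if __name__ == "__main__":
    print("unprotected:", response_headers(demo_app, "/account"))
    print("protected:  ", response_headers(PROTECTED, "/account"))
```

The checker is the piece worth keeping in a test suite: assert `cache_control_allows_storage(...)` is false for every endpoint that renders account data, so a handler that later adds its own `Cache-Control: private` (which still permits disk caching) fails CI rather than reopening the gap.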
Our Journey From Fragile SSH to Zero-Trust Connections (4 minute read)
A Redditor shares their journey building an open-source alternative to tools like Vercel and Railway. Initially, users would bring their own servers and provide keys in the UI. However, due to privacy and security concerns, the project (dflow) added the ability to purchase servers via AWS, along with a free promo program that was quickly abused. They later discovered that they could use Tailscale to let servers dynamically join their network with one command, or even automatically as part of their Dockerfile, without the need to exchange SSH keys.
Newly discovered critical vulnerabilities in NVIDIA’s Triton Inference Server allow remote attackers to gain full system control. The flaws (CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334) could enable AI model theft, data exposure, and network infiltration. NVIDIA has released patches, and users are advised to update to the latest version immediately.
Launches & Tools
Kanvas is an Incident Response (IR) case management tool with an intuitive, Python-based desktop interface.
Introducing SRA Verify – an AWS Security Reference Architecture Assessment Tool (3 minute read)
SRA Verify is an open-source security assessment tool that validates AWS environments against the Security Reference Architecture through automated checks across CloudTrail, GuardDuty, Config, Security Hub, and other services. The tool maps directly to AWS SRA recommendations and helps organizations verify that their multi-account security implementations align with AWS best practices. Teams can use the GitHub repository for infrastructure-as-code examples to remediate identified gaps.
Deptective is a tool that automatically determines the native dependencies required to run any given program or command.
Miscellaneous
APT36: A Phishing Campaign Targeting Indian Government Entities (8 minute read)
APT36 (Transparent Tribe), a Pakistan-linked threat group, is conducting a sophisticated phishing campaign against Indian government entities using typo-squatted domains that mimic official portals to harvest credentials and bypass Kavach MFA. The operation employs real-time OTP harvesting with C2 infrastructure hosted on Pakistani servers and coordinated domain registrations, indicating state-sponsored backing. Organizations should immediately block identified IOCs, including the domains mgovcloud[.]in and virtualeoffice[.]cloud, as well as associated IP addresses.
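Blocking the listed domains is the first step; the second is finding who already resolved them. The script below is an added example, not code from the report: it refangs the two defanged domains quoted above and matches them, subdomains included, against DNS query log lines. The log format, client addresses and timestamps are constructed for the demo, and the last sample line shows why a naive suffix match (`endswith("mgovcloud.in")`) would also flag an unrelated domain.

```python
# Added example (not from the report): match defanged IOC domains against
# DNS query logs. The two domains are the ones quoted in the summary; the
# log format and every client/timestamp below are constructed.

import re

DEFANGED_IOCS = ["mgovcloud[.]in", "virtualeoffice[.]cloud"]

def refang(indicator: str) -> str:
    """Turn common defanging ('[.]', '(.)', '{.}', 'hxxp://') back into a plain domain."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip(".")

def domain_matches(query: str, ioc_domain: str) -> bool:
    """True if `query` is the IOC domain itself or a subdomain of it (label-aware)."""
    q = query.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)

# Constructed resolver log format: <ts> client=<ip> query=<name> type=<rr>
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

def match_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return (client, normalised_query, matched_ioc) for every line that hits an IOC."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        q = m.group("query").lower().rstrip(".")
        for d in domains:
            if domain_matches(q, d):
                hits.append((m.group("client"), q, d))
                break
    return hits

# Constructed sample log; the fourth line is a near-miss that must NOT match.
SAMPLE_LOG = [
    "2025-08-04T09:12:01Z client=10.0.5.23 query=mail.example.gov.in type=A",
    "2025-08-04T09:12:07Z client=10.0.5.23 query=login.mgovcloud.in type=A",
    "2025-08-04T09:13:40Z client=10.0.7.9 query=virtualeoffice.cloud. type=A",
    "2025-08-04T09:14:02Z client=10.0.7.9 query=notmgovcloud.in type=A",
]

if __name__ == "__main__":
    for client, query, ioc in match_dns_log(SAMPLE_LOG):
        print(f"{client} resolved {query} (IOC {ioc})")
```

Each hit identifies a host whose user may have entered credentials or an OTP on the look-alike portal, which is the population to prioritise for password resets and session revocation.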
North Korea Sent Me Abroad to Be a Secret IT Worker. My Wages Funded the Regime (10 minute read)
North Korea sends thousands of IT workers abroad to secure remote jobs at Western companies using hundreds of fake identities, generating $250-600 million annually for the state. The workers use stolen identities from European citizens to apply for US and European tech jobs, often resulting in multiple North Koreans unknowingly hired by the same company. An estimated 85% of earnings are sent back to fund the regime. Security firms report interviewing dozens of suspected North Korean IT workers who use AI face-swapping technology and work from locations where it’s never daytime during supposed US business hours.
Gene Sequencing Giant Illumina Settles for $9.8M Over Product Vulnerabilities (2 minute read)
Gene sequencing company Illumina agreed to pay $9.8 million to settle Justice Department accusations that it sold cybersecurity-vulnerable genomic sequencing systems to federal agencies between 2016 and 2023. The company allegedly lacked proper security programs and falsely claimed its software met cybersecurity standards.
Quick Links
Pwn2Own Hacking Contest Pays $1M for WhatsApp Exploit (2 minute read)
Meta is co-sponsoring Pwn2Own Ireland 2025 (Oct 21-24), offering $1M for zero-click WhatsApp RCE exploits; registration closes on October 16.
Google Says Its AI-Based Bug Hunter Found 20 Security Vulnerabilities (2 minute read)
Google’s AI bug hunter, “Big Sleep,” discovered its first 20 security vulnerabilities in open-source software such as FFmpeg and ImageMagick.
Proton Fixes Authenticator Bug Leaking TOTP Secrets in Logs (2 minute read)
Over the weekend, a Redditor discovered that Proton’s new Authenticator app for iOS was logging TOTP secrets to the local device.