Cyber Briefing: 2025.04.25
New malware, CVEs, and breaches reveal stealthier tactics, critical flaws, and growing risks across Linux, Ruby, schools, and major organizations worldwide.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
👉 What are the latest cybersecurity alerts, incidents, and news?
🚨 Cyber Alerts
1. Linux Rootkit Evades Detection with io_uring
Researchers have uncovered a new Linux rootkit, called Curing, that exploits the io_uring asynchronous I/O interface to evade traditional runtime detection tools. This method bypasses conventional system call monitoring, creating a critical blind spot for popular tools like Falco and Tetragon, which depend heavily on system call hooking. By using io_uring—introduced in Linux kernel version 5.1—the malware can issue commands from a command-and-control server and execute them without making standard system calls, staying hidden from typical defenses.
2. Critical Path Traversal Flaws in Rack Ruby
Cybersecurity researchers have identified multiple critical vulnerabilities in the Rack Ruby web server interface. The most dangerous flaw, CVE-2025-27610, allows unauthenticated attackers to access sensitive files and configuration data using path traversal techniques. This vulnerability stems from misconfigured static content middleware that fails to sanitize user-supplied paths, allowing attackers to access files outside the designated directories. Experts strongly recommend updating to the latest version of Rack Ruby to address these flaws.
3. ToyMaker Exploits Backdoors for Ransomware
Cybersecurity experts uncovered ToyMaker, a threat actor exploiting vulnerabilities in critical infrastructure. ToyMaker used custom backdoors like LAGTOY to extract credentials from organizations and maintained persistent access. Afterward, ToyMaker handed control to the Cactus ransomware group, which deployed ransomware and extorted victims. The coordinated attack shows the increasing specialization of cybercriminal groups in modern operations.
💥 Cyber Incidents
4. Cambridge University Press Data Breach
Cambridge University Press & Assessment reported a data breach that may have compromised sensitive personal data. The breach was first identified on June 5, 2024, when suspicious activity was detected in a network segment of its subsidiary in Australia. An investigation confirmed that unauthorized third-party access had potentially exposed sensitive information, including names and Social Security numbers. In response, the company began notifying affected individuals on April 23, 2025, offering them a list of compromised data and complimentary credit monitoring services to help protect their information.
5. KYB Reports Breach Affecting Personal Data
KYB Americas Corporation recently informed the Attorney General of New Hampshire about a data breach. The breach was discovered on February 18, 2025, after the company noticed certain systems were inaccessible, prompting an immediate investigation. The investigation revealed that unauthorized access occurred between February 11 and February 17, 2025, compromising sensitive personal information. Although the specific types of exposed data have not been publicly disclosed, it is believed to include Social Security numbers, driver’s license numbers, account numbers, and other financial details.
6. Cyberattack on South Korea Election System
The National Election Commission (NEC) of South Korea confirmed a cyberattack targeting its election statistical system on the official website. The attack, which occurred for about three hours, was promptly detected through the NEC's integrated control and information protection systems. After identifying the source, the NEC swiftly blocked the suspicious IP address, preventing further disruption, and confirmed that no damage was done. With the upcoming presidential election in South Korea just 40 days away, the NEC has escalated the matter by requesting an investigation from local law enforcement to ensure the integrity of the election process.
📢 Cyber News
7. AI Expansion in US Schools Raises Concerns
The U.S. government’s initiative to expand AI in K-12 schools aims to enhance global competitiveness by integrating advanced technology in education. The executive order encourages public-private partnerships, incentivizes teacher training, and creates resources to help schools adopt AI tools. While experts view the move as a step toward reinforcing American leadership in AI, they raise concerns about the lack of privacy and cybersecurity measures. With AI systems handling sensitive student data, researchers warn that the initiative could expose schools to risks if proper safeguards are not implemented to prevent data breaches and misuse.
8. FBI Offers Reward for Tips on Salt Typhoon
The FBI, in partnership with the U.S. Department of State, is offering a reward of up to $10 million for information that leads to the identification or location of individuals connected to the Salt Typhoon cyberattacks. The hackers, believed to be linked to China, have launched a sophisticated cyber-espionage campaign targeting multiple U.S. telecommunications companies. They have stolen call data records, accessed private communications, and compromised information tied to ongoing U.S. law enforcement investigations.
9. Exploitation of CVEs Increased in Q1 2025
In the first quarter of 2025, 159 CVEs were identified as exploited, marking an increase from the previous quarter. Of these, 28.3% were targeted within a day of their disclosure, equating to 45 flaws exploited immediately. Most of the vulnerabilities were found in content management systems (CMS), followed by network edge devices and operating systems. As the exploitation of vulnerabilities grows, security experts continue to track and assess these rapidly weaponized flaws.
💡 Cyber Tip
Secure Linux Systems Against Stealthy Rootkits Using io_uring
A new Linux rootkit, "Curing," exploits io_uring to bypass detection by tools like Falco, making it invisible to traditional system call monitoring.
✅ Actions You Should Take:
Update detection tools – Use security tools that support io_uring visibility or kernel-level monitoring.
Limit io_uring use – Restrict or disable io_uring where not needed, especially on exposed systems.
Implement behavior-based monitoring – Look for anomalies in process behavior, not just system calls.
Why it matters: Attackers are adopting advanced methods like io_uring to remain hidden, leaving systems vulnerable unless monitoring tools evolve.
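As an added illustration of the "Limit io_uring use" and "Implement behavior-based monitoring" actions above (this is not code from the newsletter or from the Curing research), the Python script below inventories which processes currently hold an io_uring ring, by reading the /proc/<pid>/fd symlinks that the kernel labels anon_inode:[io_uring], and reports the kernel.io_uring_disabled sysctl that Linux 6.6 and later expose. The /proc layout produced by build_sample_proc is constructed for offline demonstration only; run the two check functions with their defaults on a real host.

```python
import os
import tempfile

# Symlink target the kernel reports for an io_uring ring under /proc/<pid>/fd/
IO_URING_FD_TARGET = "anon_inode:[io_uring]"
# Meaning of the kernel.io_uring_disabled sysctl (present since Linux 6.6)
SYSCTL_MEANING = {"0": "enabled for all users", "2": "disabled for all users",
                  "1": "disabled for unprivileged users (root or io_uring_group only)"}

def processes_with_io_uring(proc_root="/proc"):
    """Return {pid: comm} for every process holding at least one io_uring fd."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = {os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
        except OSError:  # process exited mid-scan, or we lack permission to inspect it
            continue
        if IO_URING_FD_TARGET in targets:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                found[int(pid)] = f.read().strip()
    return found

def io_uring_policy(proc_root="/proc"):
    """Describe kernel.io_uring_disabled, or note that the kernel predates it."""
    try:
        with open(os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")) as f:
            value = f.read().strip()
    except OSError:
        return "sysctl absent (kernel < 6.6): io_uring cannot be disabled kernel-wide"
    return SYSCTL_MEANING.get(value, f"unknown value {value!r}")

def build_sample_proc():
    """Constructed /proc look-alike so the checks can be exercised offline."""
    root = tempfile.mkdtemp()
    layout = {1234: ("ringuser", ["socket:[9001]", IO_URING_FD_TARGET]),
              1235: ("bash", ["/dev/pts/0"])}
    for pid, (comm, targets) in layout.items():
        os.makedirs(os.path.join(root, str(pid), "fd"))
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(root, str(pid), "fd", str(n)))
    os.makedirs(os.path.join(root, "sys", "kernel"))
    with open(os.path.join(root, "sys", "kernel", "io_uring_disabled"), "w") as f:
        f.write("1\n")  # sample host: unprivileged io_uring already disabled
    return root
```

A process that legitimately needs io_uring (some databases and I/O-heavy daemons do) will show up here too, so treat the listing as an allow-list baseline to diff against rather than as an alert on its own.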
📚 Cyber Book
The Cyber Insurance Imperative by David Finz
Copyright © 2025 CyberMaterial. All Rights Reserved.