Cyber Briefing: 2025.05.26

D-Link flaw enables router hijack, TA-ShadowCricket runs decade-long espionage, and Killnet shifts to cybercrime. Philly schools and Naukri hacked, Qakbot leader indicted, AI aids CVE detection.

May 26, 2025

👉 What's the latest in the cyber world today?

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please Subscribe

Get Help

🚨 Cyber Alerts

1. D-Link Routers Exposed by Weak Credentials

A significant security vulnerability, identified as CVE-2025-46176, has been discovered in D-Link's DIR-605L (firmware v2.13B01) and DIR-816L (firmware v2.06B01) routers. The flaw stems from hard-coded Telnet credentials, specifically the username "Alphanetworks" and a plaintext password like "Wj5eH%JC," which are stored directly in the firmware. This allows unauthenticated attackers to gain remote command execution capabilities, enabling them to modify settings, deploy malware, or access the internal network. While D-Link has acknowledged the medium-severity issue, no official patches are available as of May 2025. Users are strongly advised to disable Telnet and restrict WAN access to management ports to mitigate the immediate risk.

2. TA-ShadowCricke Unmasked via Backdoors

TA-ShadowCricket, a highly sophisticated APT group formerly known as Shadow Force, has conducted a decade-long cyber espionage campaign targeting over 2,000 systems in 72 countries, primarily in the Asia-Pacific region. Using a stealthy, multi-stage infection strategy that blends outdated IRC botnets with modern SQL-based backdoors, the group focuses on credential harvesting, data exfiltration, and cryptocurrency mining. While evidence links its infrastructure to Chinese IP addresses, attribution remains unclear due to overlapping indicators and tactics that suggest either state-sponsored operations or a hybrid cybercriminal model.

3. Killnet Resurfaces with New Identity

The notorious Russian hacker group Killnet has reemerged under new leadership after months of silence, shifting from pro-Kremlin hacktivism to profit-driven cybercrime. Analysts suggest the group is now focused on building reputation and revenue rather than ideology, operating more like a mercenary-for-hire service. The reappearance coincided with Russia’s Victory Day, prompting speculation of a renewed disinformation effort. Internal turmoil, leadership changes, and operational fragmentation have reshaped Killnet’s structure, while offshoots continue pursuing politically motivated attacks under similar banners.

For more alerts, click here!

Check Jobs

💥 Cyber Incidents

4. Chinese hackers hit US utilities via Cityworks software flaw

A Chinese-speaking threat group known as UAT-6382 exploited a serious flaw in Trimble's Cityworks software before it was patched, targeting US local governments and utility systems. Cisco Talos revealed the attackers deployed webshells and malware to maintain long-term access and focused on infiltrating utilities. The flaw, CVE-2025-0994, allowed remote code execution on IIS servers and was actively exploited weeks before a patch was issued in February.

5. Naukri Fixes Bug That Exposed Recruiter Email Addresses

Naukri.com fixed a vulnerability in its mobile app API that exposed recruiter email addresses to job seekers. Security researcher Lohith Gowda discovered the issue, which did not affect the website but allowed email visibility through Android and iOS apps. This posed risks such as phishing, spam, and data scraping. Naukri confirmed the bug was resolved and stated that no unusual activity compromising user data was detected.

6. Hackers Steal $700K from Philly School District Accounts

Hackers posing as vendors stole nearly $700,000 from the School District of Philadelphia in 2024 by exploiting its Automated Clearing House payment system. The fraud was discovered during a routine audit by City Controller Christy Brady, who revealed four unauthorized transfers made in February and March. The district reported the incident to federal and internal authorities and is now reinforcing its internal controls. The stolen funds have not been recovered, and the affected vendors remain unpaid.

For more incidents, click here!

Get Shield 360

📢 Cyber News

7. Russian hacker indicted for Qakbot attacks

Rustam Gallyamov, a 48-year-old Russian hacker, has been indicted by the U.S. Department of Justice for leading the Qakbot malware operation that infected over 700,000 systems worldwide and facilitated ransomware, credential theft, and botnet activity. Despite a takedown of Qakbot's infrastructure in 2023, Gallyamov allegedly continued attacks into 2025. Authorities seek to recover over $24 million in crypto assets and highlight this case as a major step in international cybercrime enforcement.

8. OpenAI Finds Zero-Day Vulnerability

A zero-day vulnerability, CVE-2025-37899, was discovered in the Linux kernel’s SMB module using OpenAI’s o3 language model. The flaw is a use-after-free issue in the logoff command handler of the ksmbd kernel module, caused by unsafe memory access between concurrent connections. Security researcher Sean H. leveraged o3’s targeted code analysis capabilities to find this bug and another prior vulnerability, showing the potential of AI-assisted security research despite current limitations like false positives. The model’s ability to understand concurrency and suggest better fixes than humans highlights AI’s growing role in vulnerability discovery.

9. NIST Launches New Metric to Track Exploited Vulnerabilities

NIST has introduced the Likely Exploited Vulnerabilities (LEV) metric to help organizations better assess if vulnerabilities have been exploited. Building on the Exploit Prediction Scoring System (EPSS), LEV offers more detailed historical exploitation data for each CVE, aiding vulnerability prioritization. The new metric complements existing tools like EPSS and KEV lists while addressing their limitations. Although LEV has some accuracy constraints due to EPSS’s design, it provides a valuable step forward in understanding and managing exploited vulnerabilities.

For more news, click here

Check Events

📈Cyber Stocks

On May 23, 2025, Zscaler rose 0.51%, CrowdStrike Holdings gained 2.59%, Palo Alto Networks increased 0.33%, Fortinet dipped 0.44%, and SentinelOne edged up 0.07%

💡 Cyber Tip

If you own a D-Link router, check for security issues now.

Certain D-Link routers, including DIR-605L and DIR-816L, have been found to contain hard-coded login credentials that could let attackers take full control of your network. This flaw allows hackers to bypass passwords and access your device remotely using Telnet.

✅ What you should do

If you use a DIR-605L or DIR-816L router, log into its settings and turn off Telnet access.
Make sure remote management features are disabled, especially from outside your home or office network.
If possible, block port 23 (used for Telnet) on your router’s firewall.
Consider upgrading to a newer router model with ongoing security support.
Always change default usernames and passwords on any network device.

✅ Why this matters
Hackers can use this vulnerability to take over your router, spy on your traffic, and attack other devices on your network. Without a fix from D-Link, your best protection is disabling risky features right away.