
Red Hat Repos Raided 🦹, IOT Gateway Vulnerable 😲, AWS Certificate Manager for Exfiltration 🚰


TLDR

Together With Huntress

TLDR Information Security 2025-10-03

Security tech that wrecks hackers - not budgets (Sponsor)

Your IT team has enough to worry about. Cybersecurity doesn't have to be one of them.

Huntress brings enterprise-grade security to ALL businesses, not just the 1% with big teams and budgets.

❤️ Thousands of teams, from fast-growing startups to global enterprises, love Huntress and trust its world-renowned team to protect them from modern threats.

Huntress researches and spots hacker tradecraft, tools, and vulnerabilities first—breaking the news and sharing knowledge to keep the community safe.

Experience Huntress for yourself… 

👀 See why Huntress is consistently rated 5 stars on G2

🎁 FREE Security Awareness Training?! Yep: get the gift of SAT

🔓 Attacks & Vulnerabilities

Cybercrims claim raid on 28,000 Red Hat repos, say they have sensitive customer files (2 minute read)

Hackers from the Crimson Collective claim to have breached Red Hat's private GitHub repositories, stealing 570GB of data, including customer documents, security tokens, and certain details about major organizations' IT environments. Red Hat hasn't confirmed the breach or responded to extortion demands yet, but sample files are circulating already.

766,000 Impacted by Data Breach at Dealership Software Provider Motility (2 minute read)

Motility Software Solutions suffered a ransomware attack that impacted over 766,000 individuals and exposed sensitive data, including Social Security and driver's license numbers. The company detected the breach in August and notified authorities, offering one year of identity protection to victims. Attackers claimed to have stolen 4.3 terabytes of information, but there's no evidence of misuse so far.

Company That Sells Spyware for Monitoring Sex Offenders Hacked (3 minute read)

RemoteCOM, a company that sells monitoring software for individuals on parole and probation, was hacked. The attacker stole personal data from ~7,000 parole officers and ~14,000 individuals whom the software had monitored. The hacker indicated that the software was one of the easiest they had hacked.
🧠 Strategies & Tactics

Using AWS Certificate Manager as a Covert Exfiltration Mechanism (6 minute read)

AWS Certificate Manager (ACM) does not offer VPC endpoints, so any cloud resources that want to utilize it must have access to the service. An attacker can also connect an instance to ACM in the attacker's account and use the nsComments field to exfiltrate free-form data. The post concludes with an exploration of other AWS services that can be used in this way, such as SAML provider metadata and Lambda functions.
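
As an added defensive example (not code from the linked post): because ACM has no VPC endpoint, a workload that talks to it must resolve the public regional endpoint, so Route 53 Resolver query logs give a cheap egress signal. The check below flags ACM lookups from instances not on an allowlist; it assumes Resolver query logging is enabled, and the log lines and the allowlist are constructed.

```python
import json
import re
from typing import Iterable

# ACM regional endpoints look like acm.<region>.amazonaws.com (or acm-fips.<region>...).
ACM_HOST = re.compile(r"^acm(-fips)?\.[a-z0-9-]+\.amazonaws\.com\.?$", re.IGNORECASE)

# Constructed sample lines in Route 53 Resolver query-log JSON shape (one record per line).
SAMPLE_LOG = """
{"query_name":"acm.us-east-1.amazonaws.com.","srcaddr":"10.0.1.25","srcids":{"instance":"i-0aaa111"},"query_type":"A"}
{"query_name":"s3.us-east-1.amazonaws.com.","srcaddr":"10.0.1.25","srcids":{"instance":"i-0aaa111"},"query_type":"A"}
{"query_name":"acm-fips.us-west-2.amazonaws.com.","srcaddr":"10.0.2.40","srcids":{"instance":"i-0bbb222"},"query_type":"AAAA"}
{"query_name":"acm.eu-west-1.amazonaws.com.","srcaddr":"10.0.3.7","srcids":{"instance":"i-0ccc333"},"query_type":"A"}
"""

# Hypothetical allowlist: instances that legitimately request or describe certificates.
ALLOWED_ACM_CLIENTS = {"i-0ccc333"}

def parse_lines(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def find_unexpected_acm_lookups(text: str, allowed: set) -> list:
    """Return (instance, srcaddr, query_name) for ACM lookups from hosts not on the allowlist."""
    hits = []
    for rec in parse_lines(text):
        name = rec.get("query_name", "")
        if not ACM_HOST.match(name):
            continue
        instance = rec.get("srcids", {}).get("instance", "unknown")
        if instance in allowed:
            continue
        hits.append((instance, rec.get("srcaddr"), name.rstrip(".")))
    return hits

if __name__ == "__main__":
    for hit in find_unexpected_acm_lookups(SAMPLE_LOG, ALLOWED_ACM_CLIENTS):
        print("unexpected ACM lookup:", hit)
```

The same lookup-based check applies to the other services the post mentions, since a workload with no reason to reach them should not be resolving their endpoints either.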
AWS CDK and SaaS Provider Takeover (6 minute read)

AWS CDK requires users to bootstrap each environment, either manually or via the 'cdk bootstrap' command, which creates the necessary roles. These roles are configured by default to trust the current account's root principal. This can lead to a vulnerability when a SaaS provider requests an ARN from the user, which it provides to its proxy role to load data from the user's account. If the user provides the SaaS provider with an ARN from their own account, it will be implicitly trusted, exposing the SaaS provider's environment to the user.
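
An added example (not the linked post's code) of two checks a SaaS provider can apply against this takeover: refusing customer-supplied ARNs that point into its own account, and auditing CDK bootstrap role trust policies for root trust that carries no Condition. The account IDs, role names and the cicd-deployer principal are constructed; the role-name pattern follows the default CDK bootstrap naming.

```python
import json
import re

# Constructed: the SaaS provider's own AWS account ID (hypothetical value).
OWN_ACCOUNT = "111111111111"
# Default CDK bootstrap role naming: cdk-<qualifier>-<purpose>-role-<account>-<region>.
CDK_ROLE_NAME = re.compile(r"^cdk-[a-z0-9]+-[a-z-]+-role-\d{12}-[a-z0-9-]+$")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")

def validate_customer_role_arn(arn: str, own_account: str = OWN_ACCOUNT) -> tuple:
    """Accept only IAM role ARNs that live outside our own account.
    A same-account ARN is what lets a caller point the proxy role at one of our
    bootstrap roles, which trust the account root by default."""
    m = ROLE_ARN.match(arn)
    if not m:
        return (False, "not an IAM role ARN")
    account, name = m.groups()
    if account == own_account:
        return (False, "ARN is in our own account; refusing")
    return (True, f"account {account}, role {name}")

def audit_trust_policy(role_name: str, policy: dict) -> list:
    """Flag CDK bootstrap roles whose trust policy lets the whole account root
    assume them without any Condition narrowing the caller."""
    findings = []
    if not CDK_ROLE_NAME.match(role_name):
        return findings
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        root = [p for p in aws if p.endswith(":root")]
        if root and not stmt.get("Condition"):
            findings.append(f"{role_name}: trusts {root} with no Condition")
    return findings

# Constructed trust policies: the default bootstrap shape, and a hardened variant
# that pins the caller with the aws:PrincipalArn global condition key.
DEPLOY_ROLE = "cdk-hnb659fds-deploy-role-111111111111-us-east-1"
DEFAULT_TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole"}]}')
HARDENED_TRUST = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole",'
    '"Condition":{"ArnEquals":{"aws:PrincipalArn":'
    '"arn:aws:iam::111111111111:role/cicd-deployer"}}}]}')
```

Run `audit_trust_policy(DEPLOY_ROLE, DEFAULT_TRUST)` against roles pulled with `iam:GetRole` to find bootstrap roles still on the default trust; the hardened policy keeps the root principal but only the pinned caller can actually assume the role.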
That innocent PDF is now a Trojan Horse for Gmail attacks (3 minute read)

The MatrixPDF toolkit exploits users' trust in PDF files by embedding JavaScript and fake prompts to bypass Gmail's security filters and automatically fetch malicious payloads from external sites. The attack works through two methods: exploiting Gmail's preview function with blurred content prompting users to "Open Secure Document," or using PDF-embedded JavaScript that automatically connects to payload URLs when opened in desktop readers. Security professionals should implement robust attachment sandboxing, restrict personal email access on corporate devices, deploy endpoint detection for suspicious file behavior, and enhance security awareness training that emphasizes zero trust for all file types, including PDFs.
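
An added example, not from the linked article, of the attachment inspection the summary recommends: a scanner that decodes PDF name escapes before counting script and auto-action tokens, since a name such as /J#61vaScript is the same token as /JavaScript and hides from a naive grep. Both sample documents are constructed and contain no real script.

```python
import re

# Risky PDF name tokens: script carriers and the auto-actions that fire them on open.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI", "/SubmitForm")
# PDF names may encode any character as #xx; decode before matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return a count of each risky name token present in the raw PDF bytes."""
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # The token must end at a delimiter so that /JS does not also match longer names.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts

def is_suspicious(data: bytes) -> bool:
    """Script plus an auto-action (the MatrixPDF pattern), or any /Launch, warrants sandboxing."""
    c = scan_pdf(data)
    has_script = "/JavaScript" in c or "/JS" in c
    auto_action = "/OpenAction" in c or "/AA" in c
    return (has_script and auto_action) or "/Launch" in c

# Constructed sample documents: a plain catalog, and one that wires an escaped
# /JavaScript action to /OpenAction so it would run as soon as the file opens.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
EVASIVE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /J#61vaScript /JS (placeholder script text) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("evasive", EVASIVE_PDF)):
        print(label, scan_pdf(doc), is_suspicious(doc))
```

Objects stored inside compressed object streams are invisible to this byte-level scan, so inflate FlateDecode streams first or pair it with a full PDF parser in the sandbox.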
🧑‍💻 Launches & Tools

Think Your Team Can Secure AI-Era Code? Prove It at Cybermon 2025 (Sponsor)

Starting Oct 6, Cybermon 2025 is a 4-week secure coding challenge where dev teams battle AI-era vulnerabilities through hands-on challenges. Boost your security program's engagement by defeating a Cybermon, earn badges, and win prizes. Join the main event or host a company tournament! To get started, contact Secure Code Warrior.

Databricks enters the cybersecurity arena with an AI-driven platform (4 minute read)

Databricks launched "Data Intelligence for Cybersecurity," an AI-driven platform that addresses the critical issue of security data sprawl by unifying fragmented telemetry from multiple security tools into a single governed foundation. The platform leverages Databricks' Lakehouse architecture with "Agent Bricks" for building AI-powered threat analysis agents, offering conversational dashboards and natural language queries that early adopters, such as Arctic Wolf and Palo Alto Networks, report have improved detection rates while reducing costs. Security professionals should evaluate this platform as a potential complement to existing SIEM tools, particularly for organizations struggling with data fragmentation across multiple security vendors.

Zania (Product Launch)

Zania is an AI-powered GRC platform that uses autonomous, domain-specific AI agents to automate security governance, risk, and compliance tasks. Its agents continuously collect evidence, test controls, assess vendors, evaluate internal risks, and accurately answer vendor questionnaires, delivering end-to-end compliance management.

PayloadsAllTheThings (GitHub Repo)

A list of useful payloads and bypasses for Web Application Security and Pentest/CTF.
🎁 Miscellaneous

That annoying SMS phish you just got may have come from a box like this (4 minute read)

Criminals have been utilizing vulnerable industrial cellular routers to mass-send SMS phishing attacks ("smishing") since 2023. Security researchers found over 18,000 of these devices, easily accessible due to outdated firmware. These routers, mainly used for industrial purposes, help spread phishing links across countries by exploiting weak security or misconfigurations, making detection and shutdown difficult.

Here is the email Clop attackers sent to Oracle customers (3 minute read)

The Clop ransomware group sent extortion emails to Oracle E-Business Suite customers claiming to have breached their systems and stolen data, framing the attack as a business transaction while threatening to publish stolen information if ransom demands aren't met. Oracle confirmed awareness of the extortion emails and identified potential exploitation of vulnerabilities addressed in their July 2025 critical patch update, though researchers have not yet verified if actual breaches occurred. Organizations should immediately apply Oracle's July 2025 security patches, verify their patch status, monitor for signs of compromise, and establish incident response procedures while being cautious of emails sent from hundreds of compromised third-party accounts used to bypass spam filters.

$20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk (2 minute read)

Bishop Fox researchers discovered four critical zero-day vulnerabilities in the $20 YoLink Smart Hub v0382 that allow remote attackers to bypass authentication, intercept unencrypted credentials and Wi-Fi passwords via MQTT, and remotely control other users' devices, including smart locks, through predictable device IDs. The vulnerabilities (CVE-2025-59449, CVE-2025-59448, CVE-2025-59451, and CVE-2025-59452) affect the ESP32-based hub, which serves as a central gateway for home security devices, potentially enabling physical access to users' homes, as no patches are currently available from the manufacturer, YoSmart. Security professionals should immediately disconnect affected hubs from critical networks, avoid using them for physical access control, implement network segmentation to isolate IoT devices, and consider replacing them with vendors that provide regular security updates until patches become available.

Quick Links

Brave browser surpasses the 100 million active monthly users mark (2 minute read)

Brave browser reached 101 million monthly active users in September.

HackerOne paid $81 million in bug bounties over the past year (2 minute read)

HackerOne distributed $81 million in bug bounty rewards over the past 12 months, marking a 13% year-over-year increase.

Renault UK Customer Records Stolen in Third-Party Breach (2 minute read)

Renault UK warned customers of a data breach via a third-party cyberattack, emphasizing the need for improved supply chain security, regular vendor audits, and customer awareness of phishing risks.


If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile

