Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
$15 Billion Scams, CentreStack Zero-Days, and the 17 Million Account Breach Fallout
Today we dive into the industrial scale of cybercrime, discussing the seizure of $15 billion in crypto assets linked to forced-labor scam networks and the staggering 17.6 million accounts impacted by the Prosper data breach. Plus, we analyze urgent patches for exploited zero-days in CentreStack and critical DoS flaws in industrial UPS devices.
Mike Housch: Welcome back to Cyber Scoops & Digital Shenanigans. I'm your host, Mike Housch, and we have a packed episode this week, covering everything from massive financial data theft to the successful disruption of major ransomware campaigns and critical infrastructure vulnerabilities that need immediate attention. The global digital battleground is busier than ever, so let's get into the scoops.
Segment 1: The Breach Report
We start with two major data breaches that remind us just how vulnerable personal and financial data remain. First up is the peer-to-peer lending marketplace, Prosper, where more than 17 million individuals were likely impacted by a breach. According to Have I Been Pwned, the database compromised contained sensitive details pertaining to 17.6 million Prosper accounts. Hackers accessed and exfiltrated names, addresses, IP addresses, email addresses, dates of birth, Social Security numbers (SSNs), government IDs, and even employment and income details. While Prosper stated there's no evidence of unauthorized access to customer accounts or funds, they are offering free credit monitoring as appropriate once the analysis is complete. This is a massive haul of PII, making identity protection paramount for anyone who has ever interacted with their service.
In other breach news, the famed auction house Sotheby’s also disclosed a data breach. Hackers stole highly sensitive personal information, including names, SSNs, and financial account data, following an intrusion discovered on July 24th. While the total number of affected people has not been disclosed nationally, limited filings (such as 2 residents in Maine and 10 in Massachusetts) suggest the overall number might be relatively small compared to the Prosper incident. Regardless of the scale, Sotheby's is offering impacted individuals 12 months of free credit monitoring services. It's unclear whether the victims were employees or customers, or if this was linked to a ransomware attack. These incidents underscore the consistent threat to organizations handling high-value personal data, from luxury auctioneers to lending platforms.
Segment 2: Law Enforcement and Disruption
Moving away from breaches and into proactive defense, Microsoft recently executed a significant disruption against the threat group Vanilla Tempest. This group, also known as Vice Spider and Vice Society, has been active since at least 2021, often targeting the education and healthcare sectors. Microsoft disrupted their campaign, which aimed to deploy the Rhysida ransomware. The key to the disruption? Microsoft revoked more than 200 certificates that the cybercriminals were using to sign their malware. Vanilla Tempest was observed using fake Microsoft Teams setup files, delivered via domains like teams-download.buzz, to install a backdoor named Oyster, which then facilitated the Rhysida deployment. While the actors will likely re-arm with new certificates, this action makes their current malware easier to detect and block.
On the topic of massive criminal takedowns, the US government achieved a historic operation, seizing $15 billion (approximately 127,271 bitcoin) worth of cryptocurrency assets. These funds were linked to one of the world’s largest operators of forced-labor scam compounds across Southeast Asia. These compounds are known for conducting sophisticated "pig butchering" or Shā Zhū Pán romance baiting schemes. The DoJ unsealed an indictment against the Prince Group and its CEO, Chen Zhi, noting that trafficked workers were confined in prison-like compounds and forced to carry out these online scams on an industrial scale. This seizure highlights the immense scale of industrialized, organized cybercrime globally.
Segment 3: Must-Patch Vulnerabilities
Security teams need to pay attention to two critical vulnerabilities that span both the cloud file-sharing world and the industrial control space.
First, Gladinet has rushed out patches for a CentreStack vulnerability (CVE-2025-11371) that has been actively exploited in the wild since late September. This zero-day issue is an unauthenticated local file inclusion bug affecting default configurations of CentreStack and Triofox products. Crucially, attackers exploited it to retrieve a configuration file containing the machineKey cryptographic key. Once they have that key, they can exploit a related ViewState deserialization vulnerability to achieve remote code execution with the privileges of the IIS application pool user, allowing them to potentially take full control of the vulnerable system. Organizations must apply the patches immediately, specifically CentreStack version 16.10.10408.56683.
Second, we turn to industrial cybersecurity and the Phoenix Contact QUINT4 uninterruptible power supply (UPS) devices. The vendor released patches for several flaws, including four that can be exploited for Denial-of-Service (DoS) attacks by remote, unauthenticated attackers. One vulnerability, CVE-2025-41703, is particularly concerning: an unauthenticated attacker can use a Modbus command to turn off the UPS output, leading to a 'denial of power service'. This could put devices into a permanent DoS condition that prevents remote recovery. Because CVE-2025-41703 cannot be addressed without disrupting legitimate functionality, Phoenix Contact strongly recommends using affected devices only in isolated industrial networks and protecting them with a firewall.
Segment 4: Evolving Attack Methods
Finally, let’s look at how threat actors are refining their tactics. We are seeing continued evolution in phishing, specifically with the emergence of the Whisper 2FA phishing kit. This kit has quickly become the third most common Phishing-as-a-Service (PhaaS) offering after Tycoon and EvilProxy, generating close to a million attacks targeting Microsoft accounts last month. Whisper 2FA is defined by its ability to steal credentials multiple times through a real-time credential exfiltration loop using AJAX technology. This loop continues until a valid multi-factor authentication token is obtained, effectively bypassing traditional MFA protections.
We’re also seeing hackers leverage legitimate tools to bypass defenses. Cybersecurity researchers documented a rise in attacks exploiting Remote Monitoring and Management (RMM) tools. APT groups and ransomware crews are using phishing emails—often warning of fake logins to ConnectWise ScreenConnect instances—to gain initial access. They then use legitimate features of platforms like ScreenConnect, including unattended access, to establish persistence and move laterally within compromised networks.
And don't forget the basics. Legacy Windows communication protocols like LLMNR and NBT-NS continue to expose organizations to credential theft. Since these protocols accept responses from any device without authentication, an attacker on the same subnet can use tools like Responder to trick a system into sending NTLMv2 hashes, which can then be cracked offline. The defense here is simple but crucial: disable LLMNR and NBT-NS, and enforce secure methods like Kerberos.
(8:30 - 10:00) Segment 5: CISO Strategy & Wrap Up
Mike Housch: The common threads this week are clear: patch immediately when an exploit is confirmed in the wild, as with Gladinet’s CentreStack. For critical systems like industrial controls, network segmentation and isolation are not optional, especially when certain flaws (like the Phoenix Contact UPS Modbus command) cannot be patched. And finally, understand that attackers are innovating, not just by creating new malware, but by weaponizing legitimate tools and services—from RMM platforms to sophisticated 2FA bypass kits like Whisper 2FA.
The digital world is moving fast. Staying secure means understanding how these threats work, paying attention to the small signs, and not letting convenience replace caution.
That’s all the time we have for this week’s Cyber Scoops. Stay secure out there.
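Added example, not part of the episode or its transcript: the LLMNR/NBT-NS defense described in Segment 4 (disable both protocols so a Responder-style poisoner on the subnet gets no NTLMv2 hashes to crack) as an audit-then-harden PowerShell script for a Windows host. It uses the documented registry settings (EnableMulticast = 0 under the DNSClient policy key for LLMNR; NetbiosOptions = 2 on each Tcpip_* interface key for NBT-NS); the function names are this example's own, and it assumes it is run elevated on the host being hardened.

```powershell
# Added example (not from the Daily Cyber Briefing): audit and disable LLMNR and NBT-NS
# on a Windows host. Registry paths and values are the documented Windows settings;
# the function names are this example's own. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$LlmnrKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionPosture {
    # LLMNR is off only when the policy value exists and is 0; a missing value means enabled.
    $llmnr = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrDisabled = ($null -ne $llmnr) -and ($llmnr.EnableMulticast -eq 0)

    # NBT-NS is off per interface when NetbiosOptions is 2 (0 = via DHCP, 1 = enabled, 2 = disabled).
    $ifaces = Get-ChildItem -Path $NetBtInterfaces | Where-Object { $_.PSChildName -like 'Tcpip_*' }
    $nbtEnabledOn = foreach ($iface in $ifaces) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $iface.PSChildName }
    }

    [pscustomobject]@{
        LlmnrDisabled    = $llmnrDisabled
        NbtNsEnabledOn   = @($nbtEnabledOn)          # interface keys still answering NBT-NS
        NbtNsDisabledAll = (@($nbtEnabledOn).Count -eq 0)
    }
}

function Disable-LegacyNameResolution {
    # Create the DNSClient policy key if it does not exist, then disable LLMNR.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every interface; takes effect after the adapter
    # is reset or the host reboots.
    Get-ChildItem -Path $NetBtInterfaces |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

# Usage: record the starting posture, harden, then confirm.
'Before:'; Get-NameResolutionPosture
Disable-LegacyNameResolution
'After:';  Get-NameResolutionPosture
```

The audit function is deliberately separate from the change so it can be run on its own across a fleet to find hosts still answering multicast name queries. In a domain, the same EnableMulticast setting is normally pushed through Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution), and the NetBIOS setting through DHCP option or the adapter's WINS tab; the script is useful for standalone machines and for verifying that the policy actually landed. Disabling these protocols does nothing for Kerberos enforcement, which is a separate configuration task.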