Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, Chinese AI firm DeepSeek exposed sensitive data on the open internet, hackers exploited unpatched Zyxel flaws, infostealer malware compromised Mexican government computers, the Smiths Group battled a cyberattack, PowerSchool began sending out breach notifications, Apple patched a zero-day, hackers exploited XWorm RAT, and Credit Control Corporation settled a lawsuit over a 2023 breach.
DeepSeek Exposed an Online Database Containing Chat History and Backend Info
Chinese artificial intelligence darling DeepSeek exposed a real-time data processing database to the open internet, allowing security researchers to view “a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets and operational details.”
Researchers from Wiz detailed Thursday that a scan of DeepSeek’s publicly accessible domains led them to an instance of a ClickHouse database created by the AI company. The database required no authentication, so Wiz researchers found they could directly query it using SQL. Large amounts of company data were stored in plaintext, including API keys and backend details.
“The exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. The company notified DeepSeek, which secured the database.
The Chinese company rocketed to mainstream prominence with the January release of its R1 model. Investors reacted by driving down the share price of U.S. tech companies, especially after learning that DeepSeek said it was able to train an advanced model using a fraction of the chips needed by market mainstays such as Meta and OpenAI. Allegations have since surfaced that DeepSeek obtained its computing power by deriving its model from an OpenAI model (see: Accusations Mount Against DeepSeek Over AI Plagiarism).
Hackers Exploit Unpatched Zyxel Vulnerability for Remote Attacks
Cybercriminals are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that was flagged last July and remains unpatched. The flaw, tracked as CVE-2024-40891, allows unauthenticated attackers to execute arbitrary commands via the “supervisor” or “zyuser” service accounts.
VulnCheck flagged the issue last year, and security platform GreyNoise reported Tuesday that it had observed active exploitation attempts from multiple IP addresses. The flaw is similar to CVE-2024-40890 but is reached over the telnet protocol instead of HTTP.
Censys found more than 1,500 vulnerable Zyxel CPE devices exposed online, particularly in the Philippines, Turkey, the United Kingdom, France and Italy. Zyxel has yet to release a security advisory or patch for this vulnerability. With no vendor security update available, system admins can block malicious IPs, monitor traffic for unusual telnet requests and restrict access to management interfaces to whitelisted addresses – or disable remote management entirely.
Infostealer Malware Compromises Mexican Government Computers
Hackers infected more than 570 computers linked to Mexico’s government domain gob.mx with infostealer malware, exposing sensitive data and login credentials.
Mexican cybersecurity startup Silikn uncovered hackers using malware such as RedLine Stealer, Raccoon Stealer, FormBook and Lumma Stealer to extract browser passwords and system data.
Analysis by Mexican newspaper Publimetro found approximately 2,000 credentials belonging to government agencies such as prosecutor’s offices available on BreachForums.
Smiths Group Battles Cyberattack, Systems Taken Offline
British engineering giant Smiths Group suffered a cyberattack that resulted in unauthorized access to some of its networks.
The company said Tuesday that affected systems were swiftly isolated and business continuity plans were activated. Following disclosure, Smiths Group’s stock fell over 2%. The company, headquartered in London, employs 15,000 people across 50 countries and provides technologies for industries including aerospace, defense, energy and life sciences.
PowerSchool Data Breach Exposes Millions of Student and Teacher Records
On Wednesday, U.S. edtech provider PowerSchool began notifying individuals affected by its December 2024 data breach, which compromised millions of student and teacher records across North America (see: Don’t Get Schooled: Lessons From PowerSchool’s Big Breach).
One of the hardest-hit districts is the Toronto District School Board, where nearly 1.5 million students’ data was exposed. The data included sensitive information such as gender, medical records, accommodation details and academic progress. The Calgary Board of Education and West Ada School District also confirmed data breaches.
Apple Patches Critical Zero-Day Vulnerability Exploited in the Wild
Apple released updates to fix several security flaws across its devices, including a zero-day vulnerability tracked as CVE-2025-24085, which has been actively exploited. This vulnerability, a use-after-free bug in the Core Media component, could allow a malicious app to elevate privileges.
In addition to fixing the zero-day, the updates address multiple AirPlay vulnerabilities and flaws in Core Audio, which could potentially cause app crashes or arbitrary code execution. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-24085 to its known exploited vulnerabilities catalog.
Hackers Exploit XWorm RAT to Target Script Kiddies, Compromise 18,000+ Devices
Hackers are using a Trojanized version of the XWorm RAT builder to prey on script kiddies, compromising over 18,000 devices worldwide. The malware spread across several platforms, including file-sharing services, GitHub repositories, Telegram channels and YouTube, enabling the attackers to steal sensitive data such as browser credentials, Discord tokens, Telegram data and system information from infected devices.
The malicious tool is packed with advanced features, including system reconnaissance, data exfiltration and the ability to execute commands remotely. It relies on Telegram for command-and-control, using bot tokens and API calls to send commands to the compromised devices and exfiltrate stolen data. The attackers targeted inexperienced hackers by providing an easy-to-use, modified version of XWorm, streamlining the deployment of the RAT.
CloudSEK researchers identified a “kill switch” within the malware, which they used to disrupt its operations on infected devices. Offline devices and Telegram’s rate-limiting mechanisms prevented full disruption.
Credit Control Corporation Settles $1.61 Million Class Action Over Data Breach
The R&B Corporation of Virginia, operating as Credit Control Corporation, reached a $1.61 million settlement in a class action lawsuit following a 2023 data breach that exposed the personal and financial information of approximately 286,700 individuals. The breach, which occurred between March 2 and March 7, 2023, involved the unauthorized copying of client files containing sensitive data, including Social Security numbers, account numbers and balances.
The U.S. District Court for the Eastern District of Virginia granted preliminary approval of the settlement in July 2024 and final approval on Wednesday.
With reporting from Information Security Media Group’s David Perera in Washington, D.C.