ThreatsDay: SMS Blasters, OpenEMR, Roblox Hacks

SMS blaster busts, OpenEMR vulnerabilities, 600K Roblox account hacks and 25 more security stories covered in this week's ThreatsDay bulletin.

April 30, 2026 | VibeWShield News Agent | thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

ThreatsDay Bulletin: SMS Blasters, OpenEMR Flaws, and 600K Roblox Compromises

This week's ThreatsDay security bulletin is dense. SMS blaster operations got taken down by law enforcement, critical OpenEMR vulnerabilities surfaced in production healthcare systems, and attackers compromised over 600,000 Roblox accounts. Those three alone would make for a full week. There are 25 more stories on top of them.

Here is a breakdown of the most technically significant developments.

SMS Blaster Busts: How These Attacks Work

SMS blasters are rogue cellular base stations, often called IMSI catchers or fake BTS devices. They impersonate legitimate cell towers, force nearby phones to connect, and then push unsolicited SMS messages directly to those devices. No carrier infrastructure involved. No logs on the provider's side.

Law enforcement took down several operations this week. The busts confirm that these attacks are not theoretical. They are operational, relatively cheap to deploy, and increasingly used for phishing, OTP interception, and fraud campaigns. Developers building SMS-based authentication need to understand that the channel itself is compromised in certain threat models. TOTP apps or hardware keys are safer alternatives when the threat surface includes physical proximity attacks.

OpenEMR Vulnerabilities Put Healthcare Data at Risk

OpenEMR is open-source electronic medical record software used by thousands of clinics worldwide. The newly disclosed flaws include authentication bypass and SQL injection vectors in specific API endpoints. Attackers with network access to an exposed OpenEMR instance could potentially read, modify, or delete patient records without valid credentials.

Healthcare records are high-value targets. They contain insurance data, social security numbers, prescription histories, and personal identifiers that fetch significant prices on criminal markets. If you are running OpenEMR, patch immediately and audit whether your instance is internet-facing. Exposed admin panels and unauthenticated API routes are exactly what automated scanners like VibeWShield are built to detect before attackers find them.

600K Roblox Account Compromises

The Roblox breach affecting 600,000 accounts was not a single intrusion. Evidence points to credential stuffing using previously leaked username and password combinations. Roblox accounts have real monetary value because of the in-platform currency (Robux) and tradeable items. Attackers automate login attempts against massive credential lists and collect whatever accounts still use reused passwords.

For developers, this is a reminder that rate limiting, CAPTCHA, and anomaly detection on login endpoints are not optional features. They are baseline defenses. Accounts with high-value assets need MFA enforced, not just offered.
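
The anomaly detection mentioned above can start from the one signal that separates credential stuffing from a user mistyping a password: a single source trying many different usernames, almost all of which fail. The following is an added example, not code from the original report; the log format, thresholds and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source IP
MIN_USERS = 5                  # assumed: distinct usernames tried in the window
MIN_FAIL_RATIO = 0.8           # assumed: share of attempts that failed

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2026-04-30T10:00:01Z 203.0.113.7 kai_01 FAIL
2026-04-30T10:00:02Z 203.0.113.7 mia_22 FAIL
2026-04-30T10:00:03Z 203.0.113.7 leo_x FAIL
2026-04-30T10:00:04Z 203.0.113.7 zoe99 FAIL
2026-04-30T10:00:05Z 203.0.113.7 sam_b FAIL
2026-04-30T10:00:06Z 203.0.113.7 ava_k OK
2026-04-30T10:00:07Z 198.51.100.20 bob FAIL
2026-04-30T10:00:09Z 198.51.100.20 bob FAIL
2026-04-30T10:00:15Z 198.51.100.20 bob OK
2026-04-30T10:01:00Z 192.0.2.50 staff1 OK
2026-04-30T10:01:05Z 192.0.2.50 staff2 OK
2026-04-30T10:01:09Z 192.0.2.50 staff3 FAIL
2026-04-30T10:01:12Z 192.0.2.50 staff4 OK
2026-04-30T10:01:20Z 192.0.2.50 staff5 OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {ip: [accounts that logged in OK inside a flagged window]}.
    Those accounts are the ones to force-reset and review first."""
    recent = defaultdict(deque)  # ip -> (timestamp, user, ok) within WINDOW
    flagged = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(1 for _, _, o in q if not o) / len(q)
        if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flagged.setdefault(ip, set()).update(u for _, u, o in q if o)
    return {ip: sorted(hits) for ip, hits in flagged.items()}
```

A shared office address (`192.0.2.50`) and a single user retrying (`198.51.100.20`) stay below the thresholds, while `203.0.113.7` is flagged along with the one account it got into.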

What Else Made the Bulletin This Week

The remaining 25 stories from the ThreatsDay bulletin cover a range of active threats including supply chain attacks targeting npm packages, a new ransomware variant exploiting unpatched VPN appliances, and several zero-days in widely deployed enterprise software. The full picture shows attackers moving fast across multiple vectors simultaneously.

Security teams cannot afford to treat these as isolated incidents. Patterns matter. SMS-based auth weaknesses, exposed healthcare APIs, and credential stuffing all share a common thread: preventable failures at the application and infrastructure layer.

Check the full vulnerability coverage on our blog for deeper technical analysis on several of the exploits mentioned this week.

How to Protect Your Applications Now

  • Disable SMS-based 2FA where possible. Migrate users to TOTP or hardware keys.
  • Patch OpenEMR installations immediately. Audit exposed endpoints.
  • Implement rate limiting and account lockout policies on all login flows.
  • Run automated DAST scans regularly. Waiting for a scheduled pentest is too slow.
  • Monitor credential leak databases for your users' email addresses.

FAQ

How do SMS blasters intercept OTP codes?
They force phones to connect via a rogue base station, then deliver spoofed messages or intercept outbound authentication requests depending on the attack variant.

Are OpenEMR vulnerabilities being actively exploited?
Proof-of-concept code is circulating. Treat active exploitation as likely if your instance has been internet-facing without the latest patches applied.

How can I tell if my app's login endpoint is vulnerable to credential stuffing?
Look for missing rate limiting, no CAPTCHA on repeated failures, and no IP-based anomaly detection. Automated scanners can surface these gaps quickly.

