Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11790
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-11 08:22:18 | bleepingcomputer | DATA BREACH | Connex Credit Union Data Breach Exposes 172,000 Members' Information | Connex Credit Union, a major Connecticut-based financial institution, experienced a data breach affecting 172,000 members, exposing personal and financial information. The breach occurred between June 2 and June 3, 2025, with unauthorized access to sensitive data, including Social Security numbers and account details. Despite the breach, Connex reports no evidence of unauthorized access to members' funds or accounts, but warns of potential phishing scams targeting its members. Connex has issued scam alerts on its website, advising members on how to identify fraudulent communications and urging them to report suspicious activity. The incident is part of a broader trend of data breaches, with groups like ShinyHunters and Scattered Spider targeting high-profile companies across various sectors. This breach underscores the critical need for robust cybersecurity measures and proactive member communication to mitigate the impact of such incidents. | Details |
| 2025-08-11 05:55:52 | thehackernews | VULNERABILITIES | WinRAR Zero-Day Exploitation Prompts Urgent Update to Version 7.13 | WinRAR has released version 7.13 to patch a critical zero-day vulnerability, CVE-2025-8088, which allows path traversal and arbitrary code execution. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, and related components, potentially leading to files being written outside intended directories. ESET researchers discovered the flaw, which is actively exploited via malicious archives, with potential implications for sensitive file placement and code execution. Russian cybersecurity firm BI.ZONE indicates the hacking group Paper Werewolf may have exploited this vulnerability alongside CVE-2025-6218 in targeted attacks. Attacks reportedly targeted Russian organizations through phishing emails containing booby-trapped archives, leveraging the vulnerability for unauthorized code execution. The zero-day exploit was advertised on a Russian dark web forum for $80,000, suggesting a potential acquisition by threat actors for malicious campaigns. Users are advised to update immediately to WinRAR version 7.13 to mitigate risks associated with these vulnerabilities and protect against potential exploitation. | Details |
| 2025-08-10 22:42:54 | theregister | VULNERABILITIES | Trend Micro's Apex One Vulnerability Lacks Immediate Patch Solution | Trend Micro disclosed active exploitation of critical vulnerabilities in its Apex One endpoint security platform, affecting versions up to 14039, with no immediate patch available. The vulnerabilities, CVE-2025-54948 and CVE-2025-54987, allow remote attackers to execute commands on affected systems via the management console. A temporary mitigation is available, but it disables the Remote Install Agent function, impacting administrative operations. Organizations are advised to restrict access to management consoles to trusted administrators and avoid exposing them to the internet. A permanent patch is expected by mid-August, but businesses must implement interim security measures to protect their systems. This incident underscores the importance of securing management interfaces and applying access controls to mitigate potential threats. | Details |
| 2025-08-10 19:34:16 | thehackernews | DDOS | New Win-DDoS Flaws Exploit Public Domain Controllers for Botnets | Researchers from SafeBreach unveiled a novel DDoS attack method, Win-DDoS, leveraging public domain controllers (DCs) to form powerful botnets without needing code execution or credentials. The attack exploits a significant flaw in Windows LDAP client code, allowing attackers to manipulate URL referrals and overwhelm targeted servers. This method transforms DCs into DDoS bots, creating high-bandwidth attacks without requiring dedicated infrastructure, making detection challenging. Win-DDoS can cause LSASS crashes, reboots, or blue screens of death by exploiting unlimited referral list sizes, affecting business continuity. Three new DoS vulnerabilities were identified, enabling unauthenticated users to crash DCs, posing risks to both public and private infrastructure. The findings challenge enterprise threat models, indicating that internal systems are vulnerable to DoS attacks even without full compromise. Organizations are urged to reassess their defense strategies and resilience planning in light of these vulnerabilities to mitigate potential impacts. | Details |
| 2025-08-10 14:17:09 | bleepingcomputer | VULNERABILITIES | Google Patches Gemini Vulnerability Exploited via Calendar Invites | Google addressed a vulnerability in its Gemini assistant, exploited through Google Calendar invites to hijack user data without requiring direct user interaction. Attackers leveraged prompt injections embedded in calendar event titles to access sensitive information and control devices linked to Google services. The exploit allowed unauthorized access to Gmail content, Calendar information, and smart home controls, posing significant privacy risks. SafeBreach researchers demonstrated the attack, noting that existing protections in Gemini did not prevent the exploit. Google has implemented new safeguards and defenses to prevent such adversarial attacks in the future, enhancing user security. The incident underscores the importance of continuous security assessments and collaboration between researchers and tech companies to address emerging threats. Google's proactive response and collaboration with researchers highlight the critical role of responsible disclosure in cybersecurity. | Details |
| 2025-08-10 12:38:59 | thehackernews | VULNERABILITIES | Researchers Reveal Windows RPC Vulnerability Enabling Domain Privilege Escalation | SafeBreach researchers disclosed a vulnerability in the Windows RPC protocol, allowing attackers to impersonate legitimate servers through EPM poisoning, potentially escalating domain privileges. The flaw, identified as CVE-2025-49760, was patched by Microsoft in July 2025 during its regular Patch Tuesday updates. The vulnerability exploits the Windows Storage spoofing mechanism, enabling unauthorized attackers to manipulate core RPC components and perform network spoofing. Attackers can register interfaces of inactive services, tricking clients into connecting to malicious servers without administrative privileges. SafeBreach released the RPC-Racer tool to identify insecure RPC services and manipulate protected processes, highlighting the potential for adversary-in-the-middle and DoS attacks. Enhanced monitoring through RpcEpRegister calls and Event Tracing for Windows (ETW) is recommended to detect such attacks. The issue underscores the need for improved verification processes in the endpoint mapper to prevent unauthorized data acceptance and manipulation. | Details |
| 2025-08-10 12:05:57 | theregister | NATION STATE ACTIVITY | DEF CON Initiative Expands Cybersecurity Support for U.S. Water Systems | DEF CON's Franklin project is scaling up efforts to protect U.S. water systems from cyber threats, expanding from five to potentially thousands of utilities nationwide. Volunteers have been deployed to water facilities in Indiana, Oregon, Utah, and Vermont, providing crucial cybersecurity services like password management and multi-factor authentication. The initiative addresses vulnerabilities in small-town water systems, which are targets for nation-state actors like China and Iran due to their strategic importance. The project has gained significant interest, initially attracting 350 volunteers, and plans to utilize contributions from entities like Craig Newmark Philanthropies and Dragos. Despite limited federal funding, the initiative aims to deploy a suite of free cybersecurity tools to enhance the resilience of critical infrastructure across the U.S. Volunteers have successfully educated water utility managers on cyber risks, preventing potential breaches, such as phishing attacks, through proactive awareness training. The Franklin project exemplifies a community-driven approach to safeguarding essential services, emphasizing the need for robust cybersecurity measures in under-resourced sectors. | Details |
| 2025-08-10 08:13:46 | thehackernews | VULNERABILITIES | ReVault Attack Exposes Critical Flaws in Dell ControlVault3 Firmware | Cisco Talos researchers identified critical vulnerabilities in Dell's ControlVault3 firmware, affecting over 100 laptop models with Broadcom BCM5820X series chips. The ReVault attack allows bypassing Windows login, extracting cryptographic keys, and maintaining access even after OS reinstallations. Vulnerabilities can be exploited by chaining attacks to escalate privileges, bypass authentication, and maintain persistence in high-value environments. ControlVault, a hardware-based security solution, is used in industries requiring secure logins via smart card or NFC readers. No evidence suggests these vulnerabilities have been exploited in the wild, but they pose a significant risk for industries relying on strict security protocols. Mitigation measures include applying Dell's patches, disabling ControlVault services, and turning off fingerprint logins in high-risk scenarios. The vulnerabilities were presented at Black Hat USA, emphasizing the need for proactive security measures in firmware management. | Details |
| 2025-08-10 00:40:02 | theregister | DATA BREACH | TeleMessage Data Breach Exposes Sensitive Communications of Major Clients | Security researcher Micah Lee breached TeleMessage, revealing a 410GB database of communications, impacting clients like US Customs and Border Protection and JP Morgan. The breach exploited hardcoded credentials in the app's Android source code, allowing access to plain text messages stored on TeleMessage servers. Messages were accessible via a specific URL, leading to easy downloads of memory dumps containing sensitive information. The US Cybersecurity and Infrastructure Security Agency issued warnings about two security flaws, which TeleMessage has since addressed. The breach raises concerns about the security practices of messaging apps, especially those used by high-profile organizations and government agencies. TeleMessage's lack of encryption between their servers and archive destinations exposed sensitive communications, undermining its security claims. The incident underscores the critical need for robust operational security and regular security audits to prevent similar breaches in the future. | Details |
| 2025-08-09 19:20:35 | bleepingcomputer | DATA BREACH | Google Data Breach Exposes Potential Google Ads Customers' Information | Google confirmed a data breach involving its Salesforce CRM, affecting potential Google Ads customers' business contact details but not financial information. The breach was linked to ShinyHunters, a group known for targeting Salesforce customers, collaborating with Scattered Spider for initial system access. Threat actors used social engineering tactics to gain access, tricking employees into linking malicious apps to Salesforce environments. The attackers downloaded entire Salesforce databases and demanded ransoms, threatening to release data if not paid. Google's Threat Intelligence Group initially reported these attacks in June, with Google itself targeted in a subsequent incident. ShinyHunters has adopted new Python-based tools for quicker data exfiltration, moving away from traditional Salesforce Data Loader methods. Google has acknowledged the breach and is likely enhancing its defenses against such sophisticated social engineering and data theft tactics. | Details |
| 2025-08-09 19:06:17 | thehackernews | VULNERABILITIES | Lenovo Webcams Vulnerable to Remote BadUSB Exploits, Firmware Updates Released | Eclypsium researchers disclosed vulnerabilities in Lenovo 510 FHD and Performance FHD webcams, allowing remote attackers to exploit them as BadUSB devices. The vulnerabilities enable attackers to inject keystrokes and execute commands, bypassing traditional malware detection due to the attack's firmware-level nature. This marks a significant escalation in BadUSB threats, as Linux-based USB peripherals can now be remotely hijacked without physical access. Lenovo has responded by releasing firmware updates (version 4.8.0) and collaborating with SigmaStar to provide a tool addressing these security flaws. The vulnerabilities stem from the webcams' failure to validate firmware, exposing them to complete software compromise. The attack vector poses a risk to enterprise and consumer systems, as peripherals often run their own operating systems and accept remote commands. Organizations are urged to apply the firmware updates promptly to mitigate potential exploitation and enhance device security. | Details |
| 2025-08-09 15:08:59 | thehackernews | MALWARE | GPT-5 Jailbreak and Zero-Click Attacks Threaten AI and Cloud Systems | Researchers have identified a jailbreak technique that circumvents OpenAI's GPT-5 safeguards, enabling the generation of harmful instructions through narrative-driven steering and Echo Chamber methods. The Echo Chamber technique uses indirect references and semantic steering to gradually manipulate the AI model, bypassing refusal triggers and producing illicit content. A series of zero-click attacks, termed AgentFlayer, exploit AI agents like ChatGPT Connectors and Microsoft Copilot Studio to exfiltrate sensitive data without user interaction. These attacks leverage indirect prompt injections embedded in innocuous documents or emails, highlighting vulnerabilities in AI systems when connected to external platforms. The vulnerabilities expose enterprise environments to risks such as data theft and unauthorized access, necessitating robust security measures and regular red teaming exercises. AI security firms emphasize the importance of implementing strict output filtering and understanding dependencies to mitigate these emerging threats. The findings underscore the challenge of balancing AI innovation with security, as AI systems continue to integrate into critical business operations. | Details |
| 2025-08-09 14:17:17 | bleepingcomputer | MALWARE | Malicious Ruby Gems Compromise Developer Credentials in Supply Chain Attack | Over 275,000 downloads of 60 malicious Ruby gems have been identified since March 2023, targeting developer accounts primarily in South Korea. The gems, discovered by Socket, impersonate legitimate packages on RubyGems.org, the official Ruby package manager, complicating detection and removal efforts. Attackers used aliases such as zon, nowon, kwonsoonje, and soonje to distribute the malicious gems, making traceability and blocking more difficult. These gems present legitimate-looking GUIs but act as phishing tools, exfiltrating credentials to hardcoded command-and-control servers. Harvested data includes plaintext usernames and passwords, device MAC addresses, and package names, aiding in campaign performance tracking. Some credential logs have been found on Russian-speaking darknet markets, linked to interactions with a dubious marketing tool site. Despite reports to the RubyGems team, at least 16 malicious gems remain available, highlighting ongoing challenges in securing open-source supply chains. Developers are advised to scrutinize open-source libraries for suspicious code, verify publisher reputations, and lock dependencies to secure versions. | Details |
| 2025-08-09 05:17:29 | thehackernews | VULNERABILITIES | Critical Flaws in CyberArk and HashiCorp Vaults Allow Remote Exploits | Security researchers identified 14 vulnerabilities in CyberArk and HashiCorp vaults, potentially enabling remote attackers to extract enterprise secrets without credentials. The vulnerabilities, collectively termed "Vault Fault," include authentication bypasses, privilege escalation, and remote code execution, posing significant risks to corporate identity systems. Affected products include CyberArk Secrets Manager, Conjur Open Source, and HashiCorp Vault, with flaws existing for over eight years in some cases. Exploits could lead to unauthorized command execution and privilege escalation, bypassing multi-factor authentication and lockout protections. Researchers emphasize the potential for these vulnerabilities to be weaponized, turning security features into ransomware vectors. Mitigation steps include applying the latest patches and reviewing security configurations to prevent exploitation. The discovery underscores the importance of regular security audits and timely patch management to safeguard sensitive data. | Details |
| 2025-08-08 20:42:33 | bleepingcomputer | VULNERABILITIES | WinRAR Zero-Day Exploited by RomCom Hackers in Phishing Campaigns | A WinRAR vulnerability, CVE-2025-8088, was exploited as a zero-day by RomCom hackers, targeting users through phishing attacks to deploy malware. The vulnerability, a directory traversal flaw, allowed attackers to extract files into paths of their choice, facilitating unauthorized remote code execution. WinRAR 7.13 has addressed this flaw, but the lack of an auto-update feature necessitates manual updates by users to ensure protection. ESET researchers discovered the exploitation, observing spear-phishing emails with malicious RAR attachments delivering RomCom backdoors. RomCom, a Russian hacking group, is associated with ransomware, data theft, and credential-stealing campaigns, often leveraging zero-day vulnerabilities. Users are urged to update to the latest WinRAR version to mitigate risks, as the vulnerability affects Windows versions but not Unix or Android. ESET plans to release a detailed report on the exploitation, providing further insights into the attack methods and mitigation strategies. | Details |