Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11809
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-10 22:16:29 | theregister | CYBERCRIME | CitrixBleed 2 Vulnerability Actively Exploited, CISA Confirms | CISA has officially recognized CVE-2025-5777, referred to as CitrixBleed 2, as a critical security flaw being actively exploited. CitrixBleed 2 allows remote attackers to read sensitive data from NetScaler devices set up as gateway servers without requiring authentication, posing serious security risks. Originally identified and patched by Citrix in June 2025, subsequent reports from researchers indicated that the patch was not widely applied, leading to active exploits. Security researcher Kevin Beaumont named the bug "CitrixBleed 2" due to its similarities to a previous critical vulnerability in the same NetScaler product. Despite Citrix's initial claims of no evidence of exploitation, multiple security researchers and groups, including Greynoise and Akamai, have observed attempts and successes in exploiting this vulnerability. The vulnerability's simplicity in exploitation (targeting a specific URL path with no prior conditions) makes it accessible to a wide range of attackers. The potential impact includes unauthorized access to VPNs, internal networks, and sensitive data, creating substantial risks for federal enterprises and other organizations. | Details |
| 2025-07-10 20:49:11 | bleepingcomputer | MISCELLANEOUS | Microsoft Enhances Windows 11 Security with JScript9Legacy Engine | Microsoft has replaced the default JScript engine with JScript9Legacy in Windows 11 version 24H2 to enhance security and performance. The update addresses vulnerabilities in the old JScript, such as cross-site scripting (XSS) and memory corruption, which posed significant web threats. JScript9Legacy offers better compliance with modern JavaScript security standards and improved handling of scripts outside the browser. The transition requires no user action, as JScript9Legacy is enabled by default in the latest Windows version, ensuring seamless script execution. Legacy scripts will continue to operate without modification, and Microsoft offers support for any potential compatibility issues. This update also aligns with Microsoft's shift from Internet Explorer to the more secure Edge browser. | Details |
| 2025-07-10 20:34:51 | theregister | NATION STATE ACTIVITY | Engineer Jailed for Stealing Semiconductor Tech for Russia | A Dutch court sentenced a former engineer of ASML and NXP to three years in prison for stealing semiconductor technology and sharing it with Russian contacts. The convict, reportedly a Russian named German Aksenov, transferred corporate data to Russia's FSB intelligence service, earning around €40,000. Legal proceedings revealed he used encrypted messaging apps and cloud storage to send technical semiconductor manufacturing files to an unnamed recipient in Russia. The files included sensitive information on equipment and processes required for setting up semiconductor production. Although accused of planning to assist in setting up a microchip production line, he was acquitted of this charge as no technical assistance was ultimately provided. NXP expressed satisfaction with the verdict, highlighting their zero-tolerance policy toward data theft and embezzlement. The court could not conclusively link the money received by the defendant to the sale of the stolen intellectual property. | Details |
| 2025-07-10 17:07:24 | thehackernews | CYBERCRIME | Critical mcp-remote Vulnerability Risks Full System Compromise | Cybersecurity researchers identified a severe vulnerability in the mcp-remote open-source project, tracked as CVE-2025-6514, with a high CVSS score of 9.6. The flaw allows execution of arbitrary OS commands when the mcp-remote tool connects to an untrusted MCP server, creating potential for a full system compromise. mcp-remote facilitates communication between MCP clients and servers and is widely used, with over 437,000 downloads. Affected versions of the tool ranged from 0.0.5 to 0.1.15; the vulnerability was resolved in version 0.1.16, released on June 17, 2025. Impacted operating systems include Windows, macOS, and Linux, though the level of command execution control varies. To mitigate risks, users are urged to update mcp-remote to the latest version and ensure connections are made only to trusted MCP servers using HTTPS. This disclosure followed recent findings of other significant vulnerabilities within MCP tools and systems, underscoring ongoing security challenges in managing MCP server interactions. | Details |
| 2025-07-10 16:29:36 | bleepingcomputer | CYBERCRIME | Pro Basketball Player Arrested in Ransomware Gang Investigation | Russian professional basketball player Daniil Kasatkin was arrested in France on charges related to his alleged involvement with a ransomware gang. The arrest was executed at Charles de Gaulle airport on June 21 after Kasatkin landed in France with his fiancée. Kasatkin is accused of acting as a negotiator for the ransomware gang, which is believed to have attacked over 900 companies, including two federal agencies. The U.S. is seeking extradition of Kasatkin to face charges including "conspiracy to commit computer fraud" and "computer fraud conspiracy." Kasatkin's lawyer claims his client's innocence, attributing the charges to a possibly compromised second-hand computer Kasatkin had purchased. The implicated ransomware gang closely resembles the activities of the notorious Conti group, known for targeting state governments and possibly federal agencies. This arrest comes amid other notable cybersecurity actions in France, including the arrest of four operators from the BreachForums hacking forum. | Details |
| 2025-07-10 16:04:47 | bleepingcomputer | CYBERCRIME | Bluetooth Flaws Endanger Millions of Cars Across Major Brands | Four critical vulnerabilities, named PerfektBlue, were identified in the BlueSDK Bluetooth stack by OpenSynergy, affecting vehicles from Mercedes-Benz AG, Volkswagen, and Skoda. The vulnerabilities allow remote code execution and can potentially grant an attacker access to the vehicle's infotainment system and other critical components. Although patches were released by OpenSynergy in September 2024, many automakers have yet to implement these updates. The PCA Cyber Security team discovered these vulnerabilities and demonstrated possible attacks, including the ability to track GPS coordinates and access phone contacts from the vehicle. Volkswagen acknowledged the issue and began investigations, noting that exploiting these vulnerabilities requires specific conditions, including proximity to the vehicle. PCA Cyber Security also hinted at another unnamed major automotive OEM affected by these issues, planning a full disclosure by November 2025. The vulnerabilities are significant not only for the potential control they give over in-vehicle systems but also for the slow response of automakers in patching known flaws. | Details |
| 2025-07-10 15:21:52 | theregister | CYBERCRIME | Russia Rejects Bill to Legalize Ethical Hacking Amid Security Fears | Russia's State Duma has rejected a bill aimed at legalizing ethical hacking, citing national security concerns. Politicians expressed concerns that vulnerabilities discovered could be exploited by hostile nations if shared with foreign software companies. The bill lacked clarity on how existing laws would adapt to allow ethical hacking, including practices like penetration testing and bug bounties. Despite the rejection, established Russian cybersecurity firms can still conduct vulnerability research, but individual researchers face significant legal risks. Unauthorized access to computer systems, even for ethical purposes, can lead to prosecution under the Russian Criminal Code. Russia does not encourage cybercrime; however, it often overlooks activities targeting its adversaries, reflecting a culture of tacit approval. Ethical hacking in Russia is confined primarily to collaborations between cybersecurity companies and domestic software vendors under strict confidentiality and control measures. Russian researchers face limitations on probing foreign software due to sanctions, particularly following Russia's invasion of Ukraine. | Details |
| 2025-07-10 14:46:47 | thehackernews | MALWARE | Deceptive AI and Gaming Startups Target Crypto Users with Malware | Cryptocurrency enthusiasts are being targeted by a social engineering scam involving fake AI, gaming, and Web3 startup firms. Attackers create convincing profiles for these non-existent companies on social platforms like Telegram and Discord, attempting to lure victims into downloading malware-infected software. The scam uses sophisticated techniques like spoofed social media accounts and professional-looking websites hosting project documentation on platforms like GitHub and Notion. Users are deceived into downloading malicious software which then deploys stealers like Realst and AMOS, designed to extract sensitive information including crypto-wallet credentials. The malware campaign, active since at least March 2024, uses various themes and verified social media accounts to enhance credibility and entice potential victims. Victims who download and open the malicious files on Windows or macOS are subject to data theft that includes documents and crypto-wallet details. Darktrace's report reveals similarities between these operations and those of a known cybercrime group, though direct attribution remains uncertain. | Details |
| 2025-07-10 14:10:25 | bleepingcomputer | MISCELLANEOUS | Best Practices for Securing Law Enforcement Data: A CJIS Guide | The CJIS Security Policy sets stringent guidelines for handling sensitive law enforcement data, applicable to both government entities and private contractors. CJIS, established in the late 1990s, consolidates criminal databases across the U.S. to ensure uniform security standards in data handling. Compliance involves robust identity and access management protocols, including secure passwords, multifactor authentication, and strict access controls. Non-compliance can lead to severe consequences, such as significant data breaches exposing sensitive criminal information. Verizon's Data Breach Investigation Report highlights that stolen credentials play a role in almost 45% of all breaches, underlining the importance of secure password policies. Specops Software offers tools that integrate with Active Directory to help organizations meet CJIS standards, streamline administrative tasks, and maintain audit-ready compliance. Entities needing to comply include any organization that might handle criminal justice information, not just police departments. | Details |
| 2025-07-10 13:46:09 | bleepingcomputer | CYBERCRIME | Four Arrested in UK for Major Retail Cyberattacks | The UK National Crime Agency (NCA) arrested four individuals linked to cyberattacks on Marks & Spencer, Co-op, and Harrods. Arrestees include two 19-year-old men, a 17-year-old male, and a 20-year-old female from London and the West Midlands. Charges against the suspects include Computer Misuse Act offenses, blackmail, money laundering, and participating in organized crime. Electronic devices were seized during the arrests to find evidence and possible connections to other co-conspirators. The attacks impacted the retailers severely, with Marks & Spencer experiencing a significant data breach leading to forced password resets for customers. Financially, the incident is estimated to cause a $402,000,000 loss in profit for Marks & Spencer. The attackers, believed to be part of the Scattered Spider group, also targeted US insurance and transportation sectors. The case lays the groundwork for continued international cooperation in investigating and disrupting cybercrime. | Details |
| 2025-07-10 12:15:11 | thehackernews | CYBERCRIME | Four Arrested Over Multimillion-Pound Cyber Attacks on UK Retailers | The UK National Crime Agency (NCA) detailed the arrest of four individuals linked to a major cyber attack on retailers Marks & Spencer, Co-op, and Harrods. Arrests include two men aged 19, a 17-year-old, and a 20-year-old woman, targeted for their suspected involvement in Computer Misuse Act offenses, blackmail, money laundering, and organized crime activities. The NCA conducted raids in the West Midlands and London, confiscating numerous electronic devices for forensic evaluation. The attacks, recognized as significant cyber events by the Cyber Monitoring Centre, inflicted financial damages estimated between £270 million and £440 million. The suspects are believed to be part of Scattered Spider, a decentralized group known for sophisticated social engineering and ransomware attacks. Scattered Spider, notorious within The Com collective, employs methods like phishing to secure unauthorized access to high-value targets across different sectors. The case remains a high priority for the NCA, with ongoing international collaboration to bring the perpetrators to justice and prevent future incidents. | Details |
| 2025-07-10 11:36:31 | theregister | CYBERCRIME | UK National Crime Agency Arrests Four in Major Retail Ransomware Case | The UK's National Crime Agency (NCA) apprehended four individuals linked to recent ransomware attacks on major retailers, including M&S, Co-op, and Harrods. Arrests were made at various locations across the UK, targeting two men from the West Midlands, one man from London, and one woman from Staffordshire. Those detained are suspected of being involved in all three attacks, facing preliminary charges under the Computer Misuse Act, alongside allegations of blackmail and money laundering. The NCA seized electronic devices from the suspects for forensic analysis to gather more evidence in their ongoing investigation. Authorities emphasize the significance of these arrests but have withheld specific details to protect the right to a fair trial and manage significant safeguarding concerns. The NCA's Deputy Director, Paul Foster, highlighted the disruption caused by cyberattacks and reiterated the importance of cooperation between businesses and law enforcement in cybercrime cases. The investigation remains a top priority for the NCA, with further work anticipated both in the UK and with international partners. | Details |
| 2025-07-10 11:04:44 | thehackernews | MALWARE | Latest ZuRu Malware Variant Targets macOS Developers | New artifacts of the ZuRu malware have been discovered, targeting macOS developers with a trojanized Termius app. The malware impersonates legitimate tools and uses modified versions of Khepri for command and control. Initially identified in 2021, ZuRu has evolved to exploit various popular macOS applications. The trojan relies on sponsored web searches, indicating opportunistic rather than targeted attacks. The latest version includes modifications to bypass detection, utilizing a hacked Termius.app and additional malicious executables. ZuRu's persistence mechanisms and update features ensure it remains active and up-to-date on infected systems. Researchers highlight the need for robust endpoint protection to guard against such sophisticated malware tactics. | Details |
| 2025-07-10 11:04:44 | thehackernews | MISCELLANEOUS | Essential AI Governance Strategies for SaaS Applications | Generative AI is increasingly integrated into daily-use SaaS applications, raising urgent security and privacy concerns for businesses. A significant 95% of U.S. companies now employ generative AI, highlighting the rapid adoption and the accompanying need for effective governance. AI governance involves establishing policies and controls to ensure responsible and secure AI usage aligned with organizational goals and compliance requirements. Without proper governance, AI tools may expose sensitive data, violate compliance laws, or function unpredictably due to biases or model changes. Companies face challenges in AI management due to lack of visibility and fragmented tool ownership across departments. Effective AI governance should include an inventory of AI usage, clear usage policies, monitored access, continuous risk assessment, and cross-functional collaboration. Specialized platforms like Reco's Dynamic SaaS Security solution are emerging to support organizations in managing AI-related risks efficiently. | Details |
| 2025-07-10 10:50:27 | theregister | DATA BREACH | Google Cloud's UK AI Data Storage Raises Sovereignty Concerns | Google Cloud now allows UK organizations to keep AI data fully within the country, addressing local data sovereignty needs. Despite local data storage, support services for UK users will be handled by Google's global support team, potentially compromising data sovereignty. Concerns arise about US authorities accessing UK-stored data under the US CLOUD Act, despite the data being physically located in the UK. Veteran Linux vendor SUSE warns about the risks of data crossing borders due to support services based outside the UK. Google offers encryption solutions where customers control their own keys, enhancing data security and compliance. The CEO of UK cloud vendor Civo criticizes Google's approach, expressing concerns about US influence and inadequate safeguards against overseas data access. Google's processes for handling government data requests are stated to align with international best practices, yet specifics remain general. Alternatives like Google Cloud Airgapped and Google Cloud Dedicated present more controlled data environments but are limited to certain EU countries. | Details |