Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11809

Checks for new stories every ~15 minutes

2025-07-07 11:36:17 thehackernews NATION STATE ACTIVITY North Korea IT Workers Infiltrate US Companies, Steal Data
U.S. authorities disrupted a North Korean scheme in which IT workers, using fake or stolen identities, obtained jobs at over 100 U.S. companies. These workers not only drew salaries but also stole sensitive data and siphoned off over $900,000 in a crypto heist targeting a blockchain firm. The Justice Department conducted 21 searches across 14 states, building on previous operations aimed at curbing these activities. At least one North Korean worker accessed sensitive data from a defense contractor in California, including ITAR-related information. The U.S. government seized 21 web domains, 29 financial accounts, and nearly 200 laptops and remote access devices in the crackdown. The State Department offers rewards of up to $5 million for information that helps disrupt financial operations linked to North Korean state-supported activities. North Koreans have used the identities of over 80 U.S. persons to fraudulently secure positions and channel funds to the Kim regime in North Korea.
2025-07-07 11:06:29 thehackernews CYBERCRIME Iranian Hack Exploits Default Passwords, Urges Tighter Security
Iranian hackers breached a U.S. water facility using a default password, affecting 7,000 users. The incident highlights the severe risks associated with default passwords in critical infrastructures. CISA has advised manufacturers to eliminate default credentials to enhance security. Default credentials, such as "admin/admin" or "1234", continue to be a major security gap exploited by attackers. Historical cyberattacks like the Mirai botnet, which disrupted major internet services, were facilitated by unchanged factory default passwords. The UK has implemented laws against shipping IoT devices with preset passwords to combat these risks. Manufacturers are encouraged to adopt secure-by-design best practices to minimize cyber vulnerabilities. IT professionals are urged to enforce strict password policies and implement solutions like Specops Password Policy to mitigate risks.
2025-07-07 04:56:58 thehackernews NATION STATE ACTIVITY TAG-140 Uses Advanced RATs to Target Indian Government Sectors
A Pakistan-linked hacking group, identified as TAG-140, is deploying a variant of the DRAT remote access trojan (RAT) to infiltrate Indian government, defense, and railway sectors. This group is associated with SideCopy and Transparent Tribe, using cloned Indian Ministry of Defence press release portals to launch attacks. The attacks employ sophisticated phishing techniques to deliver malware, focusing on data theft, surveillance, and disrupting critical services. Recorded Future's analysis highlights the evolution of TAG-140’s malware, noting increased flexibility and reduced obfuscation to improve attack reliability. DRAT V2, the updated malware tool, features enhanced post-exploitation capabilities, such as arbitrary shell command execution and C2 communication improvements. The adversary has broadened its target sectors to include maritime, oil and gas, and external affairs ministries, indicating a strategic expansion of their operational focus. Other campaign activities noted involve disseminating malicious PDFs targeting defense personnel and employing advanced evasion techniques to avoid detection.
2025-07-06 20:15:49 theregister CYBERCRIME Security Flaw Exposes 62,000 Accounts in Stalkerware Breach
A security researcher discovered a SQL injection vulnerability in a piece of stalkerware named Catwatchful that enabled access to a database containing 62,000 user accounts. The researcher, Eric Daigle, published a blog post detailing his findings, commenting on the software's intended undetectability and how he managed to compromise it. Despite efforts by Daigle and TechCrunch, Catwatchful remained operational, setting up temporary sites and deploying patches to fix the SQL injection flaw. The same roundup highlighted ongoing issues with software supply chain security, as researchers demonstrated how publisher verification for IDE extensions can be easily spoofed. Swiss NGO Radix, which works with government agencies, was hit by ransomware, but government systems remained uncompromised. The Common Vulnerabilities and Exposures (CVE) Program is seeking participation from security experts and consumers to better align with real-world use cases and improve how security norms are established. A healthcare breach in the US involved Esse Health, potentially affecting 263,601 patients whose personal and healthcare-related information was compromised.
2025-07-06 13:14:56 theregister RANSOMWARE Ingram Micro Hit by Ransomware Attack, SafePay Claims Responsibility
Ingram Micro experienced a major system outage due to a ransomware attack, confirmed on July 3. The attack was claimed by the SafePay ransomware crew, who cited network security misconfigurations at Ingram Micro. The disruption left Ingram unable to process orders and manage licenses for products such as Microsoft 365 and Dropbox. Ingram Micro took immediate steps to secure its systems, including taking certain systems offline and implementing mitigation measures. The company has initiated a thorough investigation with cybersecurity experts and has also notified law enforcement. SafePay's ransom note claimed that the group accessed and encrypted sensitive data, including financial statements, intellectual property, and customer files. The ransomware group threatened to publish the encrypted data on the web and has given Ingram a week to negotiate. SafePay suggested it gained access through Ingram's GlobalProtect VPN platform, although this remains unconfirmed.
2025-07-05 16:04:39 bleepingcomputer CYBERCRIME SafePay Ransomware Disrupts Ingram Micro's Global Operations
Ingram Micro, a major global IT distributor, has been hit by a ransomware attack by the SafePay group, leading to extensive system outages. The cyberattack began early Thursday, shutting down Ingram Micro's internal systems, websites, and online ordering functions. Employees encountered ransom notes on their devices, though it remains unconfirmed whether data was actually encrypted. The SafePay ransomware operation, which emerged in November 2024, has added Ingram Micro to its list of 220+ victims. Ingram Micro took precautionary steps by instructing employees to work remotely and to avoid using the compromised GlobalProtect VPN. Despite ongoing IT disruptions, services like Microsoft 365, Teams, and SharePoint are reported to be functioning. As of the latest updates, Ingram Micro has neither publicly acknowledged the attack nor communicated it directly to employees. Sources revealed that the attackers may have accessed Ingram Micro's network using compromised credentials for the GlobalProtect VPN platform.
2025-07-05 12:45:11 theregister CYBERCRIME Surge in .es Domains Being Used for Phishing and Malware Distribution
Cybersecurity experts noted a 19-fold increase in the abuse of .es domains, predominantly for credential phishing. Over 1,300 subdomains across 447 .es domains have been found hosting malicious web pages, 99% of them aimed at phishing. Most of the abuse attempts to steal Microsoft credentials, using convincing email lures such as fake HR requests. A small percentage (1%) of these malicious campaigns involved distributing RATs such as ConnectWise RAT and XWorm. The majority of the phishing pages are hosted on Cloudflare, taking advantage of its easy deployment features. The .es top-level domain, which typically has more stringent registration requirements, is the third most abused TLD after .com and .ru. The methods used are conventional: fake emails and randomly generated subdomains that host the phishing sites. The trend suggests that .es domain abuse is becoming a habitual technique among a broad group of cybercriminals.
2025-07-05 06:19:58 thehackernews NATION STATE ACTIVITY Taiwan NSB Warns Against Chinese Apps Over Privacy Risks
Taiwan's National Security Bureau (NSB) has issued a warning about security risks posed by Chinese-developed apps including TikTok, Weibo, and RedNote due to their data practices. The NSB, along with other Taiwanese security agencies, reviewed these apps and found significant issues such as excessive data collection and privacy infringements. Each app was evaluated against 15 security indicators, with RedNote violating all, and TikTok and Weibo breaching 13. Concerns highlighted include extensive data harvesting like facial recognition data, screenshots, clipboard contents, contact lists, and device information sent to servers in China. NSB emphasized the mandatory compliance of Chinese companies in sharing user data with the Chinese government, which poses a direct threat to the privacy of Taiwanese users. The advisory comes amidst global actions with countries like India and Canada implementing bans on Chinese apps, citing similar security concerns. NSB has urged the public and businesses in Taiwan to remain vigilant about mobile security and avoid downloading apps developed in China to safeguard personal and corporate data.
2025-07-05 05:45:59 thehackernews CYBERCRIME Cybercriminals Deploy Crypto Miners and New Hpingbot for DDoS Attacks
Threat actors are exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to deploy cryptocurrency miners and gain remote code execution. The malicious activity was discovered by Wiz researchers on their honeypot servers running TeamCity, which is especially vulnerable when operating in debug mode. JDWP, which is essential for debugging Java applications, has no built-in authentication, so it poses a significant security risk when it is improperly managed or reachable from the network. Over 2,600 IP addresses, mainly from China, the U.S., Germany, Singapore, and Hong Kong, have been observed scanning for vulnerable JDWP endpoints. Separately, NSFOCUS has detailed a new malware family named Hpingbot that targets both Windows and Linux systems and builds botnets for launching distributed denial-of-service (DDoS) attacks. Hpingbot is notable because it was built from scratch, using Pastebin to distribute payloads and leveraging the hping3 tool for DDoS attacks. Attackers gain initial access for Hpingbot through weak SSH configurations, further underscoring the need for strong security practices around SSH.
2025-07-04 15:17:08 bleepingcomputer DATA BREACH Hacker Leaks 106GB of Telefónica Data, Claims Fresh Breach
A hacker known as "Rey," linked to the Hellcat ransomware group, has allegedly breached Spanish telecom giant Telefónica and is threatening to leak 106GB of data. Rey has already leaked a 2.6GB archive to support the breach claims; the data supposedly includes internal communications, customer records, and employee data. The breach reportedly occurred on May 30 and was facilitated by a misconfiguration in a previously compromised Jira server. Despite multiple inquiries by BleepingComputer, Telefónica has not acknowledged the recent breach, and one representative dismissed it as an extortion attempt using outdated data. Files in the leaked data include emails and invoices from Telefónica's operations across several countries, with some content dated as recently as 2021. After the initial hosting was taken down over legal issues, the hacker shifted to distributing the stolen data through various platforms, increasing the risk of widespread data exposure.
2025-07-04 15:17:08 bleepingcomputer CYBERCRIME Ingram Micro Hit by Potential Cyberattack, Global Systems Down
Ingram Micro is facing a significant global outage affecting its websites and internal systems. The technology distribution giant has not disclosed the cause of the outage, prompting concerns about a possible cyberattack. The outage began on a Thursday morning, making it impossible for customers worldwide to place orders. Employees are also unable to access certain internal systems, further complicating operations. Visitors to the Ingram Micro website encounter messages indicating access restrictions or maintenance. Despite speculation of a ransomware attack amongst the online community, the exact nature of the incident remains unconfirmed. The extended unavailability of services is typical of a major breach, making this situation alarming for partners and businesses relying on Ingram Micro. The company has yet to respond officially about the ongoing issues or any steps being taken to resolve them.
2025-07-04 13:05:16 thehackernews NATION STATE ACTIVITY NightEagle APT Targets China's Defense and Tech Sectors via Exchange Flaw
NightEagle APT (aka APT-Q-95) exploits Microsoft Exchange servers using a zero-day exploit chain, primarily targeting China's government, defense, and technology sectors. Active since 2023, this threat actor changes its network infrastructure rapidly, complicating tracking and mitigation efforts. Attacks focus on high-value sectors such as high-tech, semiconductors, quantum technology, AI, and the military, aiming to gather sensitive intelligence. NightEagle was identified by QiAnXin's RedDrip Team, which presented its findings at CYDES 2025 in Malaysia. The APT uses a modified version of the Chisel tool to set up persistent access and data exfiltration mechanisms on compromised networks. A .NET loader delivers the NightEagle Trojan through the IIS service of Microsoft Exchange, enabling unauthorized data access and remote control. QiAnXin researchers suggest a North American origin for NightEagle, because the attack timing aligns with nighttime hours in Beijing. Microsoft has been contacted for comment on the findings.
2025-07-04 09:35:10 thehackernews MALWARE Sudo Flaws Expose Linux Systems to Elevated Privilege Attacks
Two significant vulnerabilities in Sudo, affecting various Linux distributions, allow local users to gain root access. CVE-2025-32462 and CVE-2025-32463 are severe flaws that bypass Sudo's security checks to execute unauthorized commands. CVE-2025-32462 involves the "-h" host option, which has been flawed since its introduction in September 2013. CVE-2025-32463 involves the "-R" chroot option and enables arbitrary command execution even for users who have no Sudo rules. The vulnerabilities were responsibly disclosed on April 1, 2025, and have since been patched in Sudo version 1.9.17p1. CVE-2025-32462 primarily affects systems that use a common sudoers file distributed across multiple machines or LDAP-based sudoers. Linux users are urged to update to the patched version of Sudo to mitigate the risk of these vulnerabilities. The discovery underscores the need for continuous vigilance and timely patching of foundational security tools like Sudo.
2025-07-04 09:35:10 thehackernews DATA BREACH Webinar Focuses on Preventing Data Leaks in AI Systems
Generative AI (GenAI) introduces the risk of unintended data leaks in businesses, affecting sensitive enterprise data. AI agents interact with corporate systems like SharePoint and S3 buckets and can expose confidential information if proper controls are missing. A lack of stringent access controls, governance policies, and oversight can lead to sensitive data being revealed to unauthorized parties or even online. Real-world instances include AI revealing internal salary details or unreleased product designs during routine operations. The upcoming free webinar titled "Securing AI Agents and Preventing Data Exposure in GenAI Workflows" aims to address these issues by offering guidance on securing AI implementations. The session, hosted by Sentra's AI security experts, will discuss common AI misconfigurations and their causes, emphasizing the need for careful management of permissions and of the outputs of large language models (LLMs). The event targets professionals involved in AI development, deployment, or management, stressing the importance of proactive data protection measures in the era of GenAI.
2025-07-04 07:21:37 thehackernews DATA BREACH Google Fined $314M for Unauthorized Use of Android Users' Data
Google faced a court ruling requiring it to pay $314 million for unauthorized data transfers on Android devices, in violation of California law. The lawsuit began in August 2019, with plaintiffs claiming that Google used cellular data without permission, even when devices were idle. Plaintiffs demonstrated through experiments that Google's background data transfers consumed significant amounts of cellular data. The information transmitted included log files and app metrics, which the plaintiffs argued were not time-sensitive and could have been delayed until a Wi-Fi connection was available. The court sided with the plaintiffs, emphasizing that the data transfers imposed unnecessary costs on users for Google's benefit. Post-verdict, Google announced plans to appeal, stating that these data transfers are crucial for Android device performance and security. This court decision comes after Google's recent $1.4 billion settlement in Texas over similar privacy concerns involving location and facial recognition data.