Daily Brief

2025-07-02 08:58:16 thehackernews NATION STATE ACTIVITY U.S. Sanctions Russian Host for Cybercrime and Ransomware Support
The U.S. Treasury has sanctioned Aeza Group, a Russian bulletproof hosting provider, and its affiliates for aiding cybercriminals. The sanctions target Aeza's involvement in ransomware deployment, technology theft, and illicit drug market operations on the dark web. Key figures arrested include Penzev, charged with leading a criminal organization, and employees Bozoyan, Orel, and Zubova. Aeza Group's services help cybercriminals host phishing sites and command-and-control servers and evade law enforcement action. Aeza is accused of providing infrastructure to malware families targeting U.S. defense industries and other victims worldwide. The report also notes that Aeza's infrastructure has been used by pro-Russian operations and other criminal activity. The sanctions are part of broader efforts by the U.S. and international partners to dismantle the support networks for cybercriminals.
2025-07-02 08:36:04 theregister NATION STATE ACTIVITY UK Updates Laws in Response to Subsea Cable Threats
The UK government plans to update laws, including the Submarine Telegraph Act of 1885, in response to threats from cyberattacks and subsea cable sabotage. A recent Strategic Defence Review proposes new legislation to address state-sponsored cybercrime and the risk to undersea infrastructure. The old legislation, which imposes only a £1,000 fine for damage, is deemed inadequate for modern threats, including grey-zone activity that falls below the threshold of armed conflict. Incidents in the Baltic Sea, including suspected Russian sabotage of underwater data cables, have escalated concerns and highlighted vulnerabilities. An increase in fines is proposed, and a draft of new legislation involving the Ministry of Defence and the Department for Science, Innovation and Technology is expected. The ambiguity over what constitutes an act of war in the context of cyberattacks and subsea sabotage makes international responses challenging. Future legislation will seek a balance between civil and military approaches to enhance national security and ensure readiness for escalating threats.
2025-07-02 05:54:55 thehackernews CYBERCRIME AI-Powered Phishing: Cybercriminals Exploit Vercel's v0 for Fake Pages
Unknown cybercriminals have utilized v0, an AI tool by Vercel, to create authentic-looking phishing sites impersonating reputable brands. This development marks a significant evolution in cybercrime, where generative AI is now being used to simplify and accelerate the production of phishing attacks. Vercel's v0 tool, designed for easy creation of web content via natural language prompts, has been misused to generate functional fake login pages without coding expertise. The ease of use of tools like v0 enables even less technically skilled individuals to launch sophisticated phishing operations that convincingly mimic legitimate websites. In addition to utilizing Vercel’s infrastructure for hosting fake sites, criminals also hosted illicit resources such as stolen logos to enhance the authenticity of their phishing pages. Following responsible disclosure practices, Vercel has blocked access to the identified malicious sites. There is a broader trend of malicious actors leveraging uncensored or custom-developed large language models (LLMs) to bolster their cybercriminal activities. The incident underscores a growing shift in phishing tactics, leveraging AI technology to scale and enhance the effectiveness of cyber attacks.
2025-07-02 01:42:11 theregister DATA BREACH Qantas Cyberattack Exposes Data of Six Million Customers
Qantas detected unusual activity on a third-party platform on June 30, indicating a cyberattack. Information on six million customers, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers, was compromised. No credit card details, personal financial information, or passport details were stored on the affected system. Qantas is still determining the full extent of the data theft but expects it to be significant. The airline has confirmed that its operations and other systems remain secure despite the breach. Qantas is actively investigating the incident and plans to notify potentially affected customers. The incident could affect numerous commercial partners linked with Qantas' frequent flyer program. This cyberattack could rank among Australia's significant data breaches, alongside recent high-profile cases such as Medibank and Optus.
2025-07-02 01:03:29 bleepingcomputer DATA BREACH Qantas Announces Major Data Breach Involving Customer Information
Qantas, Australia's largest airline, disclosed a cyberattack on a third-party platform affecting customer data. The breach, detected on a Monday, involved unauthorized access to a customer service platform used by a Qantas contact center. Significant amounts of customer data were stolen, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. No financial information or secure login details for frequent flyer accounts were compromised. Qantas promptly reported the incident to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. The incident bears similarities to attacks by the hacker group "Scattered Spider," which has been targeting the aviation sector. Security experts recommend enhancing defenses across infrastructure, identity systems, and third-party vendor platforms in response to such threats.
2025-07-01 20:25:45 bleepingcomputer CYBERCRIME AT&T Introduces New "Wireless Lock" to Prevent SIM Swap Attacks
AT&T has launched a security feature named "Wireless Lock" aimed at safeguarding customers from SIM swap attacks by blocking changes to customer accounts and phone number porting. While the lock is enabled, no modifications can be made to a user's phone number, billing information, authorized users, or phone line transfers; the lock must be disabled first. Previously tested with a select group of customers, the feature is now available to all AT&T subscribers. SIM swap fraud involves cybercriminals transferring a victim's phone number to a device they control, giving them access to calls, texts, and, crucially, multi-factor authentication codes. This measure by AT&T comes considerably later than similar offerings from other telecom giants such as Verizon, which introduced one nearly five years ago. SIM swap attacks have been linked to significant thefts, including a notable 2020 case in which over $794,000 in cryptocurrency was stolen. The FCC implemented new regulations in 2023 requiring tighter identity verification for SIM swaps and number transfers to further combat this type of cybercrime.
2025-07-01 19:11:56 bleepingcomputer MISCELLANEOUS Microsoft Releases VS Code Copilot Chat as Open Source
Microsoft has open-sourced the GitHub Copilot Chat extension for Visual Studio Code, making the source code publicly available under the MIT license. This release provides transparency on how the AI-based coding assistant operates, including its "agent mode," the data sent to large language models, and the design of its system prompts. The decision to open-source the extension marks a key step in Microsoft's strategy, first outlined in May 2025, to incorporate artificial intelligence directly into its popular code editor. GitHub Copilot Chat, using a GPT-4-based model, assists developers by allowing them to chat with the AI model within VS Code, enhancing coding efficiency. The repository also provides details on telemetry collection mechanisms, increasing transparency regarding data privacy and usage in AI tools. The extension has gained significant popularity, with over 35 million installations, reflecting the growing trend of LLM-assisted coding solutions. Despite the open-sourcing of the Copilot Chat extension, the original GitHub Copilot extension remains proprietary, with plans to merge its features into the open-source module in the future. Developers are encouraged to explore, contribute to, and provide feedback on the open-sourced project, with comprehensive documentation and FAQs provided to support them.
2025-07-01 19:06:08 theregister MISCELLANEOUS Microsoft Intune Update Causes Customization Reset Issues
Microsoft Intune, a cloud-based endpoint management service, is experiencing an issue in which security baseline customizations are not preserved during updates. Administrators using Intune are advised to manually reapply their customizations after updating baseline policies because of this glitch. The problem specifically affects those who update their security baseline to a newer version, such as from 23H2 to 24H2. Microsoft Intune is used by organizations to manage device configurations and policy updates, competing with traditional on-premises tools. The issue poses significant inconvenience and potential workflow interruptions for IT administrators who rely on specific customized settings. Microsoft acknowledges that the default values the baseline reverts to may not align with every organization's operational needs. Microsoft has not yet provided a permanent fix; the only solution offered is a temporary manual adjustment by administrators.
2025-07-01 18:04:59 thehackernews CYBERCRIME Critical AI Tool Vulnerability Threatens Developer Machines
A critical vulnerability in Anthropic's Model Context Protocol (MCP) Inspector allows remote code execution (RCE). The vulnerability, identified as CVE-2025-49596, carries a CVSS score of 9.4. Attackers could exploit this flaw to steal data, install backdoors, and move through networks undetected. The MCP Inspector is a key tool for debugging AI applications, but its default configuration had significant security weaknesses, including missing authentication and encryption. The exploit chains a known web browser flaw (0.0.0.0 Day) with a cross-site request forgery (CSRF) in MCP Inspector, allowing attackers to execute arbitrary code when a victim merely visits a malicious website. The MCP team released a security update (version 0.14.1) that adds security measures such as session tokens and origin validation to close the vulnerability. Before the fix, MCP servers were susceptible to DNS rebinding and CSRF attacks because the default settings exposed them to the public Internet. Following a responsible disclosure process, the security patch was released on June 13, 2025, after discovery and coordination with cybersecurity experts.
2025-07-01 17:31:52 bleepingcomputer DATA BREACH Over Half a Million Affected in Kelly Benefits Data Breach
Kelly Benefits reported a data breach affecting 553,660 individuals, revising earlier estimates. Unauthorized access to its IT systems occurred between December 12 and 17, 2024. The stolen data includes names, Social Security numbers, and medical and financial information. The breach involved 46 entities, complicating the investigation and notification process. Those affected are at increased risk of phishing, scams, and identity theft. Affected individuals were offered 12 months of free credit monitoring and identity theft protection. The complexity of the breach highlights ongoing challenges in securing sensitive customer data.
2025-07-01 17:09:16 bleepingcomputer CYBERCRIME U.S. Sanctions Russian Firm for Hosting Cybercrime Operations
The U.S. Department of the Treasury has imposed sanctions on the Russian hosting company Aeza Group for alleged involvement in various cybercriminal activities. Aeza Group, along with four of its operators, is accused of functioning as a bulletproof hosting service, which ignores abuse complaints and law enforcement requests, aiding cybercriminal activities. The sanctioned entity is linked to hosting services for the BianLian ransomware gang, RedLine infostealer operations, and BlackSprut, a darknet drug market. The sanctions also target Aeza International Ltd., Aeza Logistic LLC, and Cloud Solutions LLC, freezing their assets in the U.S. and prohibiting American companies from doing business with them. Prior to these sanctions, some members of Aeza were arrested for illegal banking activities and their involvement in hosting the BlackSprut drug marketplace. The sanctions build on previous U.S. actions from February, which targeted other bulletproof hosting providers associated with the LockBit ransomware gang and various cybercriminals. Aeza was also implicated in the "Doppelgänger" Russian disinformation campaign that mimicked legitimate media sites to spread propaganda in the West.
2025-07-01 16:38:40 theregister NATION STATE ACTIVITY International Criminal Court Thwarts Serious Cyber Espionage Attempt
The International Criminal Court (ICC) reported a sophisticated cyberattack aimed at espionage, the second such incident since 2023. This recent cyberattack resembles a previous one that targeted the ICC while it was investigating war crimes related to Russia's activities in Ukraine. The ICC has taken measures to contain the attack and mitigate its effects, though specific details of the attack were not disclosed. The incident has heightened existing security concerns, amid the ICC's active investigations and prosecutions of high-profile war crime cases worldwide, including those involving top Israeli and Russian leaders. In related developments, tensions with the U.S. have escalated, especially after retaliatory sanctions were placed on ICC judges following the issuance of arrest warrants for prominent figures. The ICC emphasizes the importance of public and international support in upholding its mandate of justice and accountability amid ongoing global political tensions. The UN High Commissioner for Human Rights has criticized the U.S. sanctions against ICC judges, calling for respect for judicial independence and the rule of law.
2025-07-01 16:38:39 bleepingcomputer MALWARE New FileFix Attack Exploits Windows Browsers to Run Malicious Scripts
A security researcher, mr.d0x, has identified a new FileFix attack method that exploits how browsers save HTML files to bypass Windows' Mark of the Web (MoTW) security alerts. The attack tricks users into saving a web page and renaming it to a .HTA file, which executes embedded JScript through the Windows utility mshta.exe. MoTW normally flags files downloaded from the internet, but pages saved directly by browsers as "Webpage, Complete" are not marked, circumventing this protection. The social engineering component involves convincing users to save a malicious web page under deceptive pretexts, such as claiming the file backs up multi-factor authentication codes. Opening the .HTA file then leads to immediate script execution without security warnings, leveraging the legacy HTML Application (.HTA) file type. Recommended mitigations include disabling mshta.exe, making file extensions visible to users, and blocking HTML attachments in email. Despite the sophistication of cloud threats, simple social engineering tactics like this remain effective at breaching security defenses.
2025-07-01 16:30:24 thehackernews MALWARE Tactical Overlap in Malware Operations by TA829 and UNK_GreenSec
TA829 and UNK_GreenSec demonstrate significant overlaps in infrastructure and attack methods in recent cybersecurity threats. Both groups leverage phishing campaigns with spoofed emails and malicious links to deliver malware, including RomCom RAT and TransferLoader. The tactics include the use of compromised MikroTik routers for REM Proxy services, enhancing their ability to relay traffic and evade detection. The attackers target victims through sophisticated email schemes, using dynamically generated email addresses and embedded links leading to fake cloud storage pages. Their malware deployment strategies involve multiple redirections to filter out non-target systems and deliver different payloads based on the victim's profile. Proofpoint's analysis indicates a mixture of cybercrime and espionage, showing blurred lines between purely criminal and state-sponsored activities. The complexity and similarity in the modus operandi of both groups suggest potential collaboration or shared resources, though definitive evidence linking the two groups directly remains insufficient.
2025-07-01 14:24:25 bleepingcomputer CYBERCRIME International Criminal Court Faces Sophisticated Cyberattack
The International Criminal Court (ICC) recently announced that it is investigating a sophisticated cyberattack targeting its systems. Detected last week, the incident was quickly identified and contained using the ICC's detection and response mechanisms. This event marks the second significant cyber threat against the ICC in recent years, following a cyber espionage incident in September 2023. A comprehensive impact analysis of the recent incident is underway, with steps being taken to mitigate any potential effects. The ICC has not disclosed specifics of the attack, including its nature, its direct impact on systems, or whether any data was accessed or exfiltrated. Despite the increasing frequency and sophistication of the attacks, the ICC has not found any evidence linking the previous breaches to specific espionage groups. The ICC emphasizes the importance of public and internal transparency in these incidents and seeks continued support in bolstering its cyber defenses.