Daily Brief

Total articles found: 11811

2025-06-30 18:31:30 | theregister | CYBERCRIME | IT Worker Jailed for Sabotaging Employer’s Network Post-Suspension
A British IT employee, Mohammed Umar Taj, was sentenced to over seven months in prison for intentionally disrupting his employer's network following his job suspension. Taj exploited retained network access to alter critical login and multi-factor authentication settings, causing significant operational disruption. The criminal activity resulted in roughly £200,000 in direct business losses and reputational damage to the company, affecting clients in Germany and Bahrain. Taj's retaliation involved changing access credentials, which left the company and its clients locked out of essential systems. The attack was thoroughly planned and logged by Taj, as revealed by phone call evidence retrieved by the police. Despite the incident, Taj is still listed as the director of TJ Performance, an electrical company based at his residence. The case highlights the ongoing problem of companies failing to immediately revoke the network access of terminated or suspended employees who hold privileged access rights.
2025-06-30 18:06:24 | bleepingcomputer | DATA BREACH | German Authorities Request Removal of DeepSeek AI Over GDPR Violations
The Berlin Commissioner for Data Protection has demanded that Google and Apple remove the DeepSeek AI application from their app stores due to GDPR non-compliance. DeepSeek, owned by the Beijing-based Hangzhou DeepSeek Artificial Intelligence, is accused of illegally collecting German users' data and transferring it to servers in China. Under GDPR Article 46(1), personal data transferred outside the EU must be protected to EU data protection standards, which China's lax data protection laws do not meet. Despite the app's popularity, with 50 million downloads on Google Play and numerous ratings on Apple’s App Store, it faces serious security and privacy challenges. The removal request follows DeepSeek's refusal to voluntarily withdraw its apps from German stores after a request on May 6. The Berlin authorities are leveraging Article 16 of the Digital Services Act to potentially enforce the application's removal through Apple and Google. Multiple German regulatory bodies, including state regulators and the Federal Network Agency, are coordinating on the matter.
2025-06-30 17:36:32 | theregister | CYBERCRIME | Scattered Spider Expands Target to Aviation After Hitting Insurance
Charles Carmakal of Mandiant has recently highlighted that the Scattered Spider cybercrime group, also known as UNC3944, is now targeting the aviation sector following its focus on the retail and insurance industries. Carmakal emphasized the necessity for the aviation industry to enhance security protocols, especially around help desk operations, to prevent social engineering attacks that could compromise multi-factor authentication (MFA) systems and access to sensitive employee details. Sam Rubin from Unit 42 of Palo Alto Networks corroborated these concerns, noting an uptick in social engineering attacks and suspicious MFA reset requests in the aviation sector and warning that immediate action is necessary. This shift in focus comes after cybersecurity incidents were reported by major airlines such as Hawaiian Airlines and Canada’s WestJet, which are still investigating the extent of the data potentially compromised. Previous targets in the insurance industry, including Aflac, Erie Indemnity, and Philadelphia Insurance Companies, reported cyber attacks and stressed ongoing investigations and enhanced monitoring, despite no direct evidence of ransomware being deployed. Aflac disclosed that social engineering tactics were involved in its breach, highlighting the sophisticated methods attackers use to infiltrate networks. Experts warn all sectors to bolster their cyber defenses, as Scattered Spider’s targeting is unpredictable and can change rapidly, underscoring the need for vigilance across all industries.
2025-06-30 16:37:50 | thehackernews | NATION STATE ACTIVITY | U.S. Warns of Escalating Iranian Cyberattacks on Critical Sectors
U.S. cybersecurity and intelligence agencies have issued warnings about increased cyber threat activity from Iranian state-sponsored groups targeting defense and critical infrastructure. Recent alerts from agencies including CISA, FBI, DC3, and NSA stress the importance of heightened security measures for Defense Industrial Base companies and entities with connections to Israeli organizations. Iranian threat actors commonly exploit weaknesses such as outdated software, unpatched systems, and weak passwords for initial access into networks. Their techniques include automated password guessing, exploitation of default manufacturer passwords, and the use of remote access tools and keyloggers for deeper network penetration. The groups also use system engineering tools to infiltrate Operational Technology (OT) networks, posing significant risks to industrial control systems. U.S. and Israeli firms face potential DDoS attacks and ransomware campaigns, accentuating the need for robust cybersecurity defenses. The advisory suggests preventative measures such as using tools to review external attack surfaces, ensuring systems are updated, and aligning with frameworks like MITRE ATT&CK to mitigate risks.
2025-06-30 16:07:08 | bleepingcomputer | DDOS | Microsoft Defender for Office 365 Targets Email Bombing
Microsoft Defender for Office 365 has introduced a feature to automatically detect and block email bombing attacks. This detection capability is designed to protect organizations from overwhelming quantities of emails meant to hinder operations or mask critical security threats. The update, rolled out in late June 2025, will apply to all users by late July without requiring manual configuration, with detected threats filtered directly to the Junk folder. Email bombing is typically used by cybercriminals to overload systems and facilitate subsequent phishing or malware attacks. Notable cybercrime groups like BlackBasta and ransomware affiliates such as 3AM and the FIN7 group have employed this tactic to compromise corporate networks. The new feature enhances visibility for security teams, helping them identify genuine threats amidst the flood of spam emails. The detections will be visible in various Microsoft Defender for Office 365 interfaces, including Threat Explorer and Advanced Hunting.
2025-06-30 15:40:17 | bleepingcomputer | RANSOMWARE | Switzerland Reports Government Data Leak Following Ransomware Attack
Switzerland's government announced a ransomware attack on Radix, a third-party organization, resulting in the theft of sensitive federal data. The data stolen from Radix was later published on the dark web; the Swiss National Cyber Security Centre (NCSC) is analyzing it to assess the impact on government agencies. Radix, a Zurich-based non-profit focused on health promotion, was compromised by the Sarcoma ransomware group on June 16. Sarcoma is known for phishing, exploiting old vulnerabilities, and targeting RDP connections to facilitate lateral movement within networks. After its extortion attempt failed, Sarcoma released 1.3TB of data, including financial records and contracts, freely on its leak portal as of June 29. Despite assurances from Radix about the security of partner data, impacted individuals are urged to remain vigilant against fraud attempts. This incident marks another significant breach involving the Swiss government's data, following a previous breach in May 2023 by the Play ransomware group. No immediate response was available from the NCSC regarding the details of the stolen data as the investigation continues.
2025-06-30 15:25:14 | thehackernews | CYBERCRIME | Europol Cracks Down on $540M Global Cryptocurrency Scam
Europol announced the dismantling of a substantial cryptocurrency fraud network, implicating five individuals and involving the laundering of approximately €460 million taken from over 5,000 victims worldwide. The large-scale operation involved cooperation between Spain's Guardia Civil and law enforcement from Estonia, France, and the U.S., with arrests made in the Canary Islands and Madrid. The syndicate employed a fraudulent investment strategy known as "pig butchering", using social engineering techniques such as fake trading platforms and scripted communications to exploit victims. The illicit funds were funneled through a complex system built around a Hong Kong-based corporation and banking network, with multiple accounts across various exchanges to obscure the money trail. The use of advanced technologies, including artificial intelligence, by criminal groups has escalated the sophistication and scale of such cyber-enabled frauds, posing unprecedented challenges to international law enforcement. INTERPOL's recent findings reveal that cybercrime constitutes over 30% of all reported crimes in some regions, underscoring the urgent need for enhanced legal and prosecutorial frameworks. Such scam operations often entrap individuals in Southeast Asia under the guise of legitimate employment and then coerce them into participating in internet scams.
2025-06-30 14:12:25 | bleepingcomputer | NATION STATE ACTIVITY | Canadian Government Orders Hikvision to Shut Down Over Security Concerns
The Canadian government has mandated Hikvision Canada Inc. to halt all operations, citing national security risks. This order was issued following a comprehensive National Security Review under the Investment Canada Act. No specific evidence was disclosed, but the decision is based on information from the national security and intelligence sectors. The government's directive also includes a prohibition on all governmental bodies and crown corporations from purchasing or using Hikvision equipment. Hikvision Canada, established in 2014, is known for its extensive range of security products and has faced prior scrutiny over potential espionage for the Chinese government. Hikvision has contested the Canadian government's decision, deeming it unjust and lacking evidence, transparency, and procedural fairness. The Canadian action specifically targets the use of Hikvision’s products by governmental entities and does not extend to products made by Hikvision’s affiliates outside of Canada. Canadian authorities advise the public to consider the government’s assessment when selecting surveillance technology.
2025-06-30 13:55:48 | bleepingcomputer | MISCELLANEOUS | Delays in Windows June 2025 Security Updates Due to Timestamp Error
Microsoft has identified a known issue causing delays in the distribution of the June 2025 Windows security updates due to incorrect metadata timestamps. The problem affects both Windows 10 and Windows 11 systems that use quality update deferral policies, which allow IT admins to delay installations. Although updates are intentionally delayed via deferral policies, the incorrect timestamp extends this delay unexpectedly, increasing the window of exposure to cybersecurity threats. The issue does not change the quality or functionality of the updates; it solely affects when they are received. Microsoft advises IT administrators either to create expedited deployment policies or to adjust the deferral settings to ensure timely delivery of the critical updates. The issue with the June 2025 updates arose despite earlier efforts by Microsoft to fix other update delivery issues across its Windows operating systems. Microsoft has stated that it will not correct the erroneous metadata timestamp and will instead rely on the suggested workarounds as the resolution.
2025-06-30 13:33:34 | thehackernews | NATION STATE ACTIVITY | Blind Eagle Exploits Proton66 Hosting for Phishing and RAT Deployment
Blind Eagle, identified as a persistent threat actor, exploits Russian bulletproof hosting service Proton66 to target Colombian banks through phishing and malware deployment. Trustwave SpiderLabs linked the threat actor to Proton66 by tracing digital assets and discovered an active cluster using Visual Basic Script (VBS) files for initial malware attacks. The attacker utilizes dynamic DNS services, rotating subdomains to avoid detection and continuously host malicious content, including phishing pages and VBS scripts. The VBS scripts serve as loaders for second-stage remote access trojans (RATs), such as AsyncRAT or Remcos RAT, leveraging encrypted executable files retrieved from remote servers. VBS, despite being considered outdated, remains effective for initial access on Windows systems due to its compatibility and stealthy operation. Phishing sites mimic legitimate Colombian financial entities to steal user credentials and sensitive information. Trustwave discovered a botnet panel associated with Blind Eagle’s infrastructure, indicating a sophisticated level of remote control over infected machines. Blind Eagle demonstrates adaptability in its operations, continuing its activities despite the deployment of security patches for exploited vulnerabilities.
2025-06-30 13:23:03 | theregister | NATION STATE ACTIVITY | Report Exposes Sinaloa Cartel's High-Tech Threat on FBI Ops
The Sinaloa drug cartel employed a cybercriminal to track and eliminate FBI informants using advanced surveillance technology. The hacker accessed mobile devices and Mexico City's camera systems to monitor and gather intelligence on FBI activities. A 2018 internal source revealed the cartel's tactics, including threats against and assassinations of cooperating witnesses. An audit highlighted the FBI's policy gaps and inconsistent approach to managing Ubiquitous Technical Surveillance (UTS) threats. Recent technological advancements have made it easier to exploit vulnerabilities in criminal investigations. The Department of Justice has expressed urgent concerns and pushed for an improved strategy and training to mitigate these threats. The FBI has elevated the risk level of technical surveillance threats and is working on a mitigation plan, though initial drafts faced criticism for inadequacies. Recommendations include establishing a clearer line of authority and leveraging the FBI's existing UTS expertise more effectively.
2025-06-30 13:23:02 | bleepingcomputer | CYBERCRIME | Europol Disrupts Massive Crypto Fraud Ring; Over $540 Million Laundered
Spanish authorities, aided by Europol and other international agencies, arrested five individuals linked to a $540 million cryptocurrency investment fraud. The criminal network is suspected of defrauding over 5,000 victims, using complex money laundering techniques involving obfuscation channels in Asia. The operation was part of a broader investigation with participation from law enforcement in Estonia, France, and the United States (Homeland Security Investigations, HSI). The syndicate allegedly operated a sophisticated corporate and banking infrastructure in Hong Kong to manage the illicit funds through various global exchanges. Europol highlighted the increasing use of artificial intelligence in online scams, noting a separate incident in which deepfake technology was used to promote fraudulent crypto investments. Recent reports by the FTC indicate a significant rise in online fraud in the U.S., with losses hitting a record $12.5 billion in 2024. The U.S. Department of Justice recently recovered $225 million from a related investment scam, showcasing the growing challenge and impact of cryptocurrency fraud.
2025-06-30 12:46:37 | bleepingcomputer | CYBERCRIME | FBI Alerts on Health Data Thefts by Fraud Investigator Impersonators
The FBI has issued a warning about cybercriminals impersonating health fraud investigators to steal personal and health information from Americans. Scammers contact victims through emails and texts, pretending to be from trusted healthcare authorities and pressing them to reveal sensitive data. These deceptive messages often involve requests for reimbursement of supposed overpayments or for services not covered by insurers. The FBI advises the public to be wary of unsolicited communications asking for personal information, to avoid clicking links in suspicious messages, and to use strong passwords and multi-factor authentication. Verifying directly with health insurers before sharing any data is recommended to avoid falling victim to these scams. According to the FTC, Americans lost nearly $3 billion to imposter scams in 2024, with a median loss of $800 affecting one in five victims. The FBI also reported a 33% increase in losses due to cybercrime in 2024, totaling $16.6 billion. The Department of Health and Human Services has noted similar schemes targeting the healthcare sector, including attacks on IT help desks and the redirection of bank transactions through social engineering.
2025-06-30 11:55:05 | bleepingcomputer | CYBERCRIME | Over 1,200 Citrix Servers Exposed to Authentication Bypass Flaw
Over 1,200 Citrix NetScaler ADC and Gateway appliances are vulnerable to a critical security flaw, CVE-2025-5777, named Citrix Bleed 2. This vulnerability allows threat actors to bypass authentication, hijack user sessions, steal session tokens and credentials, and access sensitive data by exploiting an out-of-bounds memory read issue. The original CitrixBleed vulnerability, exploited in 2023 in ransomware attacks and data breaches against governments, similarly targeted NetScaler devices. Citrix issued a security advisory urging customers to patch affected systems and terminate all active sessions to mitigate risks. According to the Shadowserver Foundation, over 2,100 appliances were still unpatched as of its recent analysis. ReliaQuest reported with medium confidence that this vulnerability is being actively exploited in targeted attacks, citing post-exploitation activity such as MFA bypass and suspicious session behaviour. Shadowserver also reported a separate vulnerability, CVE-2025-6543, affecting over 2,100 appliances and exploited in denial-of-service attacks. Citrix and cybersecurity firms urge the immediate application of patches and enhanced monitoring of NetScaler appliances to safeguard against potential exploits.
2025-06-30 11:08:34 | thehackernews | CYBERCRIME | Strengthening Security by Managing Non-Human Identity Secrets
Identity-based cyber attacks are increasingly leveraging stolen credentials, with 83% involving compromised secrets. Non-Human Identities (NHIs) such as API keys and service accounts significantly outnumber human identities, presenting a major security challenge due to their sheer volume and lack of robust authentication methods. Traditional identity and access management fails to address the unique needs and risks associated with NHIs, leading to inconsistent policy enforcement and significant security vulnerabilities. Utilizing secrets like API keys and tokens as unique identifiers for NHIs allows for better visibility, traceability, and lifecycle management, aligning with Zero Trust security frameworks. However, the proliferation of NHIs and their secrets has led to increased risks of leaks and unauthorized access, with millions of secrets exposed annually in public repositories. GitGuardian offers a solution for comprehensive NHI inventory management by detecting, attributing, and governing the lifecycle of secrets across diverse environments. The platform aims to transform reactive security measures into proactive governance, reducing the risk of identity-based attacks by improving visibility and control over NHIs and their associated secrets.