Daily Brief

2025-06-27 16:03:46 thehackernews NATION STATE ACTIVITY China-Linked Espionage Campaign Affected Over 1,000 SOHO Devices
More than 1,000 small office and home office (SOHO) devices have been compromised in a China-affiliated espionage campaign named LapDogs. The devices were infected with a custom backdoor named ShortLeash, which masquerades as an Nginx web server and impersonates the Los Angeles Police Department. Infections are widespread across the United States, Southeast Asia, Japan, South Korea, Hong Kong, and Taiwan, impacting sectors like IT, networking, real estate, and media. The campaign employs N-day vulnerabilities for initial access and has been active since at least September 6, 2023, with ongoing attacks. LapDogs operates through devices and services by manufacturers such as Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, and others. ShortLeash maintains persistence by embedding as a service file in the system directory, ensuring it remains active even after device reboots. There are similarities between LapDogs and another cluster called PolarEdge, though they are considered separate entities due to differences in infection and persistence tactics. The LapDogs network is linked to Chinese hacking group UAT-5918, indicating its use in targeted operations against Taiwanese targets.
2025-06-27 15:29:45 theregister MISCELLANEOUS Innovative Hack Turns Car into Video Game Controller
Pen Test Partners transformed a 2016 Renault Clio into a controller for the video game SuperTuxKart by manipulating Controller Area Network (CAN) data. The experiment aimed to provide a creative demonstration of handling and manipulating CAN data for automotive cybersecurity training. CAN data, which signals vehicle operations such as braking and acceleration, was decoded and mapped to game controls using Python. Challenges included adjusting the CAN bus to improve game control responsiveness and setting realistic in-game steering limits to avoid tire wear. Technical hurdles such as battery drainage, system crashes, and the vehicle's engine auto-shutoff feature were managed during the demonstration. Additionally, certain in-game functionalities like using items could not be integrated as they do not utilize CAN data signals. Overall, this project showcased an inventive application of vehicle data handling and cybersecurity principles in a gamified environment.
2025-06-27 14:38:02 bleepingcomputer MALWARE Critical Citrix Vulnerability Exploited in Recent Cyberattacks
A new vulnerability in Citrix NetScaler ADC and Gateway systems, known as "Citrix Bleed 2" (CVE-2025-5777), is likely being exploited. Cybersecurity firm ReliaQuest observed an increase in suspicious activity hinting at targeted attacks exploiting this flaw. Citrix Bleed 2 enables unauthorized access to sensitive data such as session tokens and credentials, potentially allowing attackers to hijack user sessions and sidestep multi-factor authentication. Although Citrix released patches for the vulnerability on June 17, 2025, there is medium confidence among experts that the vulnerability has been exploited in the wild prior to widespread patching. Citrix advised users to terminate all ICA and PCoIP sessions after applying updates to prevent access to possibly compromised sessions. Users unable to immediately install the security patches are recommended to limit external access to affected NetScaler devices through network ACLs or firewalls. Critical response actions include reviewing suspicious activity in active sessions and using specific commands to terminate these sessions securely.
2025-06-27 14:20:51 bleepingcomputer CYBERCRIME Critical Citrix Bleed 2 Vulnerability Likely Exploited in Recent Attacks
ReliaQuest has observed an increase in suspicious activity indicating potential exploitation of the Citrix Bleed 2 vulnerability (CVE-2025-5777). This vulnerability involves an out-of-bounds memory read, allowing unauthenticated attackers to steal session tokens and credentials, effectively hijacking user sessions and bypassing multi-factor authentication. Citrix addressed the vulnerability with a security update on June 17, 2025, but recent signs suggest that attackers are actively exploiting it. Beaumont initially named and highlighted the similarity of CVE-2025-5777 to a previous vulnerability, emphasizing the high risk of exploitation. Citrix recommends terminating all active ICA and PCoIP sessions after applying the security updates to prevent misuse of possibly hijacked sessions. Administrators should monitor and review active sessions for any unusual activity before terminating them to ensure security. In cases where immediate update installation is not feasible, it is advised to limit external access to the vulnerable Citrix devices through network ACLs or firewall rules.
2025-06-27 13:43:11 theregister DATA BREACH Ahold Delhaize Announces Data Breach Affecting 2.2M Individuals
Ahold Delhaize, a major global grocery and retail company, reported a significant data breach affecting approximately 2.2 million people, involving personal, financial, and health details. The breach occurred during a cyberattack in November and disrupted operations across various Ahold Delhaize brands including Food Lion and Stop & Shop. The breach primarily involved current and former employee data, but there's no mention of customer data theft in the disclosed notifications. Affected individuals, notably in the US, have been offered free credit monitoring and identity protection services for two years. The nature of the cyberattack is suspected to be ransomware, with the group "INC Ransom" claiming responsibility and leaking documents online. Ahold Delhaize has engaged external cybersecurity experts to secure the affected systems and continues to investigate and fortify their digital security measures. This breach adds to the ongoing challenges faced by the retail sector with cybersecurity experts highlighting the substantial financial and operational impacts of cyberattacks.
2025-06-27 13:27:40 thehackernews NATION STATE ACTIVITY Mustang Panda's Cyber Espionage Campaign Targets Tibetan Community
Mustang Panda, linked to China, has launched a cyber espionage campaign aimed at the Tibetan community. Spear-phishing emails with content related to Tibet were used to distribute malware including PUBLOAD and Pubshell. IBM X-Force tracks the threat under the name Hive0154, with observed tactics including DLL side-loading for malware deployment. The campaign employs decoy documents and executable files to infect systems and facilitate remote access via a lightweight backdoor known as Pubshell. Mustang Panda's activities span various nations, targeting government and military sectors with similar weaponized files delivered through Google Drive. Recent iterations of their attacks also used a USB worm called HIUPAN to spread malware through removable drives. Security experts noted the sophistication, development frequency, and extensive malware toolset of Mustang Panda, emphasizing ongoing threats to East Asia-based organizations.
2025-06-27 11:04:55 thehackernews MISCELLANEOUS Enhancing SOC Efficiency with Agentic AI Analysts
Security operations centers (SOCs) are facing increasing threats with limited budgets, necessitating more efficient operations. Agentic AI SOC Analysts automate routine tasks, reduce false positives, and enable reallocation of human analysts to more critical tasks, aligning with business goals of resilience and efficient growth. The global shortage of skilled cybersecurity workers, estimated at 4 million, exacerbates the need for AI in improving SOC productivity and effectiveness. AI-driven analysts can help reduce false positive alerts by up to 90%, allowing human analysts to focus on high-risk activities and strategic initiatives. By automating tasks like log analysis and evidence linking, AI SOC Analysts boost investigation speeds and the overall throughput of security teams. Advanced AI systems continuously learn and adapt, improving the accuracy of threat investigations and reducing false positives over time. Prophet Security's agentic AI platform helps integrate AI capabilities into existing security stacks, enhancing return on investment (ROI) and training junior analysts through consistent, methodical investigative processes. Organizations leveraging AI-driven SOC analysts can significantly improve key SOC performance metrics, directly impacting their security posture and business outcomes.
2025-06-27 10:33:30 thehackernews NATION STATE ACTIVITY Chinese Hacker Group Launches Malware via Fake Software Sites
A Chinese hacking group, Silver Fox, used fake websites to distribute malware, targeting Chinese language speakers. The malicious software involved includes the Sainbox RAT, a variant of Gh0st RAT, and the Hidden rootkit, derived from an open-source project. The campaign employed fake websites mimicking popular software platforms such as WPS Office and Sogou to attract victims. Infected MSI installers from these sites deploy a legitimate file, which then loads a malicious DLL to execute the malware. This method of attack has been used by Silver Fox before, as noted in previous campaigns targeting similar demographic profiles with similar tools. The Sainbox RAT contained within the malware provides data theft and download capabilities, while the Hidden rootkit focuses on concealing malicious activity. Netskope researchers have analyzed the techniques, linking this activity to prior incidents tied to the same group with medium confidence.
2025-06-27 09:15:44 bleepingcomputer DATA BREACH Ahold Delhaize Faces Data Breach Impacting Over 2 Million Individuals
Ahold Delhaize, a major global food retailer, experienced a ransomware attack in November, affecting its U.S. operations. Personal, financial, and health information of approximately 2.2 million people was compromised during the breach. The data breach included internal records and varied personal information from employment files within Ahold Delhaize USA companies. The INC Ransom ransomware group, a known RaaS operation targeting both public and private sectors globally, is believed to be behind the attack. The breach affected several Ahold Delhaize USA brands, impacting certain pharmacies and e-commerce operations. Ahold Delhaize has not yet confirmed if customer information was directly affected but has disclosed the breach details to Maine's Attorney General. This incident adds to INC Ransom's growing list of victims, evidencing a focus shift to U.S.-based organizations, particularly in healthcare.
2025-06-27 07:51:11 thehackernews CYBERCRIME Surge in Threats to MOVEit Transfer Systems Detected Globally
Threat intelligence firm GreyNoise has observed a significant increase in scanning activities targeting MOVEit Transfer, a popular secure file transfer system, beginning on May 27, 2025. The number of scanning IPs surged from fewer than 10 daily to over 300 IPs on some days, indicating potential preparations for a mass exploitation campaign. MOVEit Transfer, widely used by businesses and government bodies to transmit sensitive data, has become increasingly targeted due to its high-value information handling. In recent scans, 682 unique IPs were flagged for suspicious activities, with a majority located in the United States, Germany, and other countries. GreyNoise reported attempts to exploit previously known vulnerabilities in MOVEit Transfer, specifically CVE-2023-34362 and CVE-2023-36934, warning that these could be leveraged in attacks similar to past ransomware campaigns by Cl0p. Recommendations for organizations include checking internet-exposed components of MOVEit systems, monitoring for anomalies in logs since late May, and promptly updating software to mitigate threats.
2025-06-27 06:37:30 thehackernews MALWARE OneClik Malware Campaign Utilizes Microsoft ClickOnce in Energy Sector
OneClik malware leverages Microsoft ClickOnce deployment technology and Golang backdoors for attacks on the energy sector. The campaign shows signs of association with Chinese-affiliated threat actors, using tactics that avoid detection by blending in with legitimate cloud and enterprise tools. Phishing attacks deliver a .NET-based loader, OneClikNet, which deploys RunnerBeacon, a sophisticated Go-based backdoor that communicates with obscured AWS-hosted infrastructure. RunnerBeacon supports multiple command-and-control communication protocols, has anti-analysis features, and provides capabilities for lateral movement within infected environments. Notable similarities between RunnerBeacon and known Cobalt Strike beacons suggest that it may be an evolved or modified variant of those tools. Multiple versions of the OneClik malware have been observed, demonstrating ongoing development and improvement of its evasive capabilities. There is no formal attribution to a specific threat actor, although similar techniques have previously been linked to actors from China and North Korea. Related global cybersecurity efforts have also identified separate malicious campaigns exploiting ClickOnce and vulnerabilities in web-based email platforms by threat actors such as APT-Q-14.
2025-06-27 06:29:44 bleepingcomputer CYBERCRIME UNFI Recovers from Cyberattack Impacting Core Systems and Sales
UNFI has successfully restored its core systems after a cyberattack disrupted its electronic ordering and invoicing systems. The company experienced reduced sales volume and elevated operational costs as it worked to provide solutions for its customers. The cyberattack, publicly revealed after disruptions became evident on social media, did not involve a breach of personal or protected health information. UNFI anticipates the financial impact of the incident might affect its net income and adjusted EBITDA for the fiscal fourth quarter of 2025. The company is backed by cybersecurity insurance, expected to cover the incident adequately, with the claim process extending into the fiscal year 2026. In response to the attack, UNFI has engaged external cybersecurity experts and notified law enforcement. The attack led to significant disruptions, with some systems taken offline and employees' shifts canceled. Despite not disclosing specific details of the attack or any ransomware links, UNFI confirms ongoing recovery and normalization of its delivery services.
2025-06-27 05:42:53 bleepingcomputer CYBERCRIME Hawaiian Airlines Cyberattack: Systems Impacted, Flights Unaffected
Hawaiian Airlines, a major U.S. carrier, is currently investigating a recent cyberattack that targeted some of its IT systems. Despite the cyberattack, the airline has confirmed that flight operations and safety remain unaffected. The airline has engaged external cybersecurity experts and relevant authorities to assist in assessing the impact and to facilitate restoration of the affected systems. A notification on both the Hawaiian Airlines and Alaska Airlines websites assures customers that service and safety levels remain stable. The Federal Aviation Administration (FAA) is closely monitoring the situation and has also confirmed that there are no safety impacts. The specifics of the cyberattack, such as whether it involved ransomware or was a preventive shutdown in response to a detected breach, have not yet been disclosed by the airline. This incident follows a similar cyberattack on WestJet, indicating a potential pattern of cyber threats against the aviation sector. Hawaiian Airlines continues to work on restoring full functionality and promises updates as further details become available.
2025-06-26 19:04:35 theregister DATA BREACH British Hacker Faces Extradition for Global Data Theft Spree
Kai West, alias IntelBroker and Kyle Northern, a 25-year-old UK national, has been charged with multiple cybercrimes, including data theft causing significant financial damage. The FBI traced a Bitcoin wallet and personal email usage to identify West as the perpetrator behind the breaches. IntelBroker allegedly compromised over 40 victims globally, including major corporations like Nokia, Apple, and the US Army, leading to at least $25 million in damages. Stolen data included sensitive healthcare information, impacting patient care after a breach in March 2023. West's activities were primarily facilitated through BreachForums, a site known for cybercrime activity, where he acted as an administrator. He was arrested in Paris along with four other BreachForums administrators; US authorities are now pursuing West's extradition. Some of the charges against West carry penalties of up to 20 years in prison if he is found guilty.
2025-06-26 18:39:25 theregister MISCELLANEOUS Analyzing Business Risks of Overreliance on Microsoft Services
Miroslav Homer, a Czech developer and pen-tester, discussed strategic vulnerabilities arising from heavy dependence on Microsoft and other U.S. cloud services. Homer urges reconsidering digital sovereignty and reducing reliance on American technology giants to mitigate security and operational risks. He uses incidents such as Microsoft's alleged blocking of an email account belonging to the ICC Chief Prosecutor to highlight potential disruptions. The article assesses the risks quantitatively using Return on Security Investment and compares them to events like the CrowdStrike outage, illustrating substantial potential financial impacts. Homer critiques the general lack of technological literacy among key decision-makers and stresses the importance of understanding the financial implications of technology dependencies. The prevalence of Android and its tie to Google accounts is cited as another example of overwhelming dependency on U.S. tech firms. Homer seeks to challenge prevailing mindsets and assumptions about technology choices in business through quantitative risk evaluation.