Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11812
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-26 08:48:46 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Use AI for Phishing Attacks on Israeli Experts | The Iranian group APT35, linked to the Islamic Revolutionary Guard Corps, is targeting Israeli technology professionals and academics with tailored phishing.
Victims are contacted by email and WhatsApp and steered to fake Gmail and Google Meet login pages.
The activity, attributed to the threat cluster tracked as Educated Manticore, uses AI-crafted messages that play on current geopolitical tensions.
The phishing kit is a React-based single-page application that exfiltrates entered data in real time over WebSocket connections and includes a passive keylogger.
The operators build rapport over time before sending the malicious link; the kit is designed to harvest credentials and defeat two-factor authentication.
Because the fake sites closely mimic Google's real pages, they are effective at credential theft.
The campaign has run since mid-June 2025 and reflects increased cyber activity following the recent escalation in Iran-Israel tensions.
Check Point notes that Educated Manticore remains persistent and adaptable despite increased efforts to take down its operations. | Details |
| 2025-06-26 08:39:54 | bleepingcomputer | CYBERCRIME | Critical Vulnerability in AMI MegaRAC Exploited, Servers at Risk | The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in AMI's MegaRAC BMC firmware, which is used for remote server management.
The flaw, tracked as CVE-2024-54085, lets unauthenticated attackers bypass authentication on the BMC, take control of the server, deploy malware, and cause physical damage to server components.
This vulnerability impacts several server vendors including HPE, Asus, and ASRock, affecting cloud service providers and data centers globally.
Security firm Eclypsium discovered the vulnerability while analyzing patches for an earlier issue and noted that exploit development is relatively straightforward because the firmware binaries are not encrypted.
When AMI issued patches in March, more than 1,000 servers were potentially exposed to this threat.
CISA has added this bug to its Known Exploited Vulnerabilities catalog and mandates Federal Civilian Executive Branch agencies to patch affected systems within three weeks.
While the directive specifically targets federal agencies, CISA advises all network defenders to prioritize patching this severe vulnerability to prevent potential breaches and significant operational risk. | Details |
| 2025-06-26 08:33:04 | theregister | MISCELLANEOUS | Supermarket Chain Implements Facial Recognition to Deter Crime | Iceland, a UK-based frozen food retailer, is trialing facial recognition technology (FRT) in two of its stores to reduce crime.
The technology, provided by Facewatch, is running at the two pilot locations, with a wider rollout planned.
FRT connects to a database containing images of individuals suspected of prior crimes at participating stores, aiming to enhance security.
If no match occurs within the system, the technology deletes the unverified images to protect shopper privacy.
Iceland's CEO, Richard Walker, defends the use of FRT, citing protection against organized retail crime and the need to safeguard store employees.
Privacy advocacy groups express concerns, suggesting FRT infringes on personal privacy and treats all customers as suspects.
The Information Commissioner's Office advises that the use of FRT should be balanced, adhering to privacy rights and ensuring compliance with data protection laws.
Instances of mistaken identity and improper management of personal data have been reported, raising questions about the technology’s deployment and oversight. | Details |
| 2025-06-26 07:52:56 | theregister | NATION STATE ACTIVITY | Iranian Cyber Group Targets Israeli Experts in Phishing Scam | The Iranian group Charming Kitten has launched a spear-phishing campaign targeting Israeli journalists, cybersecurity experts, and computer science professors.
The campaign, attributed to Iran's Islamic Revolutionary Guard Corps, began after Israel's air strikes on Iran.
Over 130 unique domains were created for the campaign, each targeting individual victims, with the aim of stealing credentials.
Fake communications were sent via email and WhatsApp, impersonating analysts from Israeli cybersecurity firms and discussing topics like cyberthreats to energy infrastructure.
Some phishing messages suggested in-person meetings to discuss cybersecurity strategies, potentially extending the threats beyond cyberspace.
Phishing sites mimicked Gmail login pages and Google Meet invitations, aiming to capture victims' credentials and enable full account takeovers.
Check Point Research has listed all domains involved and other indicators of compromise in a detailed report. | Details |
| 2025-06-26 07:20:13 | thehackernews | CYBERCRIME | Cyber Attacks Target African Banks Using Open-Source Tools | Cybersecurity experts have identified an ongoing series of cyber attacks on financial institutions across Africa since July 2023.
Attackers use a mix of open-source and publicly available tools to gain initial access, then potentially sell that access on dark web forums.
Palo Alto Networks' Unit 42, which monitors these incidents, tracks the campaign as CL-CRI-1014; the CRI designation indicates a criminal motive.
The actors employ PoshC2 for command and control, Chisel for tunneling, and Classroom Spy for remote administration, often disguising these tools as legitimate software such as Microsoft Teams.
Techniques for initial network breaches remain unclear, but subsequent actions involve deploying further malware, stealing credentials, and establishing control over networked machines.
Security firms also noted previous similar incidents, including a campaign named DangerousSavanna targeting financial sectors in several other African countries.
Additional global cybersecurity concerns were raised with the emergence of a new ransomware group, Dire Wolf, affecting multiple sectors across various countries. | Details |
| 2025-06-26 06:05:15 | thehackernews | CYBERCRIME | CISA Updates KEV Catalog with Three Newly Exploited Vulnerabilities | CISA added three vulnerabilities to its KEV catalog, citing evidence of active exploitation in products from AMI (MegaRAC), D-Link, and Fortinet.
Eclypsium disclosed a significant flaw in AMI MegaRAC firmware, potentially allowing widespread malicious activities like malware deployment and firmware tampering.
D-Link DIR-859 routers, which are no longer supported as of December 2020, will not receive patches for the exploited vulnerabilities, increasing risks for users.
CVE-2024-0769, identified in the D-Link router, was used in attacks aiming to extract user details such as account names and passwords.
Attackers have used CVE-2019-6693 in Fortinet's FortiOS for initial access in Akira ransomware attacks.
Federal agencies must apply the required mitigations by the July 2025 deadline that accompanies these KEV additions. | Details |
| 2025-06-26 04:41:24 | thehackernews | MISCELLANEOUS | WhatsApp Introduces AI-Powered Message Summaries in the US | WhatsApp has launched a new AI feature called Message Summaries to help users preview unread messages quickly.
The feature uses Meta AI to provide summaries and is initially available in English to U.S. users, with future plans for global expansion.
Message Summaries is optional, disabled by default, and can be activated or customized with "Advanced Chat Privacy" settings.
The underlying technology, Private Processing, is designed so that message contents are not exposed to any third party, Meta included.
Private Processing runs inside a confidential virtual machine (CVM) serving as a Trusted Execution Environment (TEE), and requests from the user's device reach it through a third-party relay using Oblivious HTTP (OHTTP), so Meta cannot tie a request to a user's IP address.
According to Meta, neither WhatsApp nor Meta can read the messages being summarized.
The introduction coincides with heightened security scrutiny, evidenced by the U.S. House of Representatives banning WhatsApp on government-issued devices. | Details |
| 2025-06-25 23:57:59 | bleepingcomputer | CYBERCRIME | British Hacker Charged for $25M Global Cybercrime Damages | British national Kai West, alias "IntelBroker," has been charged in the U.S. with cybercrimes that caused an estimated $25 million in damages.
West allegedly stole and sold sensitive data from government agencies, companies, and critical infrastructure globally.
The data included health records, telecommunications, and cybersecurity firms’ internal files, among others.
Breaches linked to West include major entities like Europol, General Electric, and AMD.
U.S. Department of Justice claims the damages affected dozens of victims; IntelBroker faces a potential 25-year prison term.
West's identity was confirmed by an FBI agent purchasing a stolen API key, which led to tracing his financial transactions.
The FBI's investigation tied West to the IntelBroker persona using digital and physical evidence, including invoices and a UK driver's license.
IntelBroker had administrative roles at BreachForums, a notable hacking forum, before stepping down recently. | Details |
| 2025-06-25 22:00:32 | bleepingcomputer | MALWARE | Hackers Exploit ScreenConnect with Malware Using Authenticode Stuffing | Threat actors have tampered with the Authenticode signature area of ConnectWise ScreenConnect installers to produce signed malware capable of remote access.
The malicious configuration is placed in the installer's certificate table, a region the Authenticode hash does not cover, so the binary keeps its valid digital signature.
G DATA researchers identified the malicious binaries and noted that they differ from legitimate builds only in the certificate table, so they share the same Authenticode hash and signature while their file hashes differ.
Victims reported falling for phishing tactics involving PDFs or links on Canva that directed to the malicious executable hosted on Cloudflare’s R2 servers.
The infected ScreenConnect client was disguised with UI elements like a fake Windows Update screen to deceive users.
ConnectWise revoked the certificates used in these attacks after being contacted by G DATA, which detects the malware as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*.
Another similar misuse involved trojanized SonicWall NetExtender VPN clients aimed at stealing login credentials.
ScreenConnect and SonicWall users are urged to download software exclusively from official sources to avoid such security risks. | Details |
| 2025-06-25 21:12:29 | theregister | CYBERCRIME | Citrix Issues Urgent Patches for Two Critical Vulnerabilities | Citrix released emergency patches for two critical vulnerabilities affecting NetScaler ADC and Gateway products, with one already exploited as a zero-day.
The newer vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 and is described as unintended control flow that can lead to denial of service.
CVE-2025-6543 exploitation led to unauthorized access before Citrix could distribute fixes, indicating attacks beyond simple denial-of-service outcomes.
Security experts observed that patching might not remove potential backdoors installed during the exploitation period, posing ongoing risks.
The earlier vulnerability, CVE-2025-5777, also critical, could permit attackers to read session tokens or sensitive data without authentication.
Charles Carmakal from Mandiant Consulting emphasized the necessity of not only patching but also terminating active sessions to fully mitigate risks, learning from past exploitations leading to espionage or ransomware deployment.
Citrix has been slow to respond to inquiries about the specifics of the exploits and the extent of the breaches or the measures needed beyond patching. | Details |
| 2025-06-25 20:37:18 | bleepingcomputer | MALWARE | Stealth Attacks Exploit Microsoft ClickOnce and AWS Services | Attackers are abusing Microsoft's ClickOnce deployment technology and AWS services in a malicious campaign, dubbed OneClik, that targets the energy sector.
The OneClik campaign uses custom Golang backdoors and .NET-based loaders to deploy malware while staying stealthy.
The backdoor, named RunnerBeacon, uses AWS CloudFront, API Gateway, and Lambda to mask its command-and-control communications.
Researchers at Trellix traced the malware’s evasion techniques and sophisticated payloads designed to avoid analysis and detection.
OneClik campaign likely linked to a China-affiliated state actor, based on techniques and similarities to past campaigns.
The malware design and operations mirror tactics in previous China-linked attacks involving cloud services and custom malware.
Trellix has released indicators of compromise to aid detection and defense against OneClik and similar threats. | Details |
| 2025-06-25 19:28:31 | bleepingcomputer | MALWARE | North Korea Uses Fake Job Interviews to Spread Malware | North Korean operatives target job seekers, especially developers, with malware-laden npm packages.
The malware campaign, dubbed 'Contagious Interview', involves attackers posing as recruiters on LinkedIn.
Malicious npm packages have been downloaded over 4,000 times, with six still available.
These packages install the BeaverTail info-stealer and InvisibleFerret backdoor along with other payloads.
The infection runs in stages: the HexEval loader fetches BeaverTail, which in turn deploys InvisibleFerret, and in some cases a keylogger is also delivered.
IT professionals are advised to execute unfamiliar code in isolated environments like containers to mitigate risks.
Past incidents indicate that this type of targeted malware distribution has been a recurring strategy by the DPRK. | Details |
| 2025-06-25 19:10:00 | theregister | MISCELLANEOUS | Amazon Introduces AI Feature to Learn Home Routines in Ring Devices | Amazon has integrated AI in Ring devices to optimize home security notifications via a new feature called Video Descriptions.
This beta feature is available for Ring Home Premium subscribers in the US and Canada and is designed to generate text descriptions detailing the motion activities monitored by Ring cameras and doorbells.
Users must manually activate this feature through the Ring app to receive enhanced notifications, such as specific descriptions of individuals and activities around their property.
The AI is configured to learn users' home routines, identify anomalies, and notify homeowners only when unusual activities occur, aiming to reduce frequent, irrelevant alerts.
However, there are significant privacy concerns associated with this technology, particularly regarding how it stores and secures these detailed descriptions of daily routines and potential misuse by unauthorized parties.
Previous incidents have involved unauthorized access to Ring accounts and misuse of the device's cameras, raising skepticism and further questioning the privacy measures implemented by Ring.
Additionally, Ring has faced legal consequences in the past, including a substantial payout to settle allegations of inadequate security measures that allowed unwanted spying through its cameras. | Details |
| 2025-06-25 17:59:45 | theregister | MISCELLANEOUS | Study Exposes Extensive Links Between Computer Vision Research and Surveillance | A recent study highlights a significant increase in academic computer vision research contributing to surveillance technology, with a fivefold rise in relevant patents since the 1990s.
Analysis conducted by researchers from Stanford University and Trinity College Dublin involved over 19,000 research papers and 23,000 patents.
Approximately 90% of the analyzed academic papers and 86% of the patents involved human data extraction, often referring to humans as "objects."
The study, published in Nature, indicates that the normalization of human surveillance is widespread across the field, with a tendency to use ambiguous language that masks surveillance implications.
Jathan Sadowski emphasizes that the advancement of computer vision in surveillance is influenced by substantial corporate and military interests rather than coincidental.
Sadowski calls for more critical inquiry and policy-making to address the ethical and political dimensions of this technology, suggesting it fuels the military-industrial surveillance complex.
The findings suggest a need for a shift in how computer vision research is conducted and utilized, with an emphasis on ethical considerations and transparency. | Details |
| 2025-06-25 17:38:09 | theregister | CYBERCRIME | Surge in Supply Chain Attacks Exposes Critical Cybersecurity Gaps | 88% of surveyed security leaders express concern over supply chain risks, but less than half adequately monitor their external suppliers’ security.
Roughly 79% of organizations oversee less than half of their nth-party supply chain through cybersecurity programs, leading to significant blind spots.
36% of businesses have only 1-10% of their supply chain protected, despite experiencing a material impact from incidents within the past year.
Third-party involvement in breaches doubled globally last year to 30% of the total, according to Verizon's 2025 Data Breach Investigations Report.
Only 56% of organizations perform risk assessments on all supply chain members, and often struggle with getting reliable responses due to self-reporting inaccuracies.
A common tactic to mitigate supply chain threats includes acquiring cyber insurance, with 63% of organizations covered for such events.
Companies are advised to evolve from traditional third-party risk management to a more resilient approach, focusing on real-time risk identification and response.
The report encourages organizations to invest in comprehensive supply chain cybersecurity strategies to combat growing external threats. | Details |
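The ScreenConnect item above turns on a property of Authenticode: the hash that the signature covers skips the PE checksum, the security directory entry and the certificate table itself, so bytes parked in the certificate table do not invalidate the signature. The following Python is an example added here (not G DATA's, ConnectWise's, or any vendor's code). It constructs a minimal, non-executable PE32+ image, computes the Authenticode hash following the PE specification's rules, and shows that two images differing only in certificate-table content yield the same Authenticode hash but different SHA-256 file hashes; it also walks the WIN_CERTIFICATE entries and counts bytes past the DER-encoded signature, one place stuffed data can sit. The fake PKCS#7 blob, the configuration string and the image layout are all constructed for the example; a real installer may keep its configuration inside the signature structure rather than after it, but either way the bytes land in the region the hash skips.

```python
import hashlib
import struct

# PE/COFF layout constants (offsets in bytes).
E_LFANEW_OFF, COFF_HDR_SIZE, SECTION_HDR_SIZE = 0x3C, 20, 40
SIZEOF_HEADERS_OFF, CHECKSUM_OFF = 60, 64          # within the optional header
DATA_DIRS_OFF = {0x10B: 96, 0x20B: 112}            # PE32 / PE32+ data directory start
SECURITY_DIR_INDEX = 4

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE wrapping the
# signedData OID. It is not a real signature; only its DER length matters here.
FAKE_PKCS7_BODY = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
FAKE_PKCS7 = b"\x30\x82" + len(FAKE_PKCS7_BODY).to_bytes(2, "big") + FAKE_PKCS7_BODY
# Constructed "configuration" of the kind an attacker parks next to the signature.
STUFFED_CONFIG = b"[conf]host=c2.attacker.invalid;port=443;hide_window=1"


def win_certificate(blob: bytes) -> bytes:
    """Wrap blob in a WIN_CERTIFICATE entry (revision 2.0, PKCS_SIGNED_DATA), padded to 8 bytes."""
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return entry.ljust((len(entry) + 7) & ~7, b"\0")


def build_minimal_pe(cert_table: bytes) -> bytes:
    """Construct a tiny, non-executable PE32+ image: headers, one section, then the certificate table."""
    headers_size = section_off = section_size = 0x200
    cert_off = section_off + section_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, one section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, SIZEOF_HEADERS_OFF, headers_size)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, DATA_DIRS_OFF[0x20B] + SECURITY_DIR_INDEX * 8, cert_off, len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000, section_size, section_off,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(headers_size, b"\0")
    return headers + b"\xcc" * section_size + cert_table


def _layout(pe: bytes):
    """Return (checksum_off, secdir_off, size_of_headers, section_table_off, nsections, cert_off, cert_size)."""
    pe_off = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    nsections, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt_off = pe_off + 4 + COFF_HDR_SIZE
    secdir_off = opt_off + DATA_DIRS_OFF[struct.unpack_from("<H", pe, opt_off)[0]] + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    size_of_headers = struct.unpack_from("<I", pe, opt_off + SIZEOF_HEADERS_OFF)[0]
    return opt_off + CHECKSUM_OFF, secdir_off, size_of_headers, opt_off + opt_size, nsections, cert_off, cert_size


def authentihash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode hash: the file minus CheckSum, the security directory entry and the certificate table."""
    checksum_off, secdir_off, size_of_headers, sect_tab, nsections, cert_off, cert_size = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum_off] + pe[checksum_off + 4:secdir_off] + pe[secdir_off + 8:size_of_headers])
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_tab + i * SECTION_HDR_SIZE + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):  # ascending PointerToRawData, as the spec requires
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Overlay data after the last section is hashed too, except the certificate table itself.
    h.update(pe[hashed:cert_off] + pe[cert_off + cert_size:] if cert_size else pe[hashed:])
    return h.hexdigest()


def der_sequence_length(blob: bytes):
    """Total length (header + content) of a leading DER SEQUENCE, or None if there is none."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_entries(pe: bytes) -> list:
    """Walk WIN_CERTIFICATE entries; 'trailing' is the byte count after the DER signature in each entry."""
    *_, cert_off, cert_size = _layout(pe)
    pos, end, out = cert_off, cert_off + cert_size, []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            break  # malformed entry; stop rather than read past the table
        blob = pe[pos + 8:pos + length]
        der_len = der_sequence_length(blob)
        out.append({"revision": revision, "type": ctype, "length": length,
                    "trailing": None if der_len is None else len(blob) - der_len})
        pos += (length + 7) & ~7
    return out


def demo() -> dict:
    """Two images differing only in certificate-table content: same Authenticode hash, different file hash."""
    clean = build_minimal_pe(win_certificate(FAKE_PKCS7))
    stuffed = build_minimal_pe(win_certificate(FAKE_PKCS7 + STUFFED_CONFIG))
    return {"authentihash_equal": authentihash(clean) == authentihash(stuffed),
            "sha256_equal": hashlib.sha256(clean).digest() == hashlib.sha256(stuffed).digest(),
            "clean_trailing": certificate_entries(clean)[0]["trailing"],
            "stuffed_trailing": certificate_entries(stuffed)[0]["trailing"]}
```

The practical consequence for defenders: key detections and allow-lists on the Authenticode hash plus the signature's contents rather than on the file hash alone, since one signed build can be re-cut into many distinct files, and treat unexplained bytes in a signed binary's certificate table as worth a look.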
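The Contagious Interview item above recommends running unfamiliar code in an isolated environment. A cheaper first check is to inspect a package's install-time lifecycle scripts before `npm install` ever runs them. The following Python is an example added here (not code from the article or from the researchers it cites): it builds a constructed npm-style tarball in memory, pulls out package.json, flags preinstall/install/postinstall/prepare hooks, matches them against a few loader heuristics (a hex or base64 literal fed to Buffer.from, eval or new Function, inline `node -e`, downloaders), and decodes hex literals so the next stage can be read before it runs. The package name, script and payload are invented, and the heuristics are assumptions for the example, not a published ruleset.

```python
import io
import json
import re
import tarfile

# Lifecycle hooks npm runs automatically during `npm install` (unless --ignore-scripts is given).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for loader-style install scripts; assumptions for this example, not a vendor ruleset.
SUSPICIOUS = {
    "decoded_literal": re.compile(r"Buffer\.from\(\s*['\"][A-Za-z0-9+/=]{16,}['\"]\s*,\s*['\"](?:hex|base64)['\"]"),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "inline_node": re.compile(r"\bnode\s+-e\b"),
    "network_fetch": re.compile(r"\b(?:curl|wget)\b|\bhttps?\.get\(|\bfetch\("),
}
HEX_LITERAL = re.compile(r"Buffer\.from\(\s*['\"]([0-9a-fA-F]{16,})['\"]\s*,\s*['\"]hex['\"]")

# Constructed sample: package name, script and payload are invented for this example.
STAGE2_SOURCE = 'console.log("stage 2 would fetch and run the real payload here")'
SAMPLE_PACKAGE_JSON = {
    "name": "example-test-utils",
    "version": "1.0.3",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"eval(Buffer.from('%s','hex').toString())\"" % STAGE2_SOURCE.encode().hex(),
    },
}
BENIGN_PACKAGE_JSON = {"name": "example-plain", "version": "0.1.0", "scripts": {"test": "jest"}}


def build_sample_tarball(package_json: dict) -> bytes:
    """Construct an npm-style .tgz in memory (npm places package files under package/)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def decode_hex_payloads(command: str) -> list:
    """Decode hex literals handed to Buffer.from(..., 'hex') so the next stage can be read before it runs."""
    return [bytes.fromhex(h).decode("utf-8", "replace") for h in HEX_LITERAL.findall(command)]


def audit_tarball(tgz: bytes) -> dict:
    """Inspect package.json from the tarball offline and report install-time hooks and what they match."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        pkg = json.load(tar.extractfile("package/package.json"))
    hooks = {}
    for name in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(name)
        if cmd is not None:
            hooks[name] = {"command": cmd,
                           "flags": [k for k, rx in SUSPICIOUS.items() if rx.search(cmd)],
                           "decoded": decode_hex_payloads(cmd)}
    if any(h["flags"] for h in hooks.values()):
        verdict = "review-before-install"
    elif hooks:
        verdict = "has-install-hooks"
    else:
        verdict = "no-install-hooks"
    return {"name": pkg.get("name"), "version": pkg.get("version"), "hooks": hooks, "verdict": verdict}
```

In practice, fetch the tarball without installing it (`npm pack <name>`, or the `dist.tarball` URL shown by `npm view <name>`), run the audit, and if you still need to install, do so with `npm install --ignore-scripts` inside a throwaway container so no hook runs with access to your credentials or SSH keys.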