Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-19 06:06:57 | bleepingcomputer | CYBERCRIME | Extradition of Key Ryuk Ransomware Operation Member to the U.S. | A 33-year-old man involved in the Ryuk ransomware operation was extradited to the United States from Kyiv as part of an international cybercrime investigation. Arrested in April 2025, the suspect specialized in gaining initial access to corporate networks, enabling further data theft and ransomware deployment by his accomplices. The international operation, which began in 2023, involved Ukrainian cyber police, the National Police, and other law enforcement agencies, and targeted ransomware groups such as LockerGoga, MegaCortex, Hive, and Dharma. The suspect was identified through a meticulous analysis of seized devices and information gathered during the ongoing investigation. Ryuk ransomware, active from 2018 to mid-2020 and later evolving into the Conti group, was notorious for attacks on diverse sectors, including healthcare, amassing an estimated $150 million. The case remains under further investigation, with potential updates from the Department of Justice pending. | Details |
| 2025-06-19 03:50:08 | theregister | NATION STATE ACTIVITY | Iran Shuts Down Internet Following Suspected Foreign Cyberattacks | Iran's government likely restricted national internet access in response to potential Israel-linked cyberattacks. A significant drop in internet traffic was observed by Cloudflare and NetBlocks starting late Wednesday. Tehran cited "prevention of enemy abuse" as the reason for the internet blackout, following disruptions at Bank Sepah. Predatory Sparrow, suspected to have Israeli support, claimed responsibility for attacking Bank Sepah and the Iranian crypto exchange Nobitex. The internet blackout in Iran aligns with statements from an Israel Defense Forces commander hinting at cyber-offensive breakthroughs. Access to Iranian websites (.IR domain) is currently impossible, as confirmed by international checks. Tehran had earlier warned citizens to delete WhatsApp over surveillance concerns, which Meta has denied. | Details |
| 2025-06-19 03:41:46 | thehackernews | MALWARE | Critical Linux Vulnerabilities Grant Root Access Leveraging PAM and Udisks | Cybersecurity experts from Qualys have identified two local privilege escalation (LPE) flaws in major Linux distributions that enable attackers to gain root privileges. CVE-2025-6018 impacts the PAM configuration in openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing elevation to "allow_active" user status and the execution of restricted Polkit actions. CVE-2025-6019, found in libblockdev, can be exploited through the udisks daemon, which is included by default in most Linux systems, and enables a full escalation to root when combined with CVE-2025-6018. These vulnerabilities allow attackers with any active GUI or SSH session to quickly escalate their privileges and execute actions reserved for physically present users. Attackers can potentially use such escalated privileges for broader malicious activities, such as altering security settings and installing backdoors for covert continued access. While Qualys has developed PoC exploits demonstrating the exploitability of these vulnerabilities on various systems including Ubuntu and Fedora, mitigation involves applying patches or modifying the Polkit rule so that it requires admin authentication. An additional related flaw (CVE-2025-6020) in Linux PAM's pam_namespace module was also disclosed and resolved, highlighting continuing weaknesses in Linux privilege management components. | Details |
| 2025-06-18 22:02:08 | bleepingcomputer | NATION STATE ACTIVITY | Pro-Israel Hackers Burn $90M in Crypto in Attack on Iranian Exchange | The pro-Israel hacking group "Predatory Sparrow" claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange, resulting in over $90 million in stolen cryptocurrency. The attack led to the destruction of the stolen funds, which were sent to unusable addresses with embedded anti-IRGC messages, indicating a political motive rather than financial gain. Following the breach, Nobitex's website has been offline, and internal investigations are ongoing into the extent of the data and security compromise. The hackers also threatened to release Nobitex's source code and internal information, intensifying the implications of the cyberattack. Blockchain analysis revealed that the stolen crypto was sent to vanity addresses whose private keys are computationally infeasible to recover, effectively burning the funds. This incident follows a similar attack by the same group on the IRGC-controlled Bank Sepah, emphasizing a pattern of disruptive cyber tactics against Iranian interests. Researchers have connected Nobitex to the Iranian Revolutionary Guard Corps and high-ranking Iranian officials, which may have made it a specific target for these politically charged cyberattacks. | Details |
| 2025-06-18 21:10:40 | theregister | MALWARE | Malware Disguised as Minecraft Cheats Infects Thousands | Researchers from Check Point uncovered a malware campaign disguised as Minecraft cheat tools on GitHub. Around 500 GitHub repositories were involved in distributing these Trojanized tools, which have affected over 1,500 devices so far. The malicious mods are linked to Russian-speaking malware developers who are part of the Stargazers Ghost Network. The malware conducts a multi-stage attack, starting with a Java-based loader that checks for a genuine environment in order to avoid sandboxes and VMs. Subsequent stages steal Minecraft and Microsoft account credentials, as well as data from applications like Discord and Telegram. The final stage targets web browser credentials, cryptocurrency wallets, and VPN configurations, and extensively collects data from the infected machine. The incident highlights the significant risks of downloading and using unofficial or pirated game mods and tools. | Details |
| 2025-06-18 20:40:12 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Use Deepfake in Zoom to Deploy Mac Malware | The North Korean BlueNoroff hacking group used deepfake technology on Zoom calls to spread malware targeting Mac users. The intent behind the attacks is believed to be cryptocurrency theft, consistent with the group's established pattern. Attackers approached a tech firm employee through Telegram and lured them into a fake Zoom meeting featuring deepfaked faces of familiar executives. During the Zoom session, technical issues were simulated, prompting the victim to download a malicious 'Zoom extension' that was actually malware. The attack chain involved a seemingly innocent AppleScript that disabled security logging and installed additional payloads to further compromise the system. Researchers warn that the increasing prevalence of macOS in enterprises is attracting more sophisticated malware attacks, underscoring the need for heightened Mac security awareness. The attackers have developed a proficient method of circumventing existing security measures by exploiting both technical and human vulnerabilities. | Details |
| 2025-06-18 19:36:58 | theregister | DATA BREACH | Asana Resolves Data Leak in Experimental AI Integration | Asana identified and fixed a vulnerability in its Model Context Protocol (MCP) server that had briefly allowed users to see data belonging to other organizations. The issue led to a shutdown of the feature from June 5 to June 17 for maintenance and security checks. The MCP server, launched on May 1, enables users to connect Asana with external AI applications and use natural language to query enterprise data. The flaw was discovered on June 4, and Asana proactively communicated with affected customers and the public, though the number of impacted users was not disclosed. As a corrective measure, Asana reset all connections to the MCP server, requiring organizations to manually reconnect to continue using it. Security experts emphasized the importance of strict tenant isolation, least-privilege access, and thorough logging of LLM-generated queries to mitigate similar risks in future. No evidence suggests that the data exposure was maliciously exploited, but the incident underscores the inherent risks of adopting new technologies. | Details |
| 2025-06-18 15:44:02 | thehackernews | MALWARE | New Malware Campaign Exploits Cloudflare for Stealthy RAT Delivery | A novel malware campaign, codenamed SERPENTINE#CLOUD by Securonix, uses Cloudflare Tunnel subdomains to host and distribute Remote Access Trojans (RATs). Attackers send phishing emails themed around payments or invoices, containing malicious links to zipped documents that trigger the infection. The phishing emails lead to Windows shortcut (LNK) files that, once opened, initiate a complex infection sequence involving disguised Python-based shellcode loaders that execute entirely in memory. The malware retrieves additional stages via WebDAV from a Cloudflare Tunnel subdomain, using legitimate cloud services to evade detection and blocklisting. The Securonix report highlights the threat actors' shifting tactics: they now opt for LNK files instead of URL-based shortcuts, complicating defense against these attacks. Affected regions include the United States, the United Kingdom, and Germany, along with several other European and Asian countries. The identity and origin of the threat actors remain unclear, although their operations reflect a high level of English proficiency and sophisticated evasion techniques. The campaign demonstrates advanced social engineering and living-off-the-land techniques to ensure stealth and persistence. | Details |
| 2025-06-18 15:16:24 | bleepingcomputer | MALWARE | Malware Campaign Targets Minecraft Mods to Steal Data | A malware campaign named "Stargazers" targets Minecraft players, using fake mods and cheats to install infostealers on Windows devices. The campaign exploits Minecraft's large modding community and uses platforms like GitHub to distribute malicious mods to a broad audience. Detected by Check Point Research, the operation has reached thousands of targets, as indicated by the large number of views on the Pastebin links where malware payloads are hosted. The infostealers attempt to harvest Minecraft account tokens, Discord and Telegram tokens, and credentials from cryptocurrency wallets and various apps. The malware, which evaded detection by anti-virus engines, progresses through multiple stages, including a Java-based initial stealer and a more advanced .NET-based stealer named "44 CALIBER." Stolen data is exfiltrated via Discord webhooks, with some evidence pointing to Russian involvement in the campaign's operations. Check Point has released indicators of compromise to help identify and prevent attacks from this specific threat. Advice for Minecraft players includes using mods only from reputable sources and maintaining separate accounts for testing new mods. | Details |
| 2025-06-18 14:22:23 | thehackernews | MALWARE | Over 1,500 Minecraft Users Hit by Java Malware Campaign | A sophisticated malware campaign targeting Minecraft players has infected over 1,500 devices via malicious game mods on GitHub. The Java-based malware, attributed to the Stargazers Ghost Network, masquerades as popular Minecraft mods and cheats and deploys a multi-stage attack chain. Initial infection occurs when users download and execute a Java loader under the guise of enhancing gameplay; the loader then installs additional stealers when the game is launched. The malware specifically targets Discord and Minecraft credentials, as well as data from Telegram, various web browsers, cryptocurrency wallets, and other applications. Captured data is transmitted back to the attackers through a Discord webhook, underscoring the stealth of the operation. Researchers suggest the involvement of a Russian-speaking threat actor, evidenced by language artifacts and time-zone indicators in the code. The incident highlights the risks of downloading third-party mods and the effectiveness of gaming communities as vectors for malware distribution. | Details |
| 2025-06-18 14:12:34 | bleepingcomputer | CYBERCRIME | ChainLink Phishing Exploits Trust in Common Tools | ChainLink Phishing subverts the typical phishing model by using trusted enterprise tools and reputable domains, making these attacks difficult to detect. Attackers present a series of credible-looking prompts on legitimate sites to deceive users into providing sensitive credentials, effectively bypassing conventional defenses. These attacks exploit the central role of browsers in daily business operations, an area that has traditionally lacked adequate protection. Keep Aware introduces a browser-based phishing protection tool that analyzes user behavior, form submissions, and site context to counter these threats. Unlike traditional phishing methods, which rely on recognizable red flags, ChainLink Phishing incorporates convincing elements such as CAPTCHAs and email authentication checks to appear legitimate. Security measures in most organizations fail to block these phishing attacks because they pass through trusted domains and do not trigger malware detection. To address this threat, there is a growing need to shift security focus from perimeter defense to real-time analysis of web pages and user interaction. | Details |
| 2025-06-18 13:58:04 | bleepingcomputer | MALWARE | CISA Alerts on Linux Kernel Flaw Exploitation by Attackers | CISA has issued a warning to U.S. federal agencies about a critical vulnerability in the Linux kernel's OverlayFS subsystem that could allow attackers to gain root privileges. The vulnerability, identified as CVE-2023-0386, was patched in January 2023, with public disclosure following two months later. Multiple proof-of-concept (PoC) exploits have been available on GitHub since May 2023, making exploitation easier. Widely used Linux distributions such as Debian, Red Hat, Ubuntu, and Amazon Linux are affected if they run a kernel version lower than 6.2. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch their systems by July 8 to safeguard against attacks exploiting this flaw, as per Binding Operational Directive (BOD) 22-01 from November 2021. The warning underlines the importance of rapid and effective patch management for vulnerabilities that are frequently targeted by malicious actors. | Details |
| 2025-06-18 13:46:15 | bleepingcomputer | DATA BREACH | Healthcare SaaS Firm Suffers Major Data Breach Affecting 5.4 Million | Episource, a U.S.-based healthcare services company, has reported a data breach impacting over 5 million people. The breach followed a cyberattack detected between January 27 and February 6, 2025, involving unauthorized data access and exfiltration. Sensitive health information was stolen, although no banking or payment information was compromised. The breach has been reported to the U.S. Department of Health and Human Services as affecting 5,418,866 individuals. Impacted parties are being notified directly by Episource; affected healthcare providers and insurers are not sending separate notices. Episource advises all impacted individuals to monitor their financial statements and health benefits for any unauthorized activity. The company is currently taking steps to secure its systems and prevent future incidents. | Details |
| 2025-06-18 13:40:19 | theregister | MALWARE | Veeam Addresses Recurring Critical RCE Vulnerabilities in Backup Servers | Veeam issued patches for its third critical remote code execution (RCE) bug within a year, identified as CVE-2025-23121 and affecting domain-joined backup servers, and advised users to update urgently. The RCE vulnerability, scored 9.9 on CVSS v3, is linked to the previous bugs CVE-2025-23120 and CVE-2024-40711, all of which stem from underlying issues with the BinaryFormatter component. Despite Veeam's efforts to mitigate recurring deserialization flaws through an exclusion-list approach, watchTowr researchers deemed the method insufficient for protecting against such vulnerabilities. External researchers criticized Veeam's Chief Product Officer's claims of near-perfection in the mitigation, easily uncovering additional exploitable elements. Veeam plans to eliminate the problematic BinaryFormatter in the forthcoming Version 13 of Backup & Replication, slated for a potential H2 2025 beta release, aiming to end this series of security vulnerabilities. The recent update, B&R version 12.3.1.1139, not only addresses the newest critical RCE flaw but also resolves two other, less severe issues. Several ransomware groups, including those behind Fog and Akira, capitalized on previous B&R vulnerabilities in their attacks, with CISA confirming the vulnerabilities' exploitation in ransomware operations. | Details |
| 2025-06-18 11:03:12 | thehackernews | MISCELLANEOUS | How Startups Can Achieve FedRAMP Authorization Efficiently | FedRAMP authorization is crucial for startups targeting the federal market, establishing trust from the outset. Rather than a checkbox exercise, obtaining FedRAMP approval is an organizational shift demanding a strategic, comprehensive approach to security. Startups should align with the NIST 800-53 Rev. 5 Moderate baseline from the beginning to embed a security-first mindset and reduce later rework. Success in FedRAMP requires fostering a collaborative environment across functional teams, integrating security practices tightly within the organization. Maintain consistency in product architecture across commercial and federal offerings to minimize technical discrepancies and simplify audits. Consider the business implications of FedRAMP thoroughly; the process is costly and lengthy and requires strong commitment. Select partners strategically for navigating the FedRAMP landscape, ensuring they contribute effectively without compromising the process. Build robust internal capabilities to manage FedRAMP processes in-house, as outsourcing can lead to increased risk and costs. | Details |