Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-18 10:53:41 | thehackernews | MALWARE | Water Curse Exploits GitHub in Global Malware Campaign | Water Curse, a new threat actor, uses GitHub repositories to deploy sophisticated multistage malware, which includes data theft and persistent access to infected systems. The campaign was first detected last month and employs weaponized repositories disguised as penetration testing tools. Malicious payloads, delivered via Visual Studio project files, initiate complex infection sequences using obfuscated VBS and PowerShell scripts. The techniques include anti-debugging, privilege escalation, and host defense suppression to maintain long-term access on compromised machines. Water Curse appears financially motivated, focusing on credential theft, session hijacking, and the resale of illicit access, impacting 76 GitHub accounts. The operation leverages legitimate infrastructure via services like Cloudflare and Telegram for stealthy, scalable attacks. Related malware activities, including AsyncRAT and various other trojans, have been used to target organizations globally since early 2024. The ongoing campaign also uses invoice-themed phishing lures in Europe to discreetly deliver Sorillus RAT, reflecting a sophisticated blend of malicious techniques and tools. | Details |
| 2025-06-18 10:10:31 | bleepingcomputer | MALWARE | BeyondTrust Issues Patches for High-Risk Remote Access Vulnerabilities | BeyondTrust has patched a high-severity flaw in its Remote Support and Privileged Remote Access systems, identified as CVE-2025-5309, which allowed unauthenticated remote code execution. The vulnerability stemmed from a server-side template injection in the chat feature of the software, potentially letting attackers execute arbitrary code on the server. All cloud-based RS/PRA instances were secured as of June 16, 2025, with a recommendation for on-premises users to manually apply the security patch if not using automatic updates. Temporary mitigation measures include enabling SAML authentication for the Public Portal and enforcing session key usage while disabling the Representative List and Issue Submission Survey. BeyondTrust's recent security breach involving zero-day vulnerabilities led to the compromise of 17 Remote Support SaaS instances and subsequent theft of an API key. U.S. Treasury Department networks were compromised by Chinese state-backed hackers using BeyondTrust vulnerabilities, affecting sensitive national security information. | Details |
| 2025-06-18 08:51:41 | bleepingcomputer | MALWARE | Critical Linux Security Flaws Pose Universal Threat; Immediate Patching Urged | New local privilege escalation vulnerabilities found in major Linux distributions could allow attackers to gain root privileges. The flaws, identified as CVE-2025-6018 and CVE-2025-6019, affect systems running openSUSE Leap 15 and SUSE Linux Enterprise 15 via PAM and libblockdev/udisks components. The udisks daemon vulnerability is concerning due to its default presence in nearly all Linux systems, making widespread exploitation possible. The Qualys Threat Research Unit, which discovered these vulnerabilities, has already developed and successfully tested proof-of-concept exploits. Security patches have been released and administrators are strongly urged to apply these immediately to prevent potential severe security breaches. Unpatched vulnerabilities can enable root access, agent tampering, persistence, and lateral movement across networked systems. Prior discoveries by Qualys researchers include multiple other critical Linux vulnerabilities, highlighting a recurring issue with default system configurations. | Details |
| 2025-06-18 08:04:50 | theregister | MISCELLANEOUS | Bridging the Gap in Multi-Factor Authentication Deployment | Multi-factor authentication (MFA) is underutilized globally, with only 35% of businesses implementing it, exposing them to credential-based attacks. MFA implementation challenges include financial constraints, technical complexities, and user confusion due to multiple systems. Improper MFA setups increase help desk burdens and security risks, highlighted by the MGM Resorts attack where social engineering bypassed MFA protections. Specops Software offers solutions like Specops Secure Access, which simplifies MFA management across various platforms and enhances user authentication processes. Specops Secure Access integrates seamlessly with Active Directory, supporting scalability and redundancy, and offers innovative features such as MFA fatigue protection. The platform's policy-driven approach tailors authentication measures based on location and network context to mitigate unauthorized access. Specops has played a critical role in recovery efforts, such as the Kalix municipality ransomware attack resolution through efficient password reset capabilities via MFA. | Details |
| 2025-06-18 07:31:51 | theregister | NATION STATE ACTIVITY | Amazon CISO Discusses Iranian Cyber Tactics Amid Israel Conflict | Iranian state-sponsored cyber activities have intensified since the conflict with Israel began, though their tactics remain unchanged. Amazon's Chief Information Security Officer (CISO), CJ Moses, observes increased efforts in espionage, data theft, and credential stealing without a pivot to more destructive attacks like wiper malware. Unlike Russian cyber operations during the Ukraine conflict, Iranian cyber strategies have not shifted towards destructive capabilities, focusing instead on maintaining access to critical networks and systems. Amazon's threat intel team has not detected any destructive cyberattacks by Iranian groups since the conflict's onset. Complementing traditional cyber threats, Moses highlighted how next-gen "script kiddies" are leveraging advanced AI to speed up attacks, transforming the landscape of cyber threats. AWS utilizes AI in network defense, running a network of AI-empowered honeypots (MadPot) to detect and analyze attacker behaviors more effectively. Despite the rapid evolution of AI in cyberattacks, Iranian groups have shown less interest in adopting agentic AI within their operations, contrasting with other criminal and nation-state actors monitored by Amazon. | Details |
| 2025-06-18 07:16:55 | bleepingcomputer | DATA BREACH | Asana's AI Feature Flaw Exposes Customer Data Across Organizations | Asana alerted users about a data exposure caused by a flaw in its Model Context Protocol (MCP) feature. The flaw allowed data from one organization's Asana instance to be accessible to users of other organizations using the same MCP feature. This issue stemmed from a software bug, not from an external hack, occurring for over a month before detection. Exposed data could include task details, project metadata, team information, comments, and uploaded files, depending on user permissions. Asana, a project management SaaS platform, has over 130,000 paying customers worldwide. Affected entities are advised to review Asana logs, restrict LLM integration access, and pause certain AI functionalities until further assessments. Approximately 1,000 customers were reportedly impacted by this issue, with Asana now resuming normal operations after temporarily taking the MCP server offline. | Details |
| 2025-06-18 06:44:15 | thehackernews | NATION STATE ACTIVITY | Ex-CIA Analyst Sentenced for Leaking Top Secret Documents | Former CIA analyst Asif William Rahman, 34, has been sentenced to 37 months in prison for mishandling classified information. Rahman unlawfully retained and transmitted top secret National Defense Information to unauthorized individuals. He was arrested in Cambodia, having worked for the CIA since 2016 with access to Sensitive Compartmented Information. Court documents reveal Rahman took classified documents home, photographed them, and sent the images to others after editing to conceal their origin. Some leaked documents, which detailed potential military actions between Israel and Iran, were shared on the platform Telegram. Rahman attempted to cover his tracks by deleting approximately 1.5 GB of data and modifying journal entries related to U.S. policies. His case highlights the swift action by U.S. authorities to uphold national security and deter similar acts of betrayal. | Details |
| 2025-06-18 06:33:00 | thehackernews | MALWARE | CISA Alerts on Active Exploitation of Linux Kernel Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a Linux kernel flaw, CVE-2023-0386. This vulnerability, with a CVSS score of 7.8, allows for privilege escalation via an improper ownership bug in OverlayFS. CVE-2023-0386 was patched early in 2023, yet it continues to be a threat as attackers exploit systems that remain unpatched. The flaw enables unauthorized users to escalate privileges by manipulating file ownership in the Linux kernel. Datadog's analysis describes the vulnerability as trivial to exploit, involving the creation and execution of a root-owned SUID binary in directories like "/tmp". Additional related vulnerabilities, the GameOver(lay) flaws CVE-2023-32629 and CVE-2023-2640, were identified, affecting Unix systems with similar privilege escalation risks. Federal Civilian Executive Branch (FCEB) agencies are mandated to patch this vulnerability by July 8, 2025, to safeguard against these exploits. | Details |
| 2025-06-18 05:56:23 | thehackernews | MALWARE | Veeam Issues Critical Patch for High-Risk Backup Software Flaw | Veeam has released an update to fix a critical flaw (CVE-2025-23121) with a 9.9 CVSS score in its Backup & Replication software, allowing remote code execution. This vulnerability affects all prior builds of version 12 up to 12.3.1.1139, with the fix applied in version 12.3.2. The flaw was identified and reported by security researchers from CODE WHITE GmbH and watchTowr. A previous patch designed to address a similar vulnerability (CVE-2025-23120) was reportedly bypassable, highlighting ongoing security challenges. Another related vulnerability addressed in the update (CVE-2025-24286) allows backup operators to potentially execute arbitrary code. Additional patches include fixes for Veeam Agent for Microsoft Windows, addressing a separate vulnerability (CVE-2025-24287) that could allow local users to execute code with elevated privileges. Rapid7 reveals that more than 20% of its incident responses in 2024 involved exploiting Veeam software once attackers were inside the network. It is critical for users to update their software promptly to mitigate risks associated with these vulnerabilities. | Details |
| 2025-06-18 05:41:58 | thehackernews | NATION STATE ACTIVITY | Iran Curtails Internet Amid Intensifying Cyber Conflicts with Israel | Iran has significantly throttled internet speeds following escalated conflicts, purportedly to block Israeli cyber attacks. An Iranian spokesperson cited internet stability as the reason for this action, describing the slowdown as "temporary, targeted, and controlled." NetBlocks reported a marked decline in Iranian internet traffic on the day of the implementation. The cyber exchanges include attacks on Iran's Bank Sepah by a pro-Israel group, Predatory Sparrow, impacting the bank's online and ATM services. Predatory Sparrow accuses Bank Sepah of supporting Iran's controversial activities, including its missile and nuclear programs. Heightened cyber activity from Iranian state actors and affiliated hacktivist groups has been observed, targeting various regional entities. The Iranian government has also advised citizens to delete WhatsApp, claiming, without evidence, that it is being used by Israel for espionage. The U.S. Department of State is seeking information on Iranian hackers suspected of targeting critical infrastructure in the U.S. and other countries using specific malware tools. | Details |
| 2025-06-18 03:36:01 | theregister | NATION STATE ACTIVITY | Trump Postpones TikTok Sale Deadline Amid Ongoing Trade Disputes | President Trump has decided to delay the enforcement of a law mandating TikTok to sell its U.S. operations or cease operating, marking this as the third delay. The law, titled "Protecting Americans from Foreign Adversary Controlled Applications Act," was initially passed with strong bipartisan support and aimed to safeguard U.S. national security. The deadline for TikTok's divestiture was initially set for January 19th, 2025, but has been extended multiple times, now moving to June 19th. Trump cited the ongoing U.S.-China trade disputes as a significant barrier to finalizing the sale and indicated that a resolution could expedite the process. Despite potential national security concerns, Trump acknowledged a personal affinity for TikTok, highlighting its role in his political campaigns. Currently, there is no resolution on the trade issues, nor clarity on potential American buyers for TikTok, leaving significant uncertainty about the app's future and security implications. | Details |
| 2025-06-17 21:21:53 | theregister | MISCELLANEOUS | AWS Achieves 100% MFA Enforcement, Unveils New Security Features | AWS has achieved 100% multi-factor authentication (MFA) enforcement for root users across all account types. The announcement was made by AWS Chief Information Security Officer Amy Herzog at the re:Inforce cloud security conference. New security measures and capabilities were rolled out at the conference to enhance cloud security for customers. AWS Identity and Access Management Access Analyzer was introduced, providing insights into internal access to critical resources. AWS Security Hub now offers enhanced data analysis tools to help prioritize and respond to security issues more effectively. GuardDuty Extended Threat Detection, optimized for container-based applications, adds improved threat detection capabilities. AWS introduces a network security director in Shield to manage network security posture and mitigate threats like DDoS and SQL injection. The implementation supports AWS's commitment to the CISA Secure by Design pledge, despite challenges like budget cuts and key staff departures. | Details |
| 2025-06-17 21:21:52 | bleepingcomputer | CYBERCRIME | Paddle Settles $5 Million for Facilitating Tech Scams | Paddle.com and its U.S. subsidiary agreed to pay $5 million to settle FTC allegations of enabling deceptive tech support scams, primarily targeting U.S. consumers, including older adults. The UK-based payment processor was accused of inadequate screening and fraud prevention, which allowed foreign operators to exploit the U.S. credit card system with tech support scams. Scammers, including known offenders like Restoro, Reimage, and PC Vark, used fake virus alerts impersonating major brands to sell unnecessary software or services. Paddle processed significant amounts for these operators, over $12.5 million for PC Vark and $37 million for Restoro and Reimage, despite high complaint and chargeback rates. Internal communications at Paddle indicated awareness of the fraudulent activities and their impact on vulnerable consumers, yet the company took measures to hide these activities to evade bank and card network scrutiny. The FTC claimed Paddle acted as an unregistered payment facilitator, breaching Visa and Mastercard rules, and continued relations with high-risk clients for profit. As part of the settlement, Paddle must adhere to strict conditions, including avoiding processing payments for entities engaged in deceptive practices. The case highlights the importance of consumer vigilance against unsolicited tech support claims and the necessity for businesses to maintain rigorous compliance and detection systems to prevent fraud. | Details |
| 2025-06-17 19:19:36 | thehackernews | NATION STATE ACTIVITY | Zero-Day Exploit in Google Chrome Used to Install Trinper Backdoor | TaxOff exploited a zero-day vulnerability (CVE-2025-2783) in Google Chrome to deploy the Trinper backdoor. The attack targeted Russian organizations, leveraging phishing emails designed as invitations to specific forums to distribute malicious links. Google patched this vulnerability after it was reported by Kaspersky during Operation ForumTroll. Trinper features include keystroke recording, file gathering, and remote command execution via a C2 server. Positive Technologies uncovered a similar past attack, also initiated via a phishing email disguised as a conference invitation, leading to speculation about connections to other hacking groups. Variations in the attack methodologies include the use of different malware loaders like Donut and Cobalt Strike. The backdoor employs multithreading, which enhances concealment and parallel data processing. Strategic use of zero-day vulnerabilities and sophisticated malware indicates the group's intent for long-term access and data exfiltration from targeted systems. | Details |
| 2025-06-17 19:04:45 | bleepingcomputer | DATA BREACH | Scania Faces Data Breach and Extortion Over Stolen Insurance Claims | Scania confirmed a cybersecurity breach where attackers accessed insurance claim documents through stolen external IT partner credentials. The attackers threatened to leak the stolen data unless their ransom demands were met. The compromised system, "insurance.scania.com," was provided by an external IT partner. The breach was detected after threat actors posted on a hacking forum about selling the stolen data. Stolen documents might contain sensitive personal, financial, or medical data, heavily impacting affected individuals. Attackers used a ProtonMail address to send extortion emails directly to several Scania employees. Scania has notified privacy authorities and stated the breach had limited impact, but investigations are ongoing. | Details |