Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-06-17 09:35:45 | thehackernews | DDOS | New Flodrix Botnet Exploits Critical AI Server Bug for DDoS Attacks | Cybersecurity researchers have uncovered a new campaign exploiting a critical vulnerability in Langflow to distribute Flodrix botnet malware. The vulnerability, identified as CVE-2025-3248, enables remote code execution due to missing authentication and was patched in March 2025. Attackers target unpatched Langflow servers using proof-of-concept code to conduct reconnaissance and install the Flodrix malware. Once installed, Flodrix connects to a remote server and receives commands to carry out DDoS attacks against selected IP addresses. The malware supports connections over both TCP and the Tor network, increasing its stealth and complicating traceability. Researchers note that the attackers are profiling vulnerable servers to identify high-value targets for future infections. This version of Flodrix, evolved from the LeetHozer botnet, features capabilities that minimize forensic traces and enhance attack obfuscation. Trend Micro highlights that the campaign is under active development, indicating potential future enhancements and risks. |
| 2025-06-17 08:15:26 | thehackernews | CYBERCRIME | TP-Link Router Vulnerability Actively Exploited, CISA Issues Alert | CISA added a TP-Link router flaw, CVE-2023-33538, to its KEV catalog due to active exploitation. The flaw is a command injection vulnerability in certain TP-Link router models that allows arbitrary command execution. No public information is currently available about the specific exploitation tactics used in the wild. The affected TP-Link routers may be at end-of-life, increasing risk; CISA recommends discontinuing their use if no updates are available. The issue intersects with Palo Alto Networks' findings on the FrostyGoop malware, although no direct exploitation of this CVE was evidenced in that malware attack. Meanwhile, a separate vulnerability in Zyxel firewalls is being exploited to build DDoS botnets, with multiple countries affected. Agencies have until July 7, 2025, to remediate the TP-Link router vulnerability. GreyNoise observes significant recent exploit attempts targeting the Zyxel flaw and urges updates and vigilant monitoring. |
| 2025-06-17 05:03:47 | thehackernews | MISCELLANEOUS | Meta Introduces Advertising on WhatsApp with Privacy Focus | Meta Platforms announced the introduction of ads on WhatsApp, specifically in the app's Updates tab through the Status feature. The company emphasizes privacy, stating that personal messages, calls, and statuses remain end-to-end encrypted. Ad targeting will use limited user data such as location, language, and interaction with ads, drawn from broader Meta account settings if the user has added WhatsApp to the Meta Accounts Center. Meta states that it will not sell or share users' phone numbers with marketers, and that ad targeting will not draw on personal communications. The introduction of ads marks a significant shift since Meta's acquisition of WhatsApp in 2014 for $19.3 billion; the move was first announced in 2018 but delayed in implementation. Privacy advocates continue to voice concerns, including criticism from the Mozilla Foundation regarding Meta's handling of user data visibility on its AI chatbot. The privacy-oriented approach to advertising on WhatsApp is part of Meta's broader strategy to monetize its services while attempting to maintain user trust and privacy. |
| 2025-06-16 22:06:20 | theregister | CYBERCRIME | Scattered Spider Shifts Focus from Retail to Insurance Cyberattacks | Google has issued a high alert for the insurance sector against Scattered Spider, a cybercrime group that previously targeted retailers in the US and UK. Recent ransomware attacks have afflicted multiple US insurance companies, marked by system outages and compromised customer access. Scattered Spider typically initiates attacks through social engineering, exploiting help desks and call centers with fake support calls. Deployed ransomware includes the DragonForce variant, used notably in attacks on the insurance industry following the retail sector breaches. Google Threat Intelligence Group advises insurers to heighten security measures, suggesting video verification or challenge-response techniques for caller identification. Networks at Erie Insurance and Philadelphia Insurance Companies experienced significant outages suspected to be linked to Scattered Spider's activities. Both insurers are working with cybersecurity experts and law enforcement to investigate and manage the incidents. |
| 2025-06-16 20:43:33 | bleepingcomputer | CYBERCRIME | Scattered Spider Shifts Focus to U.S. Insurance Sector Cyberattacks | Scattered Spider, a versatile hacker group, is now aggressively targeting U.S. insurance companies after previously focusing on U.K. retail businesses. Google Threat Intelligence Group reports multiple breaches in the U.S. insurance sector that showcase typical Scattered Spider tactics, including sophisticated social engineering. The group is known under aliases such as 0ktapus and UNC3944, and employs methods such as phishing, SIM-swapping, and MFA fatigue to initiate breaches. Post-breach tactics include deploying ransomware such as RansomHub and DragonForce, which can severely disrupt affected organizations. To safeguard against these threats, companies are advised to segregate identities, implement strong authentication measures, and educate employees on recognizing impersonation attempts across communication platforms. The NCSC has issued guidelines for organizations to improve cybersecurity defenses, focusing on enhanced authentication processes and monitoring of unusual access patterns. The shift in focus to the insurance industry suggests a need for heightened security vigilance and advanced defense strategies in this sector. |
| 2025-06-16 18:50:46 | theregister | DATA BREACH | Extortion Gang Threatens Release of Freedman HealthCare Data | Extortionists have allegedly stolen 52.4 GB of data, approximately 42,204 files, from Freedman HealthCare and plan to release the information early Tuesday. Freedman HealthCare is a significant player in healthcare data management, working with states and healthcare providers to manage sensitive information such as insurance status and healthcare claims. If verified, this breach could expose sensitive financial and health information of millions of Americans, including those in California, Delaware, and Rhode Island. The theft was claimed on the shame site of World Leaks, a group formerly known as Hunters International, which has shifted from ransomware to pure data theft and extortion. World Leaks has previously been involved in other high-profile thefts, including health insurance information from cancer patients and sensitive images from a plastic surgery center. The potential breach poses a significant threat to the integrity of several state-run health databases and might represent one of the larger recent healthcare data incidents. |
| 2025-06-16 18:12:15 | bleepingcomputer | MALWARE | Critical ASUS Software Bug Grants Administrative Access | A serious vulnerability in ASUS Armoury Crate software, identified as CVE-2025-3464, poses a high security risk (severity score 8.8/10), allowing threat actors to gain SYSTEM-level privileges on Windows devices. The flaw resides in the AsIO3.sys driver used by Armoury Crate for hardware management, which lacks proper OS-level access controls and relies on a hardcoded SHA-256 hash check for authorization. Attackers can exploit this vulnerability by creating a hard link between a benign application and a malicious executable, bypassing the authorization check to gain privileged access. This can lead to full operating system compromise, as it gives attackers low-level system privileges, including direct access to physical memory and I/O ports. CVE-2025-3464 affects all Armoury Crate versions from 5.9.9.0 to 6.1.18.0; users are urged to update their software via the built-in update facility to mitigate the issue. Although there are no reports of active exploitation in the wild, the widespread use of Armoury Crate on computers globally increases the potential attack surface. Cisco Talos discovered and reported the vulnerability to ASUS; ASUS has not observed exploitation in the wild yet and strongly recommends that users apply the latest updates. |
| 2025-06-16 17:54:10 | thehackernews | NATION STATE ACTIVITY | U.S. Cracks Down on North Korean Crypto Laundering Scheme | The U.S. Department of Justice has seized over $7.74 million in cryptocurrency and other digital assets linked to a North Korean IT worker scheme. North Korean IT workers used fake identities to infiltrate U.S. cryptocurrency companies, conducting business to evade sanctions and support Pyongyang's weapons programs. The scheme, tracked as Wagemole and UNC5267, involves the use of stolen identities and AI tools like ChatGPT, and has been operational since 2017. Key facilitators within the network, including Christina Marie Chapman and Sim Hyon-Sop, supported laundering operations through laptop farms and direct cryptocurrency transactions. An analysis by cybersecurity firms identified multiple strategies used by the workers, including exploiting corporate BYOD policies and leveraging remote work tools for illicit activities. U.S. authorities continue to monitor and target the operation to prevent further financial crimes and sanctions violations by North Korea. The situation underscores the ongoing challenges in combating state-sponsored cybercrime and the need for enhanced cybersecurity measures in the private sector. |
| 2025-06-16 16:18:36 | theregister | CYBERCRIME | WestJet Faces Cybersecurity Issues; Operations Remain Unaffected | Canadian airline WestJet is experiencing intermittent service disruptions on its website and app due to a cybersecurity incident. The issues began on Friday, June 13, affecting internal systems and limiting user access to WestJet's digital resources. WestJet has engaged external cybersecurity experts and is cooperating with law enforcement and Transport Canada to address the incident. The airline has not yet confirmed whether the disruptions are due to a malicious attack and cautions against speculation until more information is available. Despite the incident, WestJet's flight operations continue without impact, ensuring safe and stable travel for passengers. WestJet advises customers and employees to exercise caution, particularly with personal information, during this period. Frequent updates are promised as the investigation progresses, with customer service responding to inquiries and concerns as they arise. There is no connection between this incident and previous major disruptions in the airline industry caused by software faults. |
| 2025-06-16 15:10:17 | bleepingcomputer | NATION STATE ACTIVITY | Foreign Government Suspected in Washington Post Email Hack | The Washington Post disclosed a security breach involving the email accounts of several journalists, suspected to have been conducted by a foreign government. The breach was initially identified on a Thursday evening, and an internal investigation began soon after detection. An internal memo informed employees of the unauthorized intrusion, which affected a limited number of Microsoft accounts belonging to journalists. The targeted journalists predominantly covered sensitive topics relating to national security, economic policy, and China. In past incidents, state-sponsored actors and advanced persistent threats (APTs), including those from China, have exploited vulnerabilities in Microsoft Exchange to conduct similar breaches. Microsoft had previously warned of a critical privilege elevation bug in Exchange being exploited as a zero-day for NTLM relay attacks. The Washington Post has not yet publicly disclosed details about the perpetrators or the technical specifics of the breach. |
| 2025-06-16 14:36:32 | theregister | CYBERCRIME | Major Dark Web Drug Marketplace Dismantled in Multi-National Operation | Operation Deep Sentinel, led by Germany's BKA, targeted and shut down Archetyp, a significant dark web drug marketplace operational since 2020. The suspected administrator, a 30-year-old German national, was arrested in Barcelona; searches were also conducted at his properties in Hanover and Bucharest. Over 300 officers were involved in the takedown, resulting in multiple arrests and the confiscation of 47 smartphones, 45 computers, narcotics, and other assets. Archetyp boasted over 600,000 users and facilitated transactions worth at least €250 million; it offered over 17,000 listings from approximately 3,200 vendors. Authorities seized €7.8 million from Archetyp's largest vendor, highlighting the significant financial scale of its operations. The marketplace uniquely allowed transactions in Monero, a cryptocurrency known for its enhanced privacy features, complicating efforts to trace transactions. The coordinated effort involved multiple countries, including the Netherlands, Romania, Spain, Sweden, and the USA, underlining the collaborative nature of tackling sophisticated cybercrime networks. |
| 2025-06-16 14:22:49 | thehackernews | MALWARE | Anubis Ransomware Emerges with Dual Encryption and File Wipe Capabilities | Anubis ransomware, active since December 2024, affects sectors such as healthcare and construction, primarily in Australia, Canada, Peru, and the U.S. This ransomware-as-a-service (RaaS) features a dual-threat capability: encrypting files and permanently destroying them with a wipe mode. Even if victims pay the ransom, file recovery is impossible after the wipe mode has run, because it reduces file sizes to 0 KB without altering names or extensions. The Anubis affiliate program offers notable splits of ransom revenue, promoting further adoption among cybercriminals. Primary infection vectors include phishing emails, followed by privilege escalation, reconnaissance, and deletion of shadow volume copies. Despite sharing a name, Anubis has no affiliation with the Android banking Trojan or the Python-based backdoor linked to the FIN7 group. Recorded Future reports unrelated activity by FIN7, which is using new infrastructure to distribute malware through fake software update websites. |
| 2025-06-16 14:22:49 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2025.2 Update Introduces New Tools and Features | Kali Linux 2025.2, a popular distribution of cybersecurity tools, has been released with significant updates, including 13 new tools. The update features a rebranded car hacking toolkit, renamed from CAN Arsenal to CARsenal, with improved usability. The Kali Menu has been reorganized according to the MITRE ATT&CK framework, making it easier for security professionals to locate tools. Notable user interface improvements include updates to GNOME 48 and KDE Plasma 6.3, aimed at enhancing performance and customization. The release introduces wireless capabilities for the TicWatch Pro 3 as part of its Kali NetHunter updates for penetration tests from smartwatches. Users can perform new installs or update existing Kali Linux systems through the provided ISO images or commands. The new features and tools are designed to support both red team and blue team operations more efficiently, aligning with contemporary cybersecurity frameworks such as NIST CSF and MITRE ATT&CK. |
| 2025-06-16 14:13:38 | bleepingcomputer | DATA BREACH | Zoomcar Reports Major Data Breach Impacting 8.4 Million Users | Zoomcar disclosed a data breach affecting 8.4 million users due to unauthorized system access detected on June 9, 2025. The incident was identified after a threat actor emailed company employees about the cyberattack. The breach compromised sensitive data of a subset of customers, though financial details and plaintext passwords were reportedly not exposed. An internal investigation is ongoing to determine the full scope and impact; the nature of the attack and the responsible party remain unconfirmed. No material disruption to Zoomcar's services has been reported following the breach. As a U.S.-listed company, Zoomcar is obligated to report the incident to the U.S. Securities and Exchange Commission. This breach comes years after a prior incident in 2018 that compromised more extensive personal data, which was later sold on an underground marketplace. |
| 2025-06-16 13:28:47 | theregister | MISCELLANEOUS | Study Shows AI Agents Fall Short in CRM and Confidentiality | Salesforce's AI research finds that LLM-based agents achieve only a 58% success rate on simple CRM tasks. Performance drops significantly, to 35%, when tasks require multiple steps, according to the CRM-focused benchmark CRMArena-Pro. LLM agents exhibit a concerning lack of confidentiality awareness, which negatively impacts their task performance. Salesforce's new benchmark includes rigorous testing using synthetic data to better simulate real CRM scenarios. The research highlights a gap between LLM agent capabilities and the complex demands of real-world enterprise applications. Concerns arise for developers and users who rely heavily on AI for efficiency improvements in business processes. The study indicates that while AI has potential, its current effectiveness in critical business functions remains limited. |