Daily Brief

Articles are listed below; each entry carries a generated summary.

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-11 07:52:11 thehackernews NATION STATE ACTIVITY Microsoft Addresses WEBDAV Zero-Day and Other Security Flaws
Microsoft issued patches for 67 vulnerabilities, including a zero-day in the WEBDAV protocol actively exploited by the Stealth Falcon group. The zero-day vulnerability (CVE-2025-33053) allows remote code execution and has been used against targets in Qatar, Saudi Arabia, and Turkey. Stealth Falcon used a phishing attack deploying a .url file to exploit this vulnerability for dropping the Horus Agent malware. This espionage campaign utilized the Mythic command-and-control framework, indicating sophisticated nation-state level operational tactics. In addition to WEBDAV, Microsoft also fixed other critical issues including a severe privilege escalation flaw in Power Automate and vulnerabilities in Windows KDC Proxy Service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to apply the necessary patches by July 2025 due to the severity of the exploits. The patch release also addressed a secure boot bypass bug that allows the execution of untrusted software during the boot process.
2025-06-11 06:34:56 theregister MALWARE Badbox Botnet Evolves, Threatens Devices with Advanced Malware
Badbox 2.0, initially disrupted in 2022, has resurged and evolved, targeting Android-based smart devices with pre-installed backdoors. Security collaborations, including the FBI and Google, continue efforts to curtail the botnet's impact by taking down its command and control infrastructure. Despite these efforts, the botnet made a comeback in 2025, now capable of infecting devices both before and after sale via firmware integration or dubious app installations. It predominantly affects low-cost, minimally supported Android devices manufactured in China and used in streaming boxes and infotainment systems. The botnet operation has shifted focus from ad fraud to leveraging infected devices for residential proxy services, allowing criminals to use legitimate IP addresses for malicious activities. The adoption of the new malware variant vo1d2 indicates a pivot in the botnet's operational tactics, featuring a dynamic domain generation algorithm. Security professionals express concerns over the potential release of Badbox 3, as ongoing demand for affordable Android devices sustains the threat landscape.
2025-06-10 23:40:52 theregister CYBERCRIME Microsoft Releases Patches for 66 Vulnerabilities, Two Actively Exploited
Microsoft identified 66 system flaws needing patches, including ten critical and two actively exploited vulnerabilities. The high-risk zero-day, CVE-2025-33053, actively exploited by Stealth Falcon, affects WebDAV and allows remote code execution through a one-click link. This zero-day vulnerability was used to target a Turkish defense company, inserting malware with a custom keylogger. Another exploited flaw, CVE-2025-5419, lies in the Chromium V8 JavaScript engine impacting Microsoft Edge, following a fresh Google patch. Microsoft also delivered critical patches for Windows SMB Client and Microsoft Office, with vulnerabilities that could potentially grant system privileges or unauthorized access. Comprehensive patches also include improvements for legacy and out-of-support software like Internet Explorer and Windows Server 2008. Adobe and other software vendors like SAP and Fortinet also released significant patches to address multiple vulnerabilities rated from critical to moderate.
2025-06-10 21:49:53 bleepingcomputer MALWARE DanaBot Malware Disruption Enabled by 'DanaBleed' Vulnerability
DanaBot, a malware-as-a-service platform active since 2018, was compromised due to a vulnerability introduced in its June 2022 update. Researchers at Zscaler's ThreatLabz identified the flaw, dubbed 'DanaBleed,' which resulted from inadequate memory handling in the malware's command and control protocol. The exposed memory leak allowed researchers to access critical data about DanaBot’s operations and the cybercriminals behind it. Leveraging this intelligence, an international law enforcement initiative, "Operation Endgame," was launched, resulting in the dismantling of DanaBot's infrastructure. The operation led to the indictment of 16 individuals associated with DanaBot and the seizure of 650 domains and nearly $4,000,000 in cryptocurrency. Despite the core team's location in Russia and their evasion of arrest, the operation has significantly disrupted their operations, likely reducing their credibility in the cybercriminal community.
2025-06-10 21:19:21 bleepingcomputer CYBERCRIME ConnectWise Rotates Certificates to Address Security Flaws
ConnectWise is updating digital code signing certificates for its software products, including ScreenConnect, Automate, and RMM, due to security concerns. The decision came after a third-party security researcher highlighted potential misuse related to ScreenConnect's configuration data handling. This proactive measure is a response to the researcher's warning, not due to a direct security incident or the recent nation-state cyberattack experienced last month. The planned revocation of ConnectWise's existing certificates was extended, giving customers until June 2025 to transition to the new certificates. Upcoming software updates will also address how configuration data is managed within the ScreenConnect application to enhance security. Users are advised to download updated software builds from ConnectWise's 'University page' to ensure compliance with the new security certifications. Cloud-hosted versions of the software will receive automatic updates, but users should verify their systems are current to avoid service interruptions.
2025-06-10 20:02:45 bleepingcomputer MALWARE New Secure Boot Flaw Compromises System Security, Urgent Patch Released
Security researchers have identified a new Secure Boot vulnerability, CVE-2025-3052, that allows attackers to disable system security features and install bootkit malware. The vulnerability stems from a BIOS-flashing utility signed with Microsoft's "UEFI CA 2011" certificate, affecting nearly all systems supporting Secure Boot. The flaw was exploited by modifying a user-writable NVRAM variable to disrupt the UEFI boot process and disable Secure Boot enforcement. Microsoft has responded by adding affected module hashes to the Secure Boot dbx revocation list as part of their June 2025 Patch Tuesday. Alongside CVE-2025-3052, another Secure Boot bypass, CVE-2025-4275, was disclosed and patched, indicating a growing trend in UEFI firmware vulnerabilities. Binarly, the company that disclosed the flaw, has released a proof-of-concept video demonstrating the vulnerability and stresses the importance of applying the updated dbx file immediately. IT organizations are encouraged to automate patch management processes to address vulnerabilities quickly and efficiently, reducing overhead and focusing on strategic tasks.
2025-06-10 18:57:21 theregister DATA BREACH Texas Department of Transportation Reports Major Data Theft
The Texas Department of Transportation (TxDOT) detected unusual activity on May 12 in its Crash Records Information System, which led to the discovery of a data breach. Nearly 300,000 crash reports were illicitly downloaded using a compromised user account, exposing sensitive information of Texas drivers. The exposed personal data includes driver’s license numbers, addresses, license plate numbers, and car insurance policy information, which can be used for fraud or identity theft. Although not legally required to notify affected individuals, TxDOT has proactively started sending letters to those whose information was involved in the breach. The type of data accessed can facilitate insurance fraud, false claims, and even sophisticated phishing attacks aiming to deceive victims with seemingly legitimate offers. The Texas Department of Public Safety is conducting an investigation to understand the full scope and method of the breach. Despite the breach, state officials have not offered credit monitoring or other protective services typically provided following significant data breaches.
2025-06-10 18:32:54 thehackernews MALWARE Adobe Patches Over 250 Security Flaws Across Multiple Products
Adobe has released updates fixing 254 vulnerabilities in its software products, predominantly affecting Adobe Experience Manager (AEM). Of these, 225 were identified in AEM and affect both AEM Cloud Service and older versions up to 6.5.22. The vulnerabilities patched include critical issues that could allow attackers to execute arbitrary code, escalate privileges, or bypass security features. The most severe vulnerability addressed is a reflected XSS flaw in Adobe Commerce and Magento Open Source, with a CVSS score of 9.1, potentially leading to arbitrary code execution. Other critical fixes include improper authorization flaws and multiple code execution vulnerabilities in Adobe InCopy and Substance 3D Sampler. Adobe credits multiple security researchers for discovering and reporting these issues, highlighting the importance of collaborative security efforts. While there have been no reports of these vulnerabilities being exploited in the wild, Adobe strongly advises users to update their software to the latest versions to ensure protection.
2025-06-10 18:13:52 thehackernews MISCELLANEOUS Researchers Identify Security Risks in Salesforce Industry Cloud
Cybersecurity experts found over 20 configuration vulnerabilities in the Salesforce Industry Cloud, risking data exposure. These configuration issues span across various components including FlexCards, Data Mappers, and OmniScript among others. Although Salesforce addressed some vulnerabilities following responsible disclosure, the majority are left for customers to resolve. Identified CVEs such as CVE-2025-43967 and CVE-2025-43698 have been mitigated with new security settings Salesforce customers must activate. The security gaps could lead to significant compliance risks for organizations under regulations like HIPAA or GDPR. A separate zero-day SOQL injection vulnerability was also discovered, potentially allowing attackers to access and extract sensitive data. Salesforce claims that all identified issues have been resolved and patched, with no evidence of these vulnerabilities being exploited in customer environments. The company emphasizes the importance of customer-side configuration for optimal security and regulatory compliance.
2025-06-10 17:40:22 bleepingcomputer CYBERCRIME Microsoft Addresses Exploited Zero-Day in June 2025 Patch Update
Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including ten deemed critical. The patch corrected one actively exploited zero-day and another vulnerability that was publicly disclosed. The actively exploited zero-day involved a remote code execution flaw in Web Distributed Authoring and Versioning (WEBDAV). The exploitation of this vulnerability allowed attackers to execute arbitrary code by having a user click a specially crafted URL. A publicly disclosed elevation of privilege vulnerability in Windows SMB Client was also fixed, which previously allowed attackers to gain SYSTEM privileges. Mitigation strategies for the SMB Client flaw included enforcing server-side SMB signing. Other tech companies have also released updates and advisories in the same period, indicating a broader focus on cybersecurity threats. Microsoft attributes the identification of these flaws to multiple security researchers and organizations.
2025-06-10 16:47:32 thehackernews MALWARE FIN6 Deploys More_eggs Malware Using Fake AWS-Hosted Resumes
FIN6, an e-crime group, is using Amazon Web Services to host fake resumes for phishing attacks on recruitment platforms like LinkedIn and Indeed. The group, operational since 2012, has shifted its focus from targeting point-of-sale systems to deploying malware, specifically More_eggs, through social engineering. More_eggs malware, developed by the Golden Chickens cybercrime group, allows for credential theft, system access, and ransomware attacks. The fake resumes are distributed through domains registered anonymously and protected by GoDaddy's privacy services, complicating attribution and takedown efforts. The phishing sites leverage built-in traffic filtering logic, delivering malicious content only to targets meeting specific criteria like using residential IP addresses. When opened by the targeted individuals, the ZIP file containing the resume triggers the deployment of the More_eggs malware. This sophisticated approach of using realistic job lures, CAPTCHA walls, and evasion techniques allows FIN6 to remain undetected by many security tools.
2025-06-10 16:41:41 bleepingcomputer CYBERCRIME Microsoft Expands Outlook Attachment Blocking for Enhanced Security
Microsoft is set to block additional file types in Outlook Web and the new Outlook for Windows to enhance security measures. The blocked file extensions, effective from early July 2025, will include .library-ms and .search-ms, previously exploited in phishing attacks. These file types have been used to exploit vulnerabilities and facilitate unauthorized access to user data, notably through NTLM hash exposure and malware deployment. The majority of users will not be impacted by this update as these file types are rarely used in regular communications. Organizations that rely on these file types can adjust their settings by modifying the OwaMailboxPolicy objects before the changes take effect. This security update is part of an ongoing effort by Microsoft to disable Office and Windows features that have been manipulated to launch cyber attacks. No specific actions will be required from users as the update will automatically apply to all Outlook Web Access (OWA) Mailbox policies.
2025-06-10 16:33:48 bleepingcomputer DATA BREACH Texas Department of Transportation Suffers Major Data Breach
The Texas Department of Transportation (TxDOT) experienced a significant data breach, with 300,000 crash records stolen from its database. The breach was detected on May 12, 2025, after unusual activity was observed in the Crash Records Information System (CRIS). A threat actor exploited compromised credentials to access and download nearly 300,000 crash reports, leading to unauthorized data extraction. Compromised data may increase the risk of social engineering, phishing, and scamming attacks against individuals whose information was part of the stolen records. TxDOT has started notifying potentially impacted individuals, advising them to be vigilant against identity theft and to monitor their credit reports for suspicious activities. No identity theft protection or credit monitoring services have been offered to the affected individuals by TxDOT, though a dedicated support line has been established. Additional security measures are being implemented by TxDOT to prevent future breaches, including disabling compromised accounts and blocking unauthorized access paths used by attackers.
2025-06-10 16:08:15 theregister MALWARE Critical Wazuh Bug Targeted by Mirai Variants in Botnet Attacks
Cybercriminals exploit a critical remote code execution vulnerability, CVE-2025-24016, in Wazuh, an open-source XDR and SIEM platform. The disclosed vulnerability is actively used in botnet attacks, affecting over 100,000 global enterprises, including Fortune 100 companies. Akamai researchers identified the initial exploitation attempts in March, highlighting the rapidly decreasing time-to-attack post-disclosure. The attackers leverage Mirai botnet variants to attack IoT devices, using both newly discovered and older vulnerabilities across different devices. Domains with Italian names were used in one of the botnets (Resbot), suggesting targeted attacks on Italian-speaking populations. Wazuh has released a patch (version 4.9.1 in October 2024), which mitigates these attacks, emphasizing the importance of timely updates. The presence of publicly shared proof-of-concept (PoC) exploit codes accelerates the propagation and success rate of these botnet attacks. Despite the patch, continuing attacks underscore the need for organizations to swiftly apply security updates to avoid exploitation.
2025-06-10 15:58:59 bleepingcomputer CYBERCRIME FIN6 Hackers Impersonate Job Applicants to Deploy Malware
FIN6, a known cybercriminal group, has adopted a strategy of impersonating job seekers to infiltrate and infect recruitment systems with malware. Recruiting specialists are being targeted through LinkedIn and Indeed, with seemingly benign interactions progressing to phishing emails containing malware-infected resume downloads. The malware, dubbed 'More Eggs,' is delivered through a JavaScript backdoor, enabling credential theft, ransomware attacks, and unauthorized system access. Attackers employ sophisticated methods including environmental fingerprinting and behavioral checks to ensure the malware is delivered only to intended targets and not to security researchers or unintended systems. Recruitment domains are anonymously registered and hosted on AWS, increasing the difficulty of detection by security tools due to the platform's trusted status. FIN6 is expanding its criminal activities from traditional financial fraud and PoS system compromises to advanced ransomware strategies and credential theft. Recruitment professionals are advised to verify candidate identities through direct contact with references, and to exercise caution when asked to download materials from external websites.