Daily Brief

2025-06-10 15:29:02 bleepingcomputer MALWARE Ivanti Fixes High-Severity Vulnerabilities in Workspace Control
Ivanti released updates for three high-severity hardcoded key vulnerabilities in Workspace Control, affecting SQL credential security. These flaws, identifiable as CVE-2025-5353, CVE-2025-22455, and CVE-2025-22463, allow local authenticated attackers to decrypt stored credentials. Successful exploitation could lead to privilege escalation and system compromise, depending on the targeted account. No current evidence suggests these vulnerabilities have been exploited in the wild before their public disclosure. Ivanti emphasizes that the vulnerabilities were responsibly disclosed, and they are not aware of any exploits in customer environments prior to this disclosure. The affected product, Workspace Control, will reach end of life in December 2026, ceasing security patches and technical support thereafter. Ivanti previously addressed other critical vulnerabilities across different products, including a critical authentication bypass and zero-day flaws exploited by state-linked actors.
2025-06-10 15:05:05 theregister CYBERCRIME How AI is Revolutionizing the Battle Against Ransomware
AI is increasingly utilized by IT security teams, with 90% adopting it to counter complex ransomware threats, as per Delinea's 2025 report. AI enhances SOC operations by analyzing alerts in real-time, prioritizing incidents, and enabling analysts to focus on strategic responses. AI tools are effective in detecting Indicators of Compromise by scanning large data sets and identifying potential ransomware threats swiftly. Phishing, a common ransomware tactic, is being countered by AI through email pattern analysis and real-time detection of suspicious activities. AI-driven improvements in identity and access management systems help automate critical functions and reduce the risk of unauthorized access. AI technologies are vital in preempting phishing attempts and improving security training through realistic simulations and response tracking. The adoption of AI is transforming cybersecurity from reactive to proactive, providing a strategic edge against ransomware attacks. For a comprehensive understanding of AI-influenced cybersecurity practices, the Delinea 2025 State of Ransomware Report offers expert insights and data.
2025-06-10 14:22:31 thehackernews MALWARE Rust-Based Myth Stealer Malware Exploits Fake Game Sites
A new Rust-based information stealer, Myth Stealer, is being spread via fraudulent gaming websites. Initially offered for free on Telegram, Myth Stealer has transitioned to a malware-as-a-service model and is capable of stealing passwords and autofill data from browsers like Chrome and Firefox. The malware deceives users with a fake setup window while executing malicious code in the background, employing anti-analysis techniques to evade detection. Telegram has shut down multiple channels used by the operators to advertise compromised accounts and share testimonials. Distribution methods include fake gaming sites on Blogger and cracked game cheating software, highlighting diverse attack vectors. Myth Stealer attempts to terminate processes on infected systems to steal data, which it then exfiltrates to a command and control server or via Discord webhooks. The malware's capabilities are being continuously updated, including new functionalities like screen capture and clipboard hijacking.
2025-06-10 14:05:56 bleepingcomputer DATA BREACH New Report Uncovers AI as Potential Trigger for Data Breach
The report identifies a critical vulnerability in enterprise data security posed by AI systems, which act like digital agents, accessing and potentially exposing sensitive data. Varonis' research, involving 1,000 real-world IT environments, highlights that 99% of organizations have sensitive data that AI could inadvertently expose. The use of AI technologies can lead to unintentional data exposure due to a lack of understanding of AI permissions models and adequate data protection measures. AI-driven analytics tools and customer support bots could access or reveal internal sensitive data such as employee salaries, R&D insights, or source code with minimal user interaction. The integrity of data fed into AI systems, particularly Large Language Models (LLMs), is crucial; incorrect or manipulated data can have disastrous consequences. Varonis emphasizes the importance of implementing robust data security practices and proactive measures to safeguard data in the era of AI. The "State of Data Security Report" by Varonis sheds light on various risk aspects including cloud complexities, unsanctioned apps, and inadequate multifactor authentication practices contributing to the heightened risk landscape.
2025-06-10 13:04:52 theregister NATION STATE ACTIVITY Trump Cancels Digital ID Rules Aimed at Preventing Fraud
President Trump revoked an executive order by Biden focused on enhancing cybersecurity and reducing identity fraud. Trump's action removed mandates for digital ID usage, claiming they aided immigrants in committing fraud, a claim disputed by experts. Digital identity and cybersecurity experts argue that digital IDs are crucial for securing federal systems against sophisticated fraud rings and nation-state actors. Key criticisms include the rollback of required secure software development practices, making them voluntary, which may lead to slower adoption and increased risks. Cybersecurity professionals stress that ransomware gangs and foreign-government-sponsored goons primarily exploit stolen identities, not immigrants. The removal of these mandates is seen as a step back in fighting the advanced fraud and cyber threats facing the nation. Experts call for a national strategy on digital fraud and emphasize the importance of treating digital identity as critical infrastructure.
2025-06-10 12:24:33 theregister CYBERCRIME Flaw in Google Authentication System Exposed User Phone Numbers
A white-hat hacker identified a security vulnerability in Google's authentication process that enabled a brute-force attack to recover user phone numbers. The exploit required only the victim's email address to reveal the phone number linked to the Google account. The hacker, known as Brutecat, used Google Looker Studio and cloud computing resources to exploit the system and obtain phone numbers quickly. Google's account recovery flow provided partial phone number hints that were susceptible to brute-forcing, particularly because its anti-abuse protections relied on JavaScript. The exploitation process involved creating a Looker Studio document and transferring its ownership to the victim's account, revealing the victim's phone number without any interaction on their part. Google initially awarded the researcher $5,000 for the discovery, which was considered low given the potential impact of the exploit. Google has since patched the vulnerability and emphasized the importance of collaboration with the security research community to uphold user safety.
2025-06-10 12:02:02 bleepingcomputer CYBERCRIME Five Guilty in $36 Million Cryptocurrency Investment Scam
Five men from China, the United States, and Turkey have pleaded guilty to laundering nearly $37 million stolen from U.S. citizens through cryptocurrency investment scams originating in Cambodia. Victims were contacted via unsolicited messages through social media, phone calls, texts, and online dating services and deceived into investing in fraudulent digital asset opportunities. The illicit funds, totaling over $36.9 million, were funneled from U.S. bank accounts to a Bahamian account held by Axis Digital Limited, a company established specifically for these fraudulent operations. Key players included Joseph Wong, who led a Los Angeles-based network of money launderers; Jose Somarriba and Shengsheng He, who founded Axis Digital; and Jingliang Su, who facilitated converting and transferring the victim funds using cryptocurrency. Suspects laundered the stolen amounts through various shell companies, U.S. and international bank accounts, and digital asset wallets, converting much of these funds to Tether (USDT) and moving them to a wallet in Cambodia. Consequences for those involved include possible sentences of up to 20 years for money laundering conspiracy and up to five years for operating an unlicensed money services business. This case highlights a concerning trend reported by the FBI, with over $6.5 billion lost to investment scams in one year alone, marking a significant increase from previous figures.
2025-06-10 11:06:02 thehackernews CYBERCRIME Increasing Security Threats from Non-Human Identities in Enterprises
Modern enterprises increasingly rely on non-human identities (NHIs) like API keys and OAuth tokens, frequently outnumbering human users. A report indicated that 46% of organizations have suffered compromises related to NHI accounts, spotlighting significant security vulnerabilities. The proliferation of cloud services and automation technologies has prompted a rapid increase in NHIs, complicating their management and security. Over 80% of organizations plan to enhance their investment in securing NHIs, reflecting growing awareness of their critical role and associated risks. NHIs often lack robust security measures such as multi-factor authentication (MFA), making them susceptible to attacks and secret leakages. NHIs can accrue excessive permissions and static credentials, further expanding the potential attack surface for cyber adversaries. CISOs are challenged with implementing effective security protocols for NHIs to mitigate risks and ensure safe operations across digital environments. An upcoming webcast is scheduled to address strategies for managing both human and non-human identities within unified systems to reduce risks and complexity.
2025-06-10 10:51:29 theregister CYBERCRIME M&S Resumes Limited Online Orders After Cyberattack Impact
Marks & Spencer has partially restored its online ordering capabilities, 46 days after a significant cyberattack in April. Online ordering was initially unaffected, but the disruption expanded and online and app orders were suspended. The attack purportedly involved DragonForce ransomware and resulted in the theft of customer data, the details of which remain undisclosed. The UK retailer now offers online purchases of select fashion ranges in England, Scotland, and Wales, though deliveries are delayed and service options like Click & Collect are still unavailable. M&S estimates a £300 million ($404.7 million) operating profit loss for the next financial year due to the cyber incident, although it plans to offset this through cost-cutting, insurance claims, and trading actions. Despite a stark drop in share price immediately following the attack, news of the returning online service caused a 3% increase in M&S's stock value. The company hints at using this crisis to accelerate its digital transformation, with further restoration of normal service expected gradually.
2025-06-10 10:15:46 thehackernews CYBERCRIME Researcher Identifies Google Security Flaw Exposing User Phone Numbers
A security flaw in Google's account recovery feature allowed for the potential exposure of linked recovery phone numbers. The vulnerability was identified by Singaporean researcher "brutecat" in the non-JavaScript version of the Google username recovery page, which lacked sufficient anti-abuse protections. By bypassing CAPTCHA-based rate limits, an attacker could determine all possible phone number combinations for a Google account quickly. Additional exploits could unveil the country code of the phone number and the user's full name using Google's Forgot Password feature and Looker Studio documents. The flaw could lead to SIM-swapping attacks, risking the takeover of any accounts connected to the compromised phone number. Following responsible disclosure in April 2025, Google awarded the researcher a $5,000 bug bounty and resolved the issue by removing the vulnerable username recovery page. Prior disclosures by the same researcher uncovered similar issues revealing YouTube channel owners' email addresses and monetization details via YouTube's API flaws.
2025-06-10 10:01:44 theregister DATA BREACH Global Data Leak: 40K IoT Cameras Expose Sensitive Locations
Researchers accessed live feeds of 40,000 IoT cameras globally, exposing datacenters, healthcare facilities, and more. The majority of the exposed cameras were in the U.S., where 14,000 camera feeds were accessible, posing espionage threats. DHS had previously warned about the espionage risks associated with poorly secured cameras, especially Chinese-made ones. Bitsight identified both HTTP and RTSP camera technologies as avenues for unauthorized access to sensitive live feeds. Security gaps allow easy access without sophisticated tools; in some cases, only a web browser is needed. The exposed cameras not only compromise national security but also create criminal opportunities by giving insight into retail and residential patterns. The findings raise concerns about the lack of default encryption and security controls in IoT devices, particularly in critical infrastructure. Bitsight also noted the presence of an online cybercriminal community that exchanges information about accessible cameras.
2025-06-10 07:49:20 thehackernews NATION STATE ACTIVITY Rare Werewolf APT Targets Russian Enterprises Using Legit Software
Rare Werewolf APT, previously known as Rare Wolf, conducts cyberattacks on enterprises in Russia and CIS countries, leveraging legitimate third-party software. The group uses command files and PowerShell scripts to infect systems, siphon credentials, and deploy XMRig cryptocurrency miners. Primary attack vectors include phishing emails with password-protected archives that deliver malware alongside legitimate applications like 4t Tray Minimizer. Other tools deployed post-infection include Mipko Employee Monitor, WebBrowserPassView, and Defender Control, used for further data theft and for disabling antivirus. The attacks feature unusual operational details, such as waking compromised systems on a schedule at 1 a.m. and shutting them down by 5 a.m. once data theft is complete. Hundreds of users across industrial and educational sectors in Russia, Belarus, and Kazakhstan have been affected. The use of legitimate tools complicates the detection and attribution of the group's malicious activities. Similar attacks by another group, DarkGaboon, were mentioned, using LockBit 3.0 ransomware in a parallel but separate campaign targeting Russian entities.
2025-06-10 06:41:23 theregister MISCELLANEOUS Apple Unveils Swift-Based Linux Containerization Framework
Apple has introduced a new open-source containerization framework designed to run Linux container images on Macs, improving performance and security. The framework allows each Linux container to operate within its own lightweight virtual machine (VM), enhancing operational efficiency and security by minimizing shared resources. This development targets developers who prefer Mac hardware but need to deploy applications in a Linux environment, providing a stable and optimized solution that utilizes Apple's Swift programming language and is tailored for Apple Silicon chips. Existing tools like Docker and Podman have offered similar capabilities, but Apple's solution promises better integration and performance on Mac systems. The new containerization approach uses a minimal root filesystem and an optimized Linux kernel to achieve faster start times and a smaller attack surface for security. Apple’s documentation highlights unique features such as dedicated IP addresses for each container, eliminating the need for individual port forwarding and supporting quicker setup and management. However, the framework's full capabilities will only be unlocked with the future macOS 26 Tahoe release, suggesting limited functionality with the current macOS 15 Sequoia. The framework is still in development, with upcoming updates expected to introduce features like memory ballooning, which allows VMs to adjust memory dynamically.
2025-06-10 05:45:40 thehackernews NATION STATE ACTIVITY CISA Flags Erlang SSH and Roundcube Flaws for Immediate Fixes
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities catalog. These vulnerabilities are actively exploited, but specific details about the exploitation techniques and the perpetrators remain undisclosed. Recent reports by ESET identified that a Russia-linked group, APT28, exploited similar vulnerabilities to target Eastern European governmental and defense sectors. It is uncertain whether the newly reported abuse of CVE-2024-42009 relates directly to APT28's activities or to a different threat. Roughly 340 Erlang servers are currently exposed, though not all of them are necessarily susceptible to the reported flaw. CVE-2025-32433 has seen rapid follow-ups, with several proof-of-concept exploits made publicly available soon after its disclosure. Federal Civilian Executive Branch (FCEB) agencies must apply fixes for these vulnerabilities by June 30, 2025, to mitigate the risk adequately. In a related security issue, Patchstack has highlighted an unpatched severe vulnerability in the PayU CommercePro plugin for WordPress, impacting over 5,000 active installations and allowing account takeover without authentication.
2025-06-09 22:32:32 bleepingcomputer DATA BREACH Ticketmaster Data Resold by Arkana Security, Linked to Past Breach
Arkana Security briefly advertised over 569 GB of purportedly "new" Ticketmaster data for sale, which was actually from the 2024 Snowflake data theft. The data was previously compromised during attacks by the threat group ShinyHunters, which used stolen Snowflake credentials to access and extort multiple companies. Screenshots and file names from the Arkana post matched the data stolen in 2024, debunking claims of a new breach. The extortion attempt included offering print-at-home tickets and tickets to celebrity concerts to pressure victims. The origin of the resold data and how Arkana came to possess it remain unclear, with potential ties to ShinyHunters or other associated actors. The listing for the Ticketmaster data was removed from Arkana's site as of June 9, indicating a possible cessation or shift in their strategy. ShinyHunters, known for numerous high-profile breaches, has seen several associated threat actors arrested, raising questions about the current composition and operations of the group. Ticketmaster and Arkana did not respond to inquiries regarding the data listing, leaving some details unconfirmed.