Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-09 20:14:37 bleepingcomputer MALWARE Over 84,000 Roundcube Webmail Installations Exposed to RCE Flaw
Over 84,000 internet-exposed Roundcube webmail installations remain vulnerable to CVE-2025-49113, a critical remote code execution flaw. The bug affects Roundcube versions 1.1.0 through 1.6.10 and was fixed on June 1, 2025 in the 1.6.11 and 1.5.10 releases. Exploitation requires an authenticated session, but that has not deterred attackers: the patch was reverse-engineered within days and a working exploit is now being sold on underground forums. The largest numbers of vulnerable instances are in the United States, India, and Germany. The vulnerability was found and reported by security researcher Kirill Firsov, who has published prevention guidance on his blog amid concerns of ongoing exploitation. Recommended immediate actions are updating to the patched releases or, where that is not yet possible, restricting access to the webmail interface and monitoring for signs of exploitation.
2025-06-09 19:44:09 bleepingcomputer CYBERCRIME Google Fixes Exploitable Bug That Leaked User Phone Numbers
A flaw in a deprecated, JavaScript-free Google account recovery form allowed the phone number linked to a Google account to be recovered by brute force. The legacy form lacked the anti-abuse protections of the current flow: researcher BruteCat evaded its rate limiting by rotating through IPv6 source addresses and bypassed the captcha by reusing BotGuard tokens obtained from the JavaScript-enabled form. An attacker needed only the target's profile display name and the partial phone number hint shown by the recovery flow to seed the search. A recovered number enables targeted phishing and SIM-swapping attacks against the account holder. Google raised the issue's severity after BruteCat's report and fully deprecated the vulnerable endpoint as of June 6, 2025. There is no evidence that the flaw was exploited maliciously before the fix. The incident shows that legacy endpoints need the same abuse monitoring and hardening as current ones.
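The bypass described above, a rate limit keyed on the client address while the attacker rotates through addresses in an IPv6 block he controls, is easy to reproduce in miniature. The Python below is an added illustration written for this brief, not BruteCat's tooling or Google's code; the attacker prefix, attempt count, per-key limit and target label are made-up values chosen for the simulation. It runs the same fixed-window counter under three keying strategies: per source address (what the legacy form effectively did), per /64 prefix, and per target account.

```python
"""Why per-IP rate limiting fails against IPv6 address rotation.

Added example for this brief (not BruteCat's or Google's code). The
limit, attacker prefix and attempt count below are assumptions chosen
for the simulation.
"""
import ipaddress
from collections import defaultdict
from typing import Callable, Iterator

KeyFunc = Callable[[str, str], str]


class RateLimiter:
    """Fixed-window counter: the first `limit` requests per key are
    allowed, every further request for that key is rejected."""

    def __init__(self, limit: int, key_func: KeyFunc) -> None:
        self.limit = limit
        self.key_func = key_func
        self.counts: dict[str, int] = defaultdict(int)

    def allow(self, client_ip: str, target: str) -> bool:
        key = self.key_func(client_ip, target)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def key_by_address(client_ip: str, target: str) -> str:
    """Naive keying: one bucket per exact source address."""
    return str(ipaddress.ip_address(client_ip))


def key_by_prefix(client_ip: str, target: str) -> str:
    """Bucket IPv6 clients by /64 (the smallest block an end user is
    normally assigned); IPv4 clients stay keyed by exact address."""
    addr = ipaddress.ip_address(client_ip)
    plen = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def key_by_target(client_ip: str, target: str) -> str:
    """Bucket by the account being probed, independent of the source."""
    return f"target:{target}"


def rotating_addresses(prefix: str, n: int) -> Iterator[str]:
    """Yield n distinct addresses inside an attacker-controlled block."""
    net = ipaddress.ip_network(prefix)
    base = int(net.network_address)
    for i in range(1, n + 1):
        yield str(ipaddress.ip_address(base + i))


def simulate(limit: int, key_func: KeyFunc, attempts: int = 1000,
             prefix: str = "2001:db8:1:2::/64",
             target: str = "victim-display-name") -> int:
    """Return how many of `attempts` guesses the limiter let through when
    every guess arrives from a fresh address inside `prefix`."""
    limiter = RateLimiter(limit, key_func)
    return sum(limiter.allow(ip, target)
               for ip in rotating_addresses(prefix, attempts))


if __name__ == "__main__":
    for name, fn in [("per address", key_by_address),
                     ("per /64", key_by_prefix),
                     ("per target", key_by_target)]:
        print(f"{name:12s} allowed {simulate(20, fn)} of 1000 guesses")
```

With a limit of 20, per-address keying lets all 1000 guesses through, while per-/64 and per-target keying each stop at 20. Prefix keying has two caveats the per-target key does not: it can lock out legitimate users who share a /64 with an abuser, and it does nothing against an attacker who rotates across many IPv4 addresses (proxies), since each is its own /32. Limiting guesses per targeted account is what closes the hole regardless of where the traffic comes from.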
2025-06-09 18:29:12 bleepingcomputer NATION STATE ACTIVITY SentinelOne Reports Being Targeted by China-Linked Hackers in Global Campaign
SentinelOne has published further details on a China-linked campaign that ran from June 2024 to March 2025 and hit more than 70 organizations across government, telecom, finance, manufacturing and other sectors, including a failed supply chain attempt against SentinelOne itself. The company tracks the activity as two clusters, 'PurpleHaze' and 'ShadowPad' (the latter named after the backdoor it deployed). Initial access relied on exploiting edge devices, notably Ivanti Cloud Service Appliances and Check Point gateways. In October 2024 the PurpleHaze cluster scanned SentinelOne's internet-facing servers and registered look-alike domains mimicking its infrastructure, using then-undisclosed Ivanti flaws to deploy the GOREshell backdoor. Later, the ShadowPad cluster compromised an IT services firm that handles hardware logistics for SentinelOne, a foothold that could have enabled a supply chain breach; the ShadowPad payload was obfuscated with the ScatterBrain obfuscator. The operators also used PowerShell scripts for delayed execution and data exfiltration to improve stealth and persistence. SentinelOne confirmed that none of its own systems were breached, but the campaign underlines how persistently state-sponsored actors pursue security vendors and critical infrastructure.
2025-06-09 17:23:41 theregister CYBERCRIME Major Organic Food Supplier Hit by Cyberattack, Operations Disrupted
United Natural Foods discovered a cyberattack on June 5 and shut down systems to contain it. The outage disrupted the company's ability to fulfill and ship orders to major retailers such as Whole Foods and Walmart. The company activated its incident response plan, engaged third-party cybersecurity experts, notified law enforcement, and is working to mitigate and remediate the impact. It has not said what kind of attack it was, but the pattern of shutting systems down to contain an intrusion is typical of the ransomware incidents that have hit the sector recently. Continued disruption could ripple through food supply chains and push up consumer prices. United Natural Foods plays a critical role in the North American market, supplying more than 30,000 retail locations and reporting $8.2 billion in net sales for its fiscal second quarter.
2025-06-09 16:13:33 bleepingcomputer DATA BREACH Sensata Technologies Hit by Ransomware, Personal Data Stolen
Sensata Technologies suffered a ransomware attack on April 6 that resulted in a significant data breach. The company, which makes sensors and industrial technology for the automotive and aerospace sectors, has confirmed that personal data of current and former employees and their dependents was stolen. An SEC filing in April acknowledged the attack and the resulting disruption to shipping, manufacturing, and other operations. The investigation, conducted with external experts, found that the intruders had access to Sensata's network from March 28 to April 6 and copied sensitive files during that time. On May 23, Sensata determined exactly which data had been taken and began notifying the affected individuals. Those affected are being offered one year of free credit monitoring and identity theft protection. No ransomware group has claimed responsibility so far. Sensata's annual revenue exceeds $4 billion, which underlines the scale of the incident for a major industrial technology supplier.
2025-06-09 15:50:46 bleepingcomputer MISCELLANEOUS Enhancing Cyber Defense with Wazuh in Blue Team Playbooks
Blue Teams use structured playbooks for consistent incident response, with defined steps to identify, contain, and remediate threats. Wazuh, an open-source security platform combining SIEM and XDR capabilities, supports these playbooks with real-time detection, automated response actions, and incident management, correlating security data across endpoints, cloud and network environments. The article walks through playbook examples in which Wazuh detects common threats such as credential dumping, web shell activity, data exfiltration, and brute-force logins. The scenarios show how Wazuh surfaces suspicious activity through log analysis, file integrity monitoring, and network activity tracking. Wazuh covers the full incident response lifecycle, from preparation through detection, analysis, containment, recovery and post-incident lessons learned. Its integrations with other security tools are presented as the basis for a unified Blue Team workflow.
2025-06-09 15:25:09 thehackernews NATION STATE ACTIVITY China-Linked Cyber Espionage Affects Over 70 Global Entities
Over 70 organizations worldwide, including a South Asian government entity and a European media group, were targeted in cyber espionage operations linked to China. The attacks, spanning July 2024 to March 2025, hit the manufacturing, government, finance, telecommunications, and research sectors. SentinelOne attributes part of the activity to the PurpleHaze cluster, which overlaps with the known Chinese espionage groups APT15 and UNC5174. Early activity included reconnaissance against SentinelOne's own servers and an intrusion at an IT services firm that handles the company's hardware logistics. SentinelOne identified six distinct activity clusters dating back to June 2024, which among other things deployed the ShadowPad malware. The campaign also marks the first observed use of tools published by The Hacker's Choice in state-sponsored attacks. SentinelOne's ongoing monitoring and attribution work suggests a broad, layered operation aimed at espionage well beyond the initially compromised entities.
2025-06-09 14:51:08 thehackernews DDOS Critical CVE-2025-24016 Vulnerability Abused by Multiple Mirai Botnets
Two distinct Mirai-based botnets are exploiting CVE-2025-24016, a critical unsafe-deserialization flaw in the Wazuh server that allows remote code execution. The bug affects Wazuh versions from 4.4.0 up to 4.9.0 and was fixed in 4.9.1, released in February 2025. The first botnet uses a shell script to download and run the LZRD Mirai variant from an external server, with builds for multiple device architectures. The second, dubbed Resbot, exploits the same flaw through similar scripts and spreads via domains with Italian names, suggesting a focus on Italian-speaking targets. Beyond CVE-2025-24016, both botnets also exploit known vulnerabilities in TP-Link and ZTE routers and other devices. Propagation techniques include spreading over FTP (port 21), telnet scanning, and reuse of the leaked Mirai source code to build or repurpose botnets. The incidents highlight how quickly attackers weaponize published flaws and the continuing difficulty of securing IoT and network infrastructure against DDoS botnets.
2025-06-09 14:28:23 bleepingcomputer MISCELLANEOUS Enhancing Cyber Defense with Wazuh: Effective Blue Team Playbooks
Blue Teams use structured playbooks to ensure consistent, timely responses to cyber threats in line with organizational policy. A playbook lays out the process from identifying and containing an incident through to remediation, reducing the impact of an attack. At the core of Blue Team playbooks is incident response (IR), with actionable steps for specific threat types. Wazuh is presented as a versatile security platform that combines SIEM and XDR functionality to support Blue Teams in real-time detection and incident management. With Wazuh, teams can detect and respond to threats including credential dumping, web shells, data exfiltration, and brute-force login attempts. Its open-source nature allows extensive customization and community-driven rule updates. By correlating security data across environments, Wazuh strengthens the detection and analysis phase of incident response.
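Both Wazuh entries above cite brute-force login detection through log analysis as a playbook example. As an added illustration written for this brief (not Wazuh's own rule set and not code from the article), the Python below implements the core of that detection over a handful of constructed sshd log lines: a sliding window of failed logins per source address that raises one alert when the count reaches a threshold, plus a higher-severity alert when a successful login then follows from the same source. The threshold, the window length and the sample log lines are all assumptions.

```python
"""Sliding-window brute-force detection over sshd auth log lines.

Added example for this brief; the log lines, threshold and window are
constructed for illustration and are not taken from the Wazuh article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the Failed/Accepted lines that OpenSSH writes to auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: one burst from 203.0.113.7 ending in a successful
# root login, plus a single innocuous failure from 198.51.100.4.
SAMPLE_LOG = """\
Jun  9 14:51:01 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  9 14:51:04 mail sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun  9 14:51:09 mail sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jun  9 14:51:15 mail sshd[2108]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jun  9 14:51:20 mail sshd[2110]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jun  9 14:51:33 mail sshd[2112]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Jun  9 14:52:10 mail sshd[2120]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Jun  9 14:55:00 mail sshd[2130]: Accepted publickey for alice from 198.51.100.4 port 40020 ssh2
Jun  9 14:55:01 mail sshd[2130]: pam_unix(sshd:session): session opened for user alice
""".splitlines()


def parse(line: str, year: int = 2025):
    """Return (timestamp, result, user, ip) or None for irrelevant lines.
    syslog timestamps carry no year, so one is supplied (assumed 2025)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padding before single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window_s: int = 60):
    """Emit ('brute_force', ip, ts, user) when `threshold` failures from one
    source fall inside `window_s` seconds, and
    ('success_after_brute_force', ip, ts, user) when a login from that
    source then succeeds while the burst is still inside the window."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have aged out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:  # alert once per burst, not on every extra failure
                alerts.append(("brute_force", ip, ts, user))
        elif len(q) >= threshold:
            alerts.append(("success_after_brute_force", ip, ts, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the fifth failure from 203.0.113.7 at 14:51:20 produces the brute-force alert and the accepted root login 13 seconds later produces the follow-on alert; the single failure from 198.51.100.4 has aged out of the window by the time that user logs in, so it stays quiet. The second alert type is the one worth paging on: a burst of failures is routine internet noise, a success right after one is a likely credential compromise and the trigger for the containment steps in the playbook.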
2025-06-09 13:33:57 bleepingcomputer CYBERCRIME United Natural Foods Incapacitated by Major Cyberattack
United Natural Foods (UNFI) has been hit by a significant cyberattack that forced it to shut down several systems. The disruption has affected UNFI's ability to fulfill and distribute customer orders. UNFI, one of the largest grocery wholesalers in North America, reported the disruption shortly after discovering the attack on June 5. It activated its incident response plan, which included taking certain systems offline to contain the intrusion, and engaged external cybersecurity experts to investigate and assist with recovery. Despite the shutdowns, UNFI has put workarounds in place to maintain some level of service while it works to restore systems safely. Law enforcement has been notified, and UNFI continues to assess and mitigate the incident's impact.
2025-06-09 11:28:22 thehackernews MALWARE Google Addresses Exploited Chrome Vulnerability; Urges User Updates
Google has patched CVE-2025-5419, an actively exploited zero-day in Chrome's V8 JavaScript engine. The flaw could let a remote attacker trigger heap corruption through a crafted HTML page. Fixed builds 137.0.7151.68/.69 are rolling out for Windows and macOS, with a corresponding Linux build. The bug was reported by Google's Threat Analysis Group, which tracks in-the-wild exploitation. Users should update Chrome (and Chromium-based browsers as their vendors ship fixes) without delay. The same weekly recap lists several other newly reported CVEs affecting Cisco, VMware, and IBM products, among others, and recommends enabling Microsoft Defender Attack Surface Reduction (ASR) rules to block common malware techniques.
2025-06-09 11:03:51 thehackernews MISCELLANEOUS Shadow IT Risks Expose Corporate Data Beyond Typical Security
Shadow IT covers unsanctioned apps, dormant accounts, and unmanaged user identities that standard controls such as CASBs and identity providers often miss. It includes over-permissioned SaaS tools, orphaned access rights, and applications created inside platforms like Google Workspace without authorization. The article argues that shadow IT is no longer only a visibility problem but a material attack surface that can lead to inadvertent data leaks and breaches. Examples given include dormant access that attackers can take over, AI tools reading sensitive company information, and former employees who still hold admin rights. Wing Security's platform is pitched as the answer: it automatically discovers applications, users, and integrations and flags permissions, MFA status, and misconfigurations. The vendor says this lets companies unify SaaS security, correlate events across applications, and address issues proactively, turning unknown software usage into monitored assets.
2025-06-09 10:41:29 theregister MISCELLANEOUS Big Tech's Reluctance to Block Stolen Phones Explained
The UK's proposal to remotely disable stolen mobile phones depends on cooperation from Apple and Google, and both are reluctant. Every handset has a unique International Mobile Equipment Identity (IMEI), which carriers already use to blocklist stolen devices so they cannot register on mobile networks. The same identifier could be used to block stolen phones from the vendors' cloud services, which would make them effectively worthless to thieves, but Apple and Google have resisted doing so. Apple argues that cloud-side IMEI blocking could have unintended security consequences, including a greater risk of blackmail, while Google maintains that the IMEI should remain an identifier managed between carriers and subscribers. The article attributes part of the reluctance to economic incentives, since every connected device keeps generating revenue. Critics argue that this stance sustains the market for stolen phones and ignores the wider harm, from personal loss to follow-on crimes such as identity theft. The author concludes that tackling device theft and related identity crime would require systemic cooperation and significant investment in consumer-focused security, and sees little motivation in the industry to start.
2025-06-09 10:11:38 theregister NATION STATE ACTIVITY SentinelOne Uncovers Extensive China-Linked Cyberespionage on Global Scale
SentinelLABS reports more than 75 organizations worldwide, including governments and operators in critical sectors, targeted by suspected Chinese state actors using the ShadowPad and GOREVERSE backdoors. The access appears to be pre-positioning, establishing and holding footholds ahead of a potential conflict rather than causing immediate disruption. Notable victims include a European media group and a South Asian government entity, both of high intelligence value to Beijing. SentinelOne's own infrastructure was among the targets, including through an IT logistics supplier, which investigators read as groundwork for a supply chain attack in the mould of the SolarWinds breach. The campaign is linked to the Chinese espionage groups APT15 and UNC5174, both known for extensive, state-backed intrusion capability. Initial access exploited the Ivanti Cloud Services Appliance vulnerabilities CVE-2024-8963 and CVE-2024-8190 before they were publicly disclosed, i.e. as zero-days. The investigation is ongoing, and the victim count is expected to rise as further compromised organizations are identified.
2025-06-09 08:06:18 theregister MISCELLANEOUS Balancing Cybersecurity: Technology vs Human Risk Management
Executives and technologists tend to prioritize revenue and technological fixes, sidelining human risk management (HRM) in cybersecurity. The article argues that most breaches stem from human error, such as falling for phishing or using weak passwords, rather than from technology failures. Security leaders gravitate to technology investments because they understand and trust them, while the harder work of cultural change is neglected. The result is a persistent internal tension between buying more advanced tools and implementing effective HRM, reinforced by consulting firms that push technology-heavy strategies. Frameworks such as NIST's Cybersecurity Framework and ISO 27001 already provide guidance on combining HRM with technical controls. Real organizational security needs balanced attention to both the tools and the people who use them; the challenge is getting leaders to recognize this and demand that balance amid competing priorities.