Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-06 14:43:15 bleepingcomputer MALWARE New 'PathWiper' Malware Attacks Disrupt Ukraine's Critical Infrastructure
A newly identified data wiper malware, "PathWiper," targets critical infrastructure in Ukraine, aiming to disrupt operations. Cisco Talos researchers attribute the malware with high confidence to a Russia-linked advanced persistent threat (APT) group, relating it to previous similar attacks. PathWiper is executed through a Windows batch file and uses a VBScript to deploy the primary malware payload, designed to mimic legitimate administrative tools to avoid detection. The malware targets both local and network drives, dismounting volumes and overwriting crucial NTFS structures, rendering affected systems inoperable. Unlike other wiper attacks, PathWiper does not involve financial extortion; its primary goal is operational disruption. Cisco Talos has released file hashes and Snort rules to help detect and mitigate the impact of PathWiper in compromised systems. Data wiper attacks have increased against Ukraine since the start of the conflict with Russia, with various named wipers including DoubleZero and HermeticWiper being deployed.
2025-06-06 14:36:43 thehackernews DDOS Botnets Exploit Wazuh Vulnerability for Mirai DDoS Attacks
Two botnets have exploited a critical vulnerability, CVE-2025-24016, in Wazuh servers to deploy Mirai botnet variants for DDoS attacks. The exploited flaw, an unsafe deserialization allowing remote code execution, was patched by Wazuh in February 2025. Akamai discovered the exploitation shortly after the patch and a proof of concept were released, noting a shrinking window between CVE publication and exploitation. The first botnet delivers a downloader shell script for the LZRD Mirai strain, used in previous IoT device attacks. The second botnet, identified by its use of Italian domain names, deploys the Resbot Mirai variant and targets Italian-speaking users. Analysis of associated infrastructure revealed multiple old and new vulnerabilities being targeted across various devices and routers. These attacks demonstrate the ongoing adaptation and propagation of Mirai botnets using newly disclosed exploits. This incident is part of a broader surge in cyber-attacks in the APAC region, driven by geopolitical tensions and rising hacktivist activity.
2025-06-06 14:00:31 bleepingcomputer RANSOMWARE Qilin Ransomware Exploits Critical Fortinet Flaws in Global Attacks
Qilin ransomware, also known as Phantom Mantis, leverages vulnerabilities in Fortinet devices to bypass authentication and execute remote commands. Recent attacks have targeted high-profile entities including Yangfeng, Lee Enterprises, and significant public services in Australia and the UK, impacting operations and services. The exploited Fortinet vulnerabilities, CVE-2024-21762 and CVE-2024-55591, were previously identified and patched, but continue to be exploited in ransomware attacks. Threat actors currently focus on Spanish-speaking countries, with expectations of expanding the campaign globally without strict geographical or sector-based targeting. CVE-2024-55591 was previously used by other cybercriminal groups and in zero-day attacks, highlighting ongoing risks associated with these vulnerabilities. Despite patches issued by Fortinet and directives from CISA, many devices remain vulnerable, posing significant security risks. Other groups, such as the Chinese Volt Typhoon, have also exploited separate Fortinet flaws for espionage, emphasizing the critical nature of timely and comprehensive patch management.
2025-06-06 13:43:18 thehackernews MISCELLANEOUS Navigating AI Adoption and Data Protection in Enterprises
Generative AI tools rapidly gained popularity across industries due to their potential to enhance productivity and streamline processes. Many organizations, concerned about sensitive data exposure, initially responded by blocking access to public AI applications, which proved ineffective as employees found workarounds. ThreatLabz observed a significant increase in AI and ML traffic within enterprises, detecting unauthorized use of over 800 AI applications despite official restrictions. Historical parallels with SaaS tools suggest that banning AI tools is not feasible; instead, providing secure, approved alternatives could better align with organizational needs and employee habits. Real-time visibility into AI application use is crucial for forming intelligent governance policies that are adaptable and based on zero-trust principles. Zscaler's approach includes context-aware policy enforcement, browser isolation for sensitive transactions, and redirection to safer, organization-approved AI applications. Zscaler's data loss prevention tools have blocked over 4 million potential data leakage incidents, demonstrating the importance of managed solutions in preventing sensitive data exposure. Emphasizing both enablement and protection can facilitate safer, more productive AI adoption within corporate environments.
2025-06-06 13:20:02 theregister NATION STATE ACTIVITY U.S. Targets $7.7 Million Linked to North Korean Money Laundering
The U.S. Department of Justice aims to seize $7.74 million from North Korean IT worker schemes involved in money laundering. Three individuals, including citizens from North Korea, China, and a Hong Kong British national, were indicted for aiding North Korea in circumventing U.S. sanctions. North Korean IT workers secretly infiltrated U.S. companies, including top Fortune 500 and cybersecurity firms, using fraudulent IDs. These workers employed tactics such as sharing workloads and using U.S.-based laptop farms to disguise their actual working locations. The schemes have reportedly netted approximately $88 million for North Korea over six years, with Treasury estimates suggesting annual figures in the hundreds of millions. Payments for these illicit activities were primarily made in stablecoins (like USDC and USDT), which were laundered back to North Korea. The FBI and other U.S. entities remain vigilant, adapting to new methods deployed by North Korean operatives to perpetuate these frauds.
2025-06-06 13:14:37 thehackernews CYBERCRIME Microsoft and CBI Crack Down on Japanese Tech Support Scam
India's CBI arrested four individuals and dismantled two call centers involved in a tech support scam targeting Japanese citizens. The searches were conducted across 19 locations in Delhi, Haryana, and Uttar Pradesh as part of Operation Chakra V. The scam involved impersonating tech support from multinational corporations to deceive victims into transferring funds to mule accounts. Collaboration with Microsoft and the National Police Agency of Japan was crucial in unraveling the scam’s operational structure. Authorities seized computers, storage devices, and other digital evidence, highlighting the use of advanced social engineering and technical subterfuge. The fraudulent operations used generative AI for creating malicious pop-ups and automating language translation to target Japanese victims better. Microsoft's efforts with the Japan Cybercrime Control Center have led to the takedown of approximately 66,000 malicious domains and URLs globally. The case underscores the necessity for continued global collaboration to address the increasing sophistication and connectivity of cybercriminal activities.
2025-06-06 11:35:41 theregister RANSOMWARE Strategies and Dynamics of Navigating Ransomware Attacks
Organizations frequently face ransomware attacks, prompting difficult decisions about whether to pay the ransom or restore systems using backups. Many companies consult with specialists to strategize ransom negotiations or system recovery, though some handle the situation independently. It's crucial to assess and clean infected systems comprehensively to prevent secondary malware attacks even after paying ransom demands. Cyber insurance plays a significant role, often directing the recovery process and potentially increasing the ransom amount if disclosed during negotiations. Expert ransomware negotiators attempt to prolong discussions to reduce ransom amounts, leveraging the attackers' preference for quick settlements. Payment is typically demanded in bitcoin due to its perceived untraceability, although advances in crypto analysis have sometimes enabled fund recovery. The impact of paying ransoms extends beyond immediate financial loss, potentially funding further criminal activities and encouraging future attacks. Maintaining confidentiality about professional assistance and insurance details during negotiations is advised to prevent giving leverage to criminals.
2025-06-06 10:36:26 thehackernews MISCELLANEOUS Embracing AEV for Enhanced Cybersecurity and Continuous Resilience
AEV (Adversarial Exposure Validation) is a cutting-edge technology designed to emulate real cyber-attacks and expose potential security vulnerabilities. Developed to support Continuous Threat Exposure Management (CTEM), AEV helps identify, prioritize, and mitigate risks within organizational networks. The technology integrates elements of Automated Penetration Testing and Breach and Attack Simulation, evolving as a unified solution for offensive cybersecurity strategies. AEV provides organizations with insights on potential attack paths and remediation strategies, making it a vital tool for both red teams and blue teams. Red teams benefit from AEV by gaining an understanding of how attackers could link vulnerabilities to execute a full-scale breach, thereby enhancing their proactive security measures. For blue teams, AEV outlines which defenses are effective and which need reinforcement, improving overall security posture through ongoing, automated testing. Gartner® highlights the increasing overlap and convergence of capabilities in AEV technologies, suggesting a trend towards more integrated cybersecurity testing approaches. Organizations are encouraged to learn more about implementing AEV and its benefits at the upcoming Xposure, Pentera's Exposure Management Summit.
2025-06-06 09:01:25 bleepingcomputer CYBERCRIME Global Crackdown Nets 20 In Child Abuse Content Distribution Ring
Law enforcement authorities from multiple countries arrested 20 suspects involved in the distribution of child sexual abuse material (CSAM). The operation, initiated by the Spanish National Police, began by targeting instant messaging groups spreading CSAM globally. Collaborative efforts included INTERPOL and Europol, facilitating the sharing of intelligence and coordination of arrests across continents. The international crackdown involved seizing significant amounts of digital evidence, including computers and mobile phones. Among those arrested were a teacher and a healthcare worker, highlighting the diverse backgrounds of individuals involved in these criminal activities. In addition, operations led to arrests in various countries, including 10 suspects in Latin America and others in Europe and the United States. Previous related operations this year resulted in over 79 arrests, the identification of hundreds of suspects, and the seizure of thousands of electronic devices. The operation underscored the continuing challenge of combating the global spread of CSAM and the effectiveness of international law enforcement cooperation in addressing these crimes.
2025-06-06 08:38:46 thehackernews MALWARE New Wiper Malware PathWiper Targets Ukrainian Infrastructure
PathWiper, a new data wiper malware, disrupted critical infrastructure in Ukraine, as confirmed by Cisco Talos. The malware was spread via a legitimate endpoint administration tool, suggesting attackers had admin access. The attack is attributed to a Russia-nexus APT actor due to similarities with previous malware and tactics used against Ukraine. PathWiper overwrites data including Master Boot Record and NTFS-related artifacts on identified drives, irreversibly destroying files. The malware mimics system operations and filenames to blend into normal administrative activities, making detection harder. It shares similarities with the HermeticWiper malware, linked to the Russia-associated Sandworm group. The ongoing development of wiper variants like PathWiper indicates persistent cybersecurity threats to Ukrainian infrastructure amid the Russia-Ukraine conflict.
2025-06-05 23:11:02 theregister NATION STATE ACTIVITY U.S. Offers $10M for Info on Russian-Backed Malware Developer
The U.S. State Department is offering up to $10 million for information leading to the identification of individuals behind the RedLine malware, including developer Maxim Rudometov. RedLine, developed by Rudometov after fleeing Ukraine for Russia, has been implicated in global data theft affecting millions of computers since 2020. International law enforcement recently arrested associates in Belgium and pressed charges against Rudometov, revealing a long-term FBI investigation linking his digital footprint to criminal activities. The malware, sold through a malware-as-a-service model, enables other cybercriminals to launch their own theft campaigns. RedLine aids in the theft of personal and financial information, credentials, and cryptocurrency tokens, which are then sold on dark web markets. The malware is used in cyber intrusions possibly orchestrated by state-sponsored actors, potentially tied to Russian government interests. Recent data showed that NordVPN identified stolen data linked to RedLine being heavily traded on underground markets.
2025-06-05 22:10:01 theregister DATA BREACH AT&T Probes Re-Sale of Millions of Customer Records on Dark Web
AT&T is investigating after millions of customer data entries were reportedly listed for sale on a cybercrime forum, potentially originating from a previous breach. The data for sale includes about 86 million unique customer records, featuring dates of birth, phone numbers, email addresses, physical addresses, and approximately 44 million plain-text Social Security numbers. This data dump was first listed on May 15 and re-uploaded on June 3, with the vendor suggesting that the data is not from a new breach but not specifying the exact origin. The stolen data might be partially connected to a breach last year of more than 165 Snowflake customers, including AT&T, where call and text records of around 110 million customers were compromised. Additionally, more than 73 million records of AT&T customers previously stolen and sold by ShinyHunters in March 2024 relate to an even earlier theft from 2021. Industry experts highlight the significant risk this poses, with sufficient personal information compromised to facilitate identity fraud and other malicious activities. AT&T customers are advised to monitor their credit and watch for signs of identity theft or fraud.
2025-06-05 21:38:05 bleepingcomputer MALWARE Over 1 Million IoT Devices Infected by BADBOX 2.0 Malware
The FBI warns that BADBOX 2.0, a malware campaign, has infected over 1 million consumer IoT devices globally. BADBOX 2.0 primarily targets Android-based smart TVs, streaming boxes, and other internet-connected devices manufactured in China. The malware converts infected devices into residential proxies used for various criminal activities, including unauthorized network access. Devices are infected either pre-purchase or through malicious applications from official and third-party app stores during the setup process. Despite a significant disruption attempt in Germany, the botnet continued to expand, infiltrating more mainstream brands and devices. A global operation involving multiple cybersecurity groups partially disrupted the botnet, but it continues to grow as more devices connect online. The FBI advises consumers to isolate suspected compromised devices and restrict their internet access to mitigate further risks.
2025-06-05 20:14:10 theregister MISCELLANEOUS Cellebrite Acquires Corellium, Bolsters Mobile Encryption Cracking Capabilities
Cellebrite has finalized a $170 million acquisition of Corellium, enhancing their capabilities in accessing encrypted devices. Corellium, renowned for its virtual iOS and Android systems, allows researchers to explore mobile systems for security weaknesses without risking the original device. The merger unites two prominent players in legal hacking and is poised to create one of the largest "white-hat" hacking enterprises globally. Chris Wade, co-founder of Corellium and a controversial figure previously pardoned by President Trump, will become Cellebrite's Chief Technical Officer. The acquisition aligns with Cellebrite's commitment to innovation and public safety, offering enhanced forensic exploration tools for law enforcement. The deal awaits approval from the Committee on Foreign Investment in the United States, with expectations to close by this summer. This strategic move is set to increase Cellebrite's clientele, already robust with contracts from Western law enforcement agencies.
2025-06-05 19:47:40 theregister NATION STATE ACTIVITY Trump Nominee Faces Senate Over Proposed CISA Budget Cuts
President Trump’s nominee for national cyber director, Sean Cairncross, affirmed a pro-offensive stance against cyber threats from foreign adversaries during his Senate nomination hearing. Cairncross, previously a White House advisor and RNC official with limited cyber experience, defended the president's decision to reduce funding for the Cybersecurity and Infrastructure Security Agency (CISA). The proposed budget cuts include a $495 million reduction and the elimination of 1,083 jobs at CISA, raising concerns among senators about weakening the nation's cyber defenses. Senator Elissa Slotkin voiced significant concerns, comparing the situation to pre-9/11 security levels and questioning the justification behind the budget cuts given the increasing cyber threats. Meanwhile, Sean Plankey’s nomination for director of CISA was delayed, leaving the agency without a confirmed leader amid ongoing security concerns. Senator Ron Wyden has placed a hold on Plankey’s nomination, demanding the release of an unclassified report on the security of American telecommunications networks. Wyden’s office criticized the Trump administration for neglecting cybersecurity, highlighting several breaches and inadequate responses that could expose the U.S. to significant cyber risks.