Daily Brief


Total articles found: 11815

2025-06-05 07:31:37 bleepingcomputer CYBERCRIME Interlock Ransomware Strikes Kettering Health, Leaks Sensitive Data
The Interlock ransomware gang attacked Kettering Health, compromising its network and leaking stolen data. The attack on May 20 disrupted Kettering Health's operations, forcing a shutdown of its call center and some patient care systems. The attackers claimed to have stolen over 941 GB of data, including sensitive information such as bank and payroll details and patient data. Kettering Health's electronic health systems have been partially restored, but some applications, such as MyChart, remain offline. The incident caused significant disruption, leading to the cancellation of elective procedures, although emergency services continued. Interlock, a relatively new cybercrime group first identified in 2024, has previously targeted healthcare entities and employed tactics such as deploying remote access trojans (RATs). The healthcare provider has been working to manage the aftermath and secure patient data, and has set up a temporary phone line for urgent inquiries.
2025-06-05 06:34:40 theregister MALWARE Resilient Old GitHub Bug Finally Addressed by Automated Patching
Researchers have developed a system to automatically detect, exploit, and remedy a persistent path traversal vulnerability first identified on GitHub in 2010. Despite multiple alerts over the years, the bug persisted in educational resources and professional tutorials, and was inadvertently spread through snippets on Stack Overflow and through Large Language Models (LLMs). The flawed code pattern, classified as CWE-22 (path traversal), could allow attackers to access directories outside the intended root or cause denial of service by traversing file paths. The new automated repair system tests GitHub repositories for the vulnerability, validates exploitability, and applies patches where possible. Initial tests involved prompting various versions of LLMs to write secure code, revealing that even targeted prompts frequently resulted in insecure code synthesis. Out of 40,546 projects analyzed, vulnerabilities were confirmed in 8,397, leading to the generation of 1,600 validated patches, with an 11 percent overall remediation rate among affected projects. The researchers faced challenges in responsible vulnerability disclosure, opting for private communications over public posts to avoid pre-emptive exploitation. The study highlights the need for careful validation of AI-generated content and underscores how AI can be both a problem and a solution in cybersecurity.
2025-06-05 06:28:55 bleepingcomputer NATION STATE ACTIVITY U.S. Rewards for Information on RedLine Malware and Russian Hacker
The U.S. Department of State is offering up to $10 million for tips on state-sponsored hackers linked to the RedLine malware. The Rewards for Justice program aims to identify foreign actors involved in cyberattacks against U.S. infrastructure. The program operates under the 1984 Act to Combat International Terrorism, targeting individuals directing cyber operations for foreign governments. Russian national Maxim Alexandrovich Rudometov, linked to the RedLine infostealer malware, was charged in the U.S. following Operation Magnus. Law enforcement disrupted the RedLine and META malware-as-a-service platforms, seizing key infrastructure and arresting suspects. Over $250 million has been paid to informants through the Rewards for Justice program, significantly aiding U.S. national security. ESET, a cybersecurity firm, assisted in the crackdown and provided a scanner for potential victims of the malware.
2025-06-05 05:38:57 thehackernews CYBERCRIME Critical Cisco ISE Credential Flaw Threatens Cloud Security
Cisco has issued patches for a critical flaw in Identity Services Engine (ISE) deployments on AWS, Azure, and OCI, tracked as CVE-2025-20286 with a CVSS score of 9.9. The vulnerability allows unauthenticated remote attackers to access sensitive data, execute administrative operations, alter configurations, or disrupt services. The flaw arises from static credentials shared among Cisco ISE instances on the same cloud platform and software release. Instances of the same release on a given platform (AWS, Azure, or OCI) share identical credentials, but the credentials are not valid across different platforms or releases. Proof-of-concept exploit code is available; however, there are no reports of malicious exploitation in the wild. Cisco advises that this issue solely affects cloud-based deployments in which the Primary Administration node runs in the cloud; on-premises deployments remain unaffected. No direct workaround exists; Cisco recommends limiting access to authorized administrators or resetting configurations to factory settings to mitigate the risk.
2025-06-05 04:59:29 theregister NATION STATE ACTIVITY China Claims Taiwan, with US Support, Conducts Feeble Cyberattacks
China's National Computer Virus Emergency Response Center accuses Taiwan of conducting weak cyberattacks for years, allegedly with U.S. support. The report targets Taiwan's Information, Communications and Electronic Force Command (ICEFCOM), established after 2016 with purported U.S. help to support Taiwan's independence. Taiwan and ICEFCOM are accused of running five inefficient Advanced Persistent Threat (APT) groups that mostly exploit known vulnerabilities and lack advanced cyber skills. Described APT activities include phishing, installing malware, exfiltrating data, and attempting to infiltrate media outlets, although the groups allegedly often fall into honeypots. The report mocks the effectiveness of Taiwanese cyber efforts, likening them to an ant trying to shake a tree, and criticizes their reliance on public resources and poor anti-tracing measures. China's report also reflects broader geopolitical tensions and narratives, accusing U.S. influence of fostering pro-independence sentiment in Taiwan. The report is co-authored by notable Chinese security organizations and echoes previous claims that the U.S. has staged cyber incidents to discredit China.
2025-06-05 02:35:29 theregister MISCELLANEOUS IBM Cloud Faces Repeated Outages and Critical Security Flaw
IBM's cloud management console suffered another outage affecting user access, similar to an incident earlier in the week. The outage prevented users from managing cloud resources and viewing support cases, starting at 9:03 AM UTC and resolving by 1:20 PM UTC. IBM has not disclosed the cause of the outage, leaving customers with limited guidance on resolution and preventive measures. Separately, a critical vulnerability was reported in IBM's security software, where a password was left exposed in a configuration file. The vulnerability, rated 9.6/10, affects IBM's QRadar and Cloud Pak for Security, posing a significant security risk to users. IBM also issued advisories for additional QRadar vulnerabilities with severities ranging from moderate to high. Despite the severity, the flagged vulnerabilities were introduced in recent product updates, potentially limiting the number of affected users. Customers who have implemented those updates are advised to establish compensating controls or prepare for urgent patching efforts.
2025-06-04 23:47:19 theregister CYBERCRIME Play Ransomware Exploits SimpleHelp Flaw in High Pressure Campaigns
The FBI reports that the Play ransomware group has targeted over 900 organizations using double-extortion tactics. Play ransomware attackers exploit a critical flaw in the remote-access tool SimpleHelp which, where unpatched, allows them to execute malware remotely. Attack techniques involve psychological pressure such as direct phone threats to release stolen data if ransoms are not paid. Ransom notes now require victims to initiate contact, adding a layer of psychological manipulation by not stating ransom amounts upfront. The cybercriminals gain access via stolen credentials, by exploiting known vulnerabilities in widely used software, and through insecure remote access protocols. Each campaign features uniquely recompiled Play ransomware binaries for Windows and ESXi systems, evading typical hash-based anti-malware defenses. Agencies including the FBI and CISA, along with international partners, have updated advisories with new tactics and indicators to aid network defenders.
2025-06-04 21:00:43 theregister NATION STATE ACTIVITY Ukrainian Hack Exposes Vast Data from Russian Bomber Manufacturer
Ukrainian military intelligence infiltrated Tupolev, a major Russian bomber manufacturer, and extracted over 4.4 GB of data. The breach yielded sensitive information including employee personal data, engineering resumes, purchase records, and minutes from private meetings. In a symbolic gesture of defiance, the hackers also defaced Tupolev's website, replacing standard images with an owl gripping a bomber. The cyberattack followed a physical drone attack on Russian airbases in which trucks were used to launch drones that targeted Russian aircraft, intensifying the conflict. The data obtained could significantly impact Russian strategic aviation operations; Ukrainian intelligence commented on the comprehensive nature of the data, which affects both ground and aerial tactics. The incident demonstrates escalating cyber warfare capabilities and Ukrainian advances in cyberattack strategy amid the ongoing conflict. Following the attacks, tensions escalated as President Putin vowed retaliation, indicating potential further conflict engagement. Western governments, notably the U.S., continue to back Ukrainian cyber defenses, emphasizing a deep operational partnership and shared intelligence efforts.
2025-06-04 20:37:57 bleepingcomputer NATION STATE ACTIVITY Microsoft Launches Free EU Cybersecurity Initiative for Governments
Microsoft announced a new European Security Program in Berlin, designed to enhance cybersecurity across European Union countries, EFTA members, the UK, Monaco, and the Vatican. The initiative aims to counter increasing cyber threats from state-backed actors in Russia, Iran, China, and North Korea, focusing on espionage conducted through credential theft and the exploitation of vulnerabilities. The program leverages artificial intelligence to provide real-time threat insights and intelligence, enhancing detection and blocking of sophisticated cyberattacks. Partnerships with organizations such as Europol, the CyberPeace Institute, LASR, and the Western Balkans Cyber Capacity Center will be strengthened under the new initiative. Microsoft also plans to deliver updates on foreign influence operations, including the use of deepfakes, and to provide guidance on newly discovered vulnerabilities. The company underscored its commitment by referencing its involvement in the takedown of the Lumma infostealer malware, which had significantly impacted several European countries. The program also includes collaboration with internet service providers to improve user-level remediation and cyber defense capabilities across Europe.
2025-06-04 20:13:06 bleepingcomputer RANSOMWARE FBI Reports Play Ransomware Impacted 900 Entities Including Critical Infrastructure
The FBI announced that the Play ransomware group has compromised approximately 900 organizations globally, including many critical infrastructure entities. This represents a significant increase from the 300 victims reported in October 2023, with affected regions spanning North America, South America, and Europe. The Play group recompiles its malware for each attack, making detection and prevention by security software more difficult. Victims have also been extorted through phone calls in which they are threatened with the leak of stolen data unless a ransom is paid. Play ransomware attacks include the exploitation of vulnerabilities in remote monitoring and management tools to achieve remote code execution on U.S. organizations. The group operates a ransomware-as-a-service model, stealing sensitive data before encrypting systems and then pressuring victims to pay by threatening to publish the data online. The FBI, together with CISA and the Australian Cyber Security Centre, advises updating systems and software regularly, using MFA, maintaining offline backups, and developing recovery protocols. Noteworthy victims of this ransomware include Rackspace, Dallas County, and Krispy Kreme.
2025-06-04 19:45:07 theregister RANSOMWARE Ransomware Attack on Kettering Health Disrupts Chemotherapy, Leaks Data
The ransomware group Interlock claimed responsibility for a cyberattack on Kettering Health in May, disrupting medical treatments and leaking 941 GB of sensitive data. The compromised data included ID cards, payment information, and detailed purchasing reports, spanning 732,490 files and 20,418 folders. The incident led to system-wide outages, causing Kettering Health to cancel essential medical procedures, including chemotherapy and pre-surgery appointments. Kettering Health, which manages 14 medical centers and over 120 outpatient facilities, had to redirect emergency cases and revert to paper-based patient charting. Following the attack, the healthcare provider restored major components of its electronic health record (EHR) system by June 2, improving patient care coordination. The attack is part of a broader trend, with 26 confirmed ransomware attacks on U.S. healthcare providers so far this year and 17 confirmed Interlock ransomware cases since October 2024. The healthcare network has so far refrained from confirming the validity of the data leak claimed by Interlock.
2025-06-04 19:45:06 bleepingcomputer CYBERCRIME Ukrainian Hacker Mines Crypto Using Breached Hosting Accounts
Ukrainian police arrested a 35-year-old hacker accused of breaching approximately 5,000 hosting accounts to mine cryptocurrency. The breaches occurred at an international hosting company, where the hacker unlawfully accessed client accounts and deployed virtual machines for mining, resulting in $4.5 million in damages. The hacker had been abusing the hosting company's server resources for unauthorized cryptocurrency mining since 2018. The investigation revealed that the hacker used open-source intelligence to identify and exploit vulnerabilities in international organizations. During the police raid, authorities confiscated various devices and evidence, including computer equipment, mobile phones, bank cards, and tools linked to data theft and remote access. Analysis of the seized materials indicated the hacker's involvement in multiple hacker forums and possession of stolen email credentials and cryptocurrency wallets. The hacker now faces charges carrying up to 15 years of imprisonment under Ukrainian law, and ongoing investigations may add further charges. Recommendations for IT teams to prevent similar incidents include using strong, unique passwords, multi-factor authentication, and regular monitoring of account activity.
2025-06-04 19:22:28 bleepingcomputer CYBERCRIME Cisco Issues Patches for Critical ISE and CCP Vulnerabilities
Cisco has released patches for three vulnerabilities affecting its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP), for which public exploit code is available. The most severe, CVE-2025-20286 in Cisco ISE, is a critical static credential issue that can compromise cloud deployments. It allows unauthenticated attackers to access administrative functions and sensitive data across cloud environments such as AWS, Azure, and Oracle Cloud Infrastructure. Security researchers note that only Cisco ISE deployments whose Primary Administration node runs in the cloud are susceptible to this particular exploit. Cisco's response includes providing hotfixes and advising administrators who cannot immediately apply the patches to run a specific command that resets configurations to factory settings. The other patched vulnerabilities are an arbitrary file upload flaw in Cisco ISE and an information disclosure vulnerability in the Customer Collaboration Platform. Prior to these patches, in September, Cisco fixed a command injection vulnerability in ISE that allowed privilege escalation to root on unpatched systems.
2025-06-04 18:02:24 bleepingcomputer NATION STATE ACTIVITY Ukraine Allegedly Hacks Major Russian Aerospace Company Tupolev
Ukraine's Main Intelligence Directorate (GUR) reportedly penetrated the systems of Tupolev, a key Russian aerospace manufacturer, obtaining 4.4 GB of sensitive data. The breach included personal information of Tupolev employees, internal communications, procurement documents, and minutes from private meetings. The hack also involved defacement of Tupolev's official website, replacing its homepage with an image symbolic of Ukrainian prowess. Ukrainian intelligence claims the hack exposed vital details of Russia's strategic aviation operations and could affect Russian defense capabilities. The breach is part of a broader series of cyberattacks attributed to Ukrainian forces, targeting various Russian governmental and defense agencies since the conflict began. The cyber operation followed a physical drone attack by Ukraine on Russian airfields, highlighting Ukraine's combined approach of physical and cyber warfare tactics.
2025-06-04 17:11:57 bleepingcomputer CYBERCRIME U.S. and Global Agencies Seize BidenCash Dark Web Domains
U.S. law enforcement, led by the Secret Service and FBI, conducted an international operation seizing multiple domains of BidenCash, a notorious dark web market. The seized domains now redirect to a U.S. government seizure notice citing their involvement in illegal carding activities. The Dutch National Police and organizations including The Shadowserver Foundation and Searchlight Cyber supported the operation. BidenCash, which emerged in April 2022, was known for trading stolen credit card information and personal data, filling a gap left by previously shut-down card markets. Recent leaks from BidenCash included databases containing over 4 million stolen credit card records, predominantly belonging to U.S. cardholders. Although such marketplaces occasionally recover from takedowns, law enforcement actions have considerably disrupted illegal online card trading. The Secret Service's ongoing efforts also include actions against physical skimming devices, preventing potential fraud amounting to millions of dollars.