Daily Brief

2025-06-04 16:39:25 bleepingcomputer CYBERCRIME FBI Issues Alert on NFT Airdrop Scams Targeting Cryptocurrency Wallets
The FBI has issued a warning about new cyber scams involving NFT airdrops on the Hedera Hashgraph network. Cybercriminals are distributing fake NFTs and tokens to wallet addresses, tricking users into visiting phishing sites. Victims are deceived into submitting sensitive information such as passwords and wallet seed phrases, leading to wallet hijacking and theft. Hedera Hashgraph, differing from traditional blockchain technology, uses a hashgraph system for faster and more efficient operations. Scammers utilize multiple channels including phishing emails, social media ads, and fake websites to promote their fraudulent schemes. The FBI advises verifying the legitimacy of any airdrop alerts through official channels and never sharing sensitive credentials. Regular monitoring of cryptocurrency accounts for any signs of unauthorized access or transactions is recommended. Victims of such scams should contact their account providers and report the incidents to the FBI's Internet Crime Complaint Center.
2025-06-04 15:34:08 thehackernews CYBERCRIME Google Uncovers Vishing Scheme Targeting Salesforce Users
Google's Threat Intelligence Group has identified a vishing (voice phishing) group, known as UNC6040, specializing in Salesforce data breaches for financial gain. UNC6040 tricks English-speaking employees via phone calls, posing as IT support, to gain unauthorized access to Salesforce environments using a deceptive version of the Data Loader app. The threat actors manipulate victims to authorize a modified Data Loader app under a different name, thus accessing sensitive data and exfiltrating it. After the initial data breach, UNC6040 utilizes the stolen data to move laterally through networks, accessing platforms like Okta, Workplace, and Microsoft 365. Several months post-compromise, UNC6040 engages in extortion attempts, claiming ties to ShinyHunters to pressure victims. Salesforce warned its users in March 2025 about similar social engineering tactics used by other threat actors to steal credentials and add malicious apps. The extensive duration between the initial breach and the extortion indicates the potential for widespread impact on multiple victim organizations.
2025-06-04 15:08:42 theregister CYBERCRIME Scammers Extort Companies via Fake Salesforce IT Support Calls
The Google Threat Intelligence Group has identified a cybercrime group, designated as UNC6040, which is exploiting Salesforce users through fake IT support calls. Approximately 20 organizations across sectors like hospitality, retail, and education in the Americas and Europe have fallen victim to this scam. The attackers impersonate IT support personnel and coax employees into installing a malicious version of the Salesforce Data Loader, enabling them to exfiltrate sensitive data. To execute these attacks, UNC6040 provides victims with an eight-digit connection code during support calls, linking the malicious Data Loader to the victim’s Salesforce environment. The same infrastructure used by UNC6040 also hosted phishing panels aimed at deceiving users into submitting credentials and multifactor authentication codes. After initial data theft, the attackers engaged in lateral movement within the networks, accessing platforms like Okta, Workplace, and Microsoft 365 for further information theft. Some victims faced extortion months after the initial breach, indicating possible collaboration between UNC6040 and other cybercriminal entities. Salesforce has issued guidance on mitigating such attacks, emphasizing the risks of voice phishing aimed at stealing MFA tokens and installing unauthorized applications.
2025-06-04 14:31:23 bleepingcomputer DATA BREACH Lee Enterprises Hit by Ransomware, 39,000 Affected in Data Breach
Lee Enterprises experienced a ransomware attack in February 2025, compromising the personal information of 39,779 individuals. The breached data includes sensitive details such as Social Security numbers and full names. The cyberattack caused significant operational disruptions, including network shutdowns, affecting newspaper printing and delivery across the U.S. Hackers from the Qilin ransomware group claimed responsibility, alleging they stole 120,000 documents and 350 GB of data. Lee Enterprises previously faced a network breach in 2020 by Iranian hackers aimed at spreading disinformation. The recent security breach has been publicly disclosed in a filing with Maine's Attorney General's office and the SEC. Lee Enterprises is currently investigating the legitimacy of the claims of stolen data posted on the dark web.
2025-06-04 14:12:10 bleepingcomputer DATA BREACH Google Reports Hackers Extorting Data from Salesforce Users
Google's Threat Intelligence Group observed social engineering attacks by the group identified as UNC6040, which claims ties to ShinyHunters. Attackers target multinational companies, tricking English-speaking employees into using a compromised Salesforce Data Loader application. The malicious actors impersonate IT support to facilitate the installation of the Data Loader, which then accesses sensitive data on Salesforce and connected cloud platforms like Okta and Microsoft 365. UNC6040 exploits this access to exfiltrate data, including sensitive communications and authorization tokens. After data theft, the actors attempt lateral movement within networks, accessing further sensitive data across platforms. Detection systems have halted some of these data theft activities by revoking access after detecting unauthorized activity. Following the initial breach, data exfiltration can lead to extortion, with delayed ransom demands to prevent data leaks. Google recommends enhanced security measures, including restricted API permissions and blocking access from known commercial VPNs, to mitigate such threats.
2025-06-04 14:04:26 bleepingcomputer MALWARE Protecting Active Directory from AS-REP Roasting Attacks
AS-REP Roasting targets Active Directory user objects lacking Kerberos pre-authentication, exposing systems to unauthorized access. Tools such as Rubeus and Impacket exploit this weakness, bypassing the normal encryption-based authentication mechanism. Cybersecurity agencies list AS-REP Roasting as a prevalent method among 17 common techniques used to target Active Directory. Stolen credentials play a significant role in data breaches, with 44.7% of such incidents involving compromised passwords, per Verizon's Data Breach Investigations Report. Detection and mitigation involve identifying vulnerable accounts, enforcing Kerberos pre-authentication, and monitoring network events for signs of attacks. Implementing strong password policies and maintaining high security standards are crucial to defending against AS-REP Roasting and enhancing overall system security. Specops Password Policy aids in managing and securing passwords by blocking compromised passwords and enforcing robust password policies, thereby bolstering defenses against such attacks.
2025-06-04 13:38:57 theregister DATA BREACH Lee Enterprises Confirms Data Theft Affecting 40,000 People
Regional newspaper publisher Lee Enterprises reported a data theft involving the personal information of approximately 40,000 individuals. The compromised data included first and last names and Social Security numbers; the incident affected certain employees rather than newspaper subscribers. The cyberattack was first detected on February 3, with unauthorized data access starting two days prior. A third-party vendor was engaged for a comprehensive review, which concluded on or about May 28 that personal information of affected individuals was included in the accessed data. Following the attack, Lee Enterprises took measures to enhance security, notified the FBI, and pledged cooperation with any subsequent investigations to hold the perpetrators accountable. The incident has been classified as a cybersecurity attack involving data encryption and exfiltration, potentially impacting the company’s future financial performance despite its cyber insurance. Operational disruptions varied across the company’s vast portfolio of over 70 daily newspapers, with some publications ceasing production temporarily while others managed reduced output.
2025-06-04 12:58:14 thehackernews MALWARE Chaos RAT Malware Targets Windows, Linux Systems via Deceptive Downloads
Chaos RAT, a remote access trojan, targets both Windows and Linux platforms, distributed as a fake network troubleshooting tool. The malware, originally developed in 2017, became prominent in malicious activities beginning December 2022, focusing on web applications for cryptocurrency mining. It uses phishing emails for distribution, employing malicious links or attachments that introduce a script to automate persistent attacks. Capabilities include launching reverse shells, managing files, capturing screenshots, gathering system info, and executing shutdown or URL access commands. Recent updates to Chaos RAT include fixing vulnerabilities that could allow for command injection and cross-site scripting attacks. Security researchers warn that the RAT's open-source nature allows it to be easily adapted and masked by APT groups, complicating attribution efforts. Concurrently, a similar campaign targets Trust Wallet users with counterfeit desktop applications aiming to steal credentials and wallet data.
2025-06-04 12:20:34 thehackernews MISCELLANEOUS Why Browser-Centric DLP is Essential for Modern SaaS Security
Traditional Data Leakage Prevention (DLP) tools are inadequate for today's SaaS environments due to the shift in how data is managed and accessed. Legacy DLP systems focus on monitoring data that moves across endpoints or networks, a method unsuited for the non-traditional modes of data flow in modern SaaS platforms like Google Workspace and Salesforce. The white paper highlights the necessity for a shift towards browser-centric DLP solutions, stressing that the majority of sensitive data interactions now occur directly in-browser. Browser-native security focuses on the actual interaction point — the browser — hence providing more effective protection against data breaches in real-time communication and collaboration tools. The paper argues that updating security strategies to include browser-centric DLP is crucial, given the rapid evolution and adoption of SaaS applications and AI tools in business processes. The browser is identified as the new frontline in data security, necessitating an urgent reevaluation of traditional DLP approaches to address modern security needs effectively.
2025-06-04 10:13:17 thehackernews MALWARE Malicious Packages in PyPI, npm, Ruby Repos Threaten Open-Source Security
Several malicious packages have been found in the npm, Python, and Ruby repositories, designed to steal cryptocurrency, erase codebases, and exfiltrate sensitive data. The packages exploit the open-source supply chain, underscoring the ongoing threat to ecosystems widely used in software development. Malicious Ruby gems clone a legitimate Telegram notification plugin but redirect data to a command-and-control server controlled by the attacker. An npm package named "xlsx-to-json-lh", which typosquats a legitimate tool, contains a payload that can delete project directories when triggered. Packages in the Python repository, PyPI, target Solana private keys and Python scripts, demonstrating sophisticated means of exfiltrating data. The attackers exploit timely geopolitical events, such as the ban on Telegram in Vietnam, to spread malware under the guise of providing proxy services. The campaigns also target developers by using typosquatting and polished documentation to appear legitimate, aiming to infiltrate CI/CD environments. The use of AI toolkits as a vector for infostealers shows the evolving tactics of threat actors seeking to bypass emerging security defenses.
2025-06-04 10:04:37 bleepingcomputer MALWARE Hacker Installs Backdoors in GitHub Code Targeting Peers and Gamers
A hacker using GitHub repositories has been targeting fellow hackers, gamers, and cybersecurity researchers with backdoored source code. Sophos researchers identified malicious backdoors in the Sakura RAT, hosted on GitHub, designed to install malware when the code is compiled. The malicious repositories include scripts and files with obfuscated payloads intended to disguise the backdoor installations and facilitate remote access and data theft. Automated commits and appearances of active development are used by the hacker to lend credibility to these GitHub projects. Victims are lured via YouTube, Discord, and cybercrime forums to download game cheats, mod tools, and exploits which then trigger multi-step infection processes. These infections lead to the execution of info-stealers and remote access trojans, capable of extensive data theft and system manipulation. Due diligence such as scrutinizing source code and build events is crucial before engaging with open-source projects to prevent unwitting malware installation.
2025-06-04 09:22:37 theregister NATION STATE ACTIVITY UK Enhances Military Strategy with New CyberEM Command
The UK Ministry of Defence announced the integration of the Cyber and Electromagnetic (CyberEM) military domain, highlighting its critical role in modern warfare and national defense. The newly formed CyberEM Command will focus on streamlining and enhancing defensive and offensive cyber operations alongside the existing National Cyber Force. The Strategic Defence Review (SDR) portrays CyberEM as the enabling domain that unifies all other military domains, essential for the UK's war-fighting capabilities. Part of the initiative includes a Digital Targeting Web that aims to interconnect all UK military assets for coordinated and precise attacks on targets like warships using advanced technologies like satellites. Existing specialized groups such as the Army's Cyber and Electromagnetic Effects Group and the Royal Navy's Information Warfare Group are noted as current centers of excellence but require further integration to avoid operational inefficiencies. The CyberEM Command is positioned to take a leading role in defining and directing cyber operations across the UK’s military, also setting resilience standards and contributing to NATO efforts. A significant budget allocation of over £1 billion is earmarked to operationalize the CyberEM Command, stressing its crucial role in revamping the UK's military posture towards greater war-fighting readiness.
2025-06-04 07:36:30 theregister MISCELLANEOUS Cybersecurity Veteran Shifts Focus to Anti-Drone Warfare Amid Ukraine Conflict
Mikko Hyppönen, a veteran in cybersecurity, is transitioning to work with anti-drone technology due to the ongoing war in Ukraine. Hyppönen, previously associated with F-Secure, has accepted a position at Sensofusion, a company specializing in drone detection and neutralization systems. He expressed concerns about his proximity to Russia and the significance of drone warfare highlighted by Ukraine’s use of automated drones against Russian targets. At Sensofusion, Hyppönen will work with Airfence technology, which detects drones and can disable them in coordination with military radar systems. He believes that the evolution of drones into fully autonomous weapons could lead to "killer robots," emphasizing the need for robust anti-drone defenses. Hyppönen described the security challenges with drones as a "cat and mouse" game, comparing it to cybersecurity. He plans to officially pivot his career after his final appearance at an annual hacker event in Las Vegas, highlighting his belief in the greater current relevance of anti-drone technology over traditional cybersecurity.
2025-06-04 05:24:11 thehackernews MALWARE HPE Releases Patch for Critical StoreOnce Security Flaws
HPE has issued security patches for eight vulnerabilities in its StoreOnce backup solutions, potentially leading to remote code execution and authentication bypass. The highlighted vulnerability, CVE-2025-37093, with a CVSS score of 9.8, affects all versions of the software prior to 4.3.11 and enables an authentication bypass. The flaw could allow an attacker to perform actions such as remote code execution, information disclosure, and arbitrary file deletion with root access. These vulnerabilities were reported to HPE on October 31, 2024, by an anonymous researcher via the Zero Day Initiative. The problematic authentication was due to improper implementation of the machineAccountCheck method. No active exploitations of these vulnerabilities have been reported; however, updating to the latest software versions is vital for security. HPE also addressed other critical-severity issues in its products, including HPE Telco Service Orchestrator and OneView, related to vulnerabilities in Apache components.
2025-06-04 04:05:42 theregister CYBERCRIME Targeted Cyberattack Erases KiranaPro's Critical Digital Assets
KiranaPro, an Indian grocery ordering app, experienced a severe cyberattack that resulted in the deletion of its GitHub and AWS resources. CEO Deepak Ravindran attributed the attack to a malicious insider with a personal grudge, emphasizing that the act was targeted and deliberate. The attack crippled the app, rendering it inoperable and affecting daily operations that support over 2,000 orders and numerous local store owners. As a result of the incident, sensitive customer data was compromised and infrastructure critical to the app’s function was destroyed. Ravindran announced plans to enhance security measures to fortify the app's systems against future incidents and vowed to publicly expose the perpetrator. The incident underscores the challenges businesses face when insiders with access to critical systems and data turn malicious. There was no mention of preventive safeguards such as external backups or multi-factor deletion controls being in place, which might have mitigated the damage.