Daily Brief
Total articles found: 11815
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-02 16:07:07 | thehackernews | CYBERCRIME | New Cryptojacking Campaign Targets DevOps Servers Worldwide | Cybersecurity researchers have identified a new cryptojacking campaign, JINX-0132, exploiting vulnerabilities in DevOps web servers such as Docker, Gitea, and HashiCorp's tools. Attackers use misconfigurations and known vulnerabilities to install cryptocurrency-mining malware on compromised systems. The campaign downloads mining tools directly from GitHub, hiding the attackers' tracks and complicating attribution. The resources misused on compromised Nomad instances could represent tens of thousands of dollars in computing costs per month. Vulnerabilities in Gitea allow remote code execution if attackers gain access under certain conditions, such as having permission to create git hooks or when specific security features are disabled. HashiCorp Consul and Nomad servers are exploited by attackers who can register services and execute arbitrary code through unchecked health checks and job-creation APIs. Globally, over 5,300 Consul servers and more than 400 Nomad servers are exposed, concentrated primarily in high-tech regions and countries. | Details |
| 2025-06-02 15:19:07 | thehackernews | MALWARE | Security Flaws in Smartphones Could Allow Unauthorized Resets and PIN Theft | Security researchers disclosed vulnerabilities in preinstalled apps on Ulefone and Krüger&Matz smartphones. The flaws could enable any installed app to factory-reset the device or manipulate encryption. One vulnerability, CVE-2024-13917, can be exploited if the attacker knows the device's PIN. A related issue, CVE-2024-13916, can be used to leak the PIN code, compounding the risk. The vulnerabilities were identified by Szymon Chadam and reported by CERT Polska. The patch status of these issues has not been confirmed. Responses from Ulefone and Krüger&Matz are pending. | Details |
| 2025-06-02 14:31:14 | bleepingcomputer | CYBERCRIME | Russian Market: Rising Hub for Stolen Credentials Post-Genesis Fall | "Russian Market" has become a leading cybercrime marketplace for trading stolen credentials, gaining traction after the shutdown of Genesis Market. Although 85% of the credentials sold are recycled, the marketplace offers items starting at $2, appealing to a broad cybercrime audience. The logs sold contain extensive personal data, including passwords, credit card details, and session cookies from infected devices. Analysts note that a significant proportion of the stolen data pertains to corporate systems, with 61% of logs containing SaaS platform credentials and 77% containing SSO credentials. The prevalent use of infostealers such as Lumma and the emerging Acreed highlights a focus on enterprise targets, posing severe risks to corporate security. Following law enforcement action against Lumma, Acreed has quickly risen in popularity, uploading over 4,000 logs to Russian Market in its first operational week. Experts recommend that organizations reinforce vigilance and improve software security practices to mitigate the risks posed by infostealers spreading via phishing and malvertising. | Details |
| 2025-06-02 14:22:37 | thehackernews | NATION STATE ACTIVITY | Qualcomm Patches Zero-Days Exploited in Targeted Android Attacks | Qualcomm has released updates to fix three zero-day vulnerabilities in its Adreno GPU that were exploited in targeted attacks. The vulnerabilities were responsibly reported by the Google Android Security team, with Google's Threat Analysis Group providing indications of exploitation. The vulnerabilities, tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were exploited in limited, targeted scenarios. Patches for the affected GPU drivers were distributed to Original Equipment Manufacturers (OEMs) with an urgent recommendation to update devices immediately. Previous, similar vulnerabilities in Qualcomm chipsets have been used by commercial spyware providers such as Variston and Cy4Gate. In a related incident, a flaw tracked as CVE-2024-43047 was used by Serbian authorities to access and spy on Android devices owned by activists and journalists. The exact exploitation methods and the attackers behind the current vulnerabilities remain undisclosed. | Details |
| 2025-06-02 12:30:06 | theregister | DATA BREACH | MainStreet Bancshares Reports Third-Party Data Breach Incident | MainStreet Bancshares disclosed to the SEC that customer data was stolen during an attack on a third-party provider. Approximately 4.65 percent of MainStreet's customer data was compromised in the breach. The company confirmed that its own technical infrastructure was not compromised and that there were no unauthorized transactions or financial losses. MainStreet activated its incident response process immediately upon learning of the breach and discontinued its relationship with the affected third-party provider. Measures were put in place on May 26, 2025, to monitor for suspicious activity relating to the impacted customers, who were also notified and provided with monitoring tools. Concurrently, U.S. banks are lobbying the SEC to relax rules requiring rapid public disclosure of cybersecurity incidents, arguing that they can lead to premature reporting and potential misuse by criminals. The push against the SEC's disclosure rules highlights ongoing tensions between regulatory requirements and industry concerns over publicity and operational impact following a cyberattack. | Details |
| 2025-06-02 11:25:02 | thehackernews | NATION STATE ACTIVITY | APT41 Utilizes Google Calendar for Command and Control Operations | | Details |
| 2025-06-02 11:18:03 | bleepingcomputer | CYBERCRIME | Qualcomm Releases Patches for Multiple Exploited Zero-Days | Qualcomm patched three zero-day vulnerabilities in the Adreno GPU, affecting numerous chipsets, after targeted attacks. Two critical flaws and one high-severity vulnerability were identified; they can cause memory corruption through improper command execution and use-after-free issues. The issues were reported by the Google Android Security team and are suspected to be under limited, targeted exploitation. Alongside the GPU issues, Qualcomm also fixed a buffer over-read vulnerability in its Data Network Stack & Connectivity component that could expose sensitive information. In a related incident, a previously fixed zero-day was found to have been exploited by Serbian authorities to unlock the devices of activists and journalists, after which NoviSpy spyware was installed. Qualcomm has consistently addressed security flaws in its chipsets over the years to prevent attackers from accessing private data and system controls. Qualcomm strongly encourages OEMs to deploy the patches promptly to mitigate the exploitation risk. | Details |
| 2025-06-02 11:03:39 | thehackernews | CYBERCRIME | How Critical Industries Combat Sophisticated Cyber Threats | Cyber threats have evolved, prompting industries to adopt heightened security strategies, including network detection and response (NDR). Financial services employ NDR to detect unauthorized data access, safeguard transactions, and uphold regulatory compliance, given their high exposure to targeted attacks. In the energy sector, NDR identifies potential threats early by monitoring both traditional IT and operational technology (OT) environments, which is crucial for maintaining infrastructure integrity. Transportation industries leverage NDR to ensure the safety and efficiency of increasingly interconnected systems, guarding against data breaches and operational disruptions. Government agencies use NDR to detect advanced persistent threats (APTs), support zero trust models, and provide data for threat attribution, all critical for national security. Across these sectors, NDR provides visibility and monitoring capabilities that traditional security measures miss, covering everything from regulatory compliance to real-time threat detection. The effectiveness of NDR in detecting subtle, sophisticated threats reaffirms its growing importance in future security architectures for protecting critical infrastructure and sensitive data. | Details |
| 2025-06-02 05:57:46 | thehackernews | CYBERCRIME | Cybercriminals Employ NetBird to Target Global Financial Executives | Cybersecurity researchers have identified a sophisticated spear-phishing campaign that uses the legitimate remote access tool NetBird to target CFOs and other financial executives across industries worldwide. Attackers impersonate a recruiter from Rothschild & Co., enticing victims with a fake PDF attachment that leads to a phishing URL hosted on a Firebase app. Victims are tricked into solving a CAPTCHA, which then decrypts and redirects them to download a malicious ZIP archive containing two stages of VBScript payloads. The installation process sets up NetBird and OpenSSH, creates a hidden account, enables remote desktop, and ensures persistence across system reboots. The attack was first detected in mid-May 2025 and involves intricate social engineering and advanced evasion techniques, making it both stealthy and persistent. The campaign has been operational for about a year, leveraging legitimate software to maintain persistent access to victims' systems and evade detection. Related findings include the rise of phishing-as-a-service platforms that facilitate cybercrime through user-friendly web panels and subscription models, escalating the risk and prevalence of phishing scams. Enterprises are urged to boost detection capabilities and invest in user training to combat evolving phishing tactics that exploit human vulnerabilities. | Details |
| 2025-06-02 01:25:30 | theregister | MISCELLANEOUS | Recent Cyber Incidents Reveal Ongoing Threats and New Tactics | Despite an FBI-led takedown attempt, the Lumma infostealer malware continues its operations, with command and control servers still active. Check Point Research reports that Lumma's data theft activities are not only persisting but expanding, fueling cybercrime markets. Psychological tactics used in law enforcement efforts aim to undermine the trust between Lumma affiliates and their customers. The Czech government has accused China's APT31 of a prolonged espionage attack on its Ministry of Foreign Affairs, demanding that China cease the activity and take responsibility. The FBI has alerted U.S. law firms to a new phishing strategy by the Silent Ransom Group, which involves fake IT calls and remote access to steal sensitive data. Reports indicate that an AI impersonation of the White House Chief of Staff has been used to solicit funds and privileged information from senior figures. The White House affirms the seriousness of its cybersecurity measures following these incidents and continues to investigate the deepfake impersonation of a high-level staff member. | Details |
| 2025-05-31 14:09:49 | bleepingcomputer | MALWARE | Critical Cisco IOS XE Software Flaw Could Allow Full Device Takeover | Technical details of a high-severity flaw in Cisco IOS XE have been released, increasing the risk of exploitation. The flaw, CVE-2025-20188, could let attackers upload files and execute commands with root privileges on Wireless LAN Controllers. Cisco attributed the issue to a hard-coded JWT in its software, which is exploitable when the Out-of-Band AP Image Download feature is enabled. Researchers provided a detailed analysis but stopped short of releasing a complete exploit script, citing the potential for widespread attacks. Horizon3 demonstrated how the exploit works, using the hardcoded token and path traversal to manipulate device operations. Users are advised to upgrade to the patched software version or, as an immediate countermeasure, disable the vulnerable feature. The flaw highlights the ongoing risks of hardcoded credentials and insufficient path validation in device security. | Details |
| 2025-05-31 10:28:53 | theregister | CYBERCRIME | Whistleblower Exposes Conti Ransomware Gang Leaders | An anonymous whistleblower using the name GangExposed has revealed the identities and internal operations of leaders within the Conti and Trickbot ransomware groups. GangExposed released extensive data, including chat logs, personal videos, and ransom negotiations, aiming to dismantle the criminal group responsible for extorting billions globally. Key figures identified include 36-year-old Vitaly Nikolaevich Kovalev, aka Stern, leader of Trickbot and Conti, as confirmed by German police, and Vladimir Viktorovich Kvitko, known as Professor. Despite a $10 million U.S. government bounty for information, GangExposed claims no interest in the reward, focusing instead on disrupting the criminals' activities. Conti leaders reportedly relocated to Dubai in 2020, continuing their operations against Western entities while maintaining a network that includes luxury assets and corporate connections. GangExposed obtained the information through darknet services and semi-closed databases, and aims to see key members sanctioned and listed on Interpol's wanted persons list. Speculation has arisen regarding GangExposed's motives, with some suggesting he might be a former insider seeking revenge or aiming to expose criminal activities through detailed leaks. | Details |
| 2025-05-31 10:28:52 | thehackernews | MALWARE | Flaws in Linux Core Dump Handlers Risk Sensitive Data Exposure | Two new vulnerabilities in Linux core dump handlers can lead to sensitive data exposure, impacting systems including Ubuntu, RHEL, and Fedora. Tracked as CVE-2025-5054 and CVE-2025-4598, the flaws arise from race conditions that allow local attackers to access password hashes. Exploitation enables attackers to read core dumps of SUID executables, potentially revealing user passwords and other confidential information. Red Hat rates the exploit complexity of CVE-2025-4598 as moderate, since it requires winning a race condition and an unprivileged local account. Mitigation includes disabling core dump generation for SUID binaries via system configuration, which reduces risk at the expense of detailed crash analysis. Proof-of-concept code developed by Qualys can exploit these vulnerabilities under controlled laboratory conditions but has limited real-world applicability. Enterprises are advised to enforce rapid patching and robust monitoring to protect against potential confidentiality breaches and compliance issues. | Details |
| 2025-05-31 07:22:29 | thehackernews | CYBERCRIME | Multinational Operation Seizes Domains Linked to Cybercrime Services | A multinational law enforcement effort has dismantled a network providing crypting services that helped malware evade antivirus detection. The U.S. Department of Justice, in collaboration with Dutch and Finnish authorities, seized four key domains on May 27, 2025, that were crucial to cybercriminal operations, namely AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru. Operation Endgame, which commenced in 2024, targets the infrastructure supporting global cybercrime; this marks its fourth major action. Undercover operations confirmed the seized domains were actively used in cybercrime, with their services used to obscure malware and thereby enable unauthorized access to computer systems. These services allowed criminals to refine malware for improved evasion of advanced security systems and forensic analysis. PureCrypter, a malware-as-a-service (MaaS) offering reported to distribute information stealers, demonstrates ongoing advances in evasion techniques, underscoring the necessity of this operation. The law enforcement action involved several countries, emphasizing a collaborative international effort to combat cyber threats effectively. | Details |
| 2025-05-30 19:30:57 | bleepingcomputer | CYBERCRIME | Hackers Exploit Critical Flaws in Popular vBulletin Forum Software | Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, were identified in vBulletin, affecting versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3. The flaws allow API method invocation and remote code execution via template engine abuse, and are rated 10.0 and 9.0 respectively on the CVSS v3 scale. The vulnerabilities were patched quietly in a previous update, but many forums remain vulnerable because they have not updated their software. Active exploitation has been observed, with attackers employing methods detailed by researcher Egidio Romano. Attackers have managed to execute remote, unauthenticated code on servers, potentially gaining shell access as the web server user. Exploitation attempts have been traced to attackers in Poland, who have been trying to deploy PHP backdoors. Forum administrators are urged to apply the latest security updates or upgrade to the newest vBulletin release (version 6.1.1), which is not susceptible to these flaws. | Details |