Daily Brief

The article summaries below are automatically generated.

Total articles found: 11819


2025-05-31 10:28:53 theregister CYBERCRIME Whistleblower Exposes Conti Ransomware Gang Leaders
An anonymous whistleblower using the name GangExposed has revealed the identities and internal operations of leaders within the Conti and Trickbot ransomware groups. GangExposed released extensive data, including chat logs, personal videos, and ransom negotiations, with the stated aim of dismantling the criminal group responsible for extorting billions globally. Key figures identified include 36-year-old Vitaly Nikolaevich Kovalev, aka Stern, leader of Trickbot and Conti, whose identity German police have confirmed, and Vladimir Viktorovich Kvitko, known as Professor. Despite a $10 million U.S. government bounty for information, GangExposed claims no interest in the reward, focusing instead on disrupting the criminals' activities. Conti leaders reportedly relocated to Dubai in 2020 and continued targeting Western entities while maintaining a network that includes luxury assets and corporate connections. GangExposed obtained information through darknet services and semi-closed databases, and aims to see key members sanctioned and listed on Interpol's wanted persons list. Speculation surrounds GangExposed's motives, with some suggesting he might be a former insider seeking revenge or aiming to expose criminal activities through detailed leaks.
2025-05-31 10:28:52 thehackernews MALWARE Flaws in Linux Core Dump Handlers Risk Sensitive Data Exposure
Two new vulnerabilities in Linux core dump handlers can lead to sensitive data exposure, impacting systems including Ubuntu, RHEL, and Fedora. Identified as CVE-2025-5054 and CVE-2025-4598, these flaws arise from race conditions that allow local attackers to access password hashes. Exploitation enables attackers to read core dumps of SUID executables, potentially revealing user passwords and other confidential information. Red Hat rates the exploit complexity of CVE-2025-4598 as moderate, since it requires winning a race condition and an unprivileged local account. Mitigation includes disabling core dump generation for SUID binaries via system configuration, which reduces risk at the expense of detailed crash analysis. Proof-of-concept code developed by Qualys can exploit these vulnerabilities under controlled laboratory conditions but has limited real-world applicability. Enterprises are advised to patch rapidly and maintain robust monitoring to protect against potential confidentiality breaches and compliance issues.
2025-05-31 07:22:29 thehackernews CYBERCRIME Multinational Operation Seizes Domains Linked to Cybercrime Services
A multinational law enforcement effort has dismantled a network providing crypting services that helped malware evade antivirus detection. The U.S. Department of Justice, in collaboration with Dutch and Finnish authorities, seized four key domains on May 27, 2025, that were crucial to cybercriminal operations, namely AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru. Operation Endgame, which commenced in 2024, targets the infrastructure supporting global cybercrime, and this marks its fourth major action. Undercover purchases confirmed that the seized domains were actively used in cybercrime; the services they offered obscured malware and thereby enabled unauthorized access to computer systems. These services allowed criminals to refine malware for better evasion of advanced security systems and forensic analysis. PureCrypter, another malware-as-a-service (MaaS) offering used to distribute information stealers, demonstrates ongoing advances in evasion techniques and highlights why this operation was necessary. The law enforcement action involved several countries, emphasizing a collaborative international effort to combat cyber threats effectively.
2025-05-30 19:30:57 bleepingcomputer CYBERCRIME Hackers Exploit Critical Flaws in Popular vBulletin Forum Software
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, were identified in vBulletin software, affecting versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3. These flaws allow API method invocation and remote code execution via template engine abuse, and are rated 10.0 and 9.0 respectively on the CVSS v3 scale. The vulnerabilities were patched quietly in a previous update, but many forums remain vulnerable because they have not updated their software. Active exploitation of these vulnerabilities has been observed, with attackers employing methods detailed by researcher Egidio Romano. Attackers have managed to execute remote, unauthenticated code on servers, potentially gaining shell access as the web server user. Exploitation attempts have been traced back to attackers in Poland, who have been trying to deploy PHP backdoors. Forum administrators are urged to apply the latest security updates or upgrade to the newest vBulletin release (version 6.1.1), which is not susceptible to these flaws.
2025-05-30 19:07:44 theregister NATION STATE ACTIVITY ConnectWise Reports Sophisticated Nation-State Cyberattack
ConnectWise, an IT management software vendor, confirmed a security breach by a sophisticated nation-state actor impacting a limited number of customers using ScreenConnect, a remote access tool. The breach, initially disclosed in a May 28 advisory, involved unauthorized access to its IT environments and subsequent breaches at customer sites. Major clients like Panasonic, Swarovski, Aflac, and Honeywell use ScreenConnect, highlighting the potential impact of such a supply-chain attack on businesses. Immediately after discovery, ConnectWise engaged Mandiant, a reputable forensic investigation firm, and intensified scrutiny and security measures across its networks to prevent further unauthorized activity. The breach details remain partially undisclosed; however, the vulnerability CVE-2025-3935 in ScreenConnect, patched prior to the breach, was suggested as a potential exploit used by the attackers. One affected customer shared their frustration on Reddit, indicating that the breach notification was vague and delayed, stating that the breach occurred in November 2024 and is under FBI investigation. Although no further suspicious activity has been observed since remediation, the long-term implications of the breach for ConnectWise and its clients, particularly concerning trust and security, remain significant.
2025-05-30 18:35:32 theregister NATION STATE ACTIVITY DoD IT Specialist Arrested for Leaking Secrets to Undercover FBI
Nathan Vilas Laatsch, a 28-year-old IT specialist at the Defense Intelligence Agency, was apprehended for attempting to pass classified documents to what he believed was a foreign government. Laatsch, disillusioned with current U.S. administration values, claimed he wanted to act in support of traditional U.S. ideals by sharing top secret information. Initially contacting a foreign entity in March, Laatsch was unaware that his communications were intercepted by the FBI, who then posed as representatives from the foreign government. Over several days, Laatsch transcribed sensitive information onto a USB drive at his workplace, intending to drop it in a public park for retrieval by supposed foreign agents. During the orchestrated drop on May 1, FBI agents recovered the USB drive, finding it contained files classified up to the top secret level. Following a second attempted information drop, where Laatsch transmitted notes concealed within his clothing, he was arrested by the FBI on May 29. Facing serious charges, Laatsch expressed a preference for foreign citizenship as compensation for his actions but stated financial compensation was not his primary motive. FBI director Kash Patel highlighted the case as a stark reminder of the ongoing threat posed by insider risks to national security.
2025-05-30 17:39:07 theregister CYBERCRIME Fred Hutchinson Cancer Center Settles for $52.5M After Cyber Extortion
The Fred Hutchinson Cancer Center in Seattle agreed to a $52.5 million settlement following a cyberattack in November 2023. Personal and sensitive data of cancer patients were stolen, including health diagnoses, treatments, and insurance information. Cybercriminals used the stolen data to threaten patients with swatting attacks unless they paid to prevent the sale of their data. The settlement includes cash compensation to affected parties, investments in security infrastructure, and funds for medical fraud monitoring. Around 140,000 people applied for the settlement benefits by the specified deadline, with individual payments up to $5,000 based on material losses. Despite severe tactics by the attackers, Fred Hutch did not pay any ransom and claims no patient data has been sold post-attack. The attack was executed by exploiting the CitrixBleed vulnerability; the responsible group, Hunters International, claimed the attack among others.
2025-05-30 16:47:42 bleepingcomputer CYBERCRIME International Police Shut Down Cybercriminal Antivirus Testing Site
An international law enforcement collaboration successfully dismantled AVCheck, a prominent counter-antivirus service used by cybercriminals. AVCheck allowed attackers to check whether their malware would be detected by commercial antivirus programs prior to broader deployment. Authorities have also linked AVCheck to crypting services like Cryptor.biz and Crypt.guru, which are essential for obfuscating malware to evade detection. The seizure of AVCheck and related crypting services is a strategic move to disrupt cybercriminal activities at early stages, aiming to reduce potential victimization. The operation involved undercover agents purchasing from AVCheck to establish its role in facilitating cybercrime, including connections to known ransomware attacks on American targets. This bust was part of Operation Endgame, which also saw the seizure of 300 servers and 650 domains used in various ransomware operations. The takedown underscored the intricate ecosystems supporting malware operations and the importance of international cooperation in tackling advanced cyber threats.
2025-05-30 16:39:21 theregister MISCELLANEOUS Meta Partners with Anduril, Ventures into Defense Contracting
Meta, formerly known as Facebook, has formed a partnership with defense firm Anduril Industries for the development of extended reality (XR) products. The collaboration follows Meta's extensive investments totaling $80 billion in virtual, augmented, and mixed reality technologies since acquiring Oculus in 2014. Meta's Reality Labs division has reported significant financial losses, approximating $4.2 billion in Q1 2025 alone, and consistent losses in preceding quarters. This strategic move into defense aims to produce augmented and virtual reality tools that enhance battlefield intelligence and decision-making for the U.S. military. The partnership leverages Anduril's Lattice platform, which integrates AI to provide real-time data and insights to soldiers through AR/VR interfaces. This venture is seen as an opportunity to rejuvenate Meta's struggling tech initiatives and potentially yield returns on their hefty VR investments amid the challenging consumer tech market. Both companies emphasize the dual-use nature of the technology, aiming to support national security and redefine the capabilities of American servicemembers.
2025-05-30 16:00:47 bleepingcomputer CYBERCRIME Germany Identifies Leader of Infamous TrickBot and Conti Groups
Germany's Federal Criminal Police Office (BKA) has identified 36-year-old Russian Vitaly Nikolaevich Kovalev as the leader of the cybercrime gangs TrickBot and Conti. Kovalev, also known as "Stern," is believed to have founded the TrickBot group and was previously charged in a U.S. operation along with six other Russians. The cybercrime operations included the use of various malware such as Trickbot, Ryuk, and Conti, affecting hundreds of thousands of systems globally, including hospitals and public facilities. Germany has issued an Interpol red notice for Kovalev and suspects he currently resides in Russia. In February 2023, Kovalev's role was detailed further following leaks (TrickLeaks and ContiLeaks) which exposed internal communications and identities of gang members. Following the exposure, the Conti gang was reportedly disbanded, with members migrating to other cybercrime groups. German authorities have described the TrickBot group as highly organized, project-oriented, and consisting of over 100 members at its peak.
2025-05-30 14:17:17 thehackernews MALWARE EDDIESTEALER Malware Exploits CAPTCHA to Steal Sensitive Data
EDDIESTEALER is a novel Rust-based malware distributed through deceptive CAPTCHA verification pages that trick users into downloading it via a PowerShell script. Attackers compromise legitimate websites and insert malicious JavaScript that prompts bogus CAPTCHA verifications, leading victims to initiate the download process themselves. The malware targets a range of data including credentials, cryptocurrency wallets, browser information, and more from various applications, including FTP clients and messaging apps. EDDIESTEALER is designed to bypass specific browser security features, allows configuration changes by the command-and-control operator, and uses encrypted communications to exfiltrate data. Elastic Security Labs highlights the increasing use of Rust in malware development for its ability to improve stealth and resilience against detection. The article also discusses other related malware campaigns targeting multiple platforms, indicating a broader trend of sophisticated cyberattacks involving data theft. Security disclosures reveal various tactics, such as browser redirections and device-specific exploits, used to spread different types of info-stealing malware across operating systems.
2025-05-30 14:00:07 bleepingcomputer MISCELLANEOUS Comprehensive Insights on Improving Exposure Management Tactics
A global survey of 500 CISOs by Pentera reveals maturing yet incomplete exposure management practices in cyber security. Modern attack surfaces have expanded dramatically with cloud-native architectures, API integrations, and IoT devices, increasing complexity and vulnerability. Nearly half of the CISOs report a growing number of security tools, highlighting that increased complexity often aids attackers. The 2025 State of Pentesting report identifies the key at-risk areas: cloud infrastructure, APIs, endpoints, and IoT systems are critical focal points for pentesting. Data suggests that web-facing assets remain highly vulnerable and the most frequently breached components, despite being the most heavily tested. Internal networks, endpoints, and applications show comparatively lower breach rates, indicating more successful management and focused security efforts. The report highlights a concerning gap in API security, showing a discrepancy between perceived security and actual breach incidents. The overarching theme of the report is the evolution towards strategic, impact-focused exposure management over traditional vulnerability management.
2025-05-30 11:17:12 thehackernews NATION STATE ACTIVITY China-Linked Hackers Target Asia and Brazil, Exploit SAP and SQL Server Flaws
A group of China-linked hackers known as Earth Lamia has been actively exploiting vulnerabilities in SAP NetWeaver and Microsoft SQL Server across Asia and Brazil. The collective leverages SQL injection vulnerabilities and known security flaws to breach systems primarily in India, Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. The hacking efforts include the deployment of tools like Cobalt Strike, Supershell, and proxy tunnels using Rakshasa and Stowaway. Privilege escalation tools like GodPotato and JuicyPotato are also used. Attack techniques also involve network scanning utilities and the manipulation of Windows event logs to cover tracks. Some unsuccessful attempts were made to deploy the Mimic ransomware in Indian networks, with subsequent efforts to delete the ransomware binaries post-deployment. Recently disclosed vulnerabilities include CVE-2025-31324, a critical flaw in SAP NetWeaver, which was used to establish remote control over affected systems. The group's target industries have evolved from financial services to logistics and online retail, and most recently to IT companies, universities, and government organizations. Earth Lamia is noted for its continuing development of backdoors and hacking tools, including an updated version of the PULSEPACK backdoor that now employs WebSocket for C2 communications.
2025-05-30 10:36:17 thehackernews MISCELLANEOUS Healthcare CISO Shifts IT Focus From Gatekeeping to Enabling
MultiCare's CISO, Jason Elrod, has reshaped the IT security approach within the healthcare sphere, focusing on enabling modern care rather than just gatekeeping. Legacy IT systems and stringent protection measures hindered innovation and care delivery, demanding a shift to more responsive and enabling IT practices. Identity-based microsegmentation was implemented through Elisity, changing the security dynamic by focusing on individual identity controls rather than traditional network segmentations. Skepticism from technical teams initially greeted the new microsegmentation strategy, but practical outcomes altered their viewpoint and demonstrated effectiveness. This strategic shift bolstered collaboration between IT and security teams, transforming internal dynamics and reducing operational friction while improving security measures. As part of broader sector movements, similar integration between security and IT is crucial for operational efficiency and competitive advantage, particularly in health care. This transition supports the ongoing digital transformation initiatives across the healthcare industry by allowing smoother, safer patient care and advanced compliance management.
2025-05-30 10:28:25 theregister CYBERCRIME Fake AI Software Installers Used to Spread Ransomware
Cybercriminals are using fake AI software installers to disseminate ransomware and other harmful malware via seemingly legitimate websites. Cisco Talos has identified threats involving poisoned installers that mimic real AI vendor sites with slightly altered domain names. The illegitimate software includes varieties of malware such as CyberLock ransomware, RATs, stealers, and a newly discovered malware called "Numero." A Vietnam-based threat group was reported by Mandiant to use social media ads leading to malicious websites that steal credentials and digital wallets. The "NovaLeads AI" executable, a fake AI tool, contains PowerShell-based CyberLock ransomware that encrypts sensitive files and demands $50,000 in Monero. Another malware variant, Lucky_Gh0$t, is disguised as a ChatGPT installer, evades antivirus detection, and encrypts data using AES-256 and RSA-2048. The "Numero" malware, linked to a fake AI video creation tool installer, runs a script that repeatedly corrupts the Windows OS, rendering it unusable. Researchers emphasize caution when downloading AI tools and advise verifying the source to avoid these malware threats.