Daily Brief


Total articles found: 11819

2025-05-30 09:39:05 theregister DATA BREACH UK Police Force Rebuked for Mishandling Sensitive CCTV Data
The Information Commissioner’s Office (ICO) reprimanded Greater Manchester Police (GMP) for losing critical CCTV footage. An individual held in custody for 48 hours in February 2021 was affected, during which the CCTV system recorded sensitive personal data. GMP was requested to retain this footage beyond the standard 90-day period but later discovered a two-hour gap in the recording. The lost footage was reported by GMP to the ICO, acknowledging a breach of data protection regulations. ICO’s investigation concluded that GMP failed to provide the required personal data without undue delay and lacked adequate technical measures to protect the data. In response to the breach, GMP has invested in better surveillance and security systems, and has revised internal oversight and governance procedures. This incident highlights significant concerns about data protection practices as UK police forces increasingly adopt advanced surveillance technologies like facial recognition.
2025-05-30 08:39:08 theregister NATION STATE ACTIVITY UK Launches £1 Billion Cyber and Electromagnetic Defense Command
The UK government announces a £1 billion investment in a new Cyber and Electromagnetic Command to bolster national defense capabilities. The initiative is a response to the evolving nature of warfare, highlighted by the ongoing conflict in Ukraine and the surge in daily cyber-attacks. This new Command will enhance the protection of military networks and adopt a more offensive role in cyberspace in collaboration with the National Cyber Force. Key operations include breaking into systems, jamming enemy equipment, and enhancing intelligence through signal decoding. The Ministry of Defence also plans to develop a Digital Targeting Web to link and coordinate attacks using British military assets, improving response times and operational efficiency. Recruitment focuses on high-skill individuals offering competitive salaries, with positions based at MoD Corsham and with the National Cyber Force in Lancashire. Defense Secretary John Healey emphasizes that modern conflicts require rapid, innovative, and well-connected forces to ensure victory against adversaries. The strategy includes using artificial intelligence to support operations, although the main focus remains on human expertise and capabilities.
2025-05-30 08:09:34 theregister MISCELLANEOUS Infosecurity Europe 2025: Expanding Cybersecurity Horizons
Infosecurity Europe marks its 30th anniversary with an expanded program from 3-5 June at ExCeL London, aiming to address the escalation in global cyber threats through strategic insights and practical training. The event features nine content theatres, over 200 session hours, and approximately 250 speakers to tackle pressing cybersecurity challenges and emerging threats, attracting over 13,000 professionals. Highlights include keynotes from Professor Brian Cox on the intersection of science and trust, and former MP Rory Stewart on geopolitics and national security, alongside a strong focus on women in cybersecurity. New additions to the 2025 event include SANS Masterclasses offering hands-on training in critical areas like Cloud Security, and a dedicated AI & cloud security stage providing guidance on emerging technical vulnerabilities. Prominent sessions from government and industry leaders, such as from the UK's Department for Science, Innovation and Technology and analysts from Forrester, address future cybersecurity policies and investment priorities. The event emphasizes community and networking with events such as the Cyber House Party and a celebratory 30th anniversary bash, underscoring the importance of collaborative approaches to cybersecurity. Induction of Ciaran Martin into the Infosecurity Europe Hall of Fame and opportunities to interact with other cybersecurity veterans are also featured, enriching the learning and networking experience.
2025-05-30 07:53:39 thehackernews CYBERCRIME U.S. Treasury Sanctions Firm For $200M Crypto Romance Scams
The U.S. Department of Treasury's OFAC has sanctioned Philippines-based Funnull Technology Inc. and its administrator for running romance baiting scams connected to cryptocurrency fraud. Funnull facilitated schemes causing over $200 million in reported losses to U.S. victims, with an average loss of $150,000 per individual. The Treasury accused the company of acquiring bulk IP addresses from major cloud services to host scam sites, using domain generation algorithms to evade detection. Funnull was implicated in a major supply chain attack on the Polyfill[.]io JavaScript library, raising initial suspicions in June 2024. Silent Push, a cybersecurity firm, linked Funnull’s infrastructure in 2025 to several cybercriminal activities including investment scams and suspicious online gambling operations. The U.S. FBI observed significant patterns in IP address activities linked to Funnull, indicating systematic migrations of domains across IP addresses. The sanctions include allegations that Funnull was involved in strategies like infrastructure laundering to assist cybercriminals in maintaining operational continuity for illegal activities.
2025-05-30 06:15:15 thehackernews NATION STATE ACTIVITY ConnectWise Suffers Suspected Nation-State Cyberattack; Investigation Ongoing
ConnectWise, a tech company offering the remote access software ScreenConnect, reported a cyberattack attributed to a potential nation-state actor. The security breach, confirmed on May 28, 2025, affected a limited number of ScreenConnect customers. Following the incident, ConnectWise engaged Google Mandiant for an extensive forensic analysis. Details such as the exact number of impacted customers and the identity of the threat actor remain undisclosed. A prior vulnerability, CVE-2025-3935, was patched in late April and might be connected to the recent cyberattack. ConnectWise has implemented advanced monitoring and security enhancements to prevent future incidents. No further suspicious activity has been observed post-attack, indicating that current containment measures are effective. Similar vulnerabilities in the past were also exploited by cybercriminals and other nation-state actors from China, North Korea, and Russia.
2025-05-30 04:11:29 thehackernews NATION STATE ACTIVITY Meta Disrupts Coordinated Influence Operations Across Multiple Nations
Meta announced the disruption of three influence operations linked to Iran, China, and Romania, aimed at manipulating public discourse. A Romanian network sported 658 Facebook accounts and others on platforms like TikTok and YouTube, pushing localized content in Romania to appear credible. An Iranian operation targeted Azeri-speaking regions using 60 social media accounts and leaned on hashtags to integrate into broader conversations, labeled as Storm-2035. Chinese-linked activity used AI-generated profiles and account farms to target discourse in Myanmar, Japan, and Taiwan, criticizing local resistance and foreign relations. In total, operations involved a complex web of fake accounts across major social platforms, including Facebook, Instagram, and X, using various tactics to sway public opinion and regional political narratives. These disruptions are part of Meta’s ongoing efforts to maintain platform integrity and combat misinformation by leveraging advanced detection methods to identify and neutralize these campaigns before they gain traction.
2025-05-30 00:40:39 theregister MISCELLANEOUS SentinelOne Service Outage Affects Customers Globally
SentinelOne experienced a significant service disruption affecting multiple products, including threat intelligence and endpoint protection. The outage impacted commercial customer consoles, reducing visibility for managed response services. SentinelOne assured customers that endpoint protection remained active despite the outage. Early assessments by SentinelOne suggest the outage stemmed from cloud-related issues rather than a security breach. The company restored all services by Thursday evening at 7:41 PM UTC. Several customers learned of the outage through social media before official communications were issued by SentinelOne. AWS reported a minor issue that lasted an hour, which does not account for the duration of SentinelOne's six-hour outage. SentinelOne's reliance on AWS for hosting services was highlighted as a potential factor in the service disruption.
2025-05-30 00:19:52 theregister CYBERCRIME U.S. Treasury Sanctions Philippine Company Over $200M Scam Operations
The U.S. Treasury has placed sanctions on Funnull Technology Inc, a company based in the Philippines, blocking all its properties and assets in the United States. Funnull Technology, managed by Chinese national Liu Lizhi, was involved in hosting infrastructure for widespread pig butchering scams, costing American victims over $200 million. These scams involved social engineering techniques, primarily romantic deceit, to build trust before fraudulently convincing victims to invest in fake schemes, often involving cryptocurrencies. Liu Lizhi was specifically sanctioned for his administrative role and for possessing documents detailing fraudulent activities and operations. In conjunction with the sanctions, the FBI issued warnings about Funnull's practices, including reselling IP addresses and internet infrastructure to cybercriminals for scam websites. The FBI highlighted that the sanctioned entity was linked to an alarming number of virtual currency investment scam sites reported to them. Additionally, the recent actions underline the ongoing efforts by U.S. authorities to curb cybercrimes that not only target individual finances but also impair legitimate digital asset ecosystems.
2025-05-29 23:50:26 bleepingcomputer MISCELLANEOUS Microsoft Authenticator Ends Password Autofill, Promotes Edge
Microsoft Authenticator app has started alerting users that its password autofill feature will be deprecated in July. Users are encouraged to export their passwords or switch to Microsoft Edge to retain autofill functionality. After the feature deprecation, passwords will be accessible through Microsoft Edge, which is integrated with additional security features like Microsoft Defender SmartScreen. The Authenticator app will continue to support secure sign-in features such as multi-factor authentication and biometric confirmations. Users can export their passwords in a CSV format and import them into another password manager if they do not wish to use Microsoft Edge. The move is part of Microsoft's broader strategy to streamline its services and enhance security by promoting its own web browser.
2025-05-29 21:53:51 theregister MISCELLANEOUS Windows 11 Patch Fails on VMs, Sends Systems into Recovery Mode
Microsoft's latest Patch Tuesday update for Windows 11 is failing to install on some virtual machines. Affected systems are primarily VMs, including those on Azure, Citrix, and Hyper-V, which display boot errors and enter recovery mode. The error involves the ACPI.sys file, which is crucial for power management and hardware resource control in Windows. Impacted users are mostly in enterprise setups; Windows 11 Home and Pro users are generally unaffected. No definitive workaround has been provided by Microsoft, beyond the recommendation to avoid the update until a fix is implemented. This issue is part of a series of problematic updates from Microsoft, including a recent one causing issues with Remote Desktop sessions and another that potentially increases security vulnerabilities. Microsoft has acknowledged the issue and stated that engineers are working on resolving the problem.
2025-05-29 19:54:47 theregister NATION STATE ACTIVITY Lt. Gen. McMaster Accuses China of Preparing for War with U.S.
Retired US Army Lt. Gen. H.R. McMaster testified to the U.S. House Homeland Security Committee, claiming that Chinese espionage deep within U.S. networks indicates preparation for war. McMaster emphasized China's significant increase in defense spending and the development of a potential first-strike nuclear capability aimed at crippling U.S. critical infrastructure. He highlighted the role of Chinese surveillance tactics, including spy balloons, as part of a broader intelligence collection strategy targeting U.S. communications. Wendi Whitmore of Palo Alto Networks corroborated the intense cyber threat from nations like China, mentioning that her company blocks billions of cyberattacks daily, with a significant portion being novel attacks. Public-private partnerships, such as the proposed codification of CISA's JCDC, are deemed crucial for enhancing national cybersecurity readiness. Both McMaster and Whitmore underscored the urgent need for the U.S. to take these escalating threats seriously and bolster defenses against potential large-scale conflicts.
2025-05-29 19:15:59 bleepingcomputer NATION STATE ACTIVITY Nation-State Hackers Breach ConnectWise, Impacting ScreenConnect Users
ConnectWise confirmed a cyberattack by suspected state-sponsored actors, affecting a limited number of ScreenConnect customers. The attack was identified as suspicious activity in ConnectWise's environment, leading to an investigative partnership with Mandiant and coordination with law enforcement. The breach specifically impacted cloud-based ScreenConnect instances and was discovered following ConnectWise's proactive security enhancements, including increased monitoring and network security hardening. Customers discussed the incident and linked it to CVE-2025-3935, a high-severity ViewState code injection vulnerability in ScreenConnect patched on April 24. The breach reportedly occurred in August 2024 but was not detected until May 2025, with threat actors potentially exploiting the system via stolen machine keys that allow remote code execution. ConnectWise has patched the vulnerability on its cloud-hosted platforms and has not observed further suspicious activity since the enhancements. The full extent of the data compromised and the specific number of affected customers remain undisclosed by ConnectWise.
2025-05-29 16:33:33 bleepingcomputer CYBERCRIME Abuse of Google Apps Script in Recent Phishing Attacks
Threat actors exploit Google Apps Script to create convincing phishing pages within Google's trusted domain. Cofense security researchers uncovered the attack scheme which mimics legitimate Google login screens to steal credentials. The phishing tactics involve emails that mimic invoices or tax communications, directing victims to these malicious pages. Once credentials are entered on the fake login page, victims are redirected to the actual service to reduce suspicion. The open nature of Google Apps Script allows attackers to change their phishing script remotely without issuing new links. Effective defense measures suggested include stricter email security settings and potentially blocking or flagging Google Apps Script URLs. This method of attack capitalizes on the trust afforded to Google’s domain, making it harder for typical security measures to flag the phishing attempt. Google has yet to respond to inquiries about implementing specific anti-abuse measures following these findings.
2025-05-29 16:26:12 theregister MALWARE Sophisticated Botnet Targets 8,000+ Asus Routers for Stealth Control
Thousands of Asus routers are compromised by a botnet named AyySSHush, as detected by the threat monitoring firm GreyNoise. The botnet exploits vulnerabilities in the routers to disable Trend Micro security features and gain backdoor access. Attackers are using brute-force attacks and authentication bypass bugs to achieve initial router access and execute arbitrary commands. Compromised routers have an SSH backdoor installed, making the botnet nearly invisible and persistent even after firmware updates. GreyNoise worked closely with governments and industry partners before disclosing these vulnerabilities months after their discovery. The specific router models affected are popular ones, namely RT-AC3100, RT-AC3200, and RT-AX55. GreyNoise notes similarities between this botnet and another campaign named ViciousTrap, mentioned by French research group Sekoia. Asus issued patches for the vulnerabilities, but affected devices still require a factory reset to completely eradicate the threat.
2025-05-29 16:12:35 bleepingcomputer CYBERCRIME Safari Vulnerability Enables Deceptive Fullscreen Attacks
A flaw in Apple's Safari web browser enables fullscreen browser-in-the-middle (BitM) attacks, posing significant credential theft risks. Attackers exploit the Fullscreen API in Safari, allowing them to obscure browser guardrails and deceive users into revealing sensitive information. SquareX researchers observed that these attacks particularly endanger Safari users due to the browser's insufficient alert mechanisms when entering fullscreen mode. The technique involves tricking users via legitimate-looking but malicious websites, using tools like noVNC to superimpose an attacker-controlled browser window over the legitimate session. This type of attack does not trigger security alerts from endpoint detection and response systems (EDRs) or secure access service edge (SASE/SSE) because it abuses standard browser functionalities. Unlike Safari, browsers like Firefox and those based on Chromium signal to users when full screen mode is activated, adding a layer of security that Safari lacks. SquareX's disclosure to Apple received a "wontfix" response, with Apple suggesting their current fullscreen animation is an adequate indication for users. Apple has yet to offer a detailed public response to SquareX's findings or BleepingComputer's inquiry about their stance on the issue.