Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2025-07-11 06:35:14 theregister CYBERCRIME Russian Pro Basketball Player Arrested on Ransomware Charges in France
Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested in France on charges related to ransomware negotiations. Kasatkin was detained at Charles de Gaulle Airport and is facing extradition to the US for "conspiracy to commit computer fraud." He is accused of being part of a ransomware gang that targeted approximately 900 entities, including US federal agencies, from 2020 to 2022. Kasatkin's legal team asserts his innocence, claiming he lacks computer skills and was possibly framed with a hacked or planted computer. The Russian embassy has voiced concerns over the French authorities denying them access to Kasatkin. His arrest could potentially damage his professional basketball career; he has already left his team, MBA Moscow, following the arrest. The US Department of Justice has yet to release statements or evidence substantiating the charges, and the French authorities are reportedly slow in assessing the evidence.
2025-07-11 05:50:53 theregister NATION STATE ACTIVITY Tencent Accused of Using Legal Tactics to Silence Critic
GreatFire.org, an anti-censorship group, accuses Tencent and Group-IB of trying to shut down its website FreeWeChat.com. FreeWeChat.com archives content believed to be censored from the popular messaging app WeChat, widely used in China. Tencent, through its legal representative Group-IB, allegedly lodged legal complaints citing trademark infringement, cybersquatting, and unfair competition. GreatFire refuted these claims on factual and legal grounds, but their hosting provider still complied with the takedown request. According to GreatFire, Group-IB's action serves Tencent's political interests under the guise of intellectual property rights protection. GreatFire continues to seek alternative hosting solutions and remains determined to keep the site live despite these challenges. Martin Johnson, co-founder of GreatFire, criticized the move as an attempt to censor their work through legal means rather than direct technological attacks.
2025-07-11 04:33:47 thehackernews CYBERCRIME CISA Catalogs Citrix NetScaler Flaw Due to Ongoing Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5777, a critical security vulnerability in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, dubbed "Citrix Bleed 2" because of its similarities to the earlier Citrix Bleed flaw, allows attackers to bypass authentication as a result of insufficient input validation. Real-world attacks reportedly began around mid-June against devices configured as VPNs, proxies, or AAA virtual servers, which are central points of access to networked environments. Data indicates the attacks originate from malicious IP addresses in multiple countries and target organizations worldwide, including in the United States and Europe. While Citrix has yet to confirm the exploitation, independent security researchers and vendors have documented evidence of the attacks, including links to RansomHub ransomware. CISA advises upgrading immediately to patched versions of the software and recommends forcibly terminating sessions authenticated through compromised deployments. Network administrators are urged to monitor logs for suspicious requests and unusual XML data, because the vulnerability exposes sensitive tokens and data without leaving traditional malware traces. The threat is exacerbated in hybrid IT environments, where compromised credentials can lead to broader network access and data breaches.
2025-07-11 00:02:21 theregister NATION STATE ACTIVITY Retired US Colonel Leaks Military Secrets to Online Date
David Franklin Slater, a retired US Army lieutenant colonel and civilian employee of the US Air Force, has pleaded guilty to conspiring to transmit confidential national defense information. Slater shared classified information about the Russia-Ukraine war with a woman he met on a dating app who was identified as a foreigner and referred to as "co-conspirator 1" in court documents. The information disclosed included sensitive details about military targets and Russian military capabilities during the ongoing conflict. The communication between Slater and the woman occurred over email and an online messaging platform from February to April 2022, coinciding with the intensification of the Russia-Ukraine conflict. Despite signing a non-disclosure agreement that emphasized the severe consequences of negligent handling of sensitive compartmented information (SCI), Slater divulged such information to his online contact. Legal consequences for Slater could include up to 10 years in prison, three years of supervised release, and a fine of up to $250,000. The U.S. Attorney emphasized the gravity of Slater’s breach of duty in protecting national defense information, especially given his extensive military experience.
2025-07-10 22:16:29 theregister CYBERCRIME CitrixBleed 2 Vulnerability Actively Exploited, CISA Confirms
CISA has officially recognized CVE-2025-5777, referred to as CitrixBleed 2, as a critical security flaw under active exploitation. CitrixBleed 2 allows remote attackers to read sensitive data from NetScaler devices configured as gateway servers without authentication, posing serious security risks. Citrix originally identified and patched the flaw in June 2025, but subsequent reports from researchers indicated that the patch was not widely applied, leading to active exploitation. Security researcher Kevin Beaumont named the bug "CitrixBleed 2" because of its similarities to a previous critical vulnerability in the same NetScaler product. Despite Citrix's initial claims that there was no evidence of exploitation, multiple security researchers and groups, including Greynoise and Akamai, have observed both attempted and successful exploitation. The vulnerability is simple to exploit, requiring only a request to a specific URL path with no prior conditions, which makes it accessible to a wide range of attackers. The potential impact includes unauthorized access to VPNs, internal networks, and sensitive data, creating substantial risk for federal enterprises and other organizations.
2025-07-10 20:49:11 bleepingcomputer MISCELLANEOUS Microsoft Enhances Windows 11 Security with JScript9Legacy Engine
Microsoft has replaced the default JScript engine with JScript9Legacy in Windows 11 version 24H2 to improve security and performance. The update addresses weaknesses in the old JScript engine, such as cross-site scripting (XSS) and memory corruption, which posed significant web threats. JScript9Legacy offers better compliance with modern JavaScript security standards and improved handling of scripts that run outside the browser. The transition requires no user action, as JScript9Legacy is enabled by default in the latest Windows version, so existing scripts continue to execute without interruption. Legacy scripts will continue to operate without modification, and Microsoft offers support for any compatibility issues that arise. The change also aligns with Microsoft's shift from Internet Explorer to the more secure Edge browser.
2025-07-10 20:34:51 theregister NATION STATE ACTIVITY Engineer Jailed for Stealing Semiconductor Tech for Russia
A Dutch court sentenced a former engineer of ASML and NXP to three years in prison for stealing semiconductor technology and sharing it with Russian contacts. The convict, reportedly a Russian named German Aksenov, transferred corporate data to Russia's FSB intelligence service, earning around €40,000. Legal proceedings revealed he used encrypted messaging apps and cloud storage to send technical semiconductor manufacturing files to an unnamed recipient in Russia. The files included sensitive information on equipment and processes required for setting up semiconductor production. Although accused of planning to assist in setting up a microchip production line, he was acquitted of this charge as no technical assistance was ultimately provided. NXP expressed satisfaction with the verdict, highlighting their zero-tolerance policy toward data theft and embezzlement. The court could not conclusively link the money received by the defendant to the sale of the stolen intellectual property.
2025-07-10 17:07:24 thehackernews CYBERCRIME Critical mcp-remote Vulnerability Risks Full System Compromise
Cybersecurity researchers identified a severe vulnerability in the mcp-remote open-source project, tracked as CVE-2025-6514 with a CVSS score of 9.6. The flaw allows execution of arbitrary OS commands when the mcp-remote tool connects to an untrusted MCP server, creating the potential for full system compromise. mcp-remote facilitates communication between MCP clients and servers and is widely used, with over 437,000 downloads. Affected versions range from 0.0.5 to 0.1.15; the vulnerability was fixed in version 0.1.16, released on June 17, 2025. Windows, macOS, and Linux are all affected, though the degree of control an attacker gains over command execution varies by platform. To mitigate the risk, users are urged to update mcp-remote to the latest version and to connect only to trusted MCP servers over HTTPS. The disclosure follows recent findings of other significant vulnerabilities in MCP tools and systems, underscoring the ongoing security challenges of managing MCP server interactions.
2025-07-10 16:29:36 bleepingcomputer CYBERCRIME Pro Basketball Player Arrested in Ransomware Gang Investigation
Russian professional basketball player Daniil Kasatkin was arrested in France on charges related to his alleged involvement with a ransomware gang. The arrest was executed at Charles de Gaulle airport on June 21 after Kasatkin landed in France with his fiancée. Kasatkin is accused of acting as a negotiator for the ransomware gang, which is believed to have attacked over 900 companies, including two federal agencies. The U.S. is seeking extradition of Kasatkin to face charges including "conspiracy to commit computer fraud" and "computer fraud conspiracy." Kasatkin's lawyer claims his client's innocence, attributing the charges to a possibly compromised second-hand computer Kasatkin had purchased. The implicated ransomware gang closely resembles the activities of the notorious Conti group, known for targeting state governments and possibly federal agencies. This arrest comes amid other notable cybersecurity actions in France, including the arrest of four operators from the BreachForums hacking forum.
2025-07-10 16:04:47 bleepingcomputer CYBERCRIME Bluetooth Flaws Endanger Millions of Cars Across Major Brands
Four critical vulnerabilities, collectively named PerfektBlue, were identified in OpenSynergy's BlueSDK Bluetooth stack, affecting vehicles from Mercedes-Benz AG, Volkswagen, and Skoda. The vulnerabilities allow remote code execution and can give an attacker access to the vehicle's infotainment system and other critical components. Although OpenSynergy released patches in September 2024, many automakers have yet to deploy them. The PCA Cyber Security team, which discovered the vulnerabilities, demonstrated possible attacks, including tracking the vehicle's GPS coordinates and accessing phone contacts from the vehicle. Volkswagen acknowledged the issue and began an investigation, noting that exploitation requires specific conditions, including proximity to the vehicle. PCA Cyber Security also hinted at another, as yet unnamed, major automotive OEM affected by these issues, with full disclosure planned for November 2025. The findings are significant not only for the potential control over in-vehicle systems they demonstrate but also for the slow response from automakers in patching known flaws.
2025-07-10 15:21:52 theregister CYBERCRIME Russia Rejects Bill to Legalize Ethical Hacking Amid Security Fears
Russia's State Duma has rejected a bill aimed at legalizing ethical hacking, citing national security concerns. Politicians worried that vulnerabilities discovered by researchers could be exploited by hostile nations if shared with foreign software companies. The bill also lacked clarity on how existing laws would be adapted to permit practices such as penetration testing and bug bounties. Despite the rejection, established Russian cybersecurity firms can still conduct vulnerability research, but individual researchers face significant legal risk: unauthorized access to computer systems, even for ethical purposes, can lead to prosecution under the Russian Criminal Code. Russia does not openly encourage cybercrime, but it often overlooks activity targeting its adversaries, reflecting a culture of tacit approval. Ethical hacking in Russia is confined primarily to collaborations between cybersecurity companies and domestic software vendors under strict confidentiality and control measures. Russian researchers also face limits on probing foreign software because of sanctions, particularly those imposed after Russia's invasion of Ukraine.
2025-07-10 14:46:47 thehackernews MALWARE Deceptive AI and Gaming Startups Target Crypto Users with Malware
Cryptocurrency enthusiasts are being targeted by a social engineering scam built around fake AI, gaming, and Web3 startups. Attackers create convincing profiles for these non-existent companies on platforms such as Telegram and Discord and attempt to lure victims into downloading malware-laced software. The scam relies on spoofed social media accounts and professional-looking websites, with project documentation hosted on platforms such as GitHub and Notion. Victims are deceived into downloading malicious software that deploys information stealers such as Realst and AMOS, designed to extract sensitive data including crypto-wallet credentials. The campaign, active since at least March 2024, uses a variety of themes and verified social media accounts to bolster its credibility and entice potential victims. Victims who download and open the malicious files on Windows or macOS suffer theft of data including documents and crypto-wallet details. Darktrace's report notes similarities between these operations and those of a known cybercrime group, though direct attribution remains uncertain.
2025-07-10 14:10:25 bleepingcomputer MISCELLANEOUS Best Practices for Securing Law Enforcement Data: A CJIS Guide
The CJIS Security Policy sets stringent guidelines for handling sensitive law enforcement data, applicable to both government entities and private contractors. CJIS, established in the late 1990s, consolidates criminal databases across the U.S. to ensure uniform security standards in data handling. Compliance involves robust identity and access management protocols, including secure passwords, multifactor authentication, and strict access controls. Non-compliance can lead to severe consequences, such as significant data breaches exposing sensitive criminal information. Verizon’s Data Breach Investigation Report highlights that stolen credentials play a role in almost 45% of all breaches, underlining the importance of secure password policies. Specops Software offers tools that integrate with Active Directory to help organizations meet CJIS standards, streamline administrative tasks, and maintain audit-ready compliance. Entities needing to comply include any organization that might handle criminal justice information, not just police departments.
2025-07-10 13:46:09 bleepingcomputer CYBERCRIME Four Arrested in UK for Major Retail Cyberattacks
The UK National Crime Agency (NCA) arrested four individuals linked to the cyberattacks on Marks & Spencer, Co-op, and Harrods. The arrestees are two 19-year-old men, a 17-year-old male, and a 20-year-old female from London and the West Midlands. The suspects face charges including Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. Electronic devices were seized during the arrests to gather evidence and identify possible connections to other co-conspirators. The attacks hit the retailers hard; Marks & Spencer suffered a significant data breach that forced password resets for customers. Financially, the incident is estimated to cost Marks & Spencer $402,000,000 in lost profit. The attackers, believed to be part of the Scattered Spider group, also targeted the US insurance and transportation sectors. The case lays the groundwork for continued international cooperation in investigating and disrupting cybercrime.
2025-07-10 12:15:11 thehackernews CYBERCRIME Four Arrested Over Multimillion-Pound Cyber Attacks on UK Retailers
The UK National Crime Agency (NCA) detailed the arrest of four individuals linked to a major cyber attack on the retailers Marks & Spencer, Co-op, and Harrods. Those arrested are two men aged 19, a 17-year-old, and a 20-year-old woman, detained over their suspected involvement in Computer Misuse Act offenses, blackmail, money laundering, and organized crime. The NCA conducted raids in the West Midlands and London, seizing numerous electronic devices for forensic examination. The attacks, classified as significant cyber events by the Cyber Monitoring Centre, caused financial damage estimated at between £270 million and £440 million. The suspects are believed to be part of Scattered Spider, a decentralized group known for sophisticated social engineering and ransomware attacks. Scattered Spider, notorious within The Com collective, uses methods such as phishing to gain unauthorized access to high-value targets across a range of sectors. The case remains a high priority for the NCA, with ongoing international collaboration to bring the perpetrators to justice and prevent future incidents.