Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-07 17:06:45 | bleepingcomputer | DATA BREACH | Qantas Targeted in Extortion After Customer Data Theft | Qantas is being extorted following a cyberattack that exposed information on 6 million customers. The stolen data includes names, email addresses, phone numbers, dates of birth and frequent flyer numbers; no financial or other sensitive security details were compromised. Threat actors linked to Scattered Spider, a group known for sophisticated social engineering that has previously hit retail and insurance and has recently turned to transportation and aviation, are believed to be behind the attack. Qantas has engaged the Australian Federal Police, the Australian Cyber Security Centre and other regulators to investigate and manage the incident. Customers are advised to watch for scams and phishing that use the stolen data; Qantas stressed it will not request sensitive information over unsecured channels. The intrusion was first detected as abnormal activity in a third-party system used by a Qantas contact center. | Details |
| 2025-07-07 16:53:28 | bleepingcomputer | NATION STATE ACTIVITY | Undocumented 'Batavia' Spyware Campaign Targets Russian Industries | 'Batavia', a previously undocumented spyware, has been targeting Russian industrial enterprises since at least July 2024, with activity intensifying markedly since January 2025. It is delivered by phishing emails with fake contract-related lures: the email carries a malicious link disguised as a contract attachment, which downloads a script that profiles the victim's system. After this initial foothold, Batavia deploys further payloads, including WebView.exe and javav.exe, that collect and exfiltrate system logs, documents and screenshots. A decoy contract is displayed to the victim while the malicious activity runs in the background. The multi-stage chain of data theft and system surveillance points to espionage against Russia's industrial sector, and its intensity and sophistication, including a possible fourth payload, suggest a well-resourced actor after specific industrial information. | Details |
| 2025-07-07 14:51:15 | bleepingcomputer | CYBERCRIME | Hackers Exploit Leaked Red Team Tool for Infostealing Attacks | Shellter Elite, a commercial AV/EDR evasion loader sold for penetration testing, is being abused by attackers after a customer leaked a copy. The leaked build, Shellter Elite v11.0, has been used since at least April to deploy infostealers including Rhadamanthys, Lumma and Arechclient2, with the malware distributed through YouTube comments and phishing emails; multiple attacks trace back to that single leaked copy. Shellter responded with an updated release (v11.1) and tightened its customer vetting to prevent further leaks. Elastic Security Labs detected the misuse; Shellter criticized Elastic for not notifying it promptly. Shellter reaffirmed that it does not support criminal activity and said it is ready to cooperate with law enforcement. This is the first known misuse of a Shellter product since the stricter licensing it introduced in February 2023. | Details |
| 2025-07-07 12:06:32 | theregister | CYBERCRIME | Surge in Identity Attacks Driven by Advanced Phishing Kits | eSentire researchers report a 156% increase in attacks targeting user logins, driven chiefly by advanced phishing kits and infostealer malware. Identity-based attacks now account for 59% of all security investigations, up sharply on the previous year, and they feed financially motivated crime such as business email compromise (BEC) and ransomware. Phishing-as-a-Service platforms such as Tycoon 2FA rent out ready-made phishing pages and tooling that defeats multi-factor authentication for a monthly fee. Infostealers are cheaper still: logs containing credentials sell for as little as $10, though their value is limited by how old the credentials are. The return on identity-based attacks is high enough that attackers keep refining them, undeterred by traditional defenses. Adoption of passkeys, which replace a reusable password with a device-held public key pair unlocked by biometrics or a device PIN, is being accelerated to blunt both phishing and infostealers. eSentire stresses that organizations need robust monitoring and rapid response to mitigate identity-based attacks. | Details |
| 2025-07-07 11:36:17 | thehackernews | NATION STATE ACTIVITY | North Korea IT Workers Infiltrate US Companies, Steal Data | U.S. authorities have disrupted a North Korean scheme in which remote IT workers used fake or stolen identities to get hired at more than 100 U.S. companies. Beyond drawing salaries, the workers stole sensitive data and siphoned more than $900,000 in a cryptocurrency theft from a blockchain firm; at least one accessed sensitive data at a California defense contractor, including ITAR-controlled information. The Justice Department executed 21 searches across 14 states, building on earlier operations, and the government seized 21 web domains, 29 financial accounts and nearly 200 laptops and remote-access devices. North Koreans have used the identities of more than 80 U.S. persons to obtain positions fraudulently and channel the proceeds to the Kim regime. The State Department offers rewards of up to $5 million for information that helps disrupt the financial operations behind North Korean state-sponsored activity. | Details |
| 2025-07-07 11:06:29 | thehackernews | CYBERCRIME | Iranian Hack Exploits Default Passwords, Urges Tighter Security | Iranian hackers breached a U.S. water facility by logging in with a default password, affecting 7,000 users. The incident underlines the risk default credentials pose in critical infrastructure, and CISA has advised manufacturers to eliminate them. Defaults such as "admin/admin" or "1234" remain a major gap that attackers exploit routinely; the Mirai botnet, which disrupted major internet services, was built from devices still running factory default passwords. The UK now prohibits shipping consumer IoT devices with universal default passwords, and manufacturers are encouraged to adopt secure-by-design practices. IT professionals are urged to enforce strict password policies and to consider tools such as Specops Password Policy to do so. | Details |
| 2025-07-07 04:56:58 | thehackernews | NATION STATE ACTIVITY | TAG-140 Uses Advanced RATs to Target Indian Government Sectors | A Pakistan-linked group tracked as TAG-140 is deploying a modified variant of the DRAT remote access trojan (RAT) against Indian government, defense and railway organizations. The group overlaps with SideCopy and Transparent Tribe, and in this campaign it used cloned Indian Ministry of Defence press release portals as the lure, delivering the malware through targeted phishing with the aim of data theft, surveillance and disruption of critical services. Recorded Future's analysis traces the evolution of TAG-140's tooling, noting that DRAT V2 gains flexibility and drops some obfuscation in favor of reliability; it adds post-exploitation capabilities such as arbitrary shell command execution and improved C2 communication. The adversary has broadened its targeting to maritime, oil and gas, and external affairs ministries, a strategic expansion of its operational focus. Related activity includes malicious PDFs aimed at defense personnel and evasion techniques designed to avoid detection. | Details |
| 2025-07-06 20:15:49 | theregister | CYBERCRIME | Security Flaw Exposes 62,000 Accounts in Stalkerware Breach | Security researcher Eric Daigle discovered a SQL injection vulnerability in the Catwatchful stalkerware that gave access to a database of 62,000 user accounts. He published a blog post detailing the findings, noting that the software is built to be undetectable on the phones it monitors and describing how he compromised it. Despite efforts by Daigle and TechCrunch, Catwatchful remained operational, standing up temporary sites and patching the SQL injection flaw. The same roundup also covers: a software-supply-chain concern, with researchers demonstrating that publisher verification for IDE extensions can be spoofed; a ransomware attack on Swiss NGO Radix, which works with government agencies, though government systems were not compromised; the Common Vulnerabilities and Exposures (CVE) Program seeking input from security experts and consumers to better align with real-world use cases and improve how security norms are set; and a US healthcare breach at Esse Health that potentially exposed the personal and health information of 263,601 patients. | Details |
| 2025-07-06 13:14:56 | theregister | RANSOMWARE | Ingram Micro Hit by Ransomware Attack, SafePay Claims Responsibility | Ingram Micro suffered a major system outage caused by a ransomware attack, confirmed on July 3. The SafePay ransomware crew claimed the attack, citing network security misconfigurations at Ingram Micro. The disruption left Ingram unable to process orders or manage licenses for products such as Microsoft 365 and Dropbox. The company took affected systems offline and implemented other mitigations, launched an investigation with outside cybersecurity experts and notified law enforcement. SafePay's ransom note claims the group accessed and encrypted sensitive data, including financial statements, intellectual property and customer files; it threatened to publish the stolen data and gave Ingram a week to negotiate. The note implies the intrusion came through Ingram's GlobalProtect VPN platform, though this remains unconfirmed. | Details |
| 2025-07-05 16:04:39 | bleepingcomputer | CYBERCRIME | SafePay Ransomware Disrupts Ingram Micro's Global Operations | Ingram Micro, one of the largest global IT distributors, has been hit by a SafePay ransomware attack that has taken down its internal systems, websites and online ordering since early Thursday. Employees found ransom notes on their devices, though it is not yet confirmed that data was actually encrypted. SafePay, which emerged in November 2024, has added Ingram Micro to a victim list of more than 220 organizations. As a precaution, Ingram Micro told employees to work from home and not to use the GlobalProtect VPN. Despite the disruption, Microsoft 365, Teams and SharePoint are reported to be working. At the time of writing, Ingram Micro had neither publicly acknowledged the attack nor informed employees directly. Sources say the attackers may have entered the network using compromised credentials on the GlobalProtect VPN platform. | Details |
| 2025-07-05 12:45:11 | theregister | CYBERCRIME | Surge in .es Domains Being Used for Phishing and Malware Distribution | Researchers have recorded a 19-fold increase in abuse of .es domains, predominantly for credential phishing. More than 1,300 subdomains across 447 .es domains were found hosting malicious pages, 99% of them phishing, most of it after Microsoft credentials and delivered with convincing email themes such as fake HR requests; about 1% of campaigns instead dropped RATs such as ConnectWise RAT and XWorm. Most of the phishing pages are hosted on Cloudflare, exploiting how easily sites can be deployed there. Although .es registration requirements are typically more stringent, the TLD is now the third most abused after .com and .ru. The tradecraft itself is conventional: lure emails pointing at randomly generated subdomains that host the phishing sites. The trend suggests .es abuse is becoming a habitual technique across a broad set of cybercriminals. | Details |
| 2025-07-05 06:19:58 | thehackernews | NATION STATE ACTIVITY | Taiwan NSB Warns Against Chinese Apps Over Privacy Risks | Taiwan's National Security Bureau (NSB) has warned of security risks in Chinese-developed apps including TikTok, Weibo and RedNote because of their data practices. The NSB and other Taiwanese security agencies reviewed the apps against 15 security indicators and found excessive data collection and privacy violations: RedNote failed all 15, while TikTok and Weibo each failed 13. The concerns include harvesting of facial recognition data, screenshots, clipboard contents, contact lists and device information, all sent to servers in China. The NSB stressed that Chinese companies are legally required to hand user data to the Chinese government, a direct threat to the privacy of Taiwanese users. The advisory follows similar action elsewhere, with countries such as India and Canada banning Chinese apps on comparable grounds. The NSB urged the public and businesses in Taiwan to stay vigilant about mobile security and avoid installing apps developed in China, to protect personal and corporate data. | Details |
| 2025-07-05 05:45:59 | thehackernews | CYBERCRIME | Cybercriminals Deploy Crypto Miners and New Hpingbot for DDoS Attacks | Threat actors are exploiting exposed Java Debug Wire Protocol (JDWP) interfaces to gain remote code execution and deploy cryptocurrency miners. Wiz researchers observed the activity on honeypot servers running TeamCity, which is especially exposed when run in debug mode. JDWP, the protocol Java debuggers use to attach to a JVM, has no built-in authentication, so a listener reachable from the network gives anyone who connects control of the application. Over 2,600 IP addresses, mostly in China, the U.S., Germany, Singapore and Hong Kong, have been seen scanning for JDWP endpoints. Separately, NSFOCUS has detailed Hpingbot, a new botnet malware that targets both Windows and Linux and is used to launch distributed denial-of-service (DDoS) attacks. Hpingbot stands out because it was written from scratch rather than derived from existing botnet code, uses Pastebin to distribute its payloads, and relies on the hping3 tool to generate DDoS traffic. Its operators gain initial access through weak SSH configurations, underscoring the need for sound SSH hygiene. | Details |
| 2025-07-04 15:17:08 | bleepingcomputer | DATA BREACH | Hacker Leaks 106GB of Telefónica Data, Claims Fresh Breach | A hacker known as "Rey," linked to the Hellcat ransomware group, claims to have breached Spanish telecom giant Telefónica again and is threatening to leak 106GB of data. Rey has already released a 2.6GB archive to back the claim; the full data set supposedly includes internal communications, customer records and employee data. The breach reportedly took place on May 30 through a misconfiguration in a Jira server that had previously been compromised. Despite repeated inquiries from BleepingComputer, Telefónica has not acknowledged a new breach, and one representative dismissed it as an extortion attempt using outdated data. The leaked files include emails and invoices from Telefónica's operations in several countries, with the most recent content dated 2021. After an initial takedown on legal grounds, the hacker has moved to distributing the data through several platforms, increasing the risk of wide exposure. | Details |
| 2025-07-04 15:17:08 | bleepingcomputer | CYBERCRIME | Ingram Micro Hit by Potential Cyberattack, Global Systems Down | Ingram Micro is suffering a global outage of its websites and internal systems. The technology distributor has not disclosed the cause, prompting speculation about a cyberattack. The outage began on Thursday morning and has left customers worldwide unable to place orders, while employees are also locked out of certain internal systems. Visitors to the Ingram Micro website see messages indicating restricted access or maintenance. Online speculation points to ransomware, but the nature of the incident is unconfirmed. Prolonged unavailability of this kind is typical of a major breach, which makes the situation alarming for partners and businesses that depend on Ingram Micro. The company has yet to comment officially on the cause or on remediation. | Details |
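For the default-credentials entry above (Iranian Hack Exploits Default Passwords, Urges Tighter Security), an added example of the audit a practitioner would run over a device inventory. This is not code from the article or from Specops; the vendor-default list, the blocklist, the length threshold and the inventory are constructed samples that a real audit would load from maintained sources. The point it makes beyond the summary is that a blocklist has to be applied after normalizing the usual evasions (case, trailing digits, leetspeak), or "P@ssw0rd1!" passes a check that "password" fails.

```python
"""Default-credential and password-policy audit for a device inventory.

Added example; not from the article or from Specops. The vendor-default list,
the common-password list and the inventory below are constructed samples that
a real audit would load from a maintained source.
"""
import re

# Constructed sample of (username, password) vendor defaults.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", ""), ("root", "root"), ("user", "user"),
}
# Constructed sample of a breached/common-password blocklist (stored normalized).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "secret"}
MIN_LENGTH = 14

# Undo the usual substitutions people make to sneak a blocked word past a naive check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then reverse leetspeak,
    so 'P@ssw0rd1!' and 'Password2024' both reduce to 'password'."""
    p = re.sub(r"[^a-z]+$", "", password.lower())
    return p.translate(LEET)


def check_password(username: str, password: str) -> list[str]:
    """Return the policy violations for one account; an empty list means it passes."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credential")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    if norm and (norm in COMMON_PASSWORDS or norm == username.lower()):
        findings.append("common or username-derived password")
    if password and (password in "0123456789" or password in "9876543210"
                     or len(set(password)) == 1):
        findings.append("sequential or repeated characters")
    return findings


def audit(inventory):
    """inventory: iterable of (device, username, password).
    Returns {device: violations} for failing accounts; clean accounts are omitted."""
    report = {}
    for device, username, password in inventory:
        violations = check_password(username, password)
        if violations:
            report[device] = violations
    return report


# Constructed inventory for the demo; not real devices.
SAMPLE_INVENTORY = [
    ("plc-01", "admin", "1234"),
    ("hmi-02", "admin", "P@ssw0rd1!"),
    ("router-03", "root", "root"),
    ("historian-04", "svc_hist", "x7#Lq9!vTm2$wRb4"),
]

if __name__ == "__main__":
    for device, problems in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {'; '.join(problems)}")
```

Run as a script it prints one line per failing device; `historian-04` passes because its password is long, not a default, and does not normalize to a blocked word. The normalizer is deliberately simple: stripping only trailing digits means "2024password" would still slip through, which is why real products match blocked words as substrings.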
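For the Catwatchful entry (Security Flaw Exposes 62,000 Accounts in Stalkerware Breach), an added example of the bug class rather than the actual flaw: a login lookup that splices user input into SQL, shown beside the parameterized form that closes it. This is not Catwatchful's code; the schema, rows and payloads are invented, and it runs against an in-memory SQLite database so it can be executed offline.

```python
"""SQL injection in a login lookup: vulnerable form beside the parameterized fix.

Added example; it is not Catwatchful's code and the schema and rows below are
invented. It uses an in-memory SQLite database so it runs offline.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.invalid", "hash-a"),
         ("bob@example.invalid", "hash-b"),
         ("carol@example.invalid", "hash-c")],
    )
    return conn


def login_vulnerable(conn, email, password_hash):
    """The bug: user input is spliced into the SQL text, so quotes, OR, UNION
    and comment markers in the input change the query's structure."""
    sql = (f"SELECT id, email FROM users "
           f"WHERE email = '{email}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email, password_hash):
    """The fix: placeholders. The driver passes values separately from the
    statement, so the same payloads are compared literally and match nothing."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password_hash = ?"
    return conn.execute(sql, (email, password_hash)).fetchall()


# Tautology payload: closes the string, makes the WHERE always true, and the
# '--' comments out the password check.
BYPASS_PAYLOAD = "' OR 1=1 --"
# UNION payload: reads the password_hash column through a query that was only
# supposed to return ids and emails.
DUMP_PAYLOAD = "' UNION SELECT id, password_hash FROM users --"


def demo():
    """Run both payloads against both implementations; return the rows each yields."""
    conn = setup_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "vulnerable_dump": login_vulnerable(conn, DUMP_PAYLOAD, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_PAYLOAD, "wrong"),
        "safe_dump": login_safe(conn, DUMP_PAYLOAD, "wrong"),
        "safe_legit": login_safe(conn, "alice@example.invalid", "hash-a"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns all three accounts for the bypass payload and leaks every password hash for the UNION payload; the parameterized function returns nothing for both and still authenticates a genuine login. Escaping quotes by hand is not an equivalent fix: placeholders keep data and statement separate at the driver level, whatever characters the input contains.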
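For the .es phishing entry (Surge in .es Domains Being Used for Phishing and Malware Distribution), an added triage heuristic for the randomly generated subdomains the summary mentions. It is not code from the researchers cited; the URLs are constructed, and the thresholds (character entropy, vowel ratio, longest consonant run) are this example's choices that would need tuning on real mail-gateway data. It goes slightly beyond the entry by also handling the .es second-level registries (.com.es, .gob.es and so on), so the attacker-controlled labels are separated from the registrable domain correctly.

```python
"""Triage URLs for throwaway, machine-generated subdomains on .es domains.

Added example; not from the researchers the article cites. The sample URLs
are constructed and the scoring thresholds are this example's own choice.
"""
import math
from collections import Counter
from urllib.parse import urlsplit

# Second-level registries under .es; everything left of these is attacker-chosen.
ES_SECOND_LEVEL = {"com.es", "nom.es", "org.es", "gob.es", "edu.es"}
VOWELS = set("aeiou")


def split_host(host):
    """Return (subdomain_labels, registrable_domain) for a .es hostname, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "es":
        return None
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in ES_SECOND_LEVEL else 2
    return labels[:-n], ".".join(labels[-n:])


def entropy(s):
    """Shannon entropy in bits per character; 8 distinct chars in 8 gives 3.0."""
    if not s:
        return 0.0
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_generated(label):
    """Heuristic for a random-looking DNS label: high entropy, few vowels, and
    either digits mixed in or a long consonant run. Dictionary words and
    'www'/'correo'-style labels fail at least one of these."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    has_digit = any(ch.isdigit() for ch in label)
    run = best = 0
    for ch in label:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return entropy(label) >= 3.0 and vowel_ratio < 0.3 and (has_digit or best >= 4)


def triage(urls):
    """Return (url, registrable_domain, suspicious_label) for .es hosts whose
    leftmost label looks generated; non-.es URLs are skipped."""
    hits = []
    for url in urls:
        parts = split_host(urlsplit(url).hostname or "")
        if not parts:
            continue
        subs, registrable = parts
        if subs and looks_generated(subs[0]):
            hits.append((url, registrable, subs[0]))
    return hits


# Constructed URLs for the demo, not real sightings.
SAMPLE_URLS = [
    "https://x7kq9mzt.ejemplo-hosting.es/login",
    "https://blupgoyqugkfyirt.otro-ejemplo.es/",
    "https://www.ejemplo.es/",
    "https://correo.ejemplo.com.es/",
    "https://administracion.ejemplo.es/",
    "https://a8f3k2p9.example.com/",   # generated-looking, but not .es: skipped
]

if __name__ == "__main__":
    for url, registrable, label in triage(SAMPLE_URLS):
        print(f"{label!r} under {registrable}: {url}")
```

Only the two .es URLs with random leftmost labels are reported; the legitimate-looking `www`, `correo` and `administracion` labels fail the vowel-ratio or entropy test, and the .com URL is outside scope by design. A score like this is a triage signal to join with other context (Cloudflare hosting, Microsoft-themed lure, recent registration), not a block decision on its own.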
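For the JDWP and Hpingbot entry (Cybercriminals Deploy Crypto Miners and New Hpingbot for DDoS Attacks), an added example of two checks a defender would script for the footholds it describes: a JDWP exposure probe, and an sshd_config audit against a small hardening baseline. This is not code from Wiz or NSFOCUS. The probe relies only on the JDWP handshake itself: the client sends the 14-byte ASCII greeting `JDWP-Handshake` and a JVM debug listener echoes it back, after which it accepts debugger commands with no authentication. The loopback mock listener and the two sshd_config samples are constructed for the demo, and the baseline values are this example's choice. One caveat the probe is useful for: with `-agentlib:jdwp=transport=dt_socket,server=y,address=5005`, JDK 9 and later bind only to localhost, whereas JDK 8 and earlier, or `address=*:5005` on any version, listen on every interface.

```python
"""Exposure checks for an unauthenticated JDWP listener and a permissive sshd_config.

Added example, not from Wiz or NSFOCUS. The mock listener and the sample
sshd_config texts below are constructed so the checks can run offline.
"""
import re
import socket
import threading

HANDSHAKE = b"JDWP-Handshake"  # 14-byte ASCII greeting defined by the JDWP spec


def probe_jdwp(host, port, timeout=2.0):
    """Return True if host:port completes the JDWP handshake. Any service that
    echoes the greeting will accept debugger commands without authentication."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            reply = b""
            while len(reply) < len(HANDSHAKE):
                chunk = s.recv(len(HANDSHAKE) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == HANDSHAKE
    except OSError:
        return False


def start_mock_listener(reply):
    """One-shot TCP listener on 127.0.0.1 that answers the first client with
    `reply`. Returns the chosen port. Demo-only stand-in for a real JVM."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Directives a password-spraying bot counts on, and the value each should have.
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "3",
}
# OpenSSH's own default when a directive is absent from the file.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def audit_sshd_config(text):
    """Compare effective global values (first occurrence wins, as in sshd)
    against the baseline. Returns {directive: (actual, expected)} per deviation."""
    effective = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional block follows; the global audit stops here
        effective.setdefault(key, value)
    findings = {}
    for key, expected in SSHD_BASELINE.items():
        actual = effective.get(key, SSHD_DEFAULTS[key])
        if key == "maxauthtries":
            ok = actual.isdigit() and int(actual) <= int(expected)
        else:
            ok = actual.lower() == expected
        if not ok:
            findings[key] = (actual, expected)
    return findings


WEAK_SSHD_CONFIG = """\
# constructed sample of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
PermitEmptyPasswords no
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""

if __name__ == "__main__":
    port = start_mock_listener(HANDSHAKE)
    print("mock JDWP listener reachable:", probe_jdwp("127.0.0.1", port))
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Pointed at a real host, `probe_jdwp` is a yes/no on whether an attacker could attach a debugger; the fix is to remove the agent flag from production JVMs or bind it to localhost and reach it over an SSH tunnel. The sshd audit flags the weak sample on root login, password authentication and MaxAuthTries, and passes the hardened one; it deliberately stops at the first `Match` block, since directives inside it only apply conditionally and need separate review.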