Daily Brief

Find articles below; each entry is followed by a generated summary.

Total articles found: 11819

Checks for new stories every ~15 minutes

2025-06-27 10:33:30 thehackernews NATION STATE ACTIVITY Chinese Hacker Group Launches Malware via Fake Software Sites
A Chinese hacking group, Silver Fox, used fake websites to distribute malware, targeting Chinese language speakers. The malicious software involved includes the Sainbox RAT, a variant of Gh0st RAT, and the Hidden rootkit, derived from an open-source project. The campaign employed fake websites mimicking popular software platforms such as WPS Office and Sogou to attract victims. Infected MSI installers from these sites deploy a legitimate file, which then loads a malicious DLL to execute the malware. This method of attack has been used by Silver Fox before, as noted in previous campaigns targeting similar demographic profiles with similar tools. The Sainbox RAT contained within the malware provides data theft and download capabilities, while the Hidden rootkit focuses on concealing malicious activity. Netskope researchers have analyzed the techniques, linking this activity to prior incidents tied to the same group with medium confidence.
2025-06-27 09:15:44 bleepingcomputer DATA BREACH Ahold Delhaize Faces Data Breach Impacting Over 2 Million Individuals
Ahold Delhaize, a major global food retailer, experienced a ransomware attack in November, affecting its U.S. operations. Personal, financial, and health information of approximately 2.2 million people was compromised during the breach. The data breach included internal records and varied personal information from employment files within Ahold Delhaize USA companies. The INC Ransom ransomware group, a known RaaS operation targeting both public and private sectors globally, is believed to be behind the attack. The breach affected several Ahold Delhaize USA brands, impacting certain pharmacies and e-commerce operations. Ahold Delhaize has not yet confirmed if customer information was directly affected but has disclosed the breach details to Maine's Attorney General. This incident adds to INC Ransom's growing list of victims, evidencing a focus shift to U.S.-based organizations, particularly in healthcare.
2025-06-27 07:51:11 thehackernews CYBERCRIME Surge in Threats to MOVEit Transfer Systems Detected Globally
Threat intelligence firm GreyNoise has observed a significant increase in scanning activities targeting MOVEit Transfer, a popular secure file transfer system, beginning on May 27, 2025. The number of scanning IPs surged from fewer than 10 daily to over 300 IPs on some days, indicating potential preparations for a mass exploitation campaign. MOVEit Transfer, widely used by businesses and government bodies to transmit sensitive data, has become increasingly targeted due to its high-value information handling. In recent scans, 682 unique IPs were flagged for suspicious activities, with a majority located in the United States, Germany, and other countries. GreyNoise reported attempts to exploit previously known vulnerabilities in MOVEit Transfer, specifically CVE-2023-34362 and CVE-2023-36934, warning that these could be leveraged in attacks similar to past ransomware campaigns by Cl0p. Recommendations for organizations include checking internet-exposed components of MOVEit systems, monitoring for anomalies in logs since late May, and promptly updating software to mitigate threats.
2025-06-27 06:37:30 thehackernews MALWARE OneClik Malware Campaign Utilizes Microsoft ClickOnce in Energy Sector
OneClik malware leverages Microsoft ClickOnce deployment technology and Golang backdoors for attacks on the energy sector. The campaign shows signs of association with Chinese-affiliated threat actors, using tactics that avoid detection by blending in with legitimate cloud and enterprise tools. Phishing attacks deliver a .NET-based loader, OneClikNet, which deploys RunnerBeacon, a sophisticated Go-based backdoor that communicates with obscured AWS-hosted infrastructure. RunnerBeacon supports multiple command-and-control communication protocols, has anti-analysis features, and provides capabilities for lateral movement within infected systems. Notable similarities between RunnerBeacon and known Cobalt Strike beacons suggest that it may be an evolved or modified variant of those tools. Multiple versions of the OneClik malware have been observed, demonstrating ongoing development and improvement of its evasive capabilities. There is no formal attribution to a specific threat actor; similar techniques have previously been linked to actors from China and North Korea. Related global cybersecurity efforts also identify other malicious campaigns exploiting ClickOnce and vulnerabilities in web-based email platforms by threat actors such as APT-Q-14.
2025-06-27 06:29:44 bleepingcomputer CYBERCRIME UNFI Recovers from Cyberattack Impacting Core Systems and Sales
UNFI has successfully restored its core systems after a cyberattack disrupted its electronic ordering and invoicing systems. The company experienced reduced sales volume and elevated operational costs as it worked to provide solutions for its customers. The cyberattack, publicly revealed after disruptions became evident on social media, did not involve a breach of personal or protected health information. UNFI anticipates the financial impact of the incident might affect its net income and adjusted EBITDA for the fiscal fourth quarter of 2025. The company is backed by cybersecurity insurance, expected to cover the incident adequately, with the claim process extending into the fiscal year 2026. In response to the attack, UNFI has engaged external cybersecurity experts and notified law enforcement. The attack led to significant disruptions, with some systems taken offline and employees' shifts canceled. Despite not disclosing specific details of the attack or any ransomware links, UNFI confirms ongoing recovery and normalization of its delivery services.
2025-06-27 05:42:53 bleepingcomputer CYBERCRIME Hawaiian Airlines Cyberattack: Systems Impacted, Flights Unaffected
Hawaiian Airlines, a major U.S. carrier, is investigating a recent cyberattack that targeted some of its IT systems. Despite the cyberattack, the airline has confirmed that flight operations and safety remain unaffected. The airline has engaged external cybersecurity experts and relevant authorities to assist in assessing the impact and to facilitate restoration of the affected systems. A notification on both the Hawaiian Airlines and Alaska Airlines websites assures customers that service and safety levels remain stable. The Federal Aviation Administration (FAA) is closely monitoring the situation and has also confirmed that there are no safety impacts. The specifics of the cyberattack, such as whether it involved ransomware or was a preventive shutdown in response to a detected breach, have not yet been disclosed by the airline. This incident follows a similar cyberattack on WestJet, indicating a potential pattern of cyber threats against the aviation sector. Hawaiian Airlines continues to work on restoring full functionality and promises updates as further details become available.
2025-06-26 19:04:35 theregister DATA BREACH British Hacker Faces Extradition for Global Data Theft Spree
Kai West, alias IntelBroker and Kyle Northern, a 25-year-old UK national, has been charged with multiple cybercrimes, including data theft causing significant financial damage. The FBI traced a Bitcoin wallet and personal email usage to identify West as the perpetrator behind the breaches. IntelBroker allegedly compromised over 40 victims globally, including major corporations like Nokia and Apple as well as the US Army, leading to at least $25 million in damages. The stolen data included sensitive healthcare information, and a breach in March 2023 affected patient care. West's activities were primarily facilitated through BreachForums, a site known for cybercrime activity, where he acted as an administrator. He was arrested in Paris alongside four other BreachForums administrators; US authorities are now pursuing West's extradition. Some of the charges against West carry penalties of up to 20 years in prison if he is found guilty.
2025-06-26 18:39:25 theregister MISCELLANEOUS Analyzing Business Risks of Overreliance on Microsoft Services
Miroslav Homer, a Czech developer and pen-tester, discussed strategic vulnerabilities arising from heavy dependence on Microsoft and other U.S. cloud services. Homer urges reconsidering digital sovereignty and reducing reliance on American technology giants to mitigate security and operational risks. He uses incidents such as Microsoft's alleged blocking of an email account belonging to the ICC Chief Prosecutor to highlight potential disruptions. The article assesses the risks quantitatively using Return on Security Investment and compares them to events like the CrowdStrike outage, illustrating substantial potential financial impacts. Homer critiques the general lack of technological literacy among key decision-makers and stresses the importance of understanding the financial implications of technology dependencies. The prevalence of Android and its tie to Google accounts is cited as another example of overwhelming dependency on U.S. tech firms. Homer seeks to challenge prevailing mindsets and assumptions about technology choices in business through quantitative risk evaluation.
2025-06-26 18:17:44 bleepingcomputer CYBERCRIME Widespread Printer Vulnerabilities Expose Default Admin Passwords
Over 740 printer models from Brother, Fujifilm, Toshiba, and Konica Minolta are susceptible to admin password exposure due to a manufacturing flaw. The vulnerability, identified as CVE-2024-51978, involves a predictable default admin password generated with a reversible algorithm based on the printer's serial number. The flaw allows remote attackers to log into the printers as administrators by calculating the default password, leading to potential unauthorized access and control. Although firmware updates rectify many associated vulnerabilities, CVE-2024-51978 cannot be resolved in existing models because it is tied to the hardware's manufacturing process. Rapid7, a security research firm, discovered the issue and worked with JPCERT/CC to coordinate a disclosure process with the affected manufacturers starting in May 2024. Users of affected models are urged to change the default admin password immediately and update their printer firmware, despite the limits on fully remediating the flaw. It is also recommended that access to the printer's admin interfaces be restricted, especially over unsecured protocols and external networks, to prevent unauthorized access.
2025-06-26 17:32:25 theregister MALWARE Cisco Addresses Critical Root-Level Vulnerabilities in ISE Components
Cisco has released patches for two critical vulnerabilities, CVE-2025-20281 and CVE-2025-20282, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) components. Both vulnerabilities allow unauthenticated remote attackers to execute code on affected systems with root privileges, with severity ratings initially set at the maximum of 10/10. CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and 3.4 and is triggered by specially crafted API requests that bypass authentication. CVE-2025-20282, which impacts only version 3.4, involves inadequate file validation checks that allow the upload and execution of malicious files. There are no documented active exploits for these vulnerabilities; however, details are being withheld to prevent potential misuse. Cisco advises immediate patch application; the available updates are version 3.3 patch 6 or 3.4 patch 2 for CVE-2025-20281 and only version 3.4 patch 2 for CVE-2025-20282, with no alternative mitigations. Versions of ISE and ISE-PIC prior to 3.2 are not affected by these particular vulnerabilities but remain susceptible to other security risks.
2025-06-26 16:50:03 thehackernews CYBERCRIME Critical Vulnerability in Open VSX Registry Endangers Developers
Cybersecurity experts uncovered a critical flaw in the Open VSX Registry, which could potentially allow attackers to control the Visual Studio Code extensions marketplace. The vulnerability allows for the publishing of malicious updates to extensions, impacting millions of developer machines globally. The Eclipse Foundation, which maintains the Open VSX Registry, implemented several rounds of fixes following a responsible disclosure on May 4, 2025. This registry is widely integrated into various code editors like Cursor and Google Cloud Shell Editor, heightening the risk of a supply chain attack. The flaw originated from a GitHub Actions workflow in the publish-extensions repository that uses privileged credentials, thus exposing a secret token during auto-publish tasks. Attackers exploiting this vulnerability could gain the ability to publish new or modify existing extensions, inserting malicious code and compromising developer systems. The severity of this threat has led MITRE to add a new "IDE Extensions" technique in its ATT&CK framework in April 2025, highlighting the potential for abuse in IDE extensions.
2025-06-26 16:26:43 bleepingcomputer CYBERCRIME Former Student Arrested for Hacking University, Stealing Data
A 27-year-old ex-student was arrested by New South Wales police for hacking into Western Sydney University and stealing data. The hacking began in 2021, initially aimed at obtaining cheaper parking, but escalated to compromising the university's systems and threatening to sell student information on the dark web. The university disclosed multiple security breaches affecting thousands of students and staff, with unauthorized access incidents reported from 2023 to 2025. During the police raid at the former student's home in Kingswood, investigators seized computer equipment and mobile devices that may contain evidence. The former student, identified as Birdie Kingston, is charged with 20 offenses, including unauthorized access, data theft, and system compromise. Over the years, Kingston allegedly stole over 100GB of confidential data, altered academic results, and demanded a ransom payment in cryptocurrency. The incidents reported include unauthorized access to Microsoft Office 365 and compromise of a single sign-on system, affecting around 17,500 individuals in total.
2025-06-26 15:23:13 bleepingcomputer MALWARE Cisco Alerts on Critical RCE Flaws in Network Security System
Cisco has disclosed two critical remote code execution vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), with the highest severity score of 10.0. The vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, allow unauthenticated remote attackers to execute arbitrary code and commands with root privileges. CVE-2025-20281 is caused by insufficient input validation in an exposed API, while CVE-2025-20282 results from inadequate file validation in an internal API. These vulnerabilities could lead to a complete system compromise, enabling full remote takeover of the network security platform without any user interaction. Cisco strongly advises users to apply the latest patches immediately, with no available workarounds to mitigate the risks associated with these flaws. The company also addressed a separate medium-severity authentication bypass issue impacting all versions of ISE through the 3.4 branch, recommending updates to secure systems. Cisco reported no active exploitation of these flaws yet, but the potential impact and ease of exploitation make rapid patching imperative for affected organizations.
2025-06-26 14:08:24 bleepingcomputer CYBERCRIME Man Admits to Hacking to Sell His Cybersecurity Expertise
Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking into the networks of multiple organizations in an attempt to sell his cybersecurity services. Kloster was indicted for illegally accessing systems of three entities in 2024, which include a health club chain in Missouri, a Missouri nonprofit, and a former employer. During the breach, Kloster accessed sensitive systems, modified user permissions, and deployed a VPN to maintain system access. He tried to leverage his unauthorized access by offering his services to fix these very vulnerabilities, effectively using the breaches as a sales pitch for his cybersecurity consulting. Besides hacking, Kloster engaged in other criminal activities like reducing his gym membership fees, stealing a staff member's name tag, and misusing credit card information from his former employer. The consequences he faces include up to five years in federal prison without parole, a fine of up to $250,000, three years of supervised release, and restitution orders. The case highlights significant legal and ethical issues concerning unauthorized cybersecurity demonstrations and the misuse of accessed data for personal gain.
2025-06-26 14:03:03 bleepingcomputer CYBERCRIME Scattered Spider Attacks Insurance Giants; Key Tactics Revealed
Scattered Spider, a criminal collective active since 2022, recently targeted prominent U.S. insurance firms such as Aflac and Philadelphia Insurance Companies, resulting in significant data theft and operational disruptions. These incidents share techniques with Scattered Spider's prior high-profile attacks on entities like Caesars, MGM Resorts, and Transport for London, which often involved manipulating help desk processes to obtain unauthorized access. The group uses a range of tactics including credential phishing, SIM swapping, push bombing, and direct MFA code solicitation, illustrating a shift towards identity-based breaches. Recent patterns suggest an escalating focus on retailers, with attacks on the UK's Marks and Spencer and Co-op causing massive financial losses and operational hurdles. Push Security highlights the importance of adopting browser-based identity verification tools to mitigate such threats and of strengthening help desk security protocols. Despite some arrests, the same attack techniques continue to be adopted by other criminal organizations, indicating a pervasive challenge across the cyber landscape.