Daily Brief

Generated summaries of the articles found.
2025-06-26 14:08:24 bleepingcomputer CYBERCRIME Man Admits to Hacking to Sell His Cybersecurity Expertise
Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking into the networks of multiple organizations in an attempt to sell his cybersecurity services. Kloster was indicted for illegally accessing systems of three entities in 2024, which include a health club chain in Missouri, a Missouri nonprofit, and a former employer. During the breach, Kloster accessed sensitive systems, modified user permissions, and deployed a VPN to maintain system access. He tried to leverage his unauthorized access by offering his services to fix these very vulnerabilities, effectively using the breaches as a sales pitch for his cybersecurity consulting. Besides hacking, Kloster engaged in other criminal activities like reducing his gym membership fees, stealing a staff member's name tag, and misusing credit card information from his former employer. The consequences he faces include up to five years in federal prison without parole, a fine of up to $250,000, three years of supervised release, and restitution orders. The case highlights significant legal and ethical issues concerning unauthorized cybersecurity demonstrations and the misuse of accessed data for personal gain.
2025-06-26 14:03:03 bleepingcomputer CYBERCRIME Scattered Spider Attacks Insurance Giants; Key Tactics Revealed
Scattered Spider, a criminal collective active since 2022, recently targeted prominent U.S. insurance firms such as Aflac and Philadelphia Insurance Companies, resulting in significant data theft and operational disruptions. These incidents share techniques with Scattered Spider's prior high-profile attacks on entities like Caesars, MGM Resorts, and Transport for London, often involving the manipulation of help desk processes to facilitate unauthorized access. The group uses a range of tactics including credential phishing, SIM swapping, push bombing, and direct MFA code solicitation, illustrating a shift towards identity-based breaches. Recent patterns suggest an escalating focus on retailers, with attacks on UK's Marks and Spencer and Co-op causing massive financial losses and operational hurdles. Push Security highlights the importance of adopting browser-based identity verification tools to mitigate such threats and enhance help desk security protocols. Despite some criminal arrests, similar attack techniques continue to be adopted by various criminal organizations, indicating a pervasive challenge across the cyber landscape.
2025-06-26 13:32:44 thehackernews MALWARE Critical Security Flaws in Cisco ISE and ISE-PIC Patched
Cisco has patched two significant security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), both rated with a CVSS score of 10.0. The vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, could allow unauthenticated attackers to execute commands as the root user. CVE-2025-20281 involves insufficient validation of user-supplied input via crafted API requests that could lead to elevated privileges. CVE-2025-20282 is triggered by inadequate file validation checks, allowing malicious files to be placed and executed in privileged directories. These critical flaws enable unauthenticated attackers to potentially gain root access and execute arbitrary commands on the affected systems. No workarounds are available, making it crucial for users to apply the provided updates promptly to mitigate risks. Security researchers Bobby Gould and Kentaro Kawane are credited with the discovery and reporting of these vulnerabilities. There have been no reported exploitations in the wild; however, quick remediation is advised to prevent potential security breaches.
2025-06-26 13:11:30 thehackernews CYBERCRIME Surge in Social Engineering Attacks via Fake CAPTCHA Checks
ClickFix social engineering attacks exploiting fake CAPTCHA verifications saw a 517% increase in recent months. These attacks lead to various cybersecurity threats, including infostealers, ransomware, and remote access trojans. Victims are deceived into executing malicious scripts through error messages or fake CAPTCHA checks in Windows or macOS. The highest incidence of ClickFix attacks has been recorded in Japan, Peru, Poland, Spain, and Slovakia. Follow-on threats like FileFix are emerging, exploiting similar tactics through Windows File Explorer. FileFix tricks users into executing hidden PowerShell commands, masked behind seemingly benign file paths. Phishing campaigns leveraging SharePoint links pose additional threats due to lower detection rates by cybersecurity software.
2025-06-26 13:01:59 bleepingcomputer CYBERCRIME Phishing Campaign Exploits Microsoft 365 Direct Send Feature
An ongoing phishing campaign is exploiting the "Direct Send" feature in Microsoft 365, designed for sending emails from devices like printers and scanners without needing authentication. Varonis’ Managed Data Detection and Response (MDDR) team discovered the campaign targeting more than 70 organizations across various industries, primarily in the United States. Attackers are using PowerShell to send deceptive emails appearing as internal communications, thereby bypassing standard email authentication checks such as SPF, DKIM, and DMARC. The phishing emails typically mimic voicemail or fax notifications with PDF attachments instructing recipients to scan a QR code, leading to a phishing site aiming to steal Microsoft credentials. Despite the emails failing authentication checks, they are treated as trusted because they are routed through the organization's internal smart host. Microsoft has introduced a "Reject Direct Send" setting to help mitigate such attacks, and Varonis recommends implementing strict email authentication policies and training for employees. Phishing tactics in the campaign include branded PDFs and QR codes instead of direct links, making detection and prevention more challenging.
2025-06-26 12:05:20 theregister CYBERCRIME Glasgow City Council Disrupted by Cyberattack Amid Data Theft Concerns
Glasgow City Council's digital services were crippled following a cyberattack on June 19, 2025, involving a supply chain issue affecting a third-party contractor's supplier. Although data theft has not been confirmed, the council is operating cautiously under the assumption that data may have been stolen. The attack disrupted numerous digital services including online forms, calendars, and various resident portals for planning, parking, pensions, and registrar appointments. No financial systems were compromised, and banking data is considered secure; however, access to many services remains restricted to prevent further issues. An investigation is underway, conducted in coordination with Police Scotland, the Scottish Cyber Coordination Centre (SC3), and the National Cyber Security Centre. The council has notified the UK's data protection watchdog due to the potential breach involving customer data from web forms. Residents have been advised to be vigilant against phishing attacks and to report any suspicious activities, especially involving requests for sensitive personal information. This incident adds to a series of public sector cyber disruptions across the UK, with similar recent attacks affecting West Lothian Council and Oxford City Council.
2025-06-26 11:05:07 theregister CYBERCRIME Ransomware Attack on NHS Supplier Linked to Patient Death
The NHS confirmed a patient died due to delays caused by a ransomware attack on Synnovis, a pathology services provider. The cyberattack resulted in significant disruption, affecting multiple NHS trusts and leading to thousands of canceled appointments. An investigation identified long waiting times for critical blood test results as a contributing factor in the patient's death. Overall, 170 patients experienced varying degrees of harm as a result of the cyberattack, with most classified as "low harm." Synnovis' CEO expressed condolences, acknowledging the cyberattack as a contributing factor in the fatal incident. Previous cases and research suggest potential fatal outcomes linked to ransomware disruptions in healthcare, with contention around the exact impact. The Qilin cybercrime group, known for targeting healthcare facilities, claimed responsibility for this and other similar attacks globally. The incident has highlighted ongoing vulnerabilities in healthcare cybersecurity, prompting calls for enhanced protection measures.
2025-06-26 11:05:07 thehackernews MISCELLANEOUS The Increasing Challenges of SaaS Data Resilience and Protection
SaaS platforms, while advantageous for business operations and collaboration, lack comprehensive data protection, leaning heavily on a shared responsibility model. Traditional data protection strategies in SaaS environments are often outdated or overly simplistic, failing to ensure resilience against inadvertent data deletions and misconfigurations caused by human error. Compliance and regulatory challenges are escalating with stringent frameworks like GDPR and HIPAA, pressing the need for robust data management tools beyond native SaaS capabilities. Data loss incidents extend impacts beyond IT, affecting customer service, revenue generation, and stakeholder trust, with recovery often cumbersome and slow. Internal threat landscapes are broadening, as dispersed team environments and complex access permissions increase data vulnerability within enterprises. Cyberthreats continue to evolve, exploiting SaaS vulnerabilities and leading to substantial downtime and financial losses for affected organizations. Speed and efficiency in recovery from data disruptions, such as ransomware or natural disasters, define the success of a business during crises. Establishing modern data resilience requires a proactive mindset and adoption of platforms designed for robust data security and management, like Veeam Data Cloud.
2025-06-26 09:19:29 theregister MISCELLANEOUS UK Buys 12 New F-35A Jets Incompatible with RAF Tankers
The UK is purchasing 12 F-35A fighter jets, which are capable of carrying nuclear weapons, to strengthen NATO's deterrent capabilities. These aircraft are not compatible with the RAF's current refueling tankers, necessitating reliance on allied tanker support for operations. Unlike the F-35B models, which can operate from aircraft carriers, the F-35A variants require conventional runways for take-off and landing. The F-35A's longer range and additional fuel capacity compared to the F-35B model enhance its suitability for extended training and operational missions. The UK's Ministry of Defence has faced criticism and unanswered questions regarding procurement details and the strategic rationale behind choosing F-35A over additional F-35Bs. Current plans indicate that these jets will primarily serve in training roles, with their capacity to carry nuclear arms serving as a secondary function. Critics argue that the F-35A purchase may be a temporary solution pending the development of the next-generation Tempest fighter, which promises greater range and payload capacity.
2025-06-26 08:48:46 thehackernews NATION STATE ACTIVITY Iranian Hackers Use AI for Phishing Attacks on Israeli Experts
The Iranian APT35 group, linked to the Islamic Revolutionary Guard Corps, is targeting Israeli tech professionals and academics with sophisticated phishing schemes. Victims receive communications via email and WhatsApp, directing them to fake Gmail and Google Meet login pages. The attacks, attributed to the threat cluster Educated Manticore, employ AI to craft messages that leverage current geopolitical tensions. The phishing tools used include a React-based Single Page Application, real-time data theft via WebSocket connections, and a passive keylogger. As part of the social engineering strategy, attackers build trust over time before sharing malicious links designed to harvest credentials and bypass two-factor authentication. The fake sites closely mimic legitimate Google platforms, increasing their deceptive appearance and effectiveness in credential theft. Ongoing since mid-June 2025, these attacks reflect heightened cyber efforts following the recent escalation in Iran-Israel tensions. Check Point emphasizes the persistence and adaptability of Educated Manticore despite increased efforts to take down its operations.
2025-06-26 08:39:54 bleepingcomputer CYBERCRIME Critical Vulnerability in AMI MegaRAC Exploited, Servers at Risk
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in AMI's MegaRAC BMC firmware, which is used for remote server management. The flaw, identified as CVE-2024-54085, allows unauthenticated attackers to bypass security measures, take control of servers, deploy malware, and cause physical damage to server components. This vulnerability impacts several server vendors including HPE, Asus, and ASRock, affecting cloud service providers and data centers globally. Security firm Eclypsium discovered the vulnerability while analyzing previous patches for another security issue and noted that the exploit development is relatively straightforward due to unencrypted firmware binaries. More than 1,000 servers were found to be potentially exposed to this threat as of March, when AMI issued patches to mitigate the vulnerability. CISA has added this bug to its Known Exploited Vulnerabilities catalog and mandates Federal Civilian Executive Branch agencies to patch affected systems within three weeks. While the directive specifically targets federal agencies, CISA advises all network defenders to prioritize patching this severe vulnerability to prevent potential breaches and significant operational risk.
2025-06-26 08:33:04 theregister MISCELLANEOUS Supermarket Chain Implements Facial Recognition to Deter Crime
Iceland, a UK-based frozen food retailer, is trialing facial recognition technology (FRT) at several stores to reduce crime. The technology, provided by Facewatch, has been deployed at two pilot locations and is slated to expand. FRT connects to a database containing images of individuals suspected of prior crimes at participating stores, aiming to enhance security. If no match occurs within the system, the technology deletes the unverified images to protect shopper privacy. Iceland's CEO, Richard Walker, defends the use of FRT, citing protection against organized retail crime and the need to safeguard store employees. Privacy advocacy groups express concerns, suggesting FRT infringes on personal privacy and treats all customers as suspects. The Information Commissioner's Office advises that the use of FRT should be balanced, adhering to privacy rights and ensuring compliance with data protection laws. Instances of mistaken identity and improper management of personal data have been reported, raising questions about the technology's deployment and oversight.
2025-06-26 07:52:56 theregister NATION STATE ACTIVITY Iranian Cyber Group Targets Israeli Experts in Phishing Scam
Iranian cyber group Charming Kitten began a spear-phishing campaign targeting Israeli journalists, cybersecurity experts, and university professors in computer science. The phishing campaign was initiated by Iran's Islamic Revolutionary Guard Corps following air strikes by Israel against Iran. Over 130 unique domains were created for the campaign, each targeting individual victims, with the aim of stealing credentials. Fake communications were sent via email and WhatsApp, impersonating analysts from Israeli cybersecurity firms and discussing topics like cyberthreats to energy infrastructure. Some phishing messages suggested in-person meetings to discuss cybersecurity strategies, potentially extending the threats beyond cyberspace. Phishing sites mimicked Gmail login pages and Google Meet invitations, aiming to capture victims' credentials and enable full account takeovers. Check Point Research has listed all domains involved and other indicators of compromise in a detailed report.
2025-06-26 07:20:13 thehackernews CYBERCRIME Cyber Attacks Target African Banks Using Open-Source Tools
Cybersecurity experts have identified an ongoing series of cyber attacks on financial institutions across Africa since July 2023. Attackers utilize a combination of open-source and public tools to gain initial access and then potentially sell this access on dark web forums. Palo Alto Networks' Unit 42, which monitors these incidents, has named the campaign CL-CRI-1014, indicating criminal motives behind the attacks. The criminal actors employ tools such as PoshC2 for command and control, Chisel for tunneling, and Classroom Spy for remote administration, often disguising these tools as legitimate software like Microsoft Teams. Techniques for initial network breaches remain unclear, but subsequent actions involve deploying further malware, stealing credentials, and establishing control over networked machines. Security firms also noted previous similar incidents, including a campaign named DangerousSavanna targeting financial sectors in several other African countries. Additional global cybersecurity concerns were raised with the emergence of a new ransomware group, Dire Wolf, affecting multiple sectors across various countries.
2025-06-26 06:05:15 thehackernews CYBERCRIME CISA Updates KEV Catalog with Three Newly Exploited Vulnerabilities
CISA added three vulnerabilities to its KEV catalog, indicating active exploitation in technology products from AMI MegaRAC, D-Link, and Fortinet. Eclypsium disclosed a significant flaw in AMI MegaRAC firmware, potentially allowing widespread malicious activities like malware deployment and firmware tampering. D-Link DIR-859 routers, which are no longer supported as of December 2020, will not receive patches for the exploited vulnerabilities, increasing risks for users. CVE-2024-0769, identified in the D-Link router, was used in attacks aiming to extract user details such as account names and passwords. Attackers have utilized CVE-2019-6693 in Fortinet's FortiOS for initial access in the Akira ransomware attacks, showcasing the severity of the threat. Federal agencies are mandated to implement the necessary mitigation measures by July 2025 as per the new directive to safeguard against these vulnerabilities.