Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2025-06-16 18:12:15 | bleepingcomputer | MALWARE | Critical ASUS Software Bug Grants Administrative Access | A serious vulnerability in ASUS Armoury Crate software, identified as CVE-2025-3464, poses a high security risk (8.8/10 severity score), allowing threat actors to gain SYSTEM level privileges on Windows devices.
The flaw resides in the AsIO3.sys driver that Armoury Crate uses for hardware management. The driver exposes its device interface without OS-level access controls and instead authorizes callers by comparing the SHA-256 hash of the calling executable against a hardcoded hash of a trusted ASUS binary.
Because that hash is computed from the file at the caller's image path at check time, an attacker can launch an unprivileged program through a hard link, then re-point the link at the trusted ASUS executable so that the driver hashes the wrong file and grants access (a time-of-check/time-of-use race).
This can lead to full operating system compromise as it gives attackers low-level system privileges, including direct access to physical memory and I/O ports.
CVE-2025-3464 affects all Armoury Crate versions from 5.9.9.0 to 6.1.18.0; users are urged to update their software via the built-in update facility to mitigate the issue.
Cisco Talos discovered and reported the vulnerability to ASUS. Neither ASUS nor Talos has observed exploitation in the wild, but Armoury Crate ships on a large installed base of ASUS machines, so ASUS strongly recommends applying the latest update. | Details |
| 2025-06-16 17:54:10 | thehackernews | NATION STATE ACTIVITY | U.S. Cracks Down on North Korean Crypto Laundering Scheme | The U.S. Department of Justice has seized over $7.74 million in cryptocurrency and other digital assets linked to a North Korean IT worker scheme.
North Korean IT workers used fake identities to infiltrate U.S. cryptocurrency companies, conducting business to evade sanctions and support Pyongyang's weapons programs.
The scheme, tracked as Wagemole and UNC5267, relies on stolen identities and AI tools such as ChatGPT, and has been operational since at least 2017.
Named facilitators include Christina Marie Chapman, who ran a laptop farm in the U.S. on the workers' behalf, and North Korean banker Sim Hyon-Sop, who moved proceeds through direct cryptocurrency transactions.
An analysis by cybersecurity firms identified multiple strategies by the workers, including exploiting corporate BYOD policies and leveraging remote work tools for illicit activities.
The U.S. authorities continue to monitor and target the sophisticated operation to prevent further financial crimes and sanction violations by North Korea.
The situation underscores the ongoing challenges in combating state-sponsored cybercrime and the need for enhanced cybersecurity measures in the private sector. | Details |
| 2025-06-16 16:18:36 | theregister | CYBERCRIME | WestJet Faces Cybersecurity Issues; Operations Remain Unaffected | Canadian airline WestJet is experiencing intermittent service disruptions on its website and app due to a cybersecurity incident.
The issues began on Friday, June 13, affecting internal systems and limiting user access to WestJet's digital resources.
WestJet has engaged external cybersecurity experts and is cooperating with law enforcement and Transport Canada to address the incident.
The airline has not yet confirmed if the disruptions are due to a malicious attack and cautions against speculation until more information is available.
Flight operations have not been affected.
WestJet advises customers and employees to exercise caution, particularly with personal information during this period.
Frequent updates are promised as the investigation progresses, with customer service responding to inquiries and concerns as they arise.
The incident is unrelated to earlier airline disruptions caused by software faults. | Details |
| 2025-06-16 15:10:17 | bleepingcomputer | NATION STATE ACTIVITY | Foreign Government Suspected in Washington Post Email Hack | The Washington Post disclosed a security breach involving the email accounts of several journalists, suspected to be conducted by a foreign government.
The breach was identified on a Thursday evening and an internal investigation began immediately.
An internal memo informed employees about the unauthorized intrusion, specifically affecting a limited number of Microsoft accounts owned by journalists.
Targeted journalists predominantly covered sensitive topics relating to national security, economic policy, and issues related to China.
As background rather than attribution: state-sponsored actors, including Chinese APTs, have previously exploited Microsoft Exchange vulnerabilities to reach journalists' mailboxes in similar breaches.
Microsoft had also previously warned that a critical Exchange privilege-escalation bug was being exploited as a zero-day in NTLM relay attacks.
The Washington Post has not publicly attributed the intrusion to a specific actor or disclosed any technical details of the breach. | Details |
| 2025-06-16 14:36:32 | theregister | CYBERCRIME | Major Dark Web Drug Marketplace Dismantled in Multi-National Operation | Operation Deep Sentinel, led by Germany's BKA, targeted and shut down Archetyp, a significant dark web drug marketplace operational since 2020.
The suspected administrator, a 30-year-old German national, was arrested in Barcelona; searches were also conducted in his properties in Hanover and Bucharest.
Over 300 officers were involved in the takedown, resulting in multiple arrests and the confiscation of 47 smartphones, 45 computers, narcotics, and other assets.
Archetyp boasted over 600,000 users and facilitated transactions worth at least €250 million; it offered over 17,000 listings from approximately 3,200 vendors.
Authorities seized €7.8 million from Archetyp's largest vendor, highlighting the significant financial scale of its operations.
The marketplace transacted exclusively in Monero, a cryptocurrency whose privacy features complicate efforts to trace payments.
The coordinated effort involved multiple countries, including the Netherlands, Romania, Spain, Sweden, and the USA, underlining the collaborative nature of tackling sophisticated cybercrime networks. | Details |
| 2025-06-16 14:22:49 | thehackernews | MALWARE | Anubis Ransomware Emerges with Dual Encryption and File Wipe Capabilities | Anubis ransomware, active since December 2024, affects sectors like healthcare and construction primarily in Australia, Canada, Peru, and the U.S.
This ransomware-as-a-service (RaaS) features unique dual-threat capabilities: encrypting files and permanently deleting them with a wipe mode.
Once wipe mode is used, recovery is impossible even if the ransom is paid: files are truncated to 0 KB while their names and extensions are left unchanged.
The Anubis affiliate program offers notable splits in ransom revenue, promoting further adoption and utilization among cybercriminals.
Primary infection vectors include phishing emails, with subsequent privilege escalation, reconnaissance, and shadow volume deletion actions.
Despite the shared name, this Anubis is unrelated to the Android banking trojan of the same name and to the Python-based Anubis backdoor linked to FIN7.
Recorded Future reports unrelated cyber activities by FIN7, using new infrastructure to distribute malware through fake software update websites. | Details |
| 2025-06-16 14:22:49 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2025.2 Update Introduces New Tools and Features | Kali Linux 2025.2, a popular cybersecurity tool distribution, has been released with significant updates including 13 new tools.
The update features a rebranded car hacking toolkit renamed from CAN Arsenal to CARsenal, enhancing its usability.
The Kali Menu has been reorganized according to the MITRE ATT&CK framework, facilitating easier tool location for cybersecurity professionals.
Notable improvements in the user interface include updates to GNOME version 48 and KDE Plasma 6.3, aimed at enhancing performance and customization.
The release introduces wireless capabilities for the TicWatch Pro 3, as part of its Kali NetHunter updates for penetration tests on smartwatches.
Users can download new installs or update existing Kali Linux versions through provided ISO images or commands.
The new tools and the ATT&CK-based menu layout are intended to serve both red team and blue team workflows. | Details |
| 2025-06-16 14:13:38 | bleepingcomputer | DATA BREACH | Zoomcar Reports Major Data Breach Impacting 8.4 Million Users | Zoomcar disclosed a data breach affecting 8.4 million users due to unauthorized system access detected on June 9, 2025.
The incident came to light after a threat actor emailed company employees about the attack.
The breach compromised sensitive data of a subset of customers, though financial details and plaintext passwords were reportedly not exposed.
Ongoing internal investigation to determine the full scope and impact; nature of the attack and responsible party still unconfirmed.
No material disruption to Zoomcar's services has been reported following the breach.
As a U.S.-listed company, Zoomcar disclosed the incident in a filing with the U.S. Securities and Exchange Commission.
This breach occurs years after a prior incident in 2018 which compromised more extensive personal data and was later sold on an underground marketplace. | Details |
| 2025-06-16 13:28:47 | theregister | MISCELLANEOUS | Study Shows AI Agents Fall Short in CRM and Confidentiality | Salesforce's AI research finds LLM-based agents achieve only a 58% success rate in simple CRM tasks.
Performance drops significantly to 35% when tasks require multiple steps, according to the CRM-focused benchmark tool, CRMArena-Pro.
The agents also showed near-zero awareness of confidentiality, and prompting them to respect it reduced their task performance.
Salesforce's new benchmark includes rigorous testing using synthetic data to better simulate real CRM scenarios.
Research highlights a gap between LLM agent capabilities and the complex demands of real-world enterprise applications.
Concerns arise for developers and users about relying heavily on AI for efficiency improvements in business processes.
The study indicates that while AI has potential, its current effectiveness in critical business functions remains limited. | Details |
| 2025-06-16 12:44:45 | theregister | MISCELLANEOUS | Microsoft Introduces Recall Export Feature to Windows 11 in Europe | Microsoft is rolling out a new Recall Export feature for Windows 11 users in the European Economic Area, allowing encrypted snapshots to be shared with external apps and websites.
Users will receive a unique export code for decrypting data, which must be securely stored as Microsoft won't be able to retrieve it if lost.
The Recall feature has been controversial due to privacy concerns; it logs user activity on desktops and was previously pulled from development.
Exports can range from the last 7 to 30 days of activity, or include all data to date, with security authorization via Windows Hello.
The feature is currently available to Windows Insiders in the Beta channel and will likely reach general users soon.
Additional updates include resetting Recall data and limiting the storage duration of snapshots on new Copilot+ PCs to 90 days.
The same Insider build also restores the Windows 10-style clock display in the notification center. | Details |
| 2025-06-16 11:38:41 | thehackernews | NATION STATE ACTIVITY | Sophisticated Spyware Targets Journalists via iPhone Exploit | Apple disclosed the active exploitation of a zero-click flaw in its Messages app, targeting civil society members.
The CVE-2025-43200 vulnerability was weaponized using Paragon's Graphite mercenary spyware to infect journalists in Europe.
Forensic evidence was uncovered by the Citizen Lab linked to the targeted attacks on Italian journalist Ciro Pellegrino and another prominent European journalist.
Apple had quietly fixed the flaw in February 2025 in iOS 18.3.1 and the corresponding iPadOS, macOS, watchOS, and visionOS updates, and only disclosed it as exploited in June.
The exploit exemplifies sophisticated nation-state-level cyber espionage tactics that bypass conventional security measures.
The weekly recap also lists a range of other critical vulnerabilities across platforms and software disclosed this week,
along with tips on protecting against less obvious web tracking and surveillance methods. | Details |
| 2025-06-16 11:28:57 | thehackernews | MISCELLANEOUS | Guide to Transforming Cybersecurity Into Recurring Revenue | The cybersecurity landscape demands providers evolve from tactical one-off projects to strategic, continuous security management services.
Emphasizing cybersecurity as a strategic business function rather than merely tactical support can significantly enhance client resilience and provider revenue.
Effective cybersecurity management involves long-term partnerships, with services like ongoing compliance support and proactive risk management.
The playbook introduces a tiered service model starting from basic risk assessments to comprehensive virtual CISO services, aligning with client maturity and needs.
Providers can augment their role to trusted advisors through closer collaboration with client leadership and translating security insights into actionable business strategies.
Barriers for providers include a lack of confidence in their expertise and the challenge of scaling services, which can be overcome with structured approaches and leveraging automation.
The example of Burwood Group illustrates successful transformation from basic cybersecurity services to scalable, strategic offerings that significantly increased their revenue.
Strategic, automated cybersecurity management not only secures clients but also ensures predictable, high-margin revenues for providers. | Details |
| 2025-06-16 11:18:47 | bleepingcomputer | CYBERCRIME | Major Darknet Drug Marketplace Archetyp Seized in Multi-National Raid | Law enforcement from six countries collaborated to dismantle Archetyp Market, a notorious darknet platform dealing in various drugs.
The operation, named 'Operation Deep Sentinel', led by German police with support from Europol and Eurojust, resulted in the arrest of the marketplace's administrator and key associates.
Investigators shut down the market's infrastructure in the Netherlands and arrested a 30-year-old German national in Barcelona believed to be the administrator.
Archetyp Market, operational since May 2020, hosted over 3,200 vendors and had more than 17,000 listings, accumulating over 612,000 users and transacting over €250 million in Monero.
Law enforcement seized significant assets including 47 smartphones, 45 computers, and various drugs, with a total worth of over €7.8 million.
This follows another major operation, 'Operation RapTor', which targeted dark web vendors globally, underscoring a significant crackdown on digital drug trafficking networks.
The takedown represents a severe disruption to one of the dark web's most extensive drug distribution networks, emphasizing enhanced international cooperation in combating cyber-enabled crimes. | Details |
| 2025-06-16 10:47:49 | theregister | DATA BREACH | GCHQ Intern Sentenced for Stealing Top-Secret Files | A former GCHQ intern, Hasaan Arshad, was sentenced to 7.5 years for stealing classified information from the British intelligence agency during his placement.
Arshad copied secret data to a mobile phone and external hard drives before his internship concluded in August 2022.
He was charged with performing an unauthorized act that significantly risked national security, pleading guilty at the Old Bailey.
The breach involved top-secret software development projects funded by taxpayers, which Arshad accessed out of curiosity and a desire to continue work independently.
Prosecutors highlighted the severe potential damage to national security due to the unauthorized transfer of information to insecure personal devices.
In addition to the data breach, Arshad was found guilty of possessing indecent images of children, receiving separate sentences for these offenses.
The judge acknowledged Arshad's neurodiversity but emphasized that it did not diminish his awareness of the risks involved in his actions. | Details |
| 2025-06-16 09:40:44 | bleepingcomputer | MISCELLANEOUS | Microsoft's June Update Causes DHCP Service Disruption | Microsoft recently confirmed that their June 2025 security updates for Windows Server are causing DHCP service issues, including service freezes.
The issues affect the Dynamic Host Configuration Protocol (DHCP) Server service, which is vital for automating network configurations such as IP address assignments.
In particular, renewals of unicast IP addresses may fail to apply correctly on client devices.
Microsoft has acknowledged the problem and is preparing a solution, promising more information and a resolution in the coming days.
This situation follows other Patch Tuesday efforts by Microsoft in June, where fixes for domain controller accessibility and authentication issues were also released.
The issue underscores the critical nature of diligent software update and patch management processes, especially in complex IT environments.
Microsoft's recent pattern includes several rapid-response updates to address unexpected bugs from earlier patches, highlighting ongoing challenges in software maintenance. | Details |
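The ASUS Armoury Crate item above describes a kernel driver that identifies its caller by hashing the executable found at the caller's image path, and a hard-link swap that defeats that check. The following Python simulation is an added example, not ASUS's, Talos's, or the driver's code: it models the two sides of that race in user space. `authorize_by_path` re-reads whatever file currently sits at the caller's path (the vulnerable pattern), while `authorize_by_image` hashes the image through the handle opened when the program was launched, so re-linking the name afterwards changes nothing. The file names, byte contents, and the `Process` class are constructed for the demonstration; the hardened variant is one general mitigation, not a description of ASUS's patch.

```python
"""Simulation of path-based caller authorization versus a hard-link swap.

Added example: all file names, contents and the Process model are constructed
for the demonstration and are not taken from the ASUS driver or the advisory.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for the trusted ASUS service binary and the attacker's program.
TRUSTED_IMAGE = b"ASUS-cert-service-stand-in"
MALICIOUS_IMAGE = b"attacker-controlled-binary"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Process:
    """A launched program: remembers the path it was started from and keeps the
    image file open, the way a loader maps an executable before it runs."""

    def __init__(self, path: str):
        self.image_path = path
        # The handle is bound to the inode, not to the name it was opened by.
        self.image_fd = os.open(path, os.O_RDONLY)

    def running_code(self) -> bytes:
        os.lseek(self.image_fd, 0, os.SEEK_SET)
        return os.read(self.image_fd, 1 << 20)

    def close(self) -> None:
        os.close(self.image_fd)


def authorize_by_path(proc: Process, allowed_hashes: set) -> bool:
    """Vulnerable pattern: trust whatever currently sits at the caller's path.
    The hash is computed at check time, so anything that changes what the
    path points to between launch and check wins the race."""
    with open(proc.image_path, "rb") as fh:
        return sha256_bytes(fh.read()) in allowed_hashes


def authorize_by_image(proc: Process, allowed_hashes: set) -> bool:
    """Hardened pattern: hash the image that was actually loaded, through the
    handle opened at launch. Re-linking the path afterwards does not change
    which inode the handle refers to."""
    return sha256_bytes(proc.running_code()) in allowed_hashes


def hard_link_swap_attack(workdir: str) -> tuple:
    """Run the swap and return (path_check_result, image_check_result)."""
    trusted = os.path.join(workdir, "trusted_service.bin")
    evil = os.path.join(workdir, "evil.bin")
    launch_path = os.path.join(workdir, "app.bin")  # name the attacker launches from
    with open(trusted, "wb") as fh:
        fh.write(TRUSTED_IMAGE)
    with open(evil, "wb") as fh:
        fh.write(MALICIOUS_IMAGE)
    allowed = {sha256_bytes(TRUSTED_IMAGE)}  # the gatekeeper's hardcoded allowlist

    # 1. Launch the attacker's code through a hard link named app.bin.
    os.link(evil, launch_path)
    proc = Process(launch_path)
    # 2. While it is running (or paused), re-point the same name at the trusted binary.
    os.unlink(launch_path)
    os.link(trusted, launch_path)
    # 3. The gatekeeper decides.
    by_path = authorize_by_path(proc, allowed)    # hashes the trusted file: accepted
    by_image = authorize_by_image(proc, allowed)  # hashes the running code: rejected
    proc.close()
    return by_path, by_image


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as workdir:
        return hard_link_swap_attack(workdir)


if __name__ == "__main__":
    path_result, image_result = demo()
    print(f"authorize_by_path  -> {path_result}  (attacker accepted)")
    print(f"authorize_by_image -> {image_result} (attacker rejected)")
```

Run it as a script: the path-based check accepts the attacker's process while the image-bound check rejects it. The broader lesson is the one the advisory points at: a hash of "the file at this path" is not an identity for the caller, and a driver that wants to restrict who may talk to it needs an access control the OS enforces on the device object rather than a lookup the caller can race.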