Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-06-11 15:39:15 | theregister | MALWARE | Interpol's Massive Crackdown on Infostealer Malware Nets 32 Arrests | Interpol, in collaboration with Asian countries, conducted Operation Secure, arresting 32 individuals linked to infostealer malware. The operation led to the shutdown of 20,000 malicious domains and IP addresses, representing 79% of the targets identified. Authorities seized 41 servers and over 100 GB of data, disrupting numerous cybercrime operations. The effort involved contributions from 26 nations, focusing on tracking down servers, analyzing intelligence, and executing coordinated takedowns. In Vietnam, police apprehended a group leader, seizing cash, SIM cards, and documents indicating plans to sell corporate accounts. Additional raids in Sri Lanka and Nauru resulted in 14 arrests, with further investigations identifying 40 more victims of the malware. Hong Kong Police played a significant role, analyzing over 1,700 intelligence items and identifying 117 command-and-control servers. More than 216,000 individuals at risk from infostealer malware were notified and advised to take protective actions such as changing passwords and freezing accounts. |
| 2025-06-11 15:03:50 | theregister | MISCELLANEOUS | Enhancing Security Response Through Operational Threat Intelligence | Prelude Security emphasizes the importance of quickly operationalizing threat intelligence to counter ransomware and other threats effectively. Traditional methods of mapping threats to defensive measures are manual and slow, and can leave organizations vulnerable during critical periods. Effective use of threat intelligence requires rapid integration into security processes so that potential vulnerabilities and attack techniques are addressed preemptively. Many organizations fail to make use of high-quality intelligence because they lack streamlined processes and tools for timely implementation. Mapping security configurations to frameworks like MITRE ATT&CK helps identify coverage gaps and tune settings against known threats. Automating threat mapping and security tool configuration can significantly reduce response times and improve overall effectiveness. Prelude advocates a proactive posture in which defenses are continuously validated and optimized in real time to stay ahead of emerging threats. Joe Kaden at Prelude focuses on helping organizations streamline and operationalize their security practices to get the most out of the tools they already have. |
| 2025-06-11 14:29:29 | bleepingcomputer | CYBERCRIME | Coordinated Brute-Force Attacks Target Apache Tomcat Interfaces | A recent alert detailed coordinated brute-force attacks on Apache Tomcat Manager interfaces, which are used primarily by large enterprises and SaaS providers. The attackers used hundreds of unique IP addresses, many previously identified as malicious, to attempt unauthorized access by trying large numbers of credentials. GreyNoise analysts observed the activity in two separate campaigns starting June 5, involving around 400 unique IPs focused on Tomcat services. Most of these IP addresses belonged to servers hosted by DigitalOcean, indicating the misuse of legitimate cloud infrastructure. Organizations with exposed Tomcat Manager interfaces are advised to strengthen authentication, monitor security logs, and block suspicious IPs to reduce the risk of a breach. Although these attacks did not exploit specific vulnerabilities, Apache had previously patched several critical RCE vulnerabilities in Tomcat, highlighting ongoing security challenges. The attacks demonstrate a consistent interest from threat actors in web-based management interfaces and underline the importance of robust defenses and prompt patch management. |
| 2025-06-11 14:01:14 | bleepingcomputer | MALWARE | Global Crackdown on Infostealer Malware Leads to Multiple Arrests | The international law enforcement action "Operation Secure" targeted infostealer malware operations across 26 countries, resulting in 32 arrests. The action focused on dismantling criminal groups stealing financial and personal data, with significant data seizures and server takedowns. Vietnamese police arrested 18 individuals, including the leader of a cybercrime group involved in selling corporate accounts. Authorities identified 117 servers in Hong Kong used for phishing, online fraud, and social media scams. Private cybersecurity firms such as Kaspersky, Group-IB, and Trend Micro provided critical support and intelligence. Previous disruptions include a significant takedown involving the U.S. Department of Justice, the FBI, and Microsoft, which seized over 2,300 domains associated with Lumma Stealer. The same malware operations have been linked to major data breaches at companies such as UnitedHealth, PowerSchool, and Snowflake. |
| 2025-06-11 13:51:33 | thehackernews | CYBERCRIME | Coordinated Brute-Force Attacks Target Apache Tomcat Managers | GreyNoise reports a significant rise in brute-force attacks against Apache Tomcat Manager interfaces, identifying 295 malicious IPs involved. The attacks, observed on June 5, 2025, came predominantly from IPs based in the US, UK, Germany, the Netherlands, and Singapore, and aimed to access exposed Tomcat services at scale. The trend reflects a coordinated attempt to compromise Tomcat Manager instances; no specific vulnerability is tied to these attempts, indicating a broader opportunistic threat. Separately, Bitsight discovered over 40,000 security cameras publicly accessible via HTTP or RTSP, primarily in the telecom sector, posing a large-scale privacy risk. These wide-reaching exposures call for increased vigilance, including strong authentication, access restrictions, and ongoing monitoring for suspicious activity. Both findings highlight a persistent global challenge in securing web interfaces and IoT devices against unauthorized access and exploitation. |
| 2025-06-11 11:35:54 | thehackernews | MALWARE | INTERPOL Shuts Down 20,000 Malicious IPs in Global Operation | INTERPOL's Operation Secure dismantled over 20,000 malicious IP addresses tied to 69 malware variants between January and April 2025. Law enforcement from 26 countries collaborated to locate servers, map network infrastructure, and perform decisive takedowns. The coordinated international effort led to the takedown of 79% of targeted suspicious IPs and the seizure of 41 servers and over 100 GB of compromised data. Authorities arrested 32 suspects involved in diverse illegal cyber activities, including arrests in Vietnam, Sri Lanka, and Nauru. Hong Kong Police discovered 117 command-and-control servers used for phishing scams, online fraud, and social media deception. Private sector collaboration, including from Group-IB, played a crucial role by providing intelligence on compromised user accounts and sensitive data. Compromised information typically facilitated secondary cybercrimes such as financial fraud, ransomware, and business email compromise (BEC) attacks. Operation Secure illustrates the increasing effectiveness of global cooperation in combating sophisticated cybercrime networks. |
| 2025-06-11 11:27:07 | thehackernews | CYBERCRIME | DNS Security: Critical Control in Cyber Defense Strategy | DNS, foundational to internet functionality, translates domain names to IP addresses and underpins nearly every online interaction. Traditionally unsecured, DNS is susceptible to attacks that expose users to service outages, data breaches, and redirection to malicious sites. Securing DNS isn't optional; it's a primary line of defense against many cyber threats and plays a role in early threat detection and response. ClouDNS enhances DNS security through DDoS protection, DNSSEC for authenticating DNS responses, and support for DNS over HTTPS/TLS to prevent interception. Implementing secure DNS practices such as query encryption, together with proper management of SPF, DKIM, and DMARC records, is crucial for protecting data and maintaining domain reputation. DNS security also offers a broad vantage point, acting as an early detection system that surfaces potential intrusions and malicious activity at the initial stages. The article underscores the importance of DNS in digital infrastructure security, advocating robust preventative measures to ensure operational continuity and data integrity. |
| 2025-06-11 10:32:07 | thehackernews | CYBERCRIME | SinoTrack GPS Flaws Enable Unauthorized Vehicle Control and Tracking | Two key security vulnerabilities in SinoTrack GPS devices could lead to unauthorized tracking and control of vehicles. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory noting that attackers could exploit these flaws via the common web management interface. By using default passwords, attackers can access vehicle functions such as location tracking and fuel pump disconnection. All versions of the SinoTrack IoT PC Platform are affected. The advisory notes that the device identifiers needed for exploitation can be obtained through physical access to a device or from identifiers posted publicly online. The security researcher, Raúl Ignacio Cruz Jiménez, emphasized the risks of remote execution and personal information theft arising from the device's inadequate security measures. No fixes or patches are currently available; SinoTrack has not yet responded to the issues. CISA advises changing the default passwords immediately and concealing device identifiers to mitigate risk until a fix is deployed. |
| 2025-06-11 10:15:24 | theregister | MISCELLANEOUS | Microsoft Delays Windows 11 Update Due to Compatibility Issues | Microsoft announced and then quickly modified a Patch Tuesday update for Windows 11 24H2 because of a compatibility issue affecting some devices. Affected devices were set to receive a revised update with the June 2025 security improvements shortly after the initial release. The incident raised concerns about how quickly compatibility issues in major OS updates are acknowledged and addressed. The specific nature of the compatibility issue was not disclosed, but social media speculation suggested it might relate to CPU architecture differences. Although Microsoft intended the update to include critical security fixes, the flaw required an expedited, out-of-band correction. Microsoft's rapid response was noted, though it raised quality control questions about how such a significant error was missed. The company did not specify whether "by the end of the day" referred to Redmond local time or UTC. |
| 2025-06-11 10:07:31 | thehackernews | MISCELLANEOUS | Efficient Security Strategies for Small Teams at River Island | River Island demonstrates effective security with a lean team of three, managing over 200 stores and an e-commerce platform without increasing headcount. The team adopted Intruder's exposure management platform to automate visibility of its external attack surface, improving its security posture with continuous monitoring. It reduced tool redundancy by selecting a small set of highly effective security tools, maximizing utility and minimizing operational inefficiency. Automated detection of emerging threats such as Log4j provided rapid responses and removed the need for manual scans, maintaining security with minimal resources. Integrating its security systems with Jira enabled faster issue resolution, allowing tasks to be assigned directly to asset owners rather than funneled through the security team. Automated dashboards for cybersecurity reporting reduced manual work and gave leadership clear, real-time insight. The streamlined, automated systems not only saved time but also built trust with leadership, showing an effective balance between cybersecurity and resource management. Sunil Patel, River Island's InfoSec Officer, illustrates that a small but strategic security team can efficiently manage a large infrastructure and face modern cyber threats. |
| 2025-06-11 07:52:11 | thehackernews | NATION STATE ACTIVITY | Microsoft Addresses WebDAV Zero-Day and Other Security Flaws | Microsoft issued patches for 67 vulnerabilities, including a zero-day in the WebDAV protocol actively exploited by the Stealth Falcon group. The zero-day (CVE-2025-33053) allows remote code execution and has been used against targets in Qatar, Saudi Arabia, and Turkey. Stealth Falcon delivered a .url file via phishing to exploit the vulnerability and drop the Horus Agent malware. The espionage campaign used the Mythic command-and-control framework, indicating sophisticated nation-state level tradecraft. In addition to WebDAV, Microsoft fixed other critical issues, including a severe privilege escalation flaw in Power Automate and vulnerabilities in the Windows KDC Proxy Service. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated that federal agencies apply the necessary patches by July 2025 because of the severity of the exploits. The release also addressed a Secure Boot bypass bug that allows untrusted software to execute during the boot process. |
| 2025-06-11 06:34:56 | theregister | MALWARE | Badbox Botnet Evolves, Threatens Devices with Advanced Malware | Badbox 2.0, initially disrupted in 2022, has resurged and evolved, targeting Android-based smart devices with pre-installed backdoors. Joint efforts involving the FBI and Google continue to curtail the botnet's impact by taking down its command-and-control infrastructure. Despite these efforts, the botnet returned in 2025 and can now infect devices both before and after sale, via firmware integration or dubious app installations. It predominantly affects low-cost, minimally supported Android devices manufactured in China and used in streaming boxes and infotainment systems. The operation has shifted focus from ad fraud to using infected devices as residential proxies, allowing criminals to route malicious activity through legitimate IP addresses. The adoption of the new malware variant vo1d2, which features a dynamic domain generation algorithm, indicates a pivot in the botnet's operational tactics. Security professionals are concerned about a potential Badbox 3, as ongoing demand for affordable Android devices sustains the threat. |
| 2025-06-10 23:40:52 | theregister | CYBERCRIME | Microsoft Releases Patches for 66 Vulnerabilities, Two Actively Exploited | Microsoft identified 66 flaws needing patches, including ten critical and two actively exploited vulnerabilities. The high-risk zero-day, CVE-2025-33053, actively exploited by Stealth Falcon, affects WebDAV and allows remote code execution through a one-click link. This zero-day was used to target a Turkish defense company, planting malware with a custom keylogger. Another exploited flaw, CVE-2025-5419, lies in the Chromium V8 JavaScript engine and affects Microsoft Edge, following a recent Google patch. Microsoft also delivered critical patches for the Windows SMB Client and Microsoft Office, addressing vulnerabilities that could grant system privileges or unauthorized access. The patches also cover legacy and out-of-support software such as Internet Explorer and Windows Server 2008. Adobe and other vendors including SAP and Fortinet also released significant patches addressing multiple vulnerabilities rated from critical to moderate. |
| 2025-06-10 21:49:53 | bleepingcomputer | MALWARE | DanaBot Malware Disruption Enabled by 'DanaBleed' Vulnerability | DanaBot, a malware-as-a-service platform active since 2018, was compromised through a vulnerability introduced in its June 2022 update. Researchers at Zscaler's ThreatLabz identified the flaw, dubbed 'DanaBleed,' which resulted from inadequate memory handling in the malware's command-and-control protocol. The memory leak allowed researchers to access critical data about DanaBot's operations and the cybercriminals behind it. Leveraging this intelligence, the international law enforcement initiative "Operation Endgame" dismantled DanaBot's infrastructure. The operation led to the indictment of 16 individuals associated with DanaBot and the seizure of 650 domains and nearly $4,000,000 in cryptocurrency. Although the core team is located in Russia and has evaded arrest, the operation has significantly disrupted their activities and likely damaged their credibility in the cybercriminal community. |
| 2025-06-10 21:19:21 | bleepingcomputer | CYBERCRIME | ConnectWise Rotates Certificates to Address Security Flaws | ConnectWise is rotating the code signing certificates for its software products, including ScreenConnect, Automate, and RMM, because of security concerns. The decision came after a third-party security researcher highlighted potential misuse related to how ScreenConnect handles configuration data. This proactive measure responds to the researcher's warning and is not tied to a direct security incident or to the nation-state cyberattack the company experienced last month. The existing certificates, originally scheduled for revocation, were given an extension to allow the transition to new certificates, effective until June 2025. Upcoming software updates will also change how configuration data is managed within the ScreenConnect application to improve security. Users are advised to download updated software builds from ConnectWise's 'University page' so that their installations use the new certificates. Cloud-hosted versions of the software will receive automatic updates, but users should verify that their systems are current to avoid service interruptions. |