Daily Brief

Find articles below; see 'DETAILS' for generated summaries

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-06-10 20:02:45 bleepingcomputer MALWARE New Secure Boot Flaw Compromises System Security, Urgent Patch Released
Security researchers have identified a new Secure Boot vulnerability, CVE-2025-3052, that allows attackers to disable system security features and install bootkit malware. The vulnerability stems from a BIOS-flashing utility signed with Microsoft's "UEFI CA 2011" certificate, affecting nearly all systems supporting Secure Boot. The flaw was exploited by modifying a user-writable NVRAM variable to disrupt the UEFI boot process and disable Secure Boot enforcement. Microsoft has responded by adding affected module hashes to the Secure Boot dbx revocation list as part of their June 2025 Patch Tuesday. Alongside CVE-2025-3052, another Secure Boot bypass, CVE-2025-4275, was disclosed and patched, indicating a growing trend in UEFI firmware vulnerabilities. Binarly, the company that disclosed the flaw, has released a proof-of-concept video demonstrating the vulnerability and stresses the importance of applying the updated dbx file immediately. IT organizations are encouraged to automate patch management processes to address vulnerabilities quickly and efficiently, reducing overhead and focusing on strategic tasks.
2025-06-10 18:57:21 theregister DATA BREACH Texas Department of Transportation Reports Major Data Theft
The Texas Department of Transportation (TxDOT) detected unusual activity on May 12 in its Crash Records Information System, which led to the discovery of a data breach. Nearly 300,000 crash reports were illicitly downloaded using a compromised user account, exposing sensitive information of Texas drivers. The exposed personal data includes driver’s license numbers, addresses, license plate numbers, and car insurance policy information, which can be used for fraud or identity theft. Although not legally required to notify affected individuals, TxDOT has proactively started sending letters to those whose information was involved in the breach. The type of data accessed can facilitate insurance fraud, false claims, and even sophisticated phishing attacks aiming to deceive victims with seemingly legitimate offers. The Texas Department of Public Safety is conducting an investigation to understand the full scope and method of the breach. Despite the breach, state officials have not offered credit monitoring or other protective services typically provided following significant data breaches.
2025-06-10 18:32:54 thehackernews MALWARE Adobe Patches Over 250 Security Flaws Across Multiple Products
Adobe has released updates fixing 254 vulnerabilities in its software products, predominantly affecting Adobe Experience Manager (AEM). A substantial portion of the vulnerabilities, specifically 225, were identified in AEM and affect both AEM Cloud Service and versions up to 6.5.22. The vulnerabilities patched include critical issues that could allow attackers to execute arbitrary code, escalate privileges, or bypass security features. The most severe vulnerability addressed is a reflected XSS flaw in Adobe Commerce and Magento Open Source, with a CVSS score of 9.1, potentially leading to arbitrary code execution. Other critical fixes include improper authorization flaws and multiple code execution vulnerabilities in Adobe InCopy and Substance 3D Sampler. Adobe credits multiple security researchers for discovering and reporting these issues, highlighting the importance of collaborative security efforts. While there have been no reports of these vulnerabilities being exploited in the wild, Adobe strongly advises users to update their software to the latest versions to ensure protection.
2025-06-10 18:13:52 thehackernews MISCELLANEOUS Researchers Identify Security Risks in Salesforce Industry Cloud
Cybersecurity experts found over 20 configuration vulnerabilities in the Salesforce Industry Cloud, risking data exposure. These configuration issues span various components, including FlexCards, Data Mappers, and OmniScript, among others. Although Salesforce addressed some vulnerabilities following responsible disclosure, the majority are left for customers to resolve. Identified CVEs such as CVE-2025-43967 and CVE-2025-43698 have been mitigated with new security settings that Salesforce customers must activate. The security gaps could lead to significant compliance risks for organizations under regulations like HIPAA or GDPR. A separate zero-day SOQL injection vulnerability was also discovered, potentially allowing attackers to access and extract sensitive data. Salesforce claims that all identified issues have been resolved and patched, with no evidence of these vulnerabilities being exploited in customer environments. The company emphasizes the importance of customer-side configuration for optimal security and regulatory compliance.
2025-06-10 17:40:22 bleepingcomputer CYBERCRIME Microsoft Addresses Exploited Zero-Day in June 2025 Patch Update
Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including ten deemed critical. The patch corrected one actively exploited zero-day and another vulnerability that was publicly disclosed. The actively exploited zero-day involved a remote code execution flaw in Web Distributed Authoring and Versioning (WebDAV). The exploitation of this vulnerability allowed attackers to execute arbitrary code by having a user click a specially crafted URL. A publicly disclosed elevation of privilege vulnerability in Windows SMB Client was also fixed, which previously allowed attackers to gain SYSTEM privileges. Mitigation strategies for the SMB Client flaw included enforcing server-side SMB signing. Other tech companies have also released updates and advisories in the same period, indicating a broader focus on cybersecurity threats. Microsoft attributes the identification of these flaws to multiple security researchers and organizations.
2025-06-10 16:47:32 thehackernews MALWARE FIN6 Deploys More_eggs Malware Using Fake AWS-Hosted Resumes
FIN6, an e-crime group, is using Amazon Web Services to host fake resumes for phishing attacks on recruitment platforms like LinkedIn and Indeed. The group, operational since 2012, has shifted its focus from targeting point-of-sale systems to deploying malware, specifically More_eggs, through social engineering. More_eggs malware, developed by the Golden Chickens cybercrime group, allows for credential theft, system access, and ransomware attacks. The fake resumes are distributed through domains registered anonymously and protected by GoDaddy's privacy services, complicating attribution and takedown efforts. The phishing sites leverage built-in traffic filtering logic, delivering malicious content only to targets meeting specific criteria like using residential IP addresses. When opened by the targeted individuals, the ZIP file containing the resume triggers the deployment of the More_eggs malware. This sophisticated approach of using realistic job lures, CAPTCHA walls, and evasion techniques allows FIN6 to remain undetected by many security tools.
2025-06-10 16:41:41 bleepingcomputer CYBERCRIME Microsoft Expands Outlook Attachment Blocking for Enhanced Security
Microsoft is set to block additional file types in Outlook Web and the new Outlook for Windows to enhance security measures. The blocked file extensions, effective from early July 2025, will include .library-ms and .search-ms, previously exploited in phishing attacks. These file types have been used to exploit vulnerabilities and facilitate unauthorized access to user data, notably through NTLM hash exposure and malware deployment. The majority of users will not be impacted by this update as these file types are rarely used in regular communications. Organizations that rely on these file types can adjust their settings by modifying the OwaMailboxPolicy objects before the changes take effect. This security update is part of an ongoing effort by Microsoft to disable Office and Windows features that have been manipulated to launch cyber attacks. No specific actions will be required from users as the update will automatically apply to all Outlook Web Access (OWA) Mailbox policies.
2025-06-10 16:33:48 bleepingcomputer DATA BREACH Texas Department of Transportation Suffers Major Data Breach
The Texas Department of Transportation (TxDOT) experienced a significant data breach, with 300,000 crash records stolen from its database. The breach was detected on May 12, 2025, after unusual activity was observed in the Crash Records Information System (CRIS). A threat actor exploited compromised credentials to access and download nearly 300,000 crash reports, leading to unauthorized data extraction. Compromised data may increase the risk of social engineering, phishing, and scamming attacks against individuals whose information was part of the stolen records. TxDOT has started notifying potentially impacted individuals, advising them to be vigilant against identity theft and to monitor their credit reports for suspicious activities. No identity theft protection or credit monitoring services have been offered to the affected individuals by TxDOT, though a dedicated support line has been established. Additional security measures are being implemented by TxDOT to prevent future breaches, including disabling compromised accounts and blocking unauthorized access paths used by attackers.
2025-06-10 16:08:15 theregister MALWARE Critical Wazuh Bug Targeted by Mirai Variants in Botnet Attacks
Cybercriminals are exploiting a critical remote code execution vulnerability, CVE-2025-24016, in Wazuh, an open-source XDR and SIEM platform. The disclosed vulnerability is actively used in botnet attacks, affecting over 100,000 global enterprises, including Fortune 100 companies. Akamai researchers identified the initial exploitation attempts in March, highlighting the rapidly decreasing time-to-attack after disclosure. The attackers leverage Mirai botnet variants to attack IoT devices, using both newly discovered and older vulnerabilities across different devices. Domains with Italian names were used in one of the botnets (Resbot), suggesting targeted attacks on Italian-speaking populations. Wazuh has released a patch (version 4.9.1, in October 2024) that mitigates these attacks, emphasizing the importance of timely updates. The presence of publicly shared proof-of-concept (PoC) exploit code accelerates the propagation and success rate of these botnet attacks. Despite the patch, continuing attacks underscore the need for organizations to swiftly apply security updates to avoid exploitation.
2025-06-10 15:58:59 bleepingcomputer CYBERCRIME FIN6 Hackers Impersonate Job Applicants to Deploy Malware
FIN6, a known cybercriminal group, has adopted a strategy of impersonating job seekers to infiltrate and infect recruitment systems with malware. Recruiting specialists are being targeted through LinkedIn and Indeed, with seemingly benign interactions progressing to phishing emails containing malware-infected resume downloads. The malware, dubbed 'More Eggs,' is delivered through a JavaScript backdoor, enabling credential theft, ransomware attacks, and unauthorized system access. Attackers employ sophisticated methods including environmental fingerprinting and behavioral checks to ensure the malware is delivered only to intended targets and not to security researchers or unintended systems. Recruitment domains are anonymously registered and hosted on AWS, increasing the difficulty of detection by security tools due to the platform's trusted status. FIN6 is expanding its criminal activities from traditional financial fraud and PoS system compromises to advanced ransomware strategies and credential theft. Recruitment professionals are advised to verify candidate identities through direct contact with references, and to exercise caution when asked to download materials from external websites.
2025-06-10 15:29:02 bleepingcomputer MALWARE Ivanti Fixes High-Severity Vulnerabilities in Workspace Control
Ivanti released updates for three high-severity hardcoded key vulnerabilities in Workspace Control, affecting SQL credential security. These flaws, identifiable as CVE-2025-5353, CVE-2025-22455, and CVE-2025-22463, allow local authenticated attackers to decrypt stored credentials. Successful exploitation could lead to privilege escalation and system compromise, depending on the targeted account. No current evidence suggests these vulnerabilities have been exploited in the wild before their public disclosure. Ivanti emphasizes that the vulnerabilities were responsibly disclosed, and they are not aware of any exploits in customer environments prior to this disclosure. The affected product, Workspace Control, will reach end of life in December 2026, ceasing security patches and technical support thereafter. Ivanti previously addressed other critical vulnerabilities across different products, including a critical authentication bypass and zero-day flaws exploited by state-linked actors.
2025-06-10 15:05:05 theregister CYBERCRIME How AI is Revolutionizing the Battle Against Ransomware
AI is increasingly utilized by IT security teams, with 90% adopting it to counter complex ransomware threats, as per Delinea's 2025 report. AI enhances SOC operations by analyzing alerts in real-time, prioritizing incidents, and enabling analysts to focus on strategic responses. AI tools are effective in detecting Indicators of Compromise by scanning large data sets and identifying potential ransomware threats swiftly. Phishing, a common ransomware tactic, is being countered by AI through email pattern analysis and real-time detection of suspicious activities. AI-driven improvements in identity and access management systems help automate critical functions and reduce the risk of unauthorized access. AI technologies are vital in preempting phishing attempts and improving security training through realistic simulations and response tracking. The adoption of AI is transforming cybersecurity from reactive to proactive, providing a strategic edge against ransomware attacks. For a comprehensive understanding of AI-influenced cybersecurity practices, the Delinea 2025 State of Ransomware Report offers expert insights and data.
2025-06-10 14:22:31 thehackernews MALWARE Rust-Based Myth Stealer Malware Exploits Fake Game Sites
A new Rust-based information stealer, Myth Stealer, is being spread via fraudulent gaming websites. Initially offered for free on Telegram, Myth Stealer has transitioned to a malware-as-a-service model and is capable of stealing passwords and autofill data from browsers like Chrome and Firefox. The malware deceives users with a fake setup window while executing malicious code in the background, employing anti-analysis techniques to evade detection. Telegram has shut down multiple channels used by the operators to advertise compromised accounts and share testimonials. Distribution methods include fake gaming sites on Blogger and cracked game cheating software, highlighting diverse attack vectors. Myth Stealer attempts to terminate processes on infected systems to steal data, which it then exfiltrates to a command and control server or via Discord webhooks. The malware's capabilities are being continuously updated, including new functionalities like screen capture and clipboard hijacking.
2025-06-10 14:05:56 bleepingcomputer DATA BREACH New Report Uncovers AI as Potential Trigger for Data Breach
The report identifies a critical vulnerability in enterprise data security posed by AI systems, which act like digital agents, accessing and potentially exposing sensitive data. Varonis' research, involving 1,000 real-world IT environments, highlights that 99% of organizations have sensitive data that AI could inadvertently expose. The use of AI technologies can lead to unintentional data exposure due to a lack of understanding of AI permissions models and adequate data protection measures. AI-driven analytics tools and customer support bots could access or reveal internal sensitive data such as employee salaries, R&D insights, or source code with minimal user interaction. The integrity of data fed into AI systems, particularly Large Language Models (LLMs), is crucial; incorrect or manipulated data can have disastrous consequences. Varonis emphasizes the importance of implementing robust data security practices and proactive measures to safeguard data in the era of AI. The "State of Data Security Report" by Varonis sheds light on various risk aspects including cloud complexities, unsanctioned apps, and inadequate multifactor authentication practices contributing to the heightened risk landscape.
2025-06-10 13:04:52 theregister NATION STATE ACTIVITY Trump Cancels Digital ID Rules Aimed at Preventing Fraud
President Trump revoked an executive order by Biden focused on enhancing cybersecurity and reducing identity fraud. Trump's action removed mandates for digital ID usage, claiming they aided immigrants in committing fraud, a claim disputed by experts. Digital identity and cybersecurity experts argue that digital IDs are crucial for securing federal systems against sophisticated fraud rings and nation-state actors. Key criticisms include the rollback of required secure software development practices, making them voluntary, which may lead to slower adoption and increased risks. Cybersecurity professionals stress that ransomware gangs and foreign-government-sponsored goons primarily exploit stolen identities, not immigrants. The removal of these mandates is seen as a step back in fighting the advanced fraud and cyber threats facing the nation. Experts call for a national strategy on digital fraud and emphasize the importance of treating digital identity as critical infrastructure.