Daily Brief

2025-06-10 12:24:33 theregister CYBERCRIME Flaw in Google Authentication System Exposed User Phone Numbers
A white-hat hacker identified a security vulnerability in Google’s authentication process, enabling a brute-force attack to access user phone numbers. The exploit required only the victim's email address to reveal the phone number linked to the Google account. The hacker, known as Brutecat, utilized Google Looker Studio and cloud computing resources to exploit the system and obtain phone numbers quickly. Google's account recovery provided partial phone number hints that were susceptible to brute-forcing, particularly because its anti-abuse systems relied on JavaScript. The exploitation process involved creating a Looker Studio document and transferring its ownership to the victim’s account, revealing the victim's phone number without their interaction. Google initially awarded the researcher $5,000 for the discovery, which was considered low given the potential impact of the exploit. Google has since patched the vulnerability and emphasized the importance of collaboration with the security research community to uphold user safety.
2025-06-10 12:02:02 bleepingcomputer CYBERCRIME Five Guilty in $36 Million Cryptocurrency Investment Scam
Five men from China, the United States, and Turkey have pleaded guilty to laundering nearly $37 million stolen from U.S. citizens through cryptocurrency investment scams originating in Cambodia. Victims were contacted via unsolicited messages through social media, phone calls, texts, and online dating services and deceived into investing in fraudulent digital asset opportunities. The illicit funds, totaling over $36.9 million, were funneled from U.S. bank accounts to a Bahamian account held by Axis Digital Limited, a company established specifically for these fraudulent operations. Key players included Joseph Wong, who led a Los Angeles-based network of money launderers; Jose Somarriba and Shengsheng He, who founded Axis Digital; and Jingliang Su, who facilitated converting and transferring the victim funds using cryptocurrency. Suspects laundered the stolen amounts through various shell companies, U.S. and international bank accounts, and digital asset wallets, converting much of these funds to Tether (USDT) and moving them to a wallet in Cambodia. Consequences for those involved include possible sentences of up to 20 years for money laundering conspiracy and up to five years for operating an unlicensed money services business. This case highlights a concerning trend reported by the FBI, with over $6.5 billion lost to investment scams in one year alone, marking a significant increase from previous figures.
2025-06-10 11:06:02 thehackernews CYBERCRIME Increasing Security Threats from Non-Human Identities in Enterprises
Modern enterprises increasingly rely on non-human identities (NHIs) like API keys and OAuth tokens, frequently outnumbering human users. A report indicated that 46% of organizations have suffered compromises related to NHI accounts, spotlighting significant security vulnerabilities. The proliferation of cloud services and automation technologies has prompted a rapid increase in NHIs, complicating their management and security. Over 80% of organizations plan to enhance their investment in securing NHIs, reflecting growing awareness of their critical role and associated risks. NHIs often lack robust security measures such as multi-factor authentication (MFA), making them susceptible to attacks and secret leakages. NHIs can accrue excessive permissions and static credentials, further expanding the potential attack surface for cyber adversaries. CISOs are challenged with implementing effective security protocols for NHIs to mitigate risks and ensure safe operations across digital environments. An upcoming webcast is scheduled to address strategies for managing both human and non-human identities within unified systems to reduce risks and complexity.
2025-06-10 10:51:29 theregister CYBERCRIME M&S Resumes Limited Online Orders After Cyberattack Impact
Marks & Spencer has partially restored its online ordering capabilities, 46 days after a significant cyberattack that occurred in April. Online ordering was initially unaffected, but the service disruption expanded, leading to the suspension of online and app orders. The attack purportedly involved DragonForce ransomware and resulted in the theft of customer data, the details of which remain undisclosed. The UK retailer now offers online purchases of select fashion ranges in England, Scotland, and Wales, though deliveries are delayed and service options like Click & Collect are still unavailable. M&S estimates a £300 million ($404.7 million) operating profit loss for the next financial year due to the cyber incident, although it plans countermeasures through cost-cutting, insurance claims, and trading actions. Despite a stark drop in share price immediately following the attack, news of the returning online service caused a 3% increase in M&S's stock value. The company hints at using this crisis to accelerate its digital transformation, with further normal service restoration expected gradually.
2025-06-10 10:15:46 thehackernews CYBERCRIME Researcher Identifies Google Security Flaw Exposing User Phone Numbers
A security flaw in Google's account recovery feature allowed for the potential exposure of linked recovery phone numbers. The vulnerability was identified by Singaporean researcher "brutecat" in the non-JavaScript version of the Google username recovery page, which lacked sufficient anti-abuse protections. By bypassing CAPTCHA-based rate limits, an attacker could determine all possible phone number combinations for a Google account quickly. Additional exploits could unveil the country code of the phone number and the user's full name using Google's Forgot Password feature and Looker Studio documents. The flaw could lead to SIM-swapping attacks, risking the takeover of any accounts connected to the compromised phone number. Following responsible disclosure in April 2025, Google awarded the researcher a $5,000 bug bounty and resolved the issue by removing the vulnerable username recovery page. Prior disclosures by the same researcher uncovered similar issues revealing YouTube channel owners' email addresses and monetization details via YouTube's API flaws.
2025-06-10 10:01:44 theregister DATA BREACH Global Data Leak: 40K IoT Cameras Expose Sensitive Locations
Researchers accessed live feeds of 40,000 IoT cameras globally, exposing datacenters, healthcare facilities, and more. The majority of the exposed cameras were found in the U.S., with 14,000 camera feeds exposed, posing espionage threats. DHS had previously warned about the espionage risks associated with poorly secured cameras, especially Chinese-made ones. Bitsight identified both HTTP and RTSP camera technologies as avenues for unauthorized access to sensitive live feeds. Security gaps allow easy access without sophisticated tools; in some cases, only a web browser is needed. The exposed cameras not only compromise national security but also provide criminal opportunities, giving insights into retail and residential patterns. The findings raise concerns about the lack of default encryption and security controls in IoT devices, particularly in critical infrastructure. Bitsight also noted the presence of a cybercriminal community online that exchanges information about accessible cameras.
2025-06-10 07:49:20 thehackernews NATION STATE ACTIVITY Rare Werewolf APT Targets Russian Enterprises Using Legit Software
Rare Werewolf APT, previously known as Rare Wolf, conducts cyberattacks on enterprises in Russia and CIS countries, leveraging legitimate third-party software. The group utilizes command files and PowerShell scripts to infect systems, siphon credentials, and deploy XMRig cryptocurrency miners. Primary attack vectors include phishing emails with password-protected archives that deliver malware and legitimate applications like 4t Tray Minimizer. Other tools deployed post-infection include Mipko Employee Monitor, WebBrowserPassView, and Defender Control for further data theft and antivirus disabling. Attacks feature distinctive operational details, such as scheduling compromised systems to wake up at 1 a.m. and shut down by 5 a.m. after data theft. Hundreds of users across industrial and educational sectors in Russia, Belarus, and Kazakhstan have been affected. The use of legitimate tools complicates the detection and attribution of malicious activities carried out by the group. Similar attacks by another group, DarkGaboon, were mentioned, utilizing LockBit 3.0 ransomware in a parallel but separate campaign targeting Russian entities.
2025-06-10 06:41:23 theregister MISCELLANEOUS Apple Unveils Swift-Based Linux Containerization Framework
Apple has introduced a new open-source containerization framework designed to run Linux container images on Macs, improving performance and security. The framework allows each Linux container to operate within its own lightweight virtual machine (VM), enhancing operational efficiency and security by minimizing shared resources. This development targets developers who prefer Mac hardware but need to deploy applications in a Linux environment, providing a stable and optimized solution that utilizes Apple's Swift programming language and is tailored for Apple Silicon chips. Existing tools like Docker and Podman have offered similar capabilities, but Apple's solution promises better integration and performance on Mac systems. The new containerization approach uses a minimal root filesystem and an optimized Linux kernel to achieve faster start times and a smaller attack surface for security. Apple’s documentation highlights unique features such as dedicated IP addresses for each container, eliminating the need for individual port forwarding and supporting quicker setup and management. However, the framework's full capabilities will only be unlocked with the future macOS 26 Tahoe release, suggesting limited functionality with the current macOS 15 Sequoia. The framework is still in development, with upcoming updates expected to introduce features like memory ballooning, which allows VMs to adjust memory dynamically.
2025-06-10 05:45:40 thehackernews NATION STATE ACTIVITY CISA Flags Erlang SSH and Roundcube Flaws for Immediate Fixes
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities catalog. These vulnerabilities are actively exploited, but specific details about the exploitation techniques and the perpetrators remain undisclosed. Recent reports by ESET identified that a Russia-linked group, APT28, exploited similar vulnerabilities to target Eastern European governmental and defense sectors. It is uncertain whether the newly reported abuse of CVE-2024-42009 relates directly to APT28’s activities or to a different threat actor. There are currently 340 Erlang servers exposed, though not all of them are necessarily susceptible to the reported flaw. CVE-2025-32433 saw several proof-of-concept exploits made publicly available soon after its disclosure. Federal Civilian Executive Branch (FCEB) agencies must apply fixes for these vulnerabilities by June 30, 2025, to mitigate risks adequately. In a related security issue, Patchstack has highlighted an unpatched severe vulnerability in the PayU CommercePro plugin for WordPress, impacting over 5,000 active installations and allowing account takeovers without authentication.
2025-06-09 22:32:32 bleepingcomputer DATA BREACH Ticketmaster Data Resold by Arkana Security, Linked to Past Breach
Arkana Security briefly advertised over 569 GB of purportedly "new" Ticketmaster data for sale, which was actually from a previous 2024 Snowflake data theft. The data was previously compromised during attacks by the threat group ShinyHunters, using stolen Snowflake credentials to access and extort multiple companies. Screenshots and file names from the Arkana post matched the data stolen in 2024, debunking claims of a new breach. The extortion attempt included marketing print-at-home and celebrity concert tickets to pressure victims. The origin and current possession of the resold data by Arkana remain unclear, with potential ties to ShinyHunters or other associated actors. The listing for the Ticketmaster data was removed from Arkana's site as of June 9, indicating a possible cessation or shift in their strategy. ShinyHunters, known for numerous high-profile breaches, has seen several associated threat actors arrested, raising questions about the current composition and operations of the group. Ticketmaster and Arkana did not respond to inquiries regarding the data listing, leaving some details unconfirmed.
2025-06-09 20:14:37 bleepingcomputer MALWARE Over 84,000 Roundcube Webmail Installations Exposed to RCE Flaw
Over 84,000 Roundcube webmail installations are at risk due to the CVE-2025-49113 vulnerability, which enables critical remote code execution. The flaw affects multiple versions of the Roundcube system, spanning from 1.1.0 to 1.6.10, and was recently patched as of June 1, 2025. Attackers have reverse-engineered the patch to create an exploit now being sold on underground forums, even though exploiting the flaw requires user authentication. Large-scale exposure of the vulnerability was reported, with the United States, India, and Germany having the highest number of vulnerable instances. The vulnerability was first reported by security researcher Kirill Firsov, who also detailed prevention methods on his blog amid concerns of ongoing attacks. Recommended immediate actions include updating to the latest Roundcube versions or implementing security measures like access restrictions and monitoring for signs of exploitation.
2025-06-09 19:44:09 bleepingcomputer CYBERCRIME Google Fixes Exploitable Bug That Leaked User Phone Numbers
A critical vulnerability in a deprecated Google recovery form allowed phone number extraction via brute force. The flaw, discovered by BruteCat, exploited the lack of anti-abuse protections in a JavaScript-disabled Google form. Hackers could retrieve phone numbers by rotating IPv6 addresses and bypassing captchas using BotGuard tokens. Attackers required just the user's profile name and hints of their phone number to initiate the brute force. The vulnerability posed severe risks for phishing and SIM swapping attacks targeting Google account holders. Google upgraded the flaw's severity after BruteCat's report, eventually deprecating the vulnerable endpoint. Although the attack vector has been mitigated as of June 6, 2025, there is no evidence of whether it was maliciously exploited before the fix. The incident emphasizes the need for continuous security enhancements and monitoring even in legacy systems.
2025-06-09 18:29:12 bleepingcomputer NATION STATE ACTIVITY SentinelOne Reports Being Targeted by China in Global Hacking Campaign
SentinelOne disclosed further details on a failed supply chain attack orchestrated by Chinese hackers targeting more than 70 global entities from June 2024 to March 2025. The cybersecurity firm, a major player in endpoint protection, identified two main attack clusters named 'PurpleHaze' and 'ShadowPad' aimed at sectors including government, telecom, and finance. The initial attack phase involved exploiting network vulnerabilities, particularly in devices like Ivanti Cloud Service Appliances and Check Point gateways. PurpleHaze cluster activity in October 2024 included scanning SentinelOne's servers and setting up fake domains to mimic its infrastructure, attempting to deploy the GOREshell backdoor using zero-day exploits. The later 'ShadowPad' attacks targeted an IT service provider linked to SentinelOne, deploying malware to attempt a supply chain breach via sophisticated malware obscured with ScatterBrain. Attack methods also involved using PowerShell scripts for delayed execution and data exfiltration, enhancing stealth and persistence in compromised networks. Despite these aggressive attempts, SentinelOne confirmed no breach of their systems was successful, underlining the persistent and sophisticated nature of state-sponsored cyber threats targeting critical global infrastructures.
2025-06-09 17:23:41 theregister CYBERCRIME Major Organic Food Supplier Hit by Cyberattack, Operations Disrupted
United Natural Foods experienced a cyberattack on June 5, prompting system shutdowns to contain the breach. The attack led to operational disruptions, affecting the company's ability to fulfill orders to major retailers like Whole Foods and Walmart. In response to the intrusion, the company implemented its incident response plan and engaged third-party cybersecurity experts. The company has reported the incident to law enforcement and is actively working to mitigate and remediate the impacts. Although the company has not confirmed it, indications suggest the event was likely a ransomware attack, typical of recent patterns affecting the industry. The cyberattack continues to cause temporary business disruptions, which may influence food supply chains and increase consumer prices. United Natural Foods plays a critical role in the North American market, supplying over 30,000 retailers and recording $8.2 billion in net sales for fiscal Q2.
2025-06-09 16:13:33 bleepingcomputer DATA BREACH Sensata Technologies Hit by Ransomware, Personal Data Stolen
Sensata Technologies experienced a ransomware attack on April 6, leading to a significant data breach. The company, which specializes in industrial technology for the automotive and aerospace sectors, confirmed the theft of personal data affecting both current and former employees and their dependents. Initial SEC filings in April acknowledged the attack, noting disruptions to shipping, manufacturing, and other business operations. Further investigations with external experts disclosed unauthorized access to Sensata’s network from March 28 to April 6, during which sensitive files were accessed and copied. On May 23, Sensata determined the exact nature of the stolen data, prompting notifications to the affected individuals about the exposure. Affected parties have been offered one year of free credit monitoring and identity theft protection services. As of now, no ransomware group has claimed responsibility for the incident. Sensata's annual revenue exceeds $4 billion, underlining the significant impact of the breach on a major player in the industrial technology field.