Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-09 15:50:46 | bleepingcomputer | MISCELLANEOUS | Enhancing Cyber Defense with Wazuh in Blue Team Playbooks | Blue Teams use structured playbooks for efficient incident response, detailing steps to identify, contain, and remediate security threats. Wazuh, an open-source security platform, enhances these playbooks by providing real-time threat detection, automated responses, and comprehensive incident management. Wazuh integrates SIEM and XDR capabilities, allowing the correlation and analysis of security data across various environments, crucial for effective incident responses. The article presents specific playbook examples where Wazuh detects common cyber threats such as credential dumping, web shell activity, data exfiltration, and brute-force attacks. Real-world scenarios demonstrate Wazuh's ability to monitor and respond to suspicious activities through log analysis, file integrity monitoring, and network activity tracking. Wazuh supports the entire incident response lifecycle, from preparation to recovery, with tools for early detection, analysis, containment, and post-incident learning. Integration capabilities of Wazuh with other security tools are highlighted, promoting a holistic approach to cybersecurity within Blue Team operations. | Details |
| 2025-06-09 15:25:09 | thehackernews | NATION STATE ACTIVITY | China-Linked Cyber Espionage Affects Over 70 Global Entities | Over 70 organizations worldwide, including a South Asian government and a European media group, were targeted in cyber espionage operations linked to China. The attacks, spanning from July 2024 to March 2025, involved sectors such as manufacturing, government, finance, telecommunications, and research. SentinelOne identified activity by the threat group PurpleHaze, associated with known Chinese espionage groups APT15 and UNC5174. Initial breaches involved reconnaissance targeting SentinelOne's servers and an IT services firm handling the company's logistics. Six distinct activity clusters were identified, dating back to June 2024, showcasing sophisticated methods such as the deployment of malware like ShadowPad. Tools and software developed by The Hacker's Choice were used maliciously for the first time in state-sponsored attacks. SentinelOne's continuous monitoring and attribution efforts indicate expansive and complex operations likely aiming for broader espionage activities beyond the initially compromised entities. | Details |
| 2025-06-09 14:51:08 | thehackernews | DDOS | Critical CVE-2025-24016 Vulnerability Abused by Multiple Mirai Botnets | Two distinct Mirai-based botnet variants target a critical deserialization flaw in Wazuh Server, identified as CVE-2025-24016. The Wazuh Server vulnerability allows remote code execution and affects all versions from 4.4.0; it was patched in version 4.9.1, released in February 2025. The first botnet utilizes a shell script to download and deploy the LZRD Mirai variant from an external server, affecting various device architectures. The second botnet, referred to as Resbot, similarly exploits CVE-2025-24016 using malicious scripts to target Italian-speaking users, spreading through domains with Italian names. Apart from CVE-2025-24016, these botnets leverage other vulnerabilities in devices like TP-Link routers and ZTE routers, among others. Propagation strategies include FTP spread over port 21, telnet scanning, and leveraging old Mirai source code to create or repurpose botnets. These incidents highlight the rapid exploit timelines adopted by attackers and the continuing challenge of securing IoT and network infrastructure against DDoS attacks. | Details |
| 2025-06-09 14:28:23 | bleepingcomputer | MISCELLANEOUS | Enhancing Cyber Defense with Wazuh: Effective Blue Team Playbooks | Blue Teams use structured playbooks to ensure consistent, timely responses to cyber threats, aligning with organizational policies. Playbooks outline the process from identifying and containing to remediating incidents, reducing the impact of cyberattacks. The core of Blue Team playbooks is Incident Response (IR), detailing actionable steps for specific threats. Wazuh is portrayed as a versatile security platform that integrates SIEM and XDR functionalities to assist Blue Teams in real-time threat detection and incident management. Through Wazuh, teams can detect and respond to various threats, including credential dumping, web shells, data exfiltration, and brute-force login attempts. The open-source nature of Wazuh supports extensive customization and community-driven updates. Wazuh enhances Blue Team capabilities by correlating security data across environments, which is critical in the detection and analysis phase of incident response. | Details |
| 2025-06-09 13:33:57 | bleepingcomputer | CYBERCRIME | United Natural Foods Incapacitated by Major Cyberattack | United Natural Foods (UNFI) experienced a significant cyberattack, prompting shutdowns of several systems. The disruption affected UNFI's operations, impacting the fulfillment and distribution of customer orders. UNFI, a major player in the grocery wholesale sector in North America, reported disruptions shortly after discovering the attack on June 5th. In response to the attack, UNFI implemented its incident response plan, which involved taking certain systems offline to contain the breach. The company has engaged external cybersecurity experts to investigate the incident and aid in recovery efforts. Despite system shutdowns, UNFI deployed workarounds to maintain some level of service and is working on safely restoring its systems. Law enforcement has been notified, and UNFI continues to assess and mitigate the cybersecurity incident's impacts. | Details |
| 2025-06-09 11:28:22 | thehackernews | MALWARE | Google Addresses Exploited Chrome Vulnerability; Urges User Updates | Google has patched a zero-day vulnerability in Chrome, found in the V8 JavaScript engine, which was actively exploited. The security flaw could allow an attacker to exploit heap corruption via a meticulously crafted HTML page. Updated Chrome versions 137.0.7151.68/.69 have been released for Windows and macOS, with a version for Linux as well. Google's Threat Analysis Group discovered this flaw, highlighting the need for continuous monitoring and quick response. Users are advised to update their Chrome browsers immediately to mitigate potential risks. Multiple other CVE vulnerabilities were reported this week, impacting products from Cisco, VMware, and IBM, among others. Implementing Attack Surface Reduction (ASR) rules is advised to block common malware techniques effectively. | Details |
| 2025-06-09 11:03:51 | thehackernews | MISCELLANEOUS | Shadow IT Risks Expose Corporate Data Beyond Typical Security | Shadow IT encompasses unsanctioned apps, dormant accounts, and unmanaged user identities that standard security solutions like CASBs and IdPs often miss. It includes risks such as over-permissioned SaaS tools, orphaned access rights, and applications created in platforms like Google Workspace without authorization. Shadow IT is not only a visibility problem but has evolved into a significant attack surface that can lead to inadvertent data breaches or leaks. Real-world examples of these risks include dormant access exploitable by attackers, AI reading sensitive company information, and ex-employees retaining admin access. Wing Security provides tools to automatically discover and manage software applications, users, and integrations, identifying permissions, MFA status, and potential security misconfigurations. By using Wing Security's platform, companies can unify their approach to SaaS security, correlate events across applications, and proactively tackle security issues. The technology aims to transform the unknown elements of software usage into monitored assets, allowing companies to secure their digital environments more comprehensively. | Details |
| 2025-06-09 10:41:29 | theregister | MISCELLANEOUS | Big Tech's Reluctance to Block Stolen Phones Explained | The UK's proposal to remotely disable stolen mobile phones relies on cooperation from major tech companies like Apple and Google, who are hesitant to participate. Mobile phones have a unique International Mobile Equipment Identity (IMEI), which can be used to blacklist stolen devices, preventing them from connecting to cell networks. Despite the technology being available to extend IMEI blocking to cloud services, effectively rendering stolen phones useless, Apple and Google have resisted implementing these measures. Apple argues that implementing IMEI blocking could lead to unintended security issues, such as increased risk of blackmail, while Google maintains that IMEI numbers should remain a unique identifier managed between carriers and subscribers. The reluctance of big tech companies to block stolen phones in cloud services is partly driven by economic incentives, as every connected device generates continuous revenue. Critics argue that this stance not only fosters a market for stolen phones but also ignores broader societal harm, including personal loss and a potential increase in crimes like identity theft. The article suggests a need for systemic cooperation and significant investments in consumer-focused security systems to effectively combat digital identity theft and related crimes, but sees little motivation from the industry to initiate such changes. | Details |
| 2025-06-09 10:11:38 | theregister | NATION STATE ACTIVITY | SentinelOne Uncovers Extensive China-Linked Cyberespionage on Global Scale | SentinelLABS identified over 75 strategic victims worldwide, involving governments and critical sectors, targeted by suspected Chinese spies using malware. The espionage operation utilized ShadowPad and GOREVERSE for pre-positioning ahead of potential conflicts, indicating advanced preparation for espionage and disruption. Notable victims include a European media group and a South Asian government entity, both essential for China's strategic intelligence and potential disruption tactics. SentinelOne's own infrastructure was targeted, signaling its significance within the strategic framework of the espionage operations, possibly for a supply-chain attack similar to the SolarWinds breach. Investigators linked the campaign to Chinese cyberespionage groups APT15 and UNC5174, known for their extensive infiltration capabilities and governmental backing. Critical vulnerabilities CVE-2024-8963 and CVE-2024-8190 in Ivanti software were exploited for initial access, demonstrating the operation's sophistication and its timing relative to undisclosed vulnerabilities. Ongoing research and monitoring are still required as the campaign's activities and further organizational breaches continue to be discovered, suggesting a potential increase in affected entities beyond the initial 75. | Details |
| 2025-06-09 08:06:18 | theregister | MISCELLANEOUS | Balancing Cybersecurity: Technology vs Human Risk Management | Executives and technologists often prioritize revenue and technological solutions, sidelining human risk management (HRM) in cybersecurity. Most data breaches are caused by human error, such as phishing or weak passwords, not by technology failures. Security leaders tend to focus on technology investments due to familiarity and confidence, neglecting the crucial aspect of cultural change. There is a persistent internal conflict within organizations between pushing for advanced technology and implementing effective HRM. Consulting firms frequently promote technology-heavy strategies over HRM, influencing leadership's cybersecurity decisions. Standards like NIST's Cybersecurity Framework and ISO 27001 offer guidance on integrating HRM and technology effectively. True organizational security requires a balanced focus on both technological tools and the people who use them. The challenge lies in leaders recognizing the importance of HRM and demanding a balanced approach amidst competing priorities. | Details |
| 2025-06-09 06:46:23 | thehackernews | NATION STATE ACTIVITY | OpenAI Shuts Down ChatGPT Accounts Linked to Hacker Groups | OpenAI has banned several ChatGPT accounts utilized by Russian-speaking hackers and two Chinese nation-state groups to support malware development and other cybercriminal activities. The Russian-linked users employed ChatGPT to assist in creating and refining Windows malware, including debugging and establishing command-and-control infrastructure. These accounts were used for single-use interactions focused on incremental improvements to malicious tools, demonstrating advanced operational security measures. The malware developed with OpenAI's help was distributed via a code repository disguised as legitimate software, initiating a multi-stage attack to exfiltrate sensitive data. Techniques used in the malware included privilege escalation, detection evasion through PowerShell script modifications, and payload obfuscation using Base64 encoding. Additional capabilities of the malware involved harvesting user credentials and cookies, as well as sending alerts to the attackers via a Telegram channel. Separate from the Russian hackers, the Chinese-associated accounts engaged ChatGPT for diverse purposes ranging from Linux system administration and software development to assistance with social media automation. OpenAI stressed that this misuse of ChatGPT highlights the need for vigilant monitoring and proactive measures to prevent AI-powered cybersecurity threats. | Details |
| 2025-06-09 02:38:19 | theregister | MISCELLANEOUS | China Advances in Space Exploration, Tech Developments Worldwide | China's National Space Administration successfully deployed a solar wing on the Tianwen 2 probe, which is currently three million kilometers from Earth. The Tianwen 2 mission targets the quasi-moon 469219 Kamoʻoalewa and comet 311P, marking significant progress in China's space exploration efforts. Hitachi Power Solutions, Japan, is developing an AI agent to preserve the knowledge of its experienced workers, enhancing operational efficiency. Internal documents reveal China's censorship strategy involves removing content prior to review, intensifying around sensitive anniversaries like that of the Tiananmen Square massacre. Equinix has expanded its footprint in the Asia-Pacific region by acquiring three datacenters in Manila, Philippines, boosting its capacity and potential for regional growth. Samsung's Device eXperience division has integrated Cline AI with Microsoft's VS Code to streamline coding processes in product development. Amazon Web Services has launched a new region in Taiwan with three availability zones, enhancing service reliability amidst the region's frequent earthquakes. | Details |
| 2025-06-08 22:04:43 | theregister | NATION STATE ACTIVITY | Urgent Call for AI in US Cyber Defense Amid Looming Threats | Former NSA adviser Anne Neuberger highlights severe vulnerabilities in U.S. infrastructure, stressing the urgent need for enhanced cyber resilience. Neuberger criticizes the reduction of the Cybersecurity and Infrastructure Security Agency's workforce under the Trump administration, linking it to weakened national security. Emphasizing the role of artificial intelligence, Neuberger advocates for employing AI to patch security gaps in critical infrastructure and legacy systems. CISA faces significant challenges with proposed budget cuts and a potential reduction of one-third of its workforce, raising concerns about a "brain drain" and its impact on U.S. cybersecurity capabilities. The FBI and Kaspersky issue warnings about new variants of the Badbox and Mirai botnets, showing a resurgence and evolution of cyber threats. A Republican congressman demands explanations from Homeland Security regarding the closure of CISA's Mobile App Vetting program amid ongoing threats like the Salt Typhoon breaches by Chinese cyberspies. The Kettering healthcare provider confirms a patient data breach by the ransomware gang Interlock, exposing sensitive patient and staff information. Two cybercriminals from the doxxing gang "ViLE" receive prison sentences for stealing data from a law enforcement database and using it for extortion. | Details |
| 2025-06-08 14:19:51 | bleepingcomputer | MALWARE | New Mirai Botnet Variant Targets DVR Devices via Exploit | A new variant of the Mirai malware is exploiting a command injection vulnerability in TBK DVR devices. The vulnerability, identified as CVE-2024-3721, was disclosed by a researcher in April 2024, with a proof-of-concept published. This flaw affects DVR-4104 and DVR-4216 models and their rebranded versions under multiple brands. Kaspersky detected the exploitation in its Linux honeypots, noting that the malware affects approximately 50,000 internet-exposed devices globally. Infected devices are used for DDoS attacks, proxying malicious traffic, and other harmful activities. Most detected infections are in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, according to Kaspersky's telemetry. It is currently unclear if TBK Vision has released any security patches for the vulnerability, highlighting the potential ongoing risk. | Details |
| 2025-06-08 13:55:37 | thehackernews | MALWARE | Widespread Malware Campaign Targets npm and PyPI Libraries | A supply chain attack has been discovered, targeting over a dozen packages associated with GlueStack in npm and PyPI repositories, affecting nearly 1 million weekly downloads. The compromised packages allow attackers to execute shell commands, take screenshots, and upload files from infected machines, with potential actions including cryptocurrency mining and data theft. The first package compromise was detected on June 6, 2025, with similarities noted to a previous npm package compromise indicating the possible involvement of the same threat actors. Malicious actors introduced a remote access trojan (RAT) capable of harvesting system information and public IP addresses, with maintainers having revoked access and deprecated affected versions. Two additional npm packages were found acting as both information stealers and file wipers, with one package specifically targeting application directories for deletion upon activation. A new PyPI package identified as a credential harvester masquerades as an Instagram growth tool but instead exfiltrates Instagram credentials to third-party services. Users of the affected packages are urged to roll back to safe versions to mitigate threats, highlighting the importance of maintaining secure software supply chains. | Details |