Daily Brief

2025-06-03 15:49:41 bleepingcomputer CYBERCRIME Malicious RubyGems Posing as Fastlane Steal Telegram API Data
Two RubyGems packages were found impersonating Fastlane's Telegram CI/CD plugin and redirecting the plugin's Telegram Bot API requests to an attacker-controlled proxy. Everything passing through the proxy is exposed: chat IDs, message content, attached files, proxy credentials, and bot tokens. Socket researchers discovered the gems and have warned the RubyGems community; the attack is a supply chain threat to every Ruby project that builds and sends notifications through Fastlane. The proxy's landing page claims it does not store or modify traffic, but nothing verifies that claim, and a bot token on its own is enough to read and send messages as the bot. Developers who installed the gems are advised to remove them immediately and rotate any Telegram bot token that may have passed through them. The proxy endpoints run as Cloudflare Worker scripts, which hides who operates them and how much data has been captured.
2025-06-03 15:10:16 thehackernews MALWARE Deceptive Websites Deploy NetSupport RAT Using Multi-Stage PowerShell Scripts
Threat hunters have uncovered a campaign that uses fake DocuSign and Gitcode sites to deliver NetSupport RAT through multi-stage PowerShell scripts. Victims are typically steered to the sites by social engineering over email or social media. The chain starts when the victim is tricked into running a PowerShell command; in one variant, a fake CAPTCHA page silently copies the command to the clipboard (clipboard poisoning) and instructs the user to paste and run it. That first script downloads further scripts and finally the NetSupport RAT from an attacker-controlled server posing as a legitimate service. Splitting execution across stages is intended to evade detection and to survive the takedown of any single stage. The URL and domain patterns overlap with earlier SocGholish campaigns, suggesting a larger organized operation. NetSupport Manager itself is legitimate remote-administration software, but multiple threat actors abuse it for unauthorized remote access to victims' systems.
2025-06-03 14:35:52 bleepingcomputer CYBERCRIME Mozilla Introduces System to Combat Crypto-Draining Firefox Add-ons
Mozilla has launched a new security feature aimed at blocking malicious Firefox extensions designed to drain cryptocurrency wallets. The system assigns each submitted extension a risk profile and flags those above a set threshold for review by human moderators; extensions confirmed as malicious are blocked immediately so they can no longer be downloaded or run in Firefox. Wallet-draining browser extensions have become a common attack vector because they can steal private keys and funds directly from the user. Mozilla's Add-ons Operations team, led by Andreas Wagner, has removed hundreds of such extensions in recent years and keeps adjusting its detection methods as the attackers' tactics change. Wagner advises users to install wallet extensions only by following links from the wallet vendor's official website rather than searching the add-ons store. The effort reflects a broader trend toward automated screening to protect user assets.
2025-06-03 14:04:26 bleepingcomputer CYBERCRIME Scattered Spider Revealed: Insights Beyond the Headlines
"Scattered Spider" is not a single organized group but a label applied to overlapping criminal activity that vendors track under different names. Initial access in these intrusions is usually identity-based, most often a help desk scam in which the attacker persuades support staff to reset a password or MFA factor; from there the actors move on to data theft or ransomware deployment. Although the help desk angle is only now getting headlines, these actors have relied on it since 2022, which points to a long-standing gap in corporate verification procedures. They preferentially target accounts that already hold administrative privileges, so a single successful reset gives broad access without any further privilege escalation inside the victim network. The toolkit extends beyond help desk scams to adversary-in-the-middle (AiTM) phishing kits that proxy the login and capture the authenticated session, another route around MFA. Recommended countermeasures include adding deliberate friction to help desk resets and stronger identity verification for any change to a privileged account. The article's broader point is that defenses have to track how the tactics evolve rather than stop at conventional controls.
2025-06-03 13:58:24 bleepingcomputer NATION STATE ACTIVITY CISA Alerts on Exploited Security Flaws in ConnectWise, ASUS
CISA has warned that CVE-2025-3935, a patched vulnerability in ConnectWise ScreenConnect, is being exploited. The flaw is an ASP.NET ViewState code injection: an attacker who has obtained the server's machine keys can craft a ViewState payload that executes code on the server and take control of it, so the bug is only useful to someone who already holds those keys. ConnectWise attributed recent attacks involving the flaw to a suspected state-sponsored actor. CISA also added actively exploited vulnerabilities in ASUS routers and Craft CMS; the ASUS RT-AX55 flaw is being used to enlist devices in a stealthy botnet that researchers attribute to a sophisticated adversary. All of these are now in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must apply the required mitigations by June 23.
2025-06-03 13:35:39 theregister MISCELLANEOUS Microsoft Releases Fix for Problematic Windows 11 Patch
Microsoft has issued an out-of-band update, KB5062170, to fix a May Patch Tuesday update that left some Windows 11 systems booting into recovery mode. The affected machines, many of them virtual machines, failed with error 0xc0000098 referencing a missing or corrupt ACPI.sys; the problem hit enterprise environments and largely spared consumers. The new update resolves the boot failure but not a separate, still-open issue in which CJK fonts render blurry in Chromium-based browsers at 100 percent scaling; Microsoft's workaround is to raise display scaling to 125 or 150 percent. Out-of-band fixes for urgent regressions have become increasingly common for Microsoft, on Windows Server as well as the client, raising questions about update quality control. Microsoft does act quickly on these problems, but the recurring pattern leaves enterprise administrators planning around the possibility that a monthly update will need a follow-up.
2025-06-03 13:25:25 bleepingcomputer CYBERCRIME Victoria's Secret Earnings Delayed by Cybersecurity Incident
Victoria's Secret has delayed its Q1 2025 earnings release because of a cybersecurity incident on May 24 that affected its corporate systems. As a precaution the company took down certain corporate and in-store systems and its e-commerce website, and engaged external cybersecurity experts to manage the impact and restore service. The website was back online as of May 29, 2025; restoration of other corporate systems is ongoing. The incident cut off access to systems and data the company needs to prepare and publish its financial results, so the earnings release and webcast, originally scheduled for June 5, 2025, have been postponed. The company has not described the nature of the attack; the shape of the outage is consistent with ransomware, though that has not been confirmed. The incident is part of a wider wave of attacks on retailers around the world.
2025-06-03 13:07:57 thehackernews MALWARE Critical Decade-Old Roundcube Bug Exposes Systems to Cyber Threats
A critical vulnerability in Roundcube webmail, CVE-2025-49113, carries a CVSS score of 9.9. The bug, present in the code base for roughly ten years, lets an authenticated user execute arbitrary code on the server through insecure PHP object deserialization; any account that can log into the webmail, however low-privileged, is enough to reach it. It is fixed in Roundcube Webmail 1.6.11 and 1.5.10 LTS; all earlier versions are vulnerable. Kirill Firsov of the Dubai-based firm FearsOff found and reported the flaw and plans to publish technical details and a proof-of-concept shortly. Roundcube flaws have historically been exploited by nation-state actors such as APT28 and Winter Vivern for phishing and data theft, so administrators should upgrade promptly: a public PoC plus the ease of obtaining webmail credentials makes this a high-priority fix.
2025-06-03 11:28:58 theregister CYBERCRIME DevOps Tool Misconfigurations Lead to Rampant Crypto Mining
A cryptomining operation tracked by Wiz Threat Research as JINX-0132 is abusing misconfigured DevOps tools to hijack cloud compute. The targets are HashiCorp Nomad and Consul, the Docker Engine API, and Gitea, and in most cases the attackers rely on insecure defaults rather than software bugs. Wiz estimates that 25% of cloud environments run at least one of these tools (20% run Consul), that around 5% of those deployments are reachable from the internet, and that 30% of the exposed ones are misconfigured in a way the group can exploit. Nomad stands out because its default configuration ships with ACLs disabled, so anyone who can reach the API can submit jobs that run attacker-chosen workloads; Consul is abused through script health checks, which run commands on the agent when that option is enabled. An exposed, unauthenticated Docker Engine API likewise lets an attacker start containers on the host, from which they can mount the host filesystem or pivot further into Kubernetes or other hosts. Older Gitea releases have known vulnerabilities, but even patched instances are exploitable if the installation page is left unlocked or if hardening defaults are changed (for example, letting users define git hooks). The immediate recommendations are to enable authentication and ACLs on these tools, reverse insecure defaults, and remove direct internet exposure.
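As an added illustration of the defaults that report describes, the following audit script is example code written for this brief; it is not from the article or from Wiz. It checks the four settings the campaign abuses (Nomad ACLs and bind address, Consul script checks and ACLs, a Docker Engine API served over tcp:// without TLS client authentication, Gitea's INSTALL_LOCK and open registration) and runs them against two constructed sample configurations, one insecure and one hardened. File locations and parsing are deliberately minimal: a real Gitea app.ini may carry keys above its first section, and real Nomad/Consul HCL deserves a proper HCL parser.

```python
"""Audit DevOps tool configs for the insecure defaults abused by JINX-0132.

Added example for this brief; not code from the article or from Wiz.
The sample configurations below are constructed, not taken from a real host.
"""
import json
import re
from configparser import ConfigParser
from typing import List


def audit_nomad(hcl: str) -> List[str]:
    """Nomad agent config (HCL). ACLs stay off unless an acl block enables them."""
    findings = []
    m = re.search(r'\bacl\s*\{[^}]*\benabled\s*=\s*(true|false)', hcl, re.S)
    if not m or m.group(1) != "true":
        findings.append("nomad: ACLs not enabled; anyone reaching the API can submit jobs")
    if re.search(r'\bbind_addr\s*=\s*"0\.0\.0\.0"', hcl):
        findings.append("nomad: bind_addr 0.0.0.0 exposes the HTTP API on every interface")
    return findings


def audit_consul(cfg: dict) -> List[str]:
    """Consul agent config (JSON form)."""
    findings = []
    if cfg.get("enable_script_checks"):
        findings.append("consul: enable_script_checks lets a remote service registration run commands on the agent")
    acl = cfg.get("acl") or {}
    if not acl.get("enabled") or acl.get("default_policy") != "deny":
        findings.append("consul: ACLs disabled or default_policy is not deny")
    return findings


def audit_docker(cfg: dict) -> List[str]:
    """Docker daemon.json. A tcp:// host without tlsverify is an unauthenticated Engine API."""
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"docker: {host} serves the Engine API without TLS client authentication")
    return findings


def audit_gitea(ini_text: str) -> List[str]:
    """Gitea app.ini. (Strip any keys above the first [section] before parsing a real file.)"""
    cp = ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    if not cp.getboolean("security", "INSTALL_LOCK", fallback=False):
        findings.append("gitea: INSTALL_LOCK=false leaves the install page reachable, so anyone can create the admin account")
    if not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("gitea: self-registration is open")
    return findings


def audit_all(nomad_hcl: str, consul_json: str, docker_json: str, gitea_ini: str) -> List[str]:
    """Run every check and return the combined list of findings (empty means clean)."""
    return (audit_nomad(nomad_hcl)
            + audit_consul(json.loads(consul_json))
            + audit_docker(json.loads(docker_json))
            + audit_gitea(gitea_ini))


# Constructed samples. INSECURE mirrors the out-of-the-box settings the campaign abuses.
INSECURE = dict(
    nomad_hcl='datacenter = "dc1"\nbind_addr = "0.0.0.0"\nserver { enabled = true }\n',
    consul_json='{"enable_script_checks": true, "acl": {"enabled": false}}',
    docker_json='{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    gitea_ini="[security]\nINSTALL_LOCK = false\n[service]\nDISABLE_REGISTRATION = false\n",
)

# HARDENED: ACLs on with default deny, local-only script checks, TLS client auth on 2376, installer locked.
HARDENED = dict(
    nomad_hcl='datacenter = "dc1"\nbind_addr = "127.0.0.1"\nserver { enabled = true }\nacl { enabled = true }\n',
    consul_json='{"enable_local_script_checks": true, "acl": {"enabled": true, "default_policy": "deny"}}',
    docker_json='{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true, '
                '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                '"tlskey": "/etc/docker/server-key.pem"}',
    gitea_ini="[security]\nINSTALL_LOCK = true\n[service]\nDISABLE_REGISTRATION = true\n",
)

if __name__ == "__main__":
    for name, sample in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for finding in audit_all(**sample) or ["no findings"]:
            print(" -", finding)
```

Running the script lists seven findings for the insecure set and none for the hardened set. The hardened Consul sample uses enable_local_script_checks rather than enable_script_checks so that script checks can only be registered through the local agent, not over the HTTP API; that is the documented safe alternative and the change that closes the remote command execution path.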
2025-06-03 11:01:31 thehackernews CYBERCRIME Help Desk Scams: A Growing Cyber Threat to Organizations
The article examines the growing prevalence and cost of help desk scams, citing the heavy losses at UK retailers Marks & Spencer and Co-op. In a help desk scam the attacker impersonates an employee and talks support staff into resetting the account's password and MFA, using social engineering and often fluent native English to build trust. Because the reset bypasses MFA outright, the technique is an effective route to high-value accounts with admin privileges and a precursor to data theft and ransomware deployment. Organizations are advised to add friction to help desk resets, with stricter verification for privileged accounts in particular. The article also warns that help desk scams are one tool among many used by actors such as Scattered Spider, alongside other identity-based tactics and advanced phishing, so hardening the help desk should sit within a broader identity security strategy that includes stronger verification procedures and staff training against social engineering.
2025-06-03 10:26:03 bleepingcomputer MALWARE Google Issues Urgent Fix for New Chrome Zero-Day Exploited in Wild
Google has shipped an emergency Chrome update for CVE-2025-5419, a zero-day exploited in the wild. The bug is an out-of-bounds read and write in the V8 JavaScript engine and was reported by Google's own Threat Analysis Group. It is the third Chrome zero-day patched this year, after fixes in March and May. The fixed builds, 137.0.7151.68/.69 for Windows and macOS and 137.0.7151.68 for Linux, are rolling out over the coming weeks; users can force the update now from the Chrome menu under Help > About Google Chrome and then relaunch the browser. Google is withholding details of the exploit until most users have updated. The earlier zero-days this year were used for malware delivery and account takeover.
2025-06-03 09:54:39 theregister DATA BREACH Cartier Alerts Customers of Data Exposure Following Cyber Intrusion
Cartier has notified its customers about a cyber incident where an unauthorized party accessed limited client information. The affected data includes names, email addresses, and countries of residence, but no payment or sensitive personal information was compromised. The jewelry giant has enhanced its system security and is collaborating with top external cybersecurity experts to address the breach. Cartier emphasizes the minor impact of the breach, suggesting that the exposed information is basic and possibly already available through previous breaches or open sources. Authorities have been informed of the breach, though Cartier has not revealed the total number of customers affected. The incident is part of a broader trend of recent digital security breaches impacting major brands like Adidas and Victoria’s Secret. Cartier urges all affected clients to stay vigilant for unusual or suspicious communications.
2025-06-03 09:37:58 thehackernews MALWARE Global Spread and Evolution of Android Trojan Crocodilus
A new Android banking trojan named Crocodilus is actively targeting users in Europe, South America, and other regions, masquerading as legitimate applications. ThreatFabric reports that Crocodilus uses advanced obfuscation techniques to evade detection and has capabilities to launch overlay attacks to steal banking and cryptocurrency credentials. The malware abuses Android accessibility services to capture cryptocurrency wallet seed phrases, enabling theft of virtual assets. Recent developments show the malware extending its operational scope to countries like Poland, Argentina, Brazil, India, Indonesia, and the United States. Distribution methods include deceptive ads on social platforms mimicking banks and e-commerce sites, and fake prompts for web browser updates or online casino applications. New features in the malware include the ability to add contacts in victims' phones, possibly to bypass new security measures introduced by Google. Crocodilus also features an automated seed phrase collector that targets specific cryptocurrency wallets, further enhancing its threat to financial security. These updates indicate not only enhanced technical sophistication but also a strategic expansion of the malware's reach globally.
2025-06-03 09:01:36 bleepingcomputer MALWARE Crocodilus Malware Tricks with Fake Contacts on Android Devices
The latest Crocodilus update adds a feature that plants fake contacts on the infected Android device so that incoming calls from the attacker display as a bank or other trusted entity. First documented in late March 2025, the malware has since gained stronger data-theft and remote-control capabilities and widened its geographic targeting. New evasion measures include code packing and layered XOR encryption of the payload to hinder detection and reverse engineering. The malware also now parses stolen data on the device before exfiltration so the operators receive cleaner output. ThreatFabric's research highlights how quickly the malware is evolving and its growing reliance on social engineering. Android users are advised to install apps only from Google Play or other trusted sources and to keep Google Play Protect enabled.
2025-06-03 07:55:46 thehackernews MISCELLANEOUS Google Chrome to Restrict Trust in Two Certificate Authorities
Google has announced that Chrome will stop trusting TLS server certificates from Chunghwa Telecom and NetLock: certificates chaining to their roots whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 will no longer be trusted, while certificates issued before the cutoff keep working until they expire. Google cited years of compliance failures, unmet improvement commitments, and insufficient progress on publicly disclosed incidents. Visitors to sites presenting a newly issued certificate from either CA will see a full-page interstitial warning. Website operators using these CAs are advised to migrate to another publicly trusted CA before the cutoff. Enterprises that still need these roots can keep them trusted by installing the root certificates locally on managed devices, since Chrome exempts locally installed roots from the distrust. Google took the same step against Entrust last year; Entrust's public certificate business has since been sold to Sectigo. Apple separately distrusted NetLock Arany certificates from November 2024. In March the CA/Browser Forum adopted new requirements for domain control validation and for linting X.509 certificates against insecure practices.