Daily Brief


Total articles found: 11823

Checks for new stories every ~15 minutes

2025-06-02 11:03:39 thehackernews CYBERCRIME How Critical Industries Combat Sophisticated Cyber Threats
Cyber threats have evolved, prompting industries to adopt heightened security strategies, including network detection and response (NDR). Financial services employ NDR to detect unauthorized data access, safeguard transactions, and uphold regulatory compliance due to their high exposure to targeted attacks. In the energy sector, NDR identifies potential threats early, monitoring both traditional IT and operational technology (OT) environments, which is crucial for maintaining infrastructure integrity. Transportation industries leverage NDR to ensure the safety and efficiency of increasingly interconnected systems, guarding against data breaches and operational disruptions. Government agencies utilize NDR to detect advanced persistent threats (APTs), support zero trust models, and provide data for threat attribution, critical for national security. Across these sectors, NDR provides essential visibility and monitoring capabilities that traditional security measures miss, handling everything from regulatory compliance to real-time threat detection. The effectiveness of NDR in detecting subtle, sophisticated threats reaffirms its growing importance in future security architectures for protecting critical infrastructure and sensitive data.
2025-06-02 05:57:46 thehackernews CYBERCRIME Cybercriminals Employ NetBird to Target Global Financial Executives
Cybersecurity researchers have identified a sophisticated spear-phishing campaign using the legitimate remote access tool NetBird to target CFOs and other financial executives in various industries globally. Attackers impersonate a recruiter from Rothschild & Co., enticing victims with a fake PDF attachment that leads to a Firebase app-hosted phishing URL. Victims are tricked into solving a CAPTCHA, after which the page decrypts and redirects them to download a malicious ZIP archive containing two stages of VBScript payloads. The malware installation process involves setting up NetBird and OpenSSH, creating a hidden account, enabling remote desktop, and ensuring persistence across system reboots. This attack was first detected in mid-May 2025 and involves intricate social engineering and advanced evasion techniques, making it both stealthy and persistent. The malware campaign has been operational for about a year, leveraging legitimate software to maintain persistent access to victims' systems and evade detection. Related discoveries include the rise of phishing-as-a-service platforms facilitating cybercrime through user-friendly web panels and subscription models, escalating the risk and prevalence of phishing scams. Enterprises are urged to boost detection capabilities and invest in user training to combat evolving phishing tactics that exploit human vulnerabilities.
2025-06-02 01:25:30 theregister MISCELLANEOUS Recent Cyber Incidents Reveal Ongoing Threats and New Tactics
Despite an FBI-led takedown attempt, the Lumma infostealer malware continues its operations, with command and control servers still active. Check Point Research highlights that Lumma's data theft activities are not only persisting but expanding, fueling cybercrime markets. Psychological tactics used in law enforcement efforts aim to destabilize the trust between Lumma affiliates and their customers. The Czech government has accused Chinese APT31 of a prolonged espionage attack on its Ministry of Foreign Affairs, demanding cessation and responsibility from China. The FBI alerts U.S. law firms of a new phishing strategy by the Silent Ransomware Group, which involves fake IT calls and remote access to steal sensitive data. Reports indicate that an AI impersonation of the White House Chief of Staff has been used to solicit funds and privileged information from senior figures. The White House confirms the seriousness of its cybersecurity measures following these incidents and continues to investigate the deepfake situation involving a high-level staff member.
2025-05-31 14:09:49 bleepingcomputer MALWARE Critical Cisco IOS XE Software Flaw Could Allow Full Device Takeover
Technical details of a high-severity flaw in Cisco IOS XE have been released, increasing the risk of exploitation. The CVE-2025-20188 flaw could let attackers upload files and execute commands with root privileges on Wireless LAN Controllers. Cisco attributed the issue to a hard-coded JWT in the software, exploitable when the Out-of-Band AP Image Download feature is active. Researchers provided a detailed analysis but stopped short of releasing a complete exploit script, citing the potential for widespread attacks. Horizon3 demonstrated how the exploit works, using hardcoded tokens and path traversal to manipulate device operations. Users are advised to upgrade to the patched version of the software or disable the vulnerable feature as immediate countermeasures. This flaw highlights the ongoing risks associated with hardcoded credentials and insufficient path validation in device security.
2025-05-31 10:28:53 theregister CYBERCRIME Whistleblower Exposes Conti Ransomware Gang Leaders
An anonymous whistleblower named GangExposed has revealed the identities and internal operations of leaders within the Conti and Trickbot ransomware groups. GangExposed released extensive data including chat logs, personal videos, and ransom negotiations, aiming to dismantle the criminal group responsible for extorting billions globally. Key figures identified include 36-year-old Vitaly Nikolaevich Kovalev, aka Stern, leader of Trickbot and Conti, confirmed by German police, and Vladimir Viktorovich Kvitko, known as Professor. Despite a $10 million U.S. government bounty on information, GangExposed claims no interest in the reward, focusing instead on disrupting the criminals' activities. Conti leaders reportedly relocated to Dubai in 2020, continuing their operations targeting Western entities while maintaining a network that includes luxury assets and corporate connections. GangExposed obtained information through darknet services and semi-closed databases, and aims to see key members sanctioned and listed on Interpol's wanted persons list. Speculation surrounds GangExposed's motives, with some suggesting he might be a former insider seeking revenge or aiming to expose criminal activities through detailed leaks.
2025-05-31 10:28:52 thehackernews MALWARE Flaws in Linux Core Dump Handlers Risk Sensitive Data Exposure
Two new vulnerabilities found in Linux core dump handlers can lead to sensitive data exposure, impacting systems including Ubuntu, RHEL, and Fedora. Identified as CVE-2025-5054 and CVE-2025-4598, these flaws arise from race conditions allowing local attackers to access password hashes. Exploitation enables attackers to read core dumps of SUID executables, potentially revealing user passwords and other confidential information. Red Hat labels CVE-2025-4598's exploit complexity as moderate, requiring control over a race condition and an unprivileged local account. Mitigation includes disabling core dump generation for SUID binaries via system configuration, reducing risk at the expense of detailed crash analysis. Proof-of-concept code developed by Qualys can exploit these vulnerabilities under controlled laboratory conditions but has limited real-world applicability. Enterprises are advised to enforce rapid patching and robust monitoring to protect against potential confidentiality breaches and compliance issues.
2025-05-31 07:22:29 thehackernews CYBERCRIME Multinational Operation Seizes Domains Linked to Cybercrime Services
A multinational law enforcement effort has dismantled a network providing crypting services that help malware evade antivirus detection. The U.S. Department of Justice, in collaboration with Dutch and Finnish authorities, seized four key domains on May 27, 2025, crucial for cybercriminal operations, namely AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru. Operation Endgame, which commenced in 2024, targets the infrastructure supporting global cybercrime, marking this as its fourth major action. Undercover operations confirmed the seized domains were actively used in cybercrime activities, with services provided to obscure malware, thereby enabling unauthorized access to computer systems. These services allowed criminals to refine malware for enhanced evasion capabilities against advanced security systems and forensic analysis. PureCrypter, another malware-as-a-service (MaaS) said to distribute information stealers, demonstrates ongoing advancements in evasion techniques, highlighting the necessity of this operation. The law enforcement action involved several countries, emphasizing a collaborative international effort to combat cyber threats effectively.
2025-05-30 19:30:57 bleepingcomputer CYBERCRIME Hackers Exploit Critical Flaws in Popular vBulletin Forum Software
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, were identified in vBulletin software, affecting versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3. These flaws allow for API method invocation and remote code execution via template engine abuse and are rated 10.0 and 9.0 respectively on the CVSS v3 scale. The vulnerabilities were patched quietly in a previous update, but many forums remain vulnerable due to not updating their software. Active exploitation of these vulnerabilities has been observed, with attackers employing methods detailed by researcher Egidio Romano. Attackers have managed to execute remote, unauthenticated code on servers, potentially gaining shell access as the web server user. Exploitation attempts have been traced back to attackers in Poland, who have been trying to deploy PHP backdoors. Forum administrators are urged to apply the latest security updates or upgrade to the newest vBulletin release (version 6.1.1) which is not susceptible to these flaws.
2025-05-30 19:07:44 theregister NATION STATE ACTIVITY ConnectWise Reports Sophisticated Nation-State Cyberattack
ConnectWise, an IT management software vendor, confirmed a security breach by a sophisticated nation-state actor impacting a limited number of customers using ScreenConnect, a remote access tool. The breach, initially disclosed in a May 28 advisory, involved unauthorized access to its IT environment and subsequent breaches at customer sites. Major clients like Panasonic, Swarovski, Aflac, and Honeywell are users of ScreenConnect, highlighting the potential impact of such a supply-chain attack on businesses. Immediately post-discovery, ConnectWise engaged Mandiant, a reputable forensic investigation firm, intensifying scrutiny and security measures across its networks to prevent further unauthorized activities. The breach details remain partially undisclosed; however, the vulnerability CVE-2025-3935 in ScreenConnect, patched prior to the breach, was suggested as a potential exploit used by attackers. One affected customer shared their frustration on Reddit, indicating that the breach notification was vague and delayed, stating it occurred in November 2024 and is under FBI investigation. Despite not observing further suspicious activities post-remediation, the long-term implications for ConnectWise and its clients over the breach, particularly concerning trust and security, remain significant.
2025-05-30 18:35:32 theregister NATION STATE ACTIVITY DoD IT Specialist Arrested for Leaking Secrets to Undercover FBI
Nathan Vilas Laatsch, a 28-year-old IT specialist at the Defense Intelligence Agency, was apprehended for attempting to pass classified documents to what he believed was a foreign government. Laatsch, disillusioned with current U.S. administration values, claimed he wanted to act in support of traditional U.S. ideals by sharing top secret information. Initially contacting a foreign entity in March, Laatsch was unaware that his communications were intercepted by the FBI, who then posed as representatives from the foreign government. Over several days, Laatsch transcribed sensitive information onto a USB drive at his workplace, intending to drop it in a public park for retrieval by supposed foreign agents. During the orchestrated drop on May 1, FBI agents recovered the USB drive, finding it contained files classified up to the top secret level. Following a second attempted information drop, where Laatsch transmitted notes concealed within his clothing, he was arrested by the FBI on May 29. Facing serious charges, Laatsch expressed a preference for foreign citizenship as compensation for his actions but stated financial compensation was not his primary motive. FBI director Kash Patel highlighted the case as a stark reminder of the ongoing threat posed by insider risks to national security.
2025-05-30 17:39:07 theregister CYBERCRIME Fred Hutchinson Cancer Center Settles for $52.5M After Cyber Extortion
The Fred Hutchinson Cancer Center in Seattle agreed to a $52.5 million settlement following a cyberattack in November 2023. Personal and sensitive data of cancer patients were stolen, including health diagnoses, treatments, and insurance information. Cybercriminals used the stolen data to threaten patients with swatting attacks unless they paid to prevent the sale of their data. The settlement includes cash compensation to affected parties, investments in security infrastructure, and funds for medical fraud monitoring. Around 140,000 people applied for the settlement benefits by the specified deadline, with individual payments up to $5,000 based on material losses. Despite severe tactics by the attackers, Fred Hutch did not pay any ransom and claims no patient data has been sold post-attack. The attack was executed by exploiting the CitrixBleed vulnerability; the responsible group, Hunters International, claimed the attack among others.
2025-05-30 16:47:42 bleepingcomputer CYBERCRIME International Police Shut Down Cybercriminal Antivirus Testing Site
An international law enforcement collaboration successfully dismantled AVCheck, a prominent counter-antivirus service utilized by cybercriminals. AVCheck allowed attackers to check if their malware would be detected by commercial antivirus programs prior to broader deployment. Authorities have also linked AVCheck to crypting services like Cryptor.biz and Crypt.guru, essential for obfuscating malware to evade detection. The seizure of AVCheck and related crypting services is a strategic move to disrupt cybercriminal activities at early stages, aiming to reduce potential victimization. The operation involved undercover agents purchasing from AVCheck to establish its role in facilitating cybercrimes, which included connections to known ransomware attacks on American targets. This bust was part of Operation Endgame, which also saw the seizure of 300 servers and 650 domains utilized in various ransomware operations. The takedown underscored the intricate ecosystems supporting malware operations and the importance of international cooperation in tackling advanced cyber threats.
2025-05-30 16:39:21 theregister MISCELLANEOUS Meta Partners with Anduril, Ventures into Defense Contracting
Meta, formerly known as Facebook, has formed a partnership with defense firm Anduril Industries for the development of extended reality (XR) products. The collaboration follows Meta's extensive investments totaling $80 billion in virtual, augmented, and mixed reality technologies since acquiring Oculus in 2014. Meta's Reality Labs division has reported significant financial losses, approximating $4.2 billion in Q1 2025 alone, and consistent losses in preceding quarters. This strategic move into defense aims to produce augmented and virtual reality tools that enhance battlefield intelligence and decision-making for the U.S. military. The partnership leverages Anduril's Lattice platform, which integrates AI to provide real-time data and insights to soldiers through AR/VR interfaces. This venture is seen as an opportunity to rejuvenate Meta's struggling tech initiatives and potentially yield returns on their hefty VR investments amid the challenging consumer tech market. Both companies emphasize the dual-use nature of the technology, aiming to support national security and redefine the capabilities of American servicemembers.
2025-05-30 16:00:47 bleepingcomputer CYBERCRIME Germany Identifies Leader of Infamous TrickBot and Conti Groups
Germany's Federal Criminal Police Office (BKA) has identified 36-year-old Russian Vitaly Nikolaevich Kovalev as the leader of the cybercrime gangs TrickBot and Conti. Kovalev, also known as "Stern," is believed to have founded the TrickBot group and was previously charged in a U.S. operation along with six other Russians. The cybercrime operations included the use of various malware such as Trickbot, Ryuk, and Conti affecting hundreds of thousands of systems globally including hospitals and public facilities. Germany has issued an Interpol red notice for Kovalev and suspects he currently resides in Russia. In February 2023, Kovalev's role was detailed further following leaks (TrickLeaks and ContiLeaks) which exposed internal communications and identities of gang members. Following the exposure, the Conti gang was reportedly disbanded, with members migrating to other cybercrime groups. German authorities have described the TrickBot group as highly organized, project-oriented, and consisting of over 100 members at its peak.
2025-05-30 14:17:17 thehackernews MALWARE EDDIESTEALER Malware Exploits CAPTCHA to Steal Sensitive Data
EDDIESTEALER is a novel Rust-based malware distributed through deceptive CAPTCHA verification pages, tricking users into downloading it via a PowerShell script. Attackers compromise legitimate websites and insert malicious JavaScript that prompts bogus CAPTCHA verifications, leading victims to initiate the download process themselves. The malware targets a range of data including credentials, cryptocurrency wallets, browser information, and more from various applications including FTP clients and messaging apps. EDDIESTEALER is designed to bypass specific browser security features, allows configuration changes by the command-and-control operator, and uses encrypted communications to exfiltrate data. Elastic Security Labs highlights the increasing use of Rust in malware development for its capabilities to enhance stealth and resilience against detection. The article also discusses other related malware campaigns targeting multiple platforms, indicating a broader trend of sophisticated cyberattacks involving data theft. Security disclosures reveal various tactics like browser redirections and device-specific exploits used to spread different types of info-stealing malware across operating systems.