Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
Total articles found: 12757
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-02 14:22:37 | thehackernews | NATION STATE ACTIVITY | Qualcomm Patches Zero-Days Exploited in Targeted Android Attacks | Qualcomm has released updates to fix three zero-day vulnerabilities in its Adreno GPU that were exploited in targeted attacks. The vulnerabilities were responsibly reported by the Google Android Security team, and Google Threat Analysis Group reported indications of exploitation. The specific vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were exploited in limited, targeted scenarios. Patches for the affected GPU drivers were distributed to Original Equipment Manufacturers (OEMs) with an urgent recommendation to update devices immediately. Previous similar vulnerabilities in Qualcomm chipsets have been used by commercial spyware providers such as Variston and Cy4Gate. In a related incident, a security flaw identified as CVE-2024-43047 was used by Serbian authorities to access and spy on Android devices owned by activists and journalists. The exact exploitation methods and the attackers behind the current vulnerabilities remain undisclosed. | Details |
| 2025-06-02 12:30:06 | theregister | DATA BREACH | MainStreet Bancshares Reports Third-Party Data Breach Incident | MainStreet Bancshares disclosed to the SEC that customer data was stolen during an attack on a third-party provider. Approximately 4.65 percent of MainStreet's customer data was compromised in the breach. The company confirmed that its own technical infrastructure was not compromised, and there were no unauthorized transactions or financial losses. MainStreet activated its incident response process immediately upon learning of the breach and discontinued relations with the affected third-party provider. Measures were put in place on May 26, 2025, to monitor for any suspicious activity relating to the impacted customers, who were also notified and provided monitoring tools. Concurrently, U.S. banks are lobbying the SEC to relax rules requiring rapid public disclosure of cybersecurity incidents, arguing that they can lead to premature reporting and potential misuse by criminals. The push against the SEC's disclosure rules highlights ongoing tensions between regulatory requirements and industry concerns over publicity and operational impacts following a cyberattack. | Details |
| 2025-06-02 11:25:02 | thehackernews | NATION STATE ACTIVITY | APT41 Utilizes Google Calendar for Command and Control Operations | | Details |
| 2025-06-02 11:18:03 | bleepingcomputer | CYBERCRIME | Qualcomm Releases Patches for Multiple Exploited Zero-Days | Qualcomm patched three zero-day vulnerabilities in the Adreno GPU, affecting numerous chipsets, after they were used in targeted attacks. Two critical flaws and one high-severity vulnerability were identified, which can cause memory corruption through improper command execution and use-after-free issues. These security issues were reported by the Google Android Security team and are suspected to be part of limited, targeted exploitation. Alongside the GPU issues, Qualcomm also fixed a buffer over-read vulnerability in its Data Network Stack & Connectivity component that could expose sensitive information. In a related incident, a previously fixed zero-day was found to have been exploited by Serbian authorities to unlock devices of activists and journalists, on which NoviSpy spyware was subsequently installed. Qualcomm has consistently addressed security flaws in its chipsets over the years to prevent attackers from accessing private data and system controls. Qualcomm strongly encourages OEMs to deploy the patches promptly to mitigate the exploitation risk. | Details |
| 2025-06-02 11:03:39 | thehackernews | CYBERCRIME | How Critical Industries Combat Sophisticated Cyber Threats | Cyber threats have evolved, prompting industries to adopt heightened security strategies, including network detection and response (NDR). Financial services employ NDR to detect unauthorized data access, safeguard transactions, and uphold regulatory compliance, given their high exposure to targeted attacks. In the energy sector, NDR identifies potential threats early by monitoring both traditional IT and operational technology (OT) environments, which is crucial for maintaining infrastructure integrity. Transportation industries leverage NDR to ensure the safety and efficiency of increasingly interconnected systems, guarding against data breaches and operational disruptions. Government agencies use NDR to detect advanced persistent threats (APTs), support zero trust models, and provide data for threat attribution, all critical for national security. Across these sectors, NDR provides visibility and monitoring capabilities that traditional security measures miss, supporting everything from regulatory compliance to real-time threat detection. The effectiveness of NDR in detecting subtle, sophisticated threats reaffirms its growing importance in future security architectures for protecting critical infrastructure and sensitive data. | Details |
| 2025-06-02 05:57:46 | thehackernews | CYBERCRIME | Cybercriminals Employ NetBird to Target Global Financial Executives | Cybersecurity researchers have identified a sophisticated spear-phishing campaign that uses the legitimate remote access tool NetBird to target CFOs and other financial executives across industries globally. Attackers impersonate a recruiter from Rothschild & Co., enticing victims with a fake PDF attachment that leads to a phishing URL hosted on a Firebase app. Victims are prompted to solve a CAPTCHA, after which the page decrypts and redirects them to download a malicious ZIP archive containing two stages of VBScript payloads. The malware installation process involves setting up NetBird and OpenSSH, creating a hidden account, enabling remote desktop, and ensuring persistence across system reboots. The campaign was first detected in mid-May 2025 and combines intricate social engineering with advanced evasion techniques, making it both stealthy and persistent. The campaign has been operational for about a year, leveraging legitimate software to maintain persistent access to victims' systems and evade detection. Related discoveries include the rise of phishing-as-a-service platforms that facilitate cybercrime through user-friendly web panels and subscription models, escalating the risk and prevalence of phishing scams. Enterprises are urged to boost detection capabilities and invest in user training to combat evolving phishing tactics that exploit human vulnerabilities. | Details |
| 2025-06-02 01:25:30 | theregister | MISCELLANEOUS | Recent Cyber Incidents Reveal Ongoing Threats and New Tactics | Despite an FBI-led takedown attempt, the Lumma infostealer malware continues to operate, with its command and control servers still active. Check Point Research highlights that Lumma's data theft activities are not only persisting but expanding, fueling cybercrime markets. Psychological tactics used in the law enforcement effort aim to destabilize trust between Lumma affiliates and their customers. The Czech government has accused Chinese APT31 of a prolonged espionage attack on its Ministry of Foreign Affairs, demanding that China cease the activity and take responsibility. The FBI has alerted U.S. law firms to a new phishing strategy by the Silent Ransomware Group, which involves fake IT calls and remote access to steal sensitive data. Reports indicate that an AI impersonation of the White House Chief of Staff has been used to solicit funds and privileged information from senior figures. The White House affirms the seriousness of its cybersecurity measures following these incidents and continues to investigate the deepfake situation involving a high-level staff member. | Details |
| 2025-05-31 14:09:49 | bleepingcomputer | MALWARE | Critical Cisco IOS XE Software Flaw Could Allow Full Device Takeover | Technical details of a high-severity flaw in Cisco IOS XE have been released, increasing the risk of exploitation. The CVE-2025-20188 flaw could let attackers upload files and execute commands with root privileges on Wireless LAN Controllers. Cisco attributed the issue to a hard-coded JWT in its software, exploitable when the Out-of-Band AP Image Download feature is active. Researchers provided a detailed analysis but stopped short of releasing a complete exploit script, citing the potential for widespread attacks. Horizon3 demonstrated how the exploit works, using the hardcoded token and path traversal to manipulate device operations. Users are advised to upgrade to the patched version of the software or disable the vulnerable feature as immediate countermeasures. This flaw highlights the ongoing risks of hardcoded credentials and insufficient path validation in device security. | Details |
| 2025-05-31 10:28:53 | theregister | CYBERCRIME | Whistleblower Exposes Conti Ransomware Gang Leaders | An anonymous whistleblower using the name GangExposed has revealed the identities and internal operations of leaders within the Conti and Trickbot ransomware groups. GangExposed released extensive data including chat logs, personal videos, and ransom negotiations, aiming to dismantle the criminal group responsible for extorting billions globally. Key figures identified include 36-year-old Vitaly Nikolaevich Kovalev, aka Stern, leader of Trickbot and Conti, as confirmed by German police, and Vladimir Viktorovich Kvitko, known as Professor. Despite a $10 million U.S. government bounty for information, GangExposed claims no interest in the reward, focusing instead on disrupting the criminals' activities. Conti leaders reportedly relocated to Dubai in 2020, continuing their operations against Western entities while maintaining a network that includes luxury assets and corporate connections. GangExposed obtained information through darknet services and semi-closed databases, and aims to see key members sanctioned and listed on Interpol's wanted persons list. Speculation has arisen about GangExposed's motives, with some suggesting the whistleblower may be a former insider seeking revenge or aiming to expose criminal activities through detailed leaks. | Details |
| 2025-05-31 10:28:52 | thehackernews | MALWARE | Flaws in Linux Core Dump Handlers Risk Sensitive Data Exposure | Two new vulnerabilities found in Linux core dump handlers can lead to sensitive data exposure, impacting systems including Ubuntu, RHEL, and Fedora. Identified as CVE-2025-5054 and CVE-2025-4598, these flaws arise from race conditions that allow local attackers to access password hashes. Exploitation enables attackers to read core dumps of SUID executables, potentially revealing user passwords and other confidential information. Red Hat rates the exploit complexity of CVE-2025-4598 as moderate, since it requires winning a race condition and an unprivileged local account. Mitigation includes disabling core dump generation for SUID binaries via system configuration, which reduces risk at the expense of detailed crash analysis. Proof-of-concept code developed by Qualys can exploit these vulnerabilities under controlled laboratory conditions but has limited real-world applicability. Enterprises are advised to enforce rapid patching and robust monitoring to protect against potential confidentiality breaches and compliance issues. | Details |
| 2025-05-31 07:22:29 | thehackernews | CYBERCRIME | Multinational Operation Seizes Domains Linked to Cybercrime Services | A multinational law enforcement effort has dismantled a network providing crypting services that helped malware evade antivirus detection. The U.S. Department of Justice, in collaboration with Dutch and Finnish authorities, seized four key domains on May 27, 2025, that were crucial to cybercriminal operations, including AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru. Operation Endgame, which commenced in 2024, targets the infrastructure supporting global cybercrime, and this marks its fourth major action. Undercover operations confirmed the seized domains were actively used in cybercrime, offering services to obscure malware and thereby enabling unauthorized access to computer systems. These services allowed criminals to refine malware for enhanced evasion against advanced security systems and forensic analysis. PureCrypter, a malware-as-a-service (MaaS) offering reported to distribute information stealers, demonstrates ongoing advances in evasion techniques and highlights the necessity of this operation. The law enforcement action involved several countries, emphasizing a collaborative international effort to combat cyber threats effectively. | Details |
| 2025-05-30 19:30:57 | bleepingcomputer | CYBERCRIME | Hackers Exploit Critical Flaws in Popular vBulletin Forum Software | Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, were identified in vBulletin software, affecting versions 5.0.0 to 5.7.5 and 6.0.0 to 6.0.3. These flaws allow API method invocation and remote code execution via template engine abuse and are rated 10.0 and 9.0 respectively on the CVSS v3 scale. The vulnerabilities were patched quietly in a previous update, but many forums remain vulnerable because they have not updated their software. Active exploitation of these vulnerabilities has been observed, with attackers employing methods detailed by researcher Egidio Romano. Attackers have managed to execute unauthenticated remote code on servers, potentially gaining shell access as the web server user. Exploitation attempts have been traced back to attackers in Poland, who have been trying to deploy PHP backdoors. Forum administrators are urged to apply the latest security updates or upgrade to the newest vBulletin release (version 6.1.1), which is not susceptible to these flaws. | Details |
| 2025-05-30 19:07:44 | theregister | NATION STATE ACTIVITY | ConnectWise Reports Sophisticated Nation-State Cyberattack | ConnectWise, an IT management software vendor, confirmed a security breach by a sophisticated nation-state actor affecting a limited number of customers using ScreenConnect, a remote access tool. The breach, initially disclosed in a May 28 advisory, involved unauthorized access to IT environments and subsequent breaches at customer sites. Major clients such as Panasonic, Swarovski, Aflac, and Honeywell use ScreenConnect, highlighting the potential impact of such a supply-chain attack on businesses. Immediately after discovery, ConnectWise engaged Mandiant, a reputable forensic investigation firm, and intensified scrutiny and security measures across its networks to prevent further unauthorized activity. The breach details remain partially undisclosed; however, the vulnerability CVE-2025-3935 in ScreenConnect, patched prior to the breach, was suggested as a potential avenue used by the attackers. One affected customer shared their frustration on Reddit, indicating that the breach notification was vague and delayed, stating that the breach occurred in November 2024 and is under FBI investigation. Although no further suspicious activity has been observed post-remediation, the long-term implications of the breach for ConnectWise and its clients, particularly concerning trust and security, remain significant. | Details |
| 2025-05-30 18:35:32 | theregister | NATION STATE ACTIVITY | DoD IT Specialist Arrested for Leaking Secrets to Undercover FBI | Nathan Vilas Laatsch, a 28-year-old IT specialist at the Defense Intelligence Agency, was apprehended for attempting to pass classified documents to what he believed was a foreign government. Laatsch, disillusioned with current U.S. administration values, claimed he wanted to act in support of traditional U.S. ideals by sharing top secret information. Initially contacting a foreign entity in March, Laatsch was unaware that his communications were intercepted by the FBI, who then posed as representatives of the foreign government. Over several days, Laatsch transcribed sensitive information onto a USB drive at his workplace, intending to drop it in a public park for retrieval by supposed foreign agents. During the orchestrated drop on May 1, FBI agents recovered the USB drive and found it contained files classified up to the top secret level. Following a second attempted information drop, in which Laatsch transmitted notes concealed within his clothing, he was arrested by the FBI on May 29. Facing serious charges, Laatsch expressed a preference for foreign citizenship as compensation for his actions but stated that financial compensation was not his primary motive. FBI director Kash Patel highlighted the case as a stark reminder of the ongoing threat posed by insider risks to national security. | Details |
| 2025-05-30 17:39:07 | theregister | CYBERCRIME | Fred Hutchinson Cancer Center Settles for $52.5M After Cyber Extortion | The Fred Hutchinson Cancer Center in Seattle agreed to a $52.5 million settlement following a cyberattack in November 2023. Personal and sensitive data of cancer patients were stolen, including health diagnoses, treatments, and insurance information. Cybercriminals used the stolen data to threaten patients with swatting attacks unless they paid to prevent the sale of their data. The settlement includes cash compensation to affected parties, investments in security infrastructure, and funds for medical fraud monitoring. Around 140,000 people applied for the settlement benefits by the specified deadline, with individual payments of up to $5,000 based on material losses. Despite the attackers' severe tactics, Fred Hutch did not pay any ransom and claims no patient data has been sold post-attack. The attack was executed by exploiting the CitrixBleed vulnerability; the responsible group, Hunters International, claimed the attack among others. | Details |