Daily Brief

Articles are listed below; each headline is followed by a generated summary.

Total articles found: 12759

Checks for new stories every ~15 minutes

2025-05-30 04:11:29 thehackernews NATION STATE ACTIVITY Meta Disrupts Coordinated Influence Operations Across Multiple Nations
Meta announced the disruption of three influence operations, linked to Iran, China, and Romania, that aimed to manipulate public discourse. The Romanian network ran 658 Facebook accounts plus others on platforms such as TikTok and YouTube, pushing localized content to appear credible to Romanian audiences. The Iranian operation, tracked as Storm-2035, targeted Azeri-speaking audiences with about 60 social media accounts and used popular hashtags to blend into broader conversations. The Chinese-linked activity used AI-generated profiles and account farms to shape discourse in Myanmar, Japan, and Taiwan, criticizing local resistance movements and foreign relations. In total, the operations relied on a web of fake accounts across Facebook, Instagram, X and other platforms to sway public opinion and regional political narratives. Meta describes the takedowns as part of its ongoing platform-integrity work, using detection methods intended to identify and remove such campaigns before they gain traction.
2025-05-30 00:40:39 theregister MISCELLANEOUS SentinelOne Service Outage Affects Customers Globally
SentinelOne suffered a significant service disruption affecting multiple products, including threat intelligence and endpoint protection. The outage took down commercial customer consoles, reducing visibility for managed detection and response services, although SentinelOne said endpoint protection on the agents themselves remained active throughout. Early assessments by SentinelOne attribute the outage to cloud infrastructure problems rather than a security breach. All services were restored by Thursday evening at 7:41 PM UTC. Several customers learned of the outage from social media before SentinelOne issued official communications. AWS reported a minor, hour-long issue that day, which does not account for the roughly six hours SentinelOne was down; the incident nonetheless highlighted SentinelOne's dependence on AWS for hosting as a potential factor in the disruption.
2025-05-30 00:19:52 theregister CYBERCRIME U.S. Treasury Sanctions Philippine Company Over $200M Scam Operations
The U.S. Treasury has placed sanctions on Funnull Technology Inc, a company based in the Philippines, blocking all of its property and assets in the United States. Funnull Technology, managed by Chinese national Liu Lizhi, hosted infrastructure for widespread pig butchering scams that cost American victims over $200 million. These scams rely on social engineering, primarily romantic deceit, to build trust before convincing victims to invest in fake schemes, often involving cryptocurrencies. Liu Lizhi was sanctioned individually for his administrative role and for possessing documents detailing the fraudulent activities and operations. In conjunction with the sanctions, the FBI warned about Funnull's practices, including reselling IP addresses and internet infrastructure to cybercriminals for scam websites, and noted that the sanctioned entity was linked to a large number of virtual currency investment scam sites reported to the bureau. The action underlines ongoing efforts by U.S. authorities to curb cybercrime that both targets individuals' finances and undermines legitimate digital asset ecosystems.
2025-05-29 23:50:26 bleepingcomputer MISCELLANEOUS Microsoft Authenticator Ends Password Autofill, Promotes Edge
The Microsoft Authenticator app has started alerting users that its password autofill feature will be deprecated in July. Users are encouraged to export their passwords or switch to Microsoft Edge to retain autofill functionality. After the deprecation, saved passwords will be accessible through Microsoft Edge, which adds protections such as Microsoft Defender SmartScreen. The Authenticator app will continue to support secure sign-in features such as multi-factor authentication and biometric confirmation. Users who do not wish to use Microsoft Edge can export their passwords as a CSV file and import them into another password manager; the CSV is unencrypted, so it should be imported promptly and then securely deleted. The move is part of Microsoft's broader effort to consolidate password management in its own browser.
2025-05-29 21:53:51 theregister MISCELLANEOUS Windows 11 Patch Fails on VMs, Sends Systems into Recovery Mode
Microsoft's latest Patch Tuesday update for Windows 11 is failing to install on some virtual machines. Affected systems, primarily VMs on Azure, Citrix and Hyper-V, display a boot error and drop into recovery mode. The error references ACPI.sys, the driver responsible for power management and hardware resource control in Windows. Those affected are mostly enterprise deployments; Windows 11 Home and Pro users are generally unaffected. Microsoft has provided no definitive workaround beyond recommending that affected environments hold off on the update until a fix ships. The issue follows a series of problematic Microsoft updates, including one that broke Remote Desktop sessions and another with a security regression. Microsoft has acknowledged the problem and says engineers are working on a resolution.
2025-05-29 19:54:47 theregister NATION STATE ACTIVITY Lt. Gen. McMaster Accuses China of Preparing for War with U.S.
Retired US Army Lt. Gen. H.R. McMaster testified to the U.S. House Homeland Security Committee that Chinese espionage deep within U.S. networks indicates preparation for war. McMaster pointed to China's sharp increase in defense spending and to the development of a potential first-strike nuclear capability aimed at crippling U.S. critical infrastructure. He also highlighted Chinese surveillance tactics, including spy balloons, as part of a broader intelligence collection strategy targeting U.S. communications. Wendi Whitmore of Palo Alto Networks corroborated the intensity of the cyber threat from nations such as China, saying her company blocks billions of attacks daily, a significant share of them novel. Both witnesses described public-private partnerships, including the proposed codification of CISA's JCDC, as crucial to national cybersecurity readiness, and urged the U.S. to treat these escalating threats seriously in order to harden defenses against a potential large-scale conflict.
2025-05-29 19:15:59 bleepingcomputer NATION STATE ACTIVITY Nation-State Hackers Breach ConnectWise, Impacting ScreenConnect Users
ConnectWise confirmed a cyberattack by a suspected nation-state actor that affected a limited number of ScreenConnect customers. The company detected suspicious activity in its environment, engaged Mandiant to investigate, and is coordinating with law enforcement. The breach specifically affected cloud-hosted ScreenConnect instances and was discovered after ConnectWise rolled out security enhancements including expanded monitoring and network hardening. Customers discussing the incident linked it to CVE-2025-3935, a high-severity ViewState code injection flaw in ScreenConnect patched on April 24. The breach reportedly dates back to August 2024 but was not detected until May 2025, with the threat actors believed to have used stolen ASP.NET machine keys to forge ViewState and achieve remote code execution. ConnectWise has patched the vulnerability on its cloud-hosted platforms and reports no further suspicious activity since the enhancements. The full extent of the data compromised and the exact number of affected customers have not been disclosed.
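To make the "stolen machine keys" point concrete, here is an added example, not ConnectWise's or Microsoft's code, modelling how a server-side MAC protects ViewState and why a leaked validation key defeats it. Real ASP.NET ViewState is a binary ObjectStateFormatter blob whose MAC mixes in a per-page modifier and the configured validation algorithm; the JSON payload, plain HMAC-SHA256 layout and the "/Login.aspx" modifier used here are assumptions made for illustration, but the trust relationship is the same.

```python
"""Simplified model of ViewState integrity and why a leaked machineKey matters.

Added example; layout (JSON payload + HMAC-SHA256, page path as modifier)
is an assumption for illustration, not the real ASP.NET format.
"""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = 32  # HMAC-SHA256 digest length


def sign_viewstate(state: dict, validation_key: bytes, modifier: bytes) -> str:
    """Serialise state and append a MAC keyed with the server's validationKey."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload + modifier, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def load_viewstate(blob: str, validation_key: bytes, modifier: bytes) -> dict:
    """Verify the MAC before deserialising; reject anything that does not validate."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def _outcome(blob: str, key: bytes, modifier: bytes) -> str:
    try:
        load_viewstate(blob, key, modifier)
        return "accepted"
    except ValueError:
        return "rejected"


def run_scenario() -> dict:
    """Four situations a defender should be able to reason about."""
    server_key = secrets.token_bytes(64)
    modifier = b"/Login.aspx"          # illustrative per-page modifier (assumption)
    legit = sign_viewstate({"txtUser": ""}, server_key, modifier)

    # 1. Tampering without the key: flip one payload byte, the MAC no longer matches.
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0xFF
    tampered = base64.b64encode(bytes(raw)).decode()

    # 2. Attacker holding the leaked key: the server cannot distinguish this from
    #    its own output. In real ASP.NET the payload would carry a deserialisation
    #    gadget, which is how a valid MAC turns into code execution.
    forged = sign_viewstate({"__gadget": "attacker-controlled object graph"}, server_key, modifier)

    # 3. After the key is rotated, the forged blob stops validating (and so does
    #    any legitimate ViewState issued under the old key, hence the transient errors).
    rotated_key = secrets.token_bytes(64)

    return {
        "tampered_without_key": _outcome(tampered, server_key, modifier),
        "forged_with_leaked_key": _outcome(forged, server_key, modifier),
        "forged_after_rotation": _outcome(forged, rotated_key, modifier),
        "legit_after_rotation": _outcome(legit, rotated_key, modifier),
    }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:24} {result}")
```

The practical consequence for anyone who suspects their machine keys were exposed: patching the injection bug alone does not help, because a forged ViewState signed with the old key is indistinguishable from a genuine one. The keys have to be regenerated on every node that shares them, and operators should expect a short burst of ViewState validation errors from pages rendered before the rotation.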
2025-05-29 16:33:33 bleepingcomputer CYBERCRIME Abuse of Google Apps Script in Recent Phishing Attacks
Threat actors are abusing Google Apps Script to host convincing phishing pages under Google's trusted domain. Cofense researchers uncovered the scheme, which mimics legitimate Google login screens to steal credentials. The lure emails pose as invoices or tax communications and direct victims to the malicious pages; once credentials are entered on the fake login page, the victim is redirected to the real service to reduce suspicion. Because the script runs and is edited on Google's side, attackers can change the phishing page's behaviour without changing the URL already sent to victims. Suggested defenses include stricter email security settings and blocking or flagging Google Apps Script URLs where the organisation does not rely on them. The technique capitalizes on the trust afforded to Google's domain, which makes it harder for reputation-based controls to flag the attempt. Google has yet to respond to inquiries about specific anti-abuse measures following these findings.
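As an added example of the "flag Apps Script URLs" suggestion (not Cofense's or Google's code), the following scores mail on whether its links land on an Apps Script web app and whether the text carries the invoice or credential themes described above. The URL shapes matched (script.google.com/macros/s/<id>/exec and the Workspace form script.google.com/a/macros/<domain>/s/<id>/exec) are the standard Apps Script deployment URLs; the sample messages, the deployment ids in them and the allow-list are constructed for this example.

```python
"""Flag mail whose links land on Google Apps Script web apps.

Added example; sample messages, deployment ids and the allow-list are
constructed, not taken from any real campaign.
"""
import re
from dataclasses import dataclass, field
from typing import AbstractSet, Dict, List, Tuple

APPS_SCRIPT_RE = re.compile(
    r"https?://script\.google\.com/(?:a/macros/[^/\s]+|macros)/s/(?P<deployment>[\w-]+)/(?:exec|dev)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
# Themes the page reports for the lures: invoices, tax notices, credential prompts.
LURE_TERMS = ("invoice", "tax", "payment", "sign in", "log in", "password", "verify")


@dataclass
class Finding:
    subject: str
    script_deployments: List[str] = field(default_factory=list)
    lure_terms: List[str] = field(default_factory=list)
    verdict: str = "pass"   # pass | flag | block


def analyse_email(subject: str, body: str, allowed_deployments: AbstractSet[str] = frozenset()) -> Finding:
    """Rate one message. An Apps Script link plus an invoice/credential lure is
    'block'; an Apps Script link alone is 'flag' for review. Deployment ids in
    allowed_deployments are the organisation's own web apps and are ignored,
    since blocking script.google.com wholesale breaks legitimate internal tools."""
    finding = Finding(subject=subject)
    for url in URL_RE.findall(body):
        match = APPS_SCRIPT_RE.search(url)
        if match and match.group("deployment") not in allowed_deployments:
            finding.script_deployments.append(match.group("deployment"))
    text = f"{subject}\n{body}".lower()
    finding.lure_terms = [term for term in LURE_TERMS if term in text]
    if finding.script_deployments and finding.lure_terms:
        finding.verdict = "block"
    elif finding.script_deployments:
        finding.verdict = "flag"
    return finding


# Constructed sample messages (subject, body); none of these URLs are real deployments.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "invoice_lure": (
        "Invoice #4471 overdue",
        "Please sign in to review the invoice: "
        "https://script.google.com/macros/s/AKfycbEXAMPLE_PHISH_ID/exec?inv=4471",
    ),
    "internal_form": (
        "Lunch order form",
        "Pick your option here: https://script.google.com/a/macros/example.com/s/AKfycbINTERNAL_FORM/exec",
    ),
    "plain_invoice": (
        "Invoice #4471 overdue",
        "Download it from https://billing.example.com/invoice/4471",
    ),
    "unknown_script": (
        "Team survey",
        "Two minutes of your time: https://script.google.com/macros/s/AKfycbUNKNOWN_SURVEY/dev",
    ),
}
ALLOWED_DEPLOYMENTS = {"AKfycbINTERNAL_FORM"}   # the organisation's own web apps (assumed)


def triage(samples: Dict[str, Tuple[str, str]] = SAMPLES,
           allowed: AbstractSet[str] = ALLOWED_DEPLOYMENTS) -> Dict[str, str]:
    """Verdict per sample message."""
    return {name: analyse_email(subj, body, allowed).verdict for name, (subj, body) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:15} {verdict}")
```

The allow-list is the part worth getting right: the page's point is that the phishing page lives on a Google-owned host, so the only stable attacker-specific signal in the link is the deployment id, and an organisation that uses Apps Script internally should pin its own ids rather than block the domain outright.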
2025-05-29 16:26:12 theregister MALWARE Sophisticated Botnet Targets 8,000+ Asus Routers for Stealth Control
Thousands of Asus routers have been compromised by a botnet named AyySSHush, as detected by the threat monitoring firm GreyNoise. The operators combine brute-force login attempts with authentication bypass bugs to gain initial access, execute arbitrary commands, and disable the routers' Trend Micro security features. Compromised routers have an SSH backdoor installed; because it lives in the device's configuration rather than its firmware, it survives firmware updates and is nearly invisible. GreyNoise delayed disclosure for several months after discovery while coordinating with governments and industry partners. The affected models are popular ones, including the RT-AC3100, RT-AC3200, and RT-AX55. GreyNoise notes similarities between this botnet and the ViciousTrap campaign described by French research group Sekoia. Asus has issued patches for the vulnerabilities, but an already-compromised device still needs a factory reset to remove the backdoor, since patching alone does not clear it.
2025-05-29 16:12:35 bleepingcomputer CYBERCRIME Safari Vulnerability Enables Deceptive Fullscreen Attacks
A flaw in Apple's Safari web browser enables fullscreen browser-in-the-middle (BitM) attacks, posing significant credential theft risks. Attackers exploit the Fullscreen API in Safari, allowing them to obscure browser guardrails and deceive users into revealing sensitive information. SquareX researchers observed that these attacks particularly endanger Safari users due to the browser's insufficient alert mechanisms when entering fullscreen mode. The technique involves tricking users via legitimate-looking but malicious websites, using tools like noVNC to superimpose an attacker-controlled browser window over the legitimate session. This type of attack does not trigger security alerts from endpoint detection and response systems (EDRs) or secure access service edge (SASE/SSE) because it abuses standard browser functionalities. Unlike Safari, browsers like Firefox and those based on Chromium signal to users when full screen mode is activated, adding a layer of security that Safari lacks. SquareX's disclosure to Apple received a "wontfix" response, with Apple suggesting their current fullscreen animation is an adequate indication for users. Apple has yet to offer a detailed public response to SquareX's findings or BleepingComputer's inquiry about their stance on the issue.
2025-05-29 15:56:38 thehackernews MALWARE Cybercriminals Exploit AI Popularity Using Malware-Filled Installers
Cybercriminals are distributing malware through fake installers for popular AI tools such as OpenAI ChatGPT and InVideo AI. Malware tied to the campaign includes the CyberLock and Lucky_Gh0$t ransomware families and a destructive program named Numero. CyberLock escalates privileges, encrypts files and demands a $50,000 ransom in Monero, while Lucky_Gh0$t encrypts files under 1.2 GB and erases backups. Numero disrupts the Windows graphical user interface, rendering systems unusable by continuously running malicious processes. Fake websites such as "novaleadsai[.]com" are promoted through SEO poisoning to look authentic and trick users into downloading the malicious software. Victims are lured with offers such as a free year of access followed by a hefty monthly subscription, only to receive malware instead of the promised software. Reports from Talos and Mandiant describe a growing trend of abusing AI tool popularity to spread malware at business and marketing professionals, and malvertising campaigns on platforms such as Facebook and LinkedIn also funnel users to the infected sites.
2025-05-29 15:46:14 bleepingcomputer CYBERCRIME U.S. Sanctions Filipino Company for Multi-Million Dollar Cyber Scams
The U.S. Treasury Department sanctioned Funnull Technology, a Philippines-based firm, for supporting large-scale cyber scams that caused over $200 million in losses to Americans. Funnull facilitated online scams, including romance baiting and pig butchering, by providing IP addresses and hosting services to cybercriminals, who built trust with victims on social platforms, lured them into fraudulent investment schemes, and then diverted the invested funds to their own accounts. The firm also supplied domain generation algorithms and web design templates that helped cybercriminals impersonate legitimate brands and evade takedowns. U.S. entities are now prohibited from transacting with Funnull or its Chinese administrator, Liu Lizhi, and all of their U.S. assets are frozen; foreign financial institutions that deal with the blacklisted entities may face secondary penalties. The FBI issued a flash alert detailing technical aspects of Funnull's operations, including IP addresses and domain patterns indicative of the scam infrastructure. Cybercrime losses in the U.S. hit a record $16.6 billion in 2024, with over $6.5 billion attributed to investment scams.
2025-05-29 14:33:39 bleepingcomputer MALWARE Cybercriminals Use AI Tool Facades to Distribute Ransomware
Cybercriminals are increasingly exploiting the popularity of AI tools to spread ransomware and other malware, including through fake deepfake content generators and counterfeit AI tool websites. The ransomware families CyberLock and Lucky_Gh0$t, along with the new malware Numero, are pushed through SEO poisoning and malvertising so the fake sites rank prominently in search results. CyberLock, delivered through a counterfeit AI tool site, demands a $50,000 ransom in Monero and claims the funds support humanitarian efforts. Lucky_Gh0$t, a derivative of Chaos ransomware, masquerades as a ChatGPT installer and encrypts files under 1.2 GB, replacing larger files with junk data. Numero does not encrypt data; instead it locks the Windows graphical interface in a dysfunctional loop. Organizations are urged to download AI tools only from reputable, official sources to avoid these increasingly polished attacks on the public's fascination with AI.
2025-05-29 14:05:53 bleepingcomputer MISCELLANEOUS Sprocket ASM Tool: Proactively Secure Your Digital Footprint
Threat landscapes are expanding rapidly, exposing new weaknesses that attackers discover with publicly available tooling and automation; Attack Surface Management (ASM) is the defender's counterpart to that reconnaissance. Sprocket Security's Attack Surface Management Tool focuses on attacker behavior and provides real-time asset mapping and change detection, on the premise that organizations must continuously monitor and protect their external infrastructure. The article highlights the mass exploitation of VMware ESXi servers as a case that demonstrates the need for timely patching and proactive security measures, and stresses seeing an organization's digital infrastructure from an attacker's perspective in order to prevent breaches. It encourages integrating ASM tools into daily security workflows to improve visibility, proactive defense, and efficiency in testing and validation. Sprocket ASM offers free tools that provide continuous penetration testing, notifications on new discoveries, and tracking of manually added assets that are not visible from the internet.
2025-05-29 13:21:06 thehackernews MALWARE New RAT Malware Uses Corrupted Headers to Evade Detection
Cybersecurity researchers identified a new remote access trojan (RAT) that uses corrupted DOS and PE headers to evade detection on Windows systems. The malware was discovered by Fortinet's FortiGuard Incident Response Team after running undetected for several weeks on a compromised machine. Fortinet acquired memory dumps from the machine to analyze the malware, which hid inside a dllhost.exe process. The RAT decrypts its C2 server information in memory and communicates over TLS, which aids both stealth and persistence. Because the corrupted headers prevented direct analysis of the payload, Fortinet reconstructed and ran the malware in a controlled environment after several attempts. The RAT can capture screenshots, manage system services, and accept incoming connections, effectively turning the infected host into a multipurpose remote-access platform, and its multi-threaded architecture lets it carry out several operations concurrently.
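Corrupted headers are a problem mainly for tooling: a dump of the image will not parse in ordinary PE libraries, which is both why the sample evaded scanning and why Fortinet needed several attempts to rebuild it. The following added example, which is not Fortinet's tooling, is the triage check a responder can run on a region carved from a process memory dump: it reports which part of the DOS/NT header chain is broken and, when only the magic bytes are gone, restores them so standard PE parsers work again. The exact way the real sample damages its headers is not described on this page, so the simulated corruption (zeroed MZ and PE signatures) and the sample buffers are constructed assumptions.

```python
"""Header-integrity triage for Windows images carved from memory.

Added example; the corruption simulated here (zeroed MZ and PE signatures)
is an assumption, and the sample buffers are constructed header skeletons.
"""
import struct
from typing import Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
KNOWN_MACHINES = {0x014C, 0x8664, 0xAA64}   # i386, amd64, arm64
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER: Machine .. Characteristics, 20 bytes
SECTION_HEADER_SIZE = 40


def classify_pe_headers(buf: bytes) -> str:
    """Return 'intact', or a short reason the headers cannot be parsed."""
    if len(buf) < 64:
        return "truncated: no room for IMAGE_DOS_HEADER"
    e_magic, = struct.unpack_from("<H", buf, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        return "dos header: bad e_magic (expected MZ)"
    e_lfanew, = struct.unpack_from("<I", buf, 60)
    # The NT signature (4) plus IMAGE_FILE_HEADER (20) must fit inside the buffer.
    if e_lfanew < 64 or e_lfanew + 24 > len(buf):
        return "dos header: e_lfanew out of range"
    signature, = struct.unpack_from("<I", buf, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        return "nt headers: bad PE signature"
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, buf, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        return f"file header: unknown Machine 0x{machine:04x}"
    if nsections == 0 or nsections > 96:
        return f"file header: implausible NumberOfSections {nsections}"
    section_table = e_lfanew + 24 + opt_size
    if section_table + nsections * SECTION_HEADER_SIZE > len(buf):
        return "section table: runs past end of buffer"
    return "intact"


def try_repair_signatures(buf: bytes) -> Optional[bytes]:
    """If only the MZ/PE magic bytes were wiped, put them back so ordinary PE
    tooling can parse the image again; return None if more than that is broken."""
    if len(buf) < 64:
        return None
    e_lfanew, = struct.unpack_from("<I", buf, 60)
    if e_lfanew < 64 or e_lfanew + 24 > len(buf):
        return None
    fixed = bytearray(buf)
    struct.pack_into("<H", fixed, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", fixed, e_lfanew, IMAGE_NT_SIGNATURE)
    fixed = bytes(fixed)
    return fixed if classify_pe_headers(fixed) == "intact" else None


def build_sample_image(machine: int = 0x8664, nsections: int = 2, opt_size: int = 240) -> bytes:
    """Constructed sample: a header skeleton with the right layout, not a loadable binary."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 24 + opt_size + nsections * SECTION_HEADER_SIZE)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 60, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into(FILE_HEADER_FMT, img, e_lfanew + 4, machine, nsections, 0, 0, 0, opt_size, 0x22)
    return bytes(img)


def wipe_signatures(img: bytes) -> bytes:
    """Simulated corruption (assumption): zero the MZ and PE signatures in place."""
    out = bytearray(img)
    e_lfanew, = struct.unpack_from("<I", out, 60)
    out[0:2] = b"\x00\x00"
    out[e_lfanew:e_lfanew + 4] = b"\x00\x00\x00\x00"
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_image()
    bad = wipe_signatures(good)
    print("original :", classify_pe_headers(good))
    print("corrupted:", classify_pe_headers(bad))
    print("repaired :", classify_pe_headers(try_repair_signatures(bad)))
```

The repair step is deliberately conservative: it only rewrites the two signatures and then re-validates the whole chain, so a buffer with a bogus e_lfanew or section count is reported rather than patched into something that merely looks parseable.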