Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12780
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-05 22:26:21 | bleepingcomputer | CYBERCRIME | Luna Moth Hackers Mimic IT Help Desks to Target U.S. Firms | Luna Moth, also known as Silent Ransom Group, has increased data theft and extortion attacks on U.S. legal and financial sectors. These threat actors use callback phishing campaigns to gain remote access and steal sensitive data through social engineering tactics, without deploying ransomware. Attackers register fake domains through GoDaddy, mimicking IT support for major U.S. law and financial firms, to facilitate their scams. Victims are tricked into calling fake helpdesk numbers embedded in emails, where they are persuaded to install remote monitoring software, giving hackers direct access to their systems. Common tools exploited in these attacks include legitimate RMM software like Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop, which are less likely to be detected as threats. Once access is gained, hackers spread through the network, searching for and extracting valuable data, which they threaten to publish unless a ransom is paid. EclecticIQ’s report suggests adding indicators of compromise to blocklists and advises restricting the use of unapproved RMM tools to mitigate risk. | Details |
| 2025-05-05 21:00:20 | theregister | DATA BREACH | Unsecure Clone of Signal App Compromises US Government Data | An unknown attacker accessed US government communications through TeleMessage, a clone of the secure messaging app Signal, used by Michael Waltz. TeleMessage, acquired by Smarsh in 2024, has temporarily shut down following the detection of the security incident, with investigations supported by an external cybersecurity firm. The exposure includes potentially unencrypted archived messages touching on sensitive topics from US Customs and Border Protection and financial transactions. The compromised app, discovered through a leaked photo of Waltz using it, was found to archive messages, which could be insecure if not re-encrypted. Further analysis by journalists revealed hard-coded credentials in the app’s source code, suggesting significant security flaws. The incident raises questions about the legality of the app under Signal's open source license and its implications for security practices. Overall, the mishap underscores ongoing issues with secure communication within government circles and its ramifications for national security. | Details |
| 2025-05-05 20:30:13 | bleepingcomputer | MALWARE | New EDR Bypass Technique Exploited in Ransomware Attacks | A new EDR bypass method, "Bring Your Own Installer," has been identified being used to install Babuk ransomware. This bypass technique, abusing the SentinelOne agent upgrade process, was uncovered by Aon's Stroz Friedberg Incident Response team. Attackers exploit a gap during the agent update that allows them to disable the EDR, leaving systems unprotected. It is recommended that SentinelOne users enable the "Online Authorization" feature to prevent such attacks. Further investigations confirmed the bypass method works across multiple versions of the SentinelOne agent. After discovery, SentinelOne communicated mitigation steps to clients and other major EDR vendors. SentinelOne advises enabling Local Upgrade protection to strengthen security against such vulnerabilities. The impact of this bypass technique was first noticed during a forensic investigation of a client network following a ransomware breach. | Details |
| 2025-05-05 19:25:38 | bleepingcomputer | MISCELLANEOUS | Microsoft Reports Risks in Kubernetes Deployments' Default Settings | Microsoft highlighted security risks in default Kubernetes Helm charts, which could expose sensitive data. Helm charts, crucial for streamlined application deployment on Kubernetes, often come with weak default settings, including lax authentication and exposed ports. Without adjustments, these settings leave applications vulnerable to scanning and exploitation by malicious actors. The report by Microsoft Defender for Cloud Research emphasized insecure default configurations in Helm charts as a significant threat to Kubernetes workloads. Three specific cases were cited indicating the scope of security issues across different Helm chart deployments. Microsoft advises users to manually review and secure YAML configurations and Helm charts before deployment. Regular scans for configuration errors and vigilant monitoring for unusual activities in container environments were recommended as part of the security practices. | Details |
| 2025-05-05 19:16:16 | bleepingcomputer | CYBERCRIME | Darcula PhaaS Scheme Steals Nearly 900,000 Credit Cards Globally | The Darcula PhaaS platform facilitated the theft of 884,000 credit cards through 13 million malicious text message clicks over a seven-month period from 2023 to 2024. Researchers from multiple international organizations, including NRK and Mnemonic, uncovered the operation, highlighting its global reach across over 100 countries and 20,000 domains imitating major brands. Darcula's phishing texts typically masquerade as road toll fines or package delivery notices, tricking victims into providing account credentials on spoofed websites. Innovations in the platform include the use of RCS and iMessage for sending texts, a feature that increases the effectiveness of these phishing attacks. Recent upgrades to Darcula add capabilities like auto-generating phishing kits for any brand, incorporating stealth features, converting stolen credit card details to virtual cards, and simplifying the admin panel. The introduction of generative AI into Darcula by April 2025 allows criminals to create custom scams in any language using LLM tools. The investigation revealed the backbone toolkit 'Magic Cat,' the operation's connection to a Chinese individual, and lavish lifestyles funded by the scam. All findings were shared with law enforcement, uncovering operations involving large-scale SIM farms and processing setups for handling stolen credit cards. | Details |
| 2025-05-05 19:16:16 | bleepingcomputer | DATA BREACH | Unofficial Signal Tool Hacked, US Government Data Potentially Exposed | TeleMessage, an Israeli company, experienced a potential security breach leading to the suspension of its services. This incident occurred with the company's TM SGNL tool, used for archiving messages from apps like Signal. A hacker claimed to have breached TeleMessage and accessed data, though direct messages from Trump officials were reportedly safe. Stolen data may include government officials' contact details, some message contents, and back-end credentials. Screenshots from the breach show links to U.S. Customs and Border Protection and other financial institutions. The source code for the backdoored app, TM SGNL, analyzed by experts, revealed multiple vulnerabilities. Signal’s official spokesperson emphasized that the company does not guarantee security for unofficial app versions. Smarsh, the parent company, has engaged a cybersecurity firm to investigate and has promised transparency and updates. | Details |
| 2025-05-05 17:32:07 | bleepingcomputer | CYBERCRIME | Darcula PhaaS Platform's Massive Credit Card Theft Exposed | The Darcula phishing-as-a-service platform stole 884,000 credit cards from SMS phishing attacks, impacting 13 million users globally. Over seven months, Darcula's cybercriminals utilized 20,000 domains to spoof reputable brands, targeting Android and iPhone users across more than 100 countries. Darcula has evolved to use RCS and iMessage in addition to SMS, increasing the effectiveness of their phishing attacks. New features allow criminals to automatically generate phishing kits for any brand and employ generative AI to create more convincing and language-specific scams. Mnemonic researchers reverse-engineered the Darcula infrastructure, discovering the 'Magic Cat' toolkit and infiltrating related Telegram groups. The investigation traced digital footprints to a Chinese individual believed to be the creator; despite company denials of involvement, ongoing activities suggest continuous operation. All findings from the investigation have been shared with law enforcement to aid in tackling this extensive cybercrime operation. | Details |
| 2025-05-05 17:11:26 | thehackernews | MALWARE | Critical AirPlay Flaws Expose Apple Devices to Remote Attacks | Researchers disclosed critical vulnerabilities in Apple's AirPlay protocol that could allow attackers remote control over devices. The vulnerabilities, named AirBorne, were found in both Apple and third-party devices utilizing the AirPlay SDK. Specific flaws, such as CVE-2025-24252 and CVE-2025-24132, enable a wormable zero-click remote code execution (RCE) exploit, allowing malware to spread across networks. Attackers could exploit these vulnerabilities to deploy ransomware and backdoors, significantly threatening user data security. Devices connected to public Wi-Fi are at high risk, with potential breaches extending to enterprise networks when compromised devices connect to them. All identified vulnerabilities have been patched in recent AirPlay and CarPlay updates. Organizations are urged to update all susceptible devices immediately and to advise employees to do the same for personal devices. | Details |
| 2025-05-05 16:05:22 | thehackernews | CYBERCRIME | CISA Adds High-Risk Commvault Vulnerability to KEV Catalog | CISA has included a severe security vulnerability from Commvault in its Known Exploited Vulnerabilities catalog. The vulnerability, identified as CVE-2025-34028 with a CVSS score of 10.0, is a path traversal flaw in Commvault Command Center versions 11.38.0 through 11.38.19. The issue, which allows code execution through malicious ZIP file uploads, was discovered and reported by watchTowr Labs. Commvault has patched the vulnerability in newer releases, specifically versions 11.38.20 and 11.38.25. This vulnerability marks the second time a Commvault flaw has been actively exploited; the prior CVE-2025-3928 also involved remote attack capabilities. Affected agencies, notably those within the Federal Civilian Executive Branch, are mandated to apply the security patches by May 23, 2025, to mitigate risks. No unauthorized access to customer backup data has been detected despite the exploitation incidents. | Details |
| 2025-05-05 15:25:53 | bleepingcomputer | CYBERCRIME | UK Retail Cyberattacks Prompt National Security Guidance | Following a series of cyberattacks on Marks & Spencer, Co-op, and Harrods, the UK’s NCSC issued new cybersecurity guidance. Marks & Spencer experienced a disruptive ransomware attack by DragonForce, affecting online orders and payments. Co-op faced a cyber incident that led to VPN restrictions and eventual confirmation of significant customer data theft. Harrods reported an attempted breach, leading to increased network security measures, though no data breach was confirmed. All incidents involved social engineering tactics to infiltrate networks, primarily through help desk impersonation. The NCSC refrained from speculating on the attackers’ identities but highlighted ongoing investigations with law enforcement. Enhanced security recommendations include reviewing and strengthening helpdesk authentication processes. Businesses nationwide are urged by the NCSC to prepare for potential cyber threats by adopting the recommended security measures. | Details |
| 2025-05-05 11:31:26 | thehackernews | NATION STATE ACTIVITY | Iranian Group Hacks Middle East Infrastructure for Two Years | Iranian threat group Lemon Sandstorm targeted critical national infrastructure in the Middle East, maintaining access for nearly two years. The group used custom backdoors such as HanifNet, HXLibrary, and NeoExpressRAT to conduct extensive espionage operations. The objective was suspected network prepositioning to ensure persistent future access, reflecting a strategic long-term threat. Fortinet identified and reported these activities, which occurred from May 2023 to February 2025. Such nation-state-sponsored activities underline the critical need for robust cybersecurity measures in protecting sensitive national infrastructure. | Details |
| 2025-05-05 11:01:44 | thehackernews | MISCELLANEOUS | Securing Google Workspace: Strategies for Small Security Teams | Small to midsize business security personnel often fulfill multiple roles, from CISO to IT Help Desk, effectively becoming the entire security department. Despite Google Workspace handling infrastructure and spam filtering, it does not fully secure user identities, leaving significant security responsibilities to company admins. The first line of defense in cloud-native work environments is strong identity protection with enforced configuration through Google Workspace or a third-party identity provider (IdP). Phishing and social engineering via email remain top threats, underscoring the need for diligent monitoring and response strategies, despite Google's extensive filtering capabilities. Data Loss Prevention (DLP) is crucial, as information leakages often occur slowly through employee errors or unchecked sharing permissions, requiring robust controls to manage sensitive data effectively. Maintaining visibility across all user activities and settings in Google Workspace is essential due to the vast and varied responsibilities faced by small security teams. Automated tools like Material Security help manage and monitor configurations continuously, alerting teams to any deviations in security settings and enabling rapid response to potential threats. Balancing productivity with security is crucial as teams manage sharing settings and permissions within Google Workspace to minimize risks without overly restricting collaboration. | Details |
| 2025-05-05 07:05:26 | theregister | MISCELLANEOUS | Trump Discusses Tech Policy, TikTok Deal, and Tariffs in Interview | President Trump praises TikTok, describing his affection for the platform due to its popularity among young voters who significantly supported him in the 2024 election. Despite a missed divestment deadline, Trump indicates a potential extension for TikTok’s sale to ensure its operation continues in the U.S. Trump references an ongoing deal for TikTok’s divestment involving significant investors, hinting at a resolution before the new June 19 deadline. He discusses DOGE's role under Elon Musk's leadership, highlighting its success in reducing government waste and fraud. Trump credits his administration's trade policies for significant investments by major tech companies like Apple and potential foreign companies to manufacture in the U.S. He announces a new tariff policy targeting foreign movies to bolster the American film industry, which he claims is declining rapidly. The White House, Department of Commerce, and the U.S. Trade Representative have yet to provide details on the implementation of the new movie tariff. | Details |
| 2025-05-05 05:47:45 | thehackernews | CYBERCRIME | Golden Chickens Enhances Malware to Steal Browser and Crypto Data | Golden Chickens, a cybercrime group also known as Venom Spider, has developed new malware versions, TerraStealerV2 and TerraLogger, aiming to enhance their data theft capabilities. TerraStealerV2 focuses on collecting credentials from browsers, cryptocurrency wallet data, and browser extension details, while TerraLogger acts as a keylogger recording keystrokes. The malware is distributed through various file types including EXEs, DLLs, MSI packages, and LNK files, leveraging OCX payloads sourced from a questionable external domain. Despite targeting data extraction, TerraStealerV2 does not yet bypass new Chrome security protocols, indicating potential areas of ongoing development or limitations in the malware's current version. Recorded Future reports that these tools are still under development and have not yet reached the sophistication levels seen in other mature malware tools used by Golden Chickens. There's no evidence of command-and-control communication capabilities in TerraLogger, suggesting it could be part of early development or designed for use alongside other malware in the Golden Chickens suite. This development by Golden Chickens occurs amidst broader trends in the cybercrime landscape, including the emergence of other stealer malware families and improved versions of existing malware with enhanced functionalities. | Details |
| 2025-05-05 03:59:54 | theregister | MISCELLANEOUS | Setbacks for India's Semiconductor Aspirations; Global Tech Updates | India's plan to become a significant player in global semiconductor manufacturing faced setbacks as Zoho dropped its $700 million fab investment and Adani Group paused its $10 billion project with Tower Semiconductor. Zoho abandoned its semiconductor manufacturing plans due to the capital-intensive nature of the industry and lack of confidence in the chosen technology path, citing the requirement for substantial government support. Adani Group halted talks over concerns that the semiconductor project did not make commercial sense. China's Cyberspace Administration initiated a three-month campaign to rectify abuses in AI technology, targeting unregistered AIs and enforcing stringent security and content regulations. Indian Supreme Court judges indicated that the use of spyware could be justified for national security, discussing this during a case probing alleged misuse of Pegasus spyware. South Korea's Fair Trade Commission fined Meta for failing to provide required consumer protections on its social platforms and mandated improvements within 180 days. The same regulator is consulting on remedies against Broadcom for alleged monopoly practices, seeking industry input on proposed regulatory changes. SK Telecom in South Korea has halted new customer signups to address issues stemming from a recent cyberattack, impacting millions of customers. | Details |