June 1, 2025

Cyber OSINT Overview, May 26 - Jun 1, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • AI in Cybersecurity (Risks, Development, Defense) is a dominant theme, covering new AI tools, safety guidelines from ETSI and NSA/CISA, AI-driven attacks like deepfakes and sophisticated phishing lures, the security of AI development processes including Model Context Protocol (MCP) and OAuth evolution, and the use of AI for defensive cybersecurity measures. Numerous articles discuss deploying AI safely, its role in national security, and vulnerabilities in AI-related software or its use as a lure.
  • Ransomware and extortion tactics continue to pose a significant threat, with multiple incidents reported across various sectors including healthcare (Kettering Health, Covenant Health), retail (Peter Green Chilled, Victoria’s Secret), and utilities (Nova Scotia Power). Groups like Interlock, DragonForce, and Scattered Spider are active, and new tactics like vishing by the Silent Ransom Group are emerging. The financial and operational impacts are substantial, driving discussions on prevention and response.
  • Phishing and social engineering remain prevalent, with attackers employing increasingly sophisticated methods. Adversary-in-the-Middle (AiTM) attacks, facilitated by kits like Evilginx and Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA and Haozi, are on the rise. Attackers are also abusing legitimate services like Google Apps Script and Google Calendar for hosting phishing pages or for command and control, enhancing the credibility of their campaigns. These attacks often aim to steal credentials for enterprise cloud environments.
  • Nation-state sponsored cyber activity continues to be a major concern, with multiple threat actors linked to Russia and China conducting espionage and disruptive campaigns. Groups such as Void Blizzard/Laundry Bear (Russia-affiliated) are targeting NATO members and Ukraine, often using stolen credentials. APT41 (China-linked) has been observed using Google Calendar for C2. Other actors like Bitter APT, Damascened Peacock, and Salt/Volt Typhoon are also active, targeting government, defense, and critical infrastructure sectors globally.
  • Industrial Control Systems (ICS) and Operational Technology (OT) face ongoing threats from vulnerabilities in widely used products. CISA has issued several advisories concerning Siemens (SiPass, SiPass Integrated), Consilium Safety (CS5000 Fire Panel), Instantel (Micromate), and Johnson Controls (iSTAR ICU Tool). These vulnerabilities could lead to denial-of-service, unauthorized access, or remote code execution, impacting critical infrastructure sectors like commercial facilities, manufacturing, and energy.
  • Data breaches and leaks continue to expose sensitive information at an alarming scale. A notable incident involved the exposure of 184 million login credentials for major services like Instagram, Roblox, and Facebook, likely harvested by infostealer malware. Additionally, companies like Adidas and LexisNexis reported third-party data breaches affecting customer information. These events underscore the persistent threat of credential theft and the importance of robust data protection measures.
  • Vulnerabilities in widely used software and hardware continue to be a major attack vector. Critical flaws were reported in Cisco IOS XE wireless LAN controllers (CVE-2025-20188 allowing RCE), vBulletin forum software (CVE-2025-48827, CVE-2025-48828 leading to RCE), Apache InLong (CVE-2025-27522 enabling RCE via deserialization), and various TeleMessage services (multiple CVEs exposing data and allowing unauthorized access). Ivanti EPMM also saw actively exploited zero-days (CVE-2025-4427, CVE-2025-4428). These highlight the need for timely patching and robust vulnerability management programs.

Critical Vulnerabilities

  • Multiple vulnerabilities in Siemens SiPass and SiPass Integrated products (CVE-2022-31812, CVE-2022-31807) expose systems to denial-of-service via out-of-bounds read and unauthorized firmware modification through improper cryptographic signature verification. These flaws affect physical access control systems widely deployed in commercial facilities and critical manufacturing. CISA advises updating SiPass Integrated to V2.95.3.18 or later and enabling TLS for SiPass AC5102/ACC-AP, though no fix is currently available for the latter.
  • Consilium Safety CS5000 Fire Panels (all versions) suffer from critical vulnerabilities: CVE-2025-41438 (CVSS 9.3) due to an insecure default account and CVE-2025-46352 (CVSS 9.3) from hard-coded VNC credentials. Exploitation could grant attackers high-level remote access, potentially rendering fire panels non-functional. Consilium Safety has no planned fixes, advising upgrades to newer models and implementing compensating physical security controls for existing CS5000 deployments.
  • A critical vulnerability, CVE-2025-20188 (CVSS 10.0), in Cisco IOS XE Software for Wireless LAN Controllers allows unauthenticated remote attackers to upload arbitrary files and achieve remote code execution with root privileges. This flaw is due to a hard-coded JSON Web Token (JWT) and insufficient path validation when the ‘Out-of-Band AP Image Download’ feature is enabled. Horizon3.ai has published technical details, increasing exploitation risk. Cisco urges users to update to version 17.12.04 or newer or disable the vulnerable feature.
  • vBulletin forum software versions 5.0.0-5.7.5 and 6.0.0-6.0.3 (on PHP 8.1+) contain critical vulnerabilities CVE-2025-48827 (API method invocation, CVSS 10.0) and CVE-2025-48828 (RCE via template engine, CVSS 9.0). These allow unauthenticated RCE due to misuse of PHP’s Reflection API and template conditionals. Active exploitation of CVE-2025-48827 has been observed. Administrators are urged to update to the latest patched versions, such as 5.7.5 Patch Level 3 or vBulletin 6.1.1.
  • Multiple critical vulnerabilities (CVE-2025-48045, CVE-2025-48046, CVE-2025-48047) in MICI NetFax server versions prior to 3.0.1.0 allow an authenticated attacker to achieve remote code execution as root. The vulnerabilities include default credential disclosure, stored password disclosure, and command injection. Notably, default admin credentials are provided in cleartext in HTTP responses. MICI has reportedly stated they will not address these vulnerabilities.
  • Ivanti Endpoint Manager Mobile (EPMM) is affected by two actively exploited zero-day vulnerabilities, CVE-2025-4427 and CVE-2025-4428, which can be chained for unauthenticated remote code execution. China-linked espionage group UNC5221 has reportedly targeted nearly 20 organizations, including a cybersecurity firm and critical infrastructure entities in Europe and North America. Ivanti released patches on May 13, 2025, and urges immediate updates.
  • Multiple vulnerabilities (CVE-2025-48925 to CVE-2025-48930) have been disclosed in the TeleMessage service. These include issues such as storage of cleartext information in memory (CVE-2025-48930), reliance on client-side MD5 hashing for authentication (CVE-2025-48925), exposure of a heap dump endpoint (CVE-2025-48927, CVE-2025-48928), long-lived credentials (CVE-2025-48929), and an admin panel leaking user data (CVE-2025-48926). These flaws could lead to data exposure and unauthorized access.

Major Incidents

  • IT management software firm ConnectWise confirmed a cyberattack by a suspected nation-state actor that breached its environment and impacted a limited number of cloud-hosted ScreenConnect customers. The incident, reportedly occurring in August 2024 and discovered in May 2025, is linked to the ScreenConnect vulnerability CVE-2025-3935. ConnectWise has contacted affected customers and involved law enforcement, stating systems are now secure.
  • Multiple U.S. hospitals have experienced service disruptions due to cyberattacks. Covenant Health facilities in Maine and New Hampshire shut down data systems following an attack on May 26, 2025. Kettering Health in Ohio also faced a system-wide outage linked to the Interlock ransomware group. These incidents highlight the ongoing targeting of the healthcare sector, leading to canceled procedures and patient care disruptions.
  • A massive dataset containing over 184 million unique login credentials for services including Google, Microsoft, Facebook, Instagram, Snapchat, and Roblox was discovered exposed on an unsecured Elasticsearch database in May 2025. The 47GB dataset contained plaintext usernames and passwords, likely amassed by infostealer malware. The database has since been taken offline, but the exposure underscores the risks of widespread credential theft.
  • Victoria’s Secret shut down its U.S. website and some in-store services for three days starting May 26, 2025, due to an unspecified security incident. The company engaged third-party experts and stated it was working to restore operations. The Scattered Spider threat group is suspected to be involved, aligning with a recent trend of attacks targeting major retailers. The full impact and whether customer data was compromised remain unclear.
  • Adidas confirmed a data breach where an unauthorized external party accessed customer data through a third-party customer service provider. The exposed information primarily consists of contact details for consumers who had previously contacted their help desk; passwords and financial data were reportedly not affected. This follows a similar incident disclosed by Adidas earlier in May affecting customers in Turkey and South Korea.
  • Nova Scotia Power, a Canadian utility, confirmed it was hit by a ransomware attack around March 19, 2025, impacting approximately 280,000 customers. The company stated it has not paid any ransom. The attack led to a data breach, with customer information including names, addresses, dates of birth, driver’s license numbers, and social insurance numbers being stolen. The utility has been providing updates and is working with cybersecurity experts and law enforcement.
  • Tens of thousands in Moscow and surrounding areas experienced internet outages for several days starting May 28, 2025, after a major DDoS attack targeted Russian internet service provider ASVT. The company attributed the attack, one of the most severe this year, to the pro-Ukraine ‘IT Army’ collective. This incident follows a similar attack on another Russian ISP, Lovit, in March, also claimed by the IT Army.

Emerging Threats

  • Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA and Haozi are enabling less-skilled attackers to launch sophisticated campaigns. Tycoon2FA targets Microsoft 365 and Gmail accounts using Adversary-in-the-Middle (AiTM) techniques to bypass MFA. Haozi, a Chinese-language PhaaS, offers user-friendly, plug-and-play phishing kits sold via Telegram, facilitating significant illicit transactions. These services lower the barrier to entry for cybercrime, increasing the volume of phishing attacks.
  • Nation-state actors are employing novel tactics for espionage and C2. Microsoft identified Void Blizzard (aka LAUNDRY BEAR, Russia-affiliated) using stolen credentials and spear phishing to target government, defense, and healthcare sectors in Europe and North America. Google reported APT41 (China-linked) using Google Calendar events for command and control to deploy TOUGHPROGRESS malware against government entities. Separately, Bitter APT (South Asia-linked) targeted Pakistan Telecommunication Company Limited (PTCL) workers with spear phishing during regional conflicts.
  • Threat actors are increasingly using fake AI tool installers and websites as lures to distribute malware. Campaigns attributed to UNC6032 (Vietnam-linked) and others promote tools like Luma AI, Canva Dream Lab, Kling AI, ChatGPT, and InVideo AI via social media ads (Facebook, LinkedIn) and SEO poisoning. Victims are tricked into downloading info-stealers (e.g., Starkveil, GRIMPULL), backdoors (e.g., XWorm, Frostrift), and ransomware (e.g., CyberLock, Lucky_Gh0$t).
  • Android banking Trojans like Zanubis and Octo (also known as Coper or ExobotCompact) continue to evolve, posing significant threats. Zanubis, initially targeting Peru, has expanded its capabilities for data exfiltration and remote control, employing new obfuscation and deception tactics. Octo, sold as Malware-as-a-Service, uses fake apps, SMS phishing, and social engineering to gain Accessibility Services and Device Admin privileges for keylogging, overlay attacks, and VNC-based remote access.
  • A new Rust-based infostealer, EDDIESTEALER, is being distributed via fake CAPTCHA campaigns. These campaigns use compromised websites to display deceptive CAPTCHA verification pages that trick users into executing malicious PowerShell scripts. The scripts then download and run EDDIESTEALER, which harvests credentials, browser information, and cryptocurrency wallet details, communicating with a C2 server for tasking.
  • The Silent Ransom Group (SRG), also known as Luna Moth or UNC3753, has shifted tactics to include IT-themed social engineering vishing calls targeting U.S. law firms. Initially known for callback phishing, the group now directly calls victims, impersonates IT staff to gain remote access (e.g., Zoho Assist, AnyDesk), exfiltrates sensitive data using tools like WinSCP or Rclone, and then extorts the firms. This change in TTP has proven highly effective.
  • Threat actors are abusing Google Apps Script to host phishing pages, leveraging Google’s trusted domain (script.google.com) to bypass security filters and lend legitimacy to their attacks. Phishing emails, often disguised as invoices, link to these hosted pages which are designed to steal login credentials. This method provides attackers with flexibility to modify scripts and lures without resending links.

Regulatory and Policy Updates

  • International and national efforts are underway to establish AI security standards and governance. ETSI, in collaboration with UK’s NCSC and DSIT, published a global standard for securing AI systems throughout their lifecycle. Concurrently, the US NSA and CISA issued guidance urging organizations to secure data used in AI models. These initiatives aim to provide baseline security requirements and best practices for AI developers, vendors, and users to mitigate evolving AI-related cyber threats.
  • The UK and Australia are significantly investing in their national cyber warfare capabilities. The UK Ministry of Defence announced a £1 billion ‘Digital Targeting Web,’ an AI-driven battlefield system, and the establishment of a new Cyber and Electromagnetic Command. Similarly, Australia is investing in its Defence Force’s cyber warfare workforce, including a new skills-based pay structure to retain talent. These moves reflect a growing emphasis on cyber operations in national defense strategies.
  • The European Union Agency for Cybersecurity (ENISA) published a handbook guiding EU member states on implementing cyber stress testing. This initiative supports broader EU cyber regulations like the NIS 2 Directive, DORA, and CER, aiming to enhance the cybersecurity and resilience of critical infrastructure entities. The handbook focuses on desktop-based stress tests using technical questionnaires centered around risk scenarios.
  • Five major U.S. banking associations have petitioned the SEC to repeal its rule mandating public companies to disclose material cybersecurity incidents within four business days. The groups argue that premature disclosure under Form 8-K Item 1.05 harms registrants, fails to provide meaningful investor information, and could offer actionable intelligence to threat actors, potentially increasing systemic risk within the financial sector.
  • Australia has introduced new rules requiring organizations with an annual turnover of $3 million or more, or those responsible for critical infrastructure, to report any ransom payments to Home Affairs and the Australian Signals Directorate within three days. This measure aims to provide better visibility into the ransomware landscape and inform national response strategies.
  • The Chrome Root Program announced upcoming changes to its trust store, intending to remove default trust for Certificate Authorities (CAs) Chunghwa Telecom and Netlock. This action, effective in Chrome 139 for TLS server authentication certificates with Signed Certificate Timestamps (SCTs) dated after July 31, 2025, is due to a pattern of compliance failures and unmet improvement commitments by these CAs, eroding Chrome’s confidence in their reliability.
  • Four US Senate Democrats have urged Homeland Security Secretary Kristi Noem to reestablish the Cyber Safety Review Board (CSRB) after its members were dismissed earlier this year by the Trump administration. The senators emphasized the CSRB’s critical role in investigating significant cyber incidents, such as the ongoing Salt Typhoon hacks linked to China, and providing recommendations to improve national cybersecurity posture. The dismissal has halted the board’s investigation into the Salt Typhoon campaign.

Security Operations

  • CISA, in collaboration with ASD’s ACSC and other partners, released new guidance for organizations on procuring and implementing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms. The guidance includes resources for executives on enhancing cybersecurity frameworks and for practitioners on threat detection, incident response, and prioritizing log ingestion. This aims to help organizations strengthen their cybersecurity posture by effectively leveraging these critical security technologies.
  • Microsoft is deprecating the password autofill feature in its Authenticator app, with new password saving ending in June 2025, autofill ending in July 2025, and saved passwords becoming inaccessible in Authenticator from August 2025. Users are being notified to export their passwords to a CSV file or transition to using Microsoft Edge for password management, as saved passwords sync with Microsoft Accounts. This change aims to consolidate password management within the Edge browser.
  • 0patch has released micropatches for several Windows vulnerabilities affecting end-of-life systems. These include a fix for CVE-2025-29957, a pre-authentication denial-of-service vulnerability in Windows Deployment Service that could allow network attackers to consume all server memory. Another micropatch addresses CVE-2025-26633, a security feature bypass in Microsoft Management Console (.msc files) that could allow malicious scripts to bypass security warnings. These patches provide continued protection for legacy Windows Server 2012/R2 and older Windows 10/7/Server 2008 R2 versions.
  • Security practitioners are advised to enhance SSH security by meticulously managing authorized_keys files. Recommendations include setting restrictive file permissions (read-only for the user, owned by root), considering centralized management of key files (e.g., using /etc/ssh/authorized_keys/%u), leveraging AuthorizedKeysCommand for on-demand key retrieval, and implementing robust file integrity monitoring for these critical files. These steps help prevent attackers from easily gaining persistent access by adding their own keys.
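As an added example, not part of the original brief or its source, the following POSIX shell script audits authorized_keys files against the recommendations above: expected ownership, read-only mode, and a SHA-256 baseline as a minimal file-integrity check over a centralized directory such as /etc/ssh/authorized_keys. It assumes GNU coreutils (stat -c, sha256sum); the accepted modes are a conservative reading of "read-only for the user".

```shell
#!/bin/sh
# Added example (not from the original brief). Audits authorized_keys files
# against the hardening recommendations: owner is an administrative account,
# mode grants no write access to anyone, and content matches a recorded
# SHA-256 baseline so that an appended attacker key shows up as a change.
# Assumes GNU coreutils (stat -c, sha256sum).

# Usage: check_authorized_keys FILE EXPECTED_OWNER [BASELINE_FILE]
# Prints one finding per line; returns 0 when every check passes, 1 otherwise.
check_authorized_keys() {
    file=$1 expected_owner=$2 baseline=$3
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL missing file: $file"
        return 1
    fi

    owner=$(stat -c '%U' "$file")
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL $file owned by $owner, expected $expected_owner"
        rc=1
    fi

    # Read-only modes only: no write bit for owner, group or other.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        400|440|444) ;;
        *)
            echo "FAIL $file mode $mode (expected a read-only mode such as 400)"
            rc=1
            ;;
    esac

    if [ -n "$baseline" ]; then
        current=$(sha256sum "$file" | cut -d' ' -f1)
        if [ ! -f "$baseline" ]; then
            # First run: record the baseline instead of failing.
            echo "$current" > "$baseline"
            echo "INFO baseline recorded for $file"
        elif [ "$current" != "$(cat "$baseline")" ]; then
            echo "FAIL $file content changed since baseline (possible added key)"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# Audit every per-user key file in a centralized directory (the %u layout,
# e.g. /etc/ssh/authorized_keys). Baselines are kept in BASELINE_DIR, one
# per key file. Returns 1 if any file fails.
# Usage: audit_key_dir KEY_DIR EXPECTED_OWNER BASELINE_DIR
audit_key_dir() {
    dir=$1 expected_owner=$2 baseline_dir=$3
    overall=0
    mkdir -p "$baseline_dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_authorized_keys "$f" "$expected_owner" \
            "$baseline_dir/$(basename "$f").sha256" || overall=1
    done
    return "$overall"
}
```

Run it from cron or a configuration-management hook; a non-zero exit on a previously clean file is the signal to investigate which key was added and by whom.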
  • Researchers highlight the risk of privilege escalation in Microsoft Entra ID and Azure environments through specific billing roles. External guest users, even with limited permissions in a host tenant, might be able to create and transfer Azure subscriptions if they possess certain billing roles in their home tenant. This could grant them ‘Owner’ rights over the new subscription within the host tenant, posing a significant security risk. Organizations are advised to review and potentially restrict guest users’ ability to create or transfer subscriptions.
  • The cybersecurity industry is seeing increased focus on AI-powered security operations and exposure management, exemplified by Zscaler’s intent to acquire Red Canary for MDR capabilities and Tenable’s acquisition of Apex Security for AI risk management. These moves aim to integrate AI, automation, and threat intelligence to provide comprehensive visibility and control over expanding attack surfaces, including those introduced by AI technologies themselves. The goal is to create more proactive and efficient security operations centers.
  • A new tool, ExtensionPedia by LayerX, allows users to check the security and privacy risks of browser extensions for Chrome, Firefox, and Edge before installation. It provides a risk score and details on permissions requested and known vulnerabilities. This can help individuals and enterprises make more informed decisions about which extensions to trust, mitigating risks associated with malicious or overly permissive browser add-ons.

Wins

  • International law enforcement, under ‘Operation Endgame,’ successfully disrupted AVCheck, a major counter-antivirus (CAV) service used by cybercriminals to test malware detectability. The operation seized AVCheck’s domain and related crypting services Cryptor.biz and Crypt.guru. This action hinders criminals’ ability to refine malware for evasion and is part of a broader crackdown on the ransomware supply chain.
  • As part of Operation Endgame, authorities also disrupted the Danabot malware-as-a-service operation and the SmokeLoader botnet by seizing hundreds of servers and domains. These actions represent significant blows to the cybercrime ecosystem by dismantling key infrastructure used for distributing malware and launching attacks. The FBI and Dutch Police also seized infrastructure for the Heartsender phishing service.
  • Authorities in Pakistan arrested 21 individuals allegedly linked to ‘Heartsender,’ a spam and malware dissemination service also known as Fudpage and Fudtools. The group, reportedly led by Rameez Shahzad of WeCodeSolutions (formerly The Manipulaters), provided phishing kits and undetectable malware services, contributing to significant financial losses globally, particularly through Business Email Compromise (BEC) schemes. This follows an earlier FBI and Dutch Police takedown of Heartsender’s infrastructure.
  • Iranian national Sina Gholinejad pleaded guilty to computer fraud and conspiracy to commit wire fraud for his involvement in the Robbinhood ransomware scheme. This ransomware notably impacted the city of Baltimore in 2019, causing over $19 million in damages, and also targeted other U.S. cities and healthcare organizations. Gholinejad, also known as Sina Ghaaf, was arrested in North Carolina in January.
  • The U.S. Treasury Department sanctioned Philippines-based Funnull Technology Inc. and its administrator Liu Lizhi for facilitating cryptocurrency investment scams, commonly known as ‘pig butchering.’ Funnull allegedly provided infrastructure for hundreds of thousands of malicious websites, contributing to over $200 million in losses for U.S. victims. This action aims to disrupt the support system for these fraudulent operations.
  • Meta announced the disruption of three covert influence operations originating from China, Iran, and Romania. These campaigns used fake social media accounts on Facebook and Instagram to manipulate political discourse by spreading propaganda and critical content in multiple countries, including Myanmar, Taiwan, Japan, Azerbaijan, and Turkey. Meta removed these networks before they could build significant audiences.
  • German authorities identified Vitaly Nikolaevich Kovalev as ‘Stern,’ the alleged leader of the Trickbot and Conti cybercrime operations. This identification, aided by previous leaks (TrickLeaks, ContiLeaks), has led to an Interpol red notice for Kovalev, who is suspected of founding ‘Wizard Spider.’ This development is a significant step in holding key figures in major ransomware and malware operations accountable.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template available on GitHub.

Reach out if you have questions or suggestions.