Cyber OSINT Overview, Jun 9 - Jun 15, 2025
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics
- Multiple vendors, including Microsoft and Adobe, released a significant number of security patches in June. Microsoft’s Patch Tuesday addressed 67 vulnerabilities, including an actively exploited zero-day in WebDAV (CVE-2025-33053) and a publicly disclosed flaw in the SMB client (CVE-2025-33073). Adobe released patches for a massive 254 CVEs across its product suite, with Experience Manager and Acrobat receiving critical updates for remote code execution. The high volume and criticality of these patches were a major focus for security teams and researchers.
- gov cisecurity.org: Critical Patches Issued for Microsoft Products, June 10, 2025
- gov cisecurity.org: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
- news thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
- news darkreading.com: Stealth Falcon APT Exploits Microsoft RCE Zero-Day in Mideast
- personal krebsonsecurity.com: Patch Tuesday, June 2025 Edition
- vendor tenable.com: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
- Ransomware remains a dominant threat, with multiple reports detailing the activities of various groups. Safepay, Qilin, Play, and Akira were frequently mentioned as top perpetrators, with a new group, Devman, emerging as a potential rebrand of a Qilin affiliate. These groups continue to target critical sectors like healthcare and finance, leveraging social engineering, compromised VPN credentials, and unpatched vulnerabilities for initial access. The tactics are shifting from simple data encryption to double extortion, involving data exfiltration and public leaks to increase pressure on victims.
- community health-isac.org: FBI, CISA warn Play ransomware targeting critical infrastructure with evolving techniques
- community health-isac.org: Healthcare Ransomware Shockwaves Expose Critical Vulnerabilities
- gov cisa.gov: Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
- vendor asec.ahnlab.com: May 2025 Deep Web and Dark Web Trends Report
- vendor asec.ahnlab.com: May 2025 Threat Trend Report on Ransomware
- vendor blog.rapid7.com: BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
- The security implications of AI are a growing concern for organizations and security leaders. Discussions focused on two main fronts: securing AI systems and using AI for defense. New threats like prompt injection, LLM scope violations in tools like M365 Copilot, and the use of agentic AI for malicious purposes are expanding the attack surface. In response, the industry is developing AI-driven security tools, such as Cisco’s reasoning LLM and Palo Alto Networks’ Prisma AIRS, while emphasizing the need for robust governance and zero-trust principles to manage AI agents.
- news hackread.com: EchoLeak Zero-Click AI Attack in Microsoft Copilot Exposes Company Data
- vendor blog.rapid7.com: 5 Things Security Leaders Need to Know About Agentic AI
- vendor blogs.cisco.com: Making Agentic AI Work in the Real World
- vendor malwarebytes.com: Your Meta AI chats might be public, and it’s not a bug
- vendor paloaltonetworks.com: The New AI Attack Surface — How Cortex Cloud Secures MCP
- vendor tenable.com: New Cybersecurity Executive Order: What You Need To Know
- Industrial Control Systems (ICS) and Operational Technology (OT) are facing increased scrutiny due to numerous vulnerabilities disclosed by CISA. Advisories highlighted flaws in widely used products from Siemens, AVEVA, and Hitachi Energy, among others. These vulnerabilities range from remote code execution and denial-of-service to cross-site scripting and improper privilege management. The breadth of affected products, from PLCs and industrial switches to data archives and medical devices, underscores the expanding attack surface in critical infrastructure sectors.
- gov cisa.gov: CISA Releases Four Industrial Control Systems Advisories
- gov cisa.gov: CISA Releases Ten Industrial Control Systems Advisories
- gov cisa.gov: Siemens Tecnomatix Plant Simulation
- gov cisa.gov: AVEVA PI Data Archive
Critical Vulnerabilities
- A zero-day remote code execution vulnerability in Windows WebDAV (CVE-2025-33053) is being actively exploited by the Stealth Falcon APT group. The flaw, which has an 8.8 CVSS score, allows an attacker to execute code by convincing a user to click a malicious link or open a malicious file. Microsoft has released patches for all Windows versions, including out-of-support ones like Windows 8 and Server 2012, indicating the severity of the threat. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
- gov cisa.gov: CISA Adds Two Known Exploited Vulnerabilities to Catalog
- news darkreading.com: Stealth Falcon APT Exploits Microsoft RCE Zero-Day in Mideast
- vendor kevintel.com: CVE-2025-33053: Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability
- vendor research.checkpoint.com: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
- Ransomware groups are actively exploiting a path traversal vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software, CVE-2024-57727. This flaw affects SimpleHelp versions 5.5.7 and earlier and allows attackers to gain access to downstream customer networks. CISA has added the vulnerability to its KEV Catalog and issued an advisory warning that these attacks have been ongoing since January 2025, leading to service disruptions and double extortion compromises.
- gov cisa.gov: CISA Releases Cybersecurity Advisory on SimpleHelp RMM Vulnerability
- gov cisa.gov: Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider
- news darkreading.com: CISA Reveals 'Pattern' of Ransomware Attacks Against SimpleHelp RMM
- A critical pre-authentication remote code execution vulnerability (CVE-2025-32433) in Erlang/OTP SSH server has been added to CISA’s KEV catalog due to active exploitation. With a CVSS score of 10.0, the flaw allows an unauthenticated attacker to execute arbitrary commands by exploiting a weakness in SSH message handling. This vulnerability affects OTP versions prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Given its severity and evidence of exploitation, immediate patching or mitigation via firewall rules is critical.
- gov cisa.gov: CISA Adds Two Known Exploited Vulnerabilities to Catalog
- vendor kevintel.com: CVE-2025-32433: Erlang/OTP SSH Vulnerable to Pre-Authentication RCE
- Adobe released patches for 254 vulnerabilities across seven products, including Acrobat Reader, Experience Manager, and Commerce. Many of these flaws are critical and could lead to arbitrary code execution if exploited. The most significant update is for Adobe Experience Manager, which addresses 225 CVEs, primarily cross-site scripting (XSS) issues. Adobe rates the fix for Commerce as Priority 1, indicating it should be patched urgently, although no active exploits were reported at the time of release.
- gov cisecurity.org: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
- vendor thezdi.com: The June 2025 Security Update Review
- A zero-click vulnerability in Apple’s iMessage (CVE-2025-43200) was exploited to deploy Paragon’s Graphite spyware on the iPhones of European journalists. The flaw, which existed in the processing of maliciously crafted photos or videos shared via an iCloud Link, allowed for remote compromise without any user interaction. Apple addressed the vulnerability in iOS 18.3.1 in February but only recently added the CVE to its security advisory, coinciding with a Citizen Lab report detailing the attacks.
- news cyberscoop.com: Paragon spyware found on the phones of Euro journos
- news thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
- personal schneier.com: Paragon Spyware Used to Spy on European Journalists
- Critical vulnerabilities have been identified in various pan-tilt-zoom (PTZ) cameras from vendors including PTZOptics, ValueHD, multiCAM, and SMTAV. These flaws include improper authentication (CVE-2024-8956), OS command injection, and the use of hard-coded credentials. Successful exploitation could allow a remote, unauthenticated attacker to leak sensitive data like usernames and password hashes, execute arbitrary commands, and gain full administrative access to the devices. A CVSS score of 9.3 highlights the severity of these vulnerabilities.
- gov cisa.gov: PTZOptics and Other Pan-Tilt-Zoom Cameras
- A publicly disclosed elevation of privilege vulnerability (CVE-2025-33073) affects the Windows SMB client. An attacker could exploit this by convincing a user to connect to a malicious SMB server, potentially elevating their privileges to SYSTEM. Microsoft rates exploitation as more likely. This vulnerability is part of a series of flaws in core Windows components patched this month, including a critical RCE in the KDC Proxy Service (CVE-2025-33071) and another EoP in the Common Log File System Driver (CVE-2025-32713).
- community reddit.com: CVE-2025-33073: A Look in the Mirror - The Reflective Kerberos Relay Attack
- vendor blog.rapid7.com: Patch Tuesday - June 2025
- vendor msrc.microsoft.com: CVE-2025-33073 Windows SMB Client Elevation of Privilege Vulnerability
Major Incidents
- A major cyberattack on United Natural Foods (UNFI), one of the largest food distributors in the US, has caused significant operational disruptions and led to empty shelves in grocery stores. The company, which supplies Whole Foods, Amazon, and Target, proactively took some systems offline after detecting unauthorized activity on June 5. While UNFI has not confirmed the nature of the attack, the incident’s characteristics strongly suggest a ransomware attack, highlighting the vulnerability of critical supply chains to cyber threats.
- news darkreading.com: United Natural Food's Operations Limp Through Cybersecurity Incident
- personal bitdefender.com: Empty shelves after US’s largest natural and organic food distributor suffers cyber attack
- Multiple state and government entities are experiencing significant internet disruptions. NetBlocks reported a near-total telecoms blackout in the Gaza Strip lasting over 100 hours, severely impacting communication and aid efforts. Similar shutdowns were observed in Iraq, intended to prevent cheating during school exams, and in Manipur, India, amidst tribal unrest. In addition, Sweden’s Prime Minister stated the country is under attack following major DDoS attacks that took public broadcasters and government sites offline, with Russia suspected as the perpetrator.
- community mastodon.social:
- community mastodon.social:
- community mastodon.social:
- personal grahamcluley.com: Sweden says it is under cyber attack
- A data broker owned by major US airlines, including Delta, American Airlines, and United, has been secretly selling passenger flight data to government agencies like DHS, CBP, and ICE. The data, sourced from the Airlines Reporting Corporation (ARC), includes passenger names, full flight itineraries, and financial details for domestic travel. The contract reportedly includes clauses requiring the government agencies not to disclose ARC as the source of the data, raising significant privacy concerns over the clandestine sale of traveler information.
- personal schneier.com: Airlines Secretly Selling Passenger Data to the Government
- vendor malwarebytes.com: US airline industry quietly selling flight data to DHS
- The healthcare sector is under siege from ransomware attacks, with a major assault by the Qilin group on a diagnostics provider causing widespread chaos. The attack disrupted thousands of patient procedures, including blood transfusions and cancer screenings, and exposed sensitive data. Health-ISAC reports a continued upward trend in ransomware events and VPN exploits targeting the health sector. The incidents highlight critical vulnerabilities in the industry, such as weak MFA, excessive privileges, and insufficient endpoint protection.
- community health-isac.org: Health-ISAC Heartbeat flags surge in ransomware, VPN exploits across healthcare systems
- community health-isac.org: Healthcare Ransomware Shockwaves Expose Critical Vulnerabilities
- The genetic testing company 23andMe is facing intense scrutiny from the U.S. Congress over the privacy and security of customer DNA data amid its bankruptcy and potential sale. Following a major data breach and the proposed acquisition by pharmaceutical company Regeneron, 1.9 million of its 15 million customers have requested their data be deleted. Lawmakers have raised concerns about the potential for data misuse, including transfer to foreign adversaries or use in targeted advertising, and criticized the company for not implementing an explicit opt-in for data transfer in a sale.
- news zdnet.com: How to delete your 23andMe data ASAP - and why you should
- vendor malwarebytes.com: 23andMe raked by Congress on privacy, sale of genetic data
- Humanitarian and public interest organizations are facing a dramatic increase in cyberattacks. A Cloudflare report on Project Galileo revealed a 241% increase in blocked threats against protected organizations compared to the previous year, with journalism and human rights groups being the most targeted. Attacks include massive DDoS campaigns against outlets like the Belarusian Investigative Center and a prolonged attack on the digital rights group Tech4Peace, highlighting the escalating digital risks for civil society.
- news darkreading.com: Cyberattacks on Humanitarian Orgs Jump Worldwide
- vendor blog.cloudflare.com: Celebrating 11 years of Project Galileo’s global impact
- The owner of the pornographic websites GirlsDoPorn and GirlsDoToys has pleaded guilty to multiple charges of sex trafficking. From 2013 to 2019, Michael James Pratt and his associates coerced hundreds of women into filming pornographic videos under false pretenses, such as promising limited distribution. Pratt, who was a fugitive on the FBI’s most wanted list, now faces a minimum sentence of 15 years and a maximum of life in prison, marking a significant legal outcome against a large-scale online exploitation operation.
- vendor malwarebytes.com: GirlsDoPorn owner faces life in jail after pleading guilty to sex trafficking
Emerging Threats
- The Stealth Falcon APT group is actively exploiting a WebDAV zero-day (CVE-2025-33053) to target defense and government entities in the Middle East. The attack chain involves a malicious .url file that uses a technique named ‘Remote Path Interception by Search Order Hijacking’ to execute malware. The final payload is a custom implant called Horus Agent, which is based on the open-source Mythic C2 framework and includes anti-analysis and anti-detection measures.
- news darkreading.com: Stealth Falcon APT Exploits Microsoft RCE Zero-Day in Mideast
- vendor blog.rapid7.com: Patch Tuesday - June 2025
- vendor research.checkpoint.com: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
- Threat actors are exploiting the popularity of AI tools to distribute malware. A new campaign distributes BrowserVenom, an implant that forces browser traffic through a malicious proxy, via a phishing site masquerading as the official homepage for the DeepSeek-R1 LLM. The campaign uses Google Ads to promote the malicious site, tricking users into downloading a fake installer. This highlights a trend of using malvertising and popular brands as lures for malware distribution.
- personal grahamcluley.com: Malware attack disguises itself as DeepSeek installer
- vendor securelist.com: Toxic trend: Another malware threat targets DeepSeek
- The Kimsuky APT group has been observed using phishing emails disguised as academic paper review requests. These emails contain password-protected HWP document files with malicious OLE objects. When a user opens the document and clicks a hyperlink, a batch file executes that deploys several components, including a PowerShell script to collect system information and download additional payloads. This attack leverages social engineering and document-based exploits to gain initial access and exfiltrate data to a Dropbox account.
- vendor asec.ahnlab.com: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
- A widespread campaign is compromising websites by injecting malicious JavaScript obfuscated with the JSFireTruck (JSF*ck) technique. This method uses a limited character set to hide the code’s purpose, which is to check the website referrer and redirect visitors from search engines to malicious URLs. These destinations can lead to malware downloads, malvertising, or other scams. Over 270,000 webpages have been found infected, indicating a large-scale, coordinated effort to abuse legitimate sites for malicious traffic redirection.
- vendor unit42.paloaltonetworks.com: JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique
- The Fog ransomware, first documented in May 2024, has been observed in a recent attack on a financial institution using an unusual set of tools. Attackers deployed legitimate employee monitoring software called Syteca, likely for its keylogging and screen capture capabilities. They also used several open-source penetration testing tools not commonly seen in ransomware attacks, including GC2, Adaptix, and Stowaway. This diverse toolset indicates an evolution in ransomware actors’ TTPs, combining commodity tools with legitimate software for stealth and data exfiltration.
- vendor security.com: Fog Ransomware: Unusual Toolset Used in Recent Attack
- The BlackSuit ransomware group is adopting social engineering tactics previously associated with Black Basta. The attack begins with an ‘email bomb’ to overwhelm the target, followed by a Microsoft Teams message or phone call from an actor impersonating IT support. The primary goal is to trick the user into granting remote access via Quick Assist or another remote tool, or to harvest credentials through a fake login page. This suggests a potential merger of TTPs or personnel between the two prominent ransomware operations.
- vendor blog.rapid7.com: BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
- The APT group Librarian Ghouls, also known as Rezet, continues to target Russian entities with phishing emails containing password-protected archives. The malicious payload establishes remote access, steals credentials, and deploys an XMRig cryptominer. A distinctive feature of this group is its extensive use of legitimate third-party software, such as the 4t Tray Minimizer, to obscure its presence, combined with command files and PowerShell scripts to execute its malicious logic.
- news darkreading.com: 'Librarian Ghouls' Cyberattackers Strike at Night
- vendor securelist.com: Sleep with one eye open: how Librarian Ghouls steal data by night
Regulatory and Policy Updates
- The White House has issued a new Executive Order reprioritizing the nation’s cybersecurity efforts under the Trump administration. This order reverses some previous policies and introduces new focus areas, including mandating that federal agencies incorporate AI vulnerability management into their existing practices by November 2025. Other key provisions include promoting a voluntary ‘Cyber Trust Mark’ for IoT devices, accelerating the transition to post-quantum cryptography, and reinforcing secure software development practices.
- community health-isac.org: Health-ISAC Hacking Healthcare 6-6-2025
- news darkreading.com: New Trump Cybersecurity Order Reverses Biden, Obama Priorities
- personal ctoatncsc.substack.com: Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America
- vendor tenable.com: New Cybersecurity Executive Order: What You Need To Know
- The UK government and its National Cyber Security Centre (NCSC) are advocating for significant policy changes to improve national cybersecurity. The NCSC is pushing for a strategic policy agenda to address market failures where vendors do not bear the costs of insecure products. Concurrently, the government has mandated annual cyber incident response exercises for its departments and is seeking public input on a new Code of Practice for the security of enterprise-connected devices, signaling a more hands-on regulatory approach.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending June 15th
- Digital rights groups are voicing strong opposition to the reintroduced Stop CSAM Act in the US Senate, arguing it threatens user privacy and the viability of end-to-end encrypted services. The groups, including the ACLU and EFF, contend that the bill’s ‘recklessness’ standard would make it impossible for providers of encrypted messaging and storage to avoid liability for content they cannot see. They warn this could force companies to either weaken encryption to monitor content or cease offering secure services altogether.
- news cyberscoop.com: Digital rights groups sound alarm on Stop CSAM Act
- The UK’s communications regulator, Ofcom, has launched an investigation into the social media platform 4chan for failing to provide information on how it protects users from illegal content under the new Online Safety Act. This action follows 4chan’s lack of response to an official information request. If found in breach, 4chan could face fines up to £18 million or 10% of its global revenue, and UK ISPs could be ordered to block access to the site.
- personal grahamcluley.com: Ofcom investigates 4chan for not protecting users from illegal content
- Concerns are growing over government and corporate handling of personal data, with two major incidents coming to light. A data broker owned by major US airlines was found to be secretly selling passenger flight itineraries and financial details to DHS agencies. Separately, 23andMe faced a congressional hearing over its handling of genetic data during its bankruptcy and sale, with lawmakers criticizing the lack of an explicit opt-in for data transfer to a new owner.
- personal schneier.com: Airlines Secretly Selling Passenger Data to the Government
- vendor malwarebytes.com: 23andMe raked by Congress on privacy, sale of genetic data
- vendor malwarebytes.com: US airline industry quietly selling flight data to DHS
Security Operations
- NIST has released new practical guidance for implementing a Zero Trust Architecture (ZTA) in its special publication SP 1800-35. This document is designed to complement the foundational ZTA concepts in SP 800-207 by providing 19 concrete implementation examples from 24 technology partners, including Tenable. The guide outlines core steps for any ZTA deployment, from asset discovery and policy specification to continuous monitoring and improvement, serving as a foundational starting point for organizations.
- Security experts are advocating for a shift from static posture management to a runtime-first defense strategy in the cloud. Traditional tools like CSPM are insufficient for dynamic, ephemeral environments as they only provide a snapshot in time. A runtime security approach offers continuous monitoring of live workloads, enabling real-time detection of anomalous behavior, active exploits, and lateral movement. This allows for automated response that can block attacks as they happen, rather than after a breach has occurred.
- vendor blog.rapid7.com: Key Takeaways from the Take Command Summit 2025: Demystifying Cloud Detection & Response – The Future of SOC and MDR
- vendor sysdig.com: Runtime is the real defense, not just posture
- Organizations are increasingly adopting phishing-resistant authentication methods like FIDO2 to combat the rise of one-time password (OTP) interception. FIDO2 leverages possession-based credentials, such as security keys or device biometrics, to perform cryptographic authentication without sending sensitive information over the network. This approach effectively stops phishing attacks that trick users into revealing OTPs. Authentication services like Symantec VIP are making it easier for organizations to deploy and manage these stronger authentication methods.
- vendor security.com: The Secret to Phishing-Resistant Authentication
- Security teams can enhance their Kubernetes security workflows by using specialized kubectl plugins. Tools like access-matrix for RBAC auditing, kubectl-trace for eBPF-based syscall tracing, and np-viewer for network policy visualization provide deeper insights and streamline complex tasks. These plugins allow security engineers to quickly audit permissions, trace suspicious activity, and manage configurations directly from the command line, improving efficiency and reducing risk in complex containerized environments.
- vendor sysdig.com: Top 15 Kubectl plugins for security engineers in 2025
- Android users can significantly improve their security and privacy by enabling the Private DNS feature. This mode encrypts DNS queries, preventing them from being sent as plain text over the network. This is particularly important on public Wi-Fi, where unencrypted queries can be intercepted by malicious actors to monitor browsing activity. Users can configure this feature in their device’s network settings by specifying a secure DNS provider like Cloudflare (1dot1dot1dot1.cloudflare-dns.com) or Google (dns.google).
- Interactive sandboxing is highlighted as a critical tool for Security Operations Centers (SOCs) to improve detection rates and reduce analyst workload. Unlike automated sandboxes, interactive environments allow analysts to engage with potential threats, such as entering passwords or clicking links, to reveal multi-stage malware like AsyncRAT. This hands-on analysis provides a full process breakdown, network activity visibility, and extracted malware configurations, enabling more effective and proactive threat mitigation.
- vendor medium.com: How SOC Teams Save Time and Effort with ANY.RUN: Action Plan
- The role of the CISO is evolving into what is termed a ‘Cybersecurity Warrior Leader’ (CWL), who must balance technical defense with organizational health. This approach emphasizes the importance of self-care and team well-being as critical assets to prevent burnout and maintain performance. By fostering psychological safety and using tools like Organizational Health Assessments (OHAs), CWLs can build resilient teams capable of navigating the relentless pressure of the modern threat landscape.
- vendor levelblue.com: Cybersecurity Warrior-Leaders: Self and Team Care
Wins
- A coordinated international law enforcement action, dubbed ‘Operation Secure,’ successfully disrupted a major infostealer cybercrime ecosystem in Asia. The operation, involving 26 countries and supported by private sector partners like Group-IB, resulted in the seizure of 41 physical servers and the takedown of over 20,500 malicious IP addresses and domains. Authorities arrested 32 suspects across Vietnam, Sri Lanka, and Nauru, dismantling infrastructure used to deploy 69 different infostealer variants.
- news cyberscoop.com: Global law enforcement action in Asia nets large infrastructure seizure, 32 arrests
- news darkreading.com: Infostealer Ring Bust-up Takes Down 20,000 Malicious IPs
- Michael James Pratt, the owner of the notorious coercive pornography website GirlsDoPorn, has pleaded guilty to sex trafficking charges. Pratt, who was a fugitive on the FBI’s Most Wanted list before being extradited from Spain, faces a potential life sentence. His plea marks a significant victory for law enforcement and the victims of the operation, which lured and coerced hundreds of women into filming pornographic videos under false pretenses.
- vendor malwarebytes.com: GirlsDoPorn owner faces life in jail after pleading guilty to sex trafficking
- Cloudflare’s Project Galileo celebrated its 11th anniversary of providing free, robust cybersecurity protection to vulnerable public interest organizations worldwide. Over the past year, the project has blocked 108.9 billion cyber threats, representing a 241% increase from the previous period. This initiative continues to be a crucial lifeline for at-risk groups, including independent journalists, human rights activists, and civil society organizations, ensuring they can remain online and continue their important work despite facing escalating cyberattacks.
- vendor blog.cloudflare.com: Celebrating 11 years of Project Galileo’s global impact
- A South African court sentenced a former employee of Ecentric Payment Systems to eight years in prison for attempted extortion and other cybercrimes. The individual, Lucky Erasmus, and an accomplice gained remote access to the company’s systems, stole data, and demanded a ransom of over $500,000. This conviction is a landmark case under South Africa’s new cybercrime legislation and serves as a significant deterrent against insider threats and extortion attempts.
- personal bitdefender.com: South African man imprisoned after ransom demand against his former employer
Disclaimer
The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template available on GitHub.
Reach out if you have questions or suggestions.