July 6, 2025

Cyber OSINT Overview, Jun 30 - Jul 6, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Vulnerabilities in the Linux Kernel were a dominant topic, with numerous advisories detailing flaws that could lead to Denial of Service (DoS), privilege escalation, and remote code execution. These vulnerabilities affect a wide range of Linux distributions, including Ubuntu and Red Hat Enterprise Linux, and are consistently being discovered and patched. The sheer volume of reports from government and security agencies underscores the ongoing challenge of securing this foundational component of modern computing infrastructure.
  • Actively exploited vulnerabilities in web browsers, particularly Google Chrome and Microsoft Edge, were frequently reported. Many of these critical flaws, such as type confusion bugs in the V8 JavaScript engine, allow for arbitrary code execution through crafted web pages. The consistent addition of these browser CVEs to CISA’s Known Exploited Vulnerabilities (KEV) catalog highlights the persistent threat they pose and the importance of timely patching for all users.
  • The security of Industrial Control Systems (ICS) remains a major concern, with multiple advisories from CISA detailing critical vulnerabilities in products from vendors like Mitsubishi Electric, Hitachi Energy, and FESTO. These flaws could allow attackers to cause denial-of-service, tamper with system files, or achieve remote code execution on devices that manage critical infrastructure. The reports underscore the need for heightened security measures and prompt patching in the energy and critical manufacturing sectors.
  • Phishing and social engineering attacks continue to evolve, with multiple reports highlighting their prevalence and increasing sophistication. Attackers are impersonating well-known brands like Microsoft and PayPal in callback phishing scams, as well as government agencies to steal financial data. Threat actors are also leveraging AI to generate more convincing phishing content and even entire malicious websites, lowering the barrier to entry for complex attacks and making it harder for users to identify fraudulent communications.
  • Artificial Intelligence is increasingly a double-edged sword in cybersecurity, serving as both a powerful tool for attackers and a critical component for defenders. Reports highlight threat actors, such as North Korean IT workers, using AI to generate convincing fake identities and phishing sites. Simultaneously, the security community is developing AI-driven solutions for threat detection, analyzing binary code, and securing LLM deployments, while also grappling with the need to establish security best practices and regulations for AI systems themselves.

Critical Vulnerabilities

  • A type confusion vulnerability in the V8 JavaScript engine (CVE-2025-6554) is being actively exploited in the wild, affecting Google Chrome and Microsoft Edge. This high-severity flaw allows a remote attacker to achieve arbitrary code execution by tricking a user into visiting a specially crafted HTML page. Both Google and Microsoft have released emergency patches to address the issue, and CISA has promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate updates.
  • A critical vulnerability (CVE-2025-20309) with a CVSS score of 10.0 affects Cisco Unified Communications Manager (Unified CM). The flaw is due to static, unchangeable root SSH credentials left over from development, which allows an unauthenticated remote attacker with network access to gain full system privileges. Cisco has released patches and urges customers to update immediately, as no workarounds are available to mitigate this maximum-severity risk.
  • Citrix NetScaler ADC and Gateway are affected by multiple critical vulnerabilities that are being actively exploited. These include a memory overread flaw (CVE-2025-5777), dubbed ‘CitrixBleed 2,’ and a buffer overflow (CVE-2025-6543). Attackers can leverage these vulnerabilities to steal session tokens, bypass multi-factor authentication, and gain unauthorized access. CISA has added these vulnerabilities to the KEV catalog, and with over 50,000 instances potentially exposed, immediate patching is critical.
  • Multiple vulnerabilities have been reported across a wide range of printers and multifunction peripherals from vendors including Brother, Toshiba, Ricoh, Fujifilm, and Konica Minolta. One critical, unpatchable flaw (CVE-2024-51978) allows an attacker to reverse-engineer the default administrator password from the device’s serial number. This can grant full privileged access, enabling remote code execution and data theft. The primary mitigation is for users to immediately change the default password.
  • A critical remote code execution vulnerability (CVE-2025-47812) has been identified in Wing FTP Server versions v7.4.3 and prior. The flaw allows an unauthenticated attacker to execute arbitrary code on the server. Publicly available proof-of-concept exploit code significantly increases the risk, making it imperative for administrators to update to version 7.4.4 or later immediately.
  • Multiple FESTO industrial control system products are affected by critical vulnerabilities that could allow for remote code execution. One out-of-bounds write flaw (CVE-2023-3935) in the Wibu CodeMeter Runtime could grant attackers full control of the host system. Additionally, OS command injection vulnerabilities (e.g., CVE-2022-30311) in Festo Hardware Controllers allow unauthorized execution of system commands with root privileges, posing a significant risk to industrial environments.
  • Grafana has released security updates for its Image Renderer plugin and Synthetic Monitoring Agent to address critical vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192). These vulnerabilities could pose significant risks to users of these widely-adopted observability tools. Administrators are strongly encouraged to upgrade to Grafana Image Renderer 3.12.9 and Synthetic Monitoring Agent 0.38.3 to mitigate these threats.

Major Incidents

  • The Sinaloa drug cartel employed a hacker to conduct surveillance on an FBI official and their contacts in Mexico City. The operation involved obtaining phone records, call data, and geolocation information, as well as accessing the city’s public camera system to track the official’s movements. This intelligence was then reportedly used by the cartel to identify, intimidate, and assassinate potential FBI informants and witnesses, highlighting the severe real-world consequences of targeted cyber-espionage.
  • Qantas Airways confirmed a data breach affecting 6 million customer service records after a third-party provider was compromised. The exposed data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers. While financial details and passport information were not stored on the affected system, the airline anticipates a significant amount of data was stolen and is working with Australian authorities to investigate the incident.
  • China-linked threat actor UNC5174 exploited three Ivanti zero-day vulnerabilities in a targeted campaign against French critical infrastructure. The attacks, which occurred between September and November 2024, impacted government agencies and organizations across telecommunications, finance, and transport sectors. The actor used a sophisticated rootkit and acted as an initial access broker, likely selling access to state-affiliated entities while also patching the exploited vulnerabilities to maintain exclusive control over the compromised systems.
  • A ransomware attack on an Estonian cinema company resulted in the encryption of all its virtual machines and backups, causing significant disruption to its operations in Estonia, Latvia, and Lithuania. While the cinemas remained open, the incident underscores the severe impact of ransomware on business continuity. This attack was part of a broader landscape of incidents in Estonia, which also saw service disruptions at government IT centers and a major increase in phishing campaigns.
  • The FBI has stated that the China-linked Salt Typhoon hacking campaign, which breached at least nine US telecommunications companies, is now “largely contained.” The espionage-focused group, which gained access to critical telecom infrastructure, is reportedly dormant and locked into its current positions. However, officials warn that the access could be pivoted to destructive actions in the future, highlighting the persistent threat posed by prepositioned state-sponsored actors.
  • Technology distributor Ingram Micro experienced a ransomware attack that led to system disruptions and delayed shipments. The company took its website and other systems offline to contain the threat and engaged cybersecurity experts for recovery. The incident highlights the vulnerability of major global supply chain entities to ransomware, with attackers often timing their strikes around holidays to maximize disruption.

Emerging Threats

  • North Korean IT workers, tracked as Jasper Sleet, are leveraging AI to enhance their fraudulent employment operations. They use AI tools to manipulate photos and replace images on stolen identity documents, making their fake profiles more convincing for job applications. Additionally, they are experimenting with voice-changing software to bypass video interviews. These tactics enable them to secure remote IT jobs, generating revenue for the North Korean regime and providing a foothold to steal data and intellectual property from victim organizations.
  • Attackers are distributing the XwormRAT malware using steganography, hiding the payload inside JPG image files. The infection chain begins with a malicious VBScript or JavaScript file that downloads the image. The malware loader is then extracted from the pixel data of the embedded bitmap, a more advanced technique than previous versions that used simple Base64 encoding. This evolving method makes the malware more difficult to detect by traditional security solutions.
  • North Korea-aligned threat actors are targeting Web3 and cryptocurrency companies with NimDoor, a new macOS backdoor written in the Nim programming language. The attack starts with social engineering on Telegram, leading to the execution of a fake Zoom SDK update script. The use of an uncommon language like Nim, combined with multi-stage payloads and process injection techniques, makes the malware harder to detect and analyze, representing an evolution in the group’s efforts to compromise macOS systems.
  • Threat actors are leveraging SEO poisoning and malvertising to distribute trojanized versions of legitimate IT tools like PuTTY and WinSCP. Unsuspecting users searching for these tools are directed to malicious websites hosting the fake installers. Upon execution, the Oyster/Broomstick backdoor is installed, establishing persistence through a scheduled task that executes a malicious DLL every three minutes. This campaign primarily targets IT professionals who frequently use such administrative tools.
  • An increasing number of Android malware campaigns are being observed, with a 151% jump in mobile malware detections since the beginning of 2025. This includes a 147% rise in spyware and a 692% spike in SMS-based malware between April and May. Campaigns like Qwizzserial, distributed through smishing, and predatory SpyLoan apps highlight the evolving tactics. A significant portion of the Android ecosystem remains vulnerable due to outdated operating systems that no longer receive security patches.
  • Two new pro-Russian hacktivist groups, named IT Army of Russia and TwoNet, have emerged, launching cyberattacks against Ukraine and its allies. These groups coordinate their operations through Telegram, focusing on DDoS attacks, website defacements, and data theft. They are also actively recruiting insiders from Ukrainian critical infrastructure, posing a significant threat to national security and stability in the region.
  • The financially motivated group Scattered Spider continues to evolve its tactics, exploiting legitimate tools to enhance evasion and persistence. The group, known for targeting telecommunications and tech firms with SIM-swapping and phishing, now orchestrates multi-stage intrusions across both cloud and on-premises environments. Their expansion to target the airline sector highlights their growing operational scope and sophistication in bypassing security controls.
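A defender-side triage check for the carrier pattern described in the XwormRAT bullet above, added here as an example and not taken from the published analysis: it walks a JPEG's marker structure to find where the real image ends, flags any data appended after it, and looks for a plausible BMP header embedded anywhere in the file. It assumes the embedded bitmap survives as a raw blob rather than being re-encoded into the JPEG's own pixels, and the sample inputs are constructed.

```python
import struct
from dataclasses import dataclass, field

JPEG_SOI = b"\xff\xd8"
STANDALONE = (0x01, *range(0xD0, 0xD9))    # TEM, RST0-7, SOI: markers with no length field
SCAN_CONT = (0x00, *range(0xD0, 0xD8))     # after 0xFF inside scan data: byte stuffing / RSTn

@dataclass
class CarrierFinding:
    trailing_bytes: int          # bytes after the EOI that ends the real image
    bmp_offsets: list = field(default_factory=list)  # plausible embedded BMP headers
    @property
    def suspicious(self) -> bool:
        return self.trailing_bytes > 0 or bool(self.bmp_offsets)

def jpeg_stream_end(data: bytes) -> int:
    """Offset just past the EOI ending the image, or -1 if broken; walking segment lengths skips nested EXIF thumbnails."""
    if not data.startswith(JPEG_SOI):
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                # EOI
            return pos + 2
        elif marker in STANDALONE:
            pos += 2
        elif pos + 4 > len(data):
            return -1
        else:
            pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
            if marker == 0xDA:              # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] not in SCAN_CONT):
                    pos += 1
    return -1

def find_bmp_headers(data: bytes) -> list:
    """Offsets of 'BM' headers whose size and pixel-offset fields fit the remaining bytes."""
    hits, start = [], 0
    while (i := data.find(b"BM", start)) >= 0 and i + 14 <= len(data):
        size, _, _, pix_off = struct.unpack_from("<IHHI", data, i + 2)
        if 14 <= pix_off < size <= len(data) - i:
            hits.append(i)
        start = i + 1
    return hits

def triage_jpeg(data: bytes):
    """Return a CarrierFinding for a JPEG, or None if the input is not a JPEG at all."""
    if not data.startswith(JPEG_SOI):
        return None
    end = jpeg_stream_end(data)   # broken structure (-1): trailing bytes cannot be determined
    return CarrierFinding(len(data) - end if end > 0 else 0, find_bmp_headers(data))

def build_samples() -> tuple:
    """Constructed inputs: a minimal JPEG, and the same JPEG with a 1x1 24-bit BMP appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    clean = JPEG_SOI + app0 + sos + b"\x12\xff\x00\x34\x56" + b"\xff\xd9"  # FF 00 = byte stuffing
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    bmp = b"BM" + struct.pack("<IHHI", 58, 0, 0, 54) + dib + b"\x00\x00\xff\x00"
    return clean, clean + bmp
```

A hit is a triage signal, not a verdict: legitimate files sometimes carry trailing junk, so flagged images should go to a sandbox or further analysis rather than straight to a block rule.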

Regulatory and Policy Updates

  • The US Food and Drug Administration (FDA) has expanded its premarket guidance for medical device cybersecurity. The new document unifies and clarifies the agency’s recommendations on secure device design, labeling, and the information required in premarket submissions. This update reflects the FDA’s statutory authority for cybersecurity and strengthens regulatory expectations for manufacturers to ensure the safety and security of medical devices.
  • The European Union has adopted a new blueprint aimed at improving the management of large-scale cyber crises and incidents. This framework clarifies the roles of member states in detection, response, and recovery, enhances cooperation between technical and political bodies, and integrates recent legislation like the NIS2 Directive. It also promotes civilian-military cooperation and coordination with NATO to bolster Europe’s overall cyber resilience against major threats.
  • Microsoft will retire the Azure portal experience for Microsoft Sentinel by July 1, 2026, transitioning all users to the unified security operations platform in the Microsoft Defender portal. This move aims to consolidate SIEM and XDR capabilities into a single pane of glass, streamlining workflows, improving threat intelligence integration, and enhancing analyst efficiency. Customers are encouraged to begin planning their migration to avoid disruption and leverage the new, integrated capabilities.
  • A proposed rule in a US tax bill that would have banned states from enforcing their own AI legislation for five years has been removed by the Senate. This decision preserves the ability of states to create and enforce their own regulations governing artificial intelligence. Advocacy groups had warned that the moratorium would have weakened consumer protections against harmful AI technologies and created a regulatory vacuum at the state level while federal policy remains in development.
  • U.S. agencies, including CISA, FBI, and NSA, have issued a joint fact sheet warning critical infrastructure organizations about the heightened risk of targeted cyber operations by Iranian state-sponsored actors. The advisory cites increased geopolitical tensions and urges organizations to implement key mitigations. Recommended actions include disconnecting OT/ICS devices from the public internet, using strong and unique passwords, applying software patches promptly, and implementing phishing-resistant multifactor authentication.

Security Operations

  • AT&T has rolled out a “Wireless Account Lock” feature to combat SIM swapping attacks. Available through the myAT&T app, this feature allows users to block unauthorized changes to their wireless accounts, including SIM or eSIM swaps, number transfers, and device upgrades. This proactive security measure adds a crucial layer of protection against account takeovers, which often serve as a gateway for broader identity theft and financial fraud.
  • Cloudflare has introduced a “Pay-Per-Crawl” feature, allowing website owners to charge AI companies for scraping their data. This system provides a new mechanism for content creators to control and monetize the use of their data for training large language models. It offers an alternative to either completely blocking web crawlers or permitting unrestricted access, addressing a growing concern in the digital content ecosystem about the resource consumption and uncompensated use of data by AI developers.
  • Microsoft is consolidating its password management capabilities by discontinuing password management in the Microsoft Authenticator app starting in August. Users will be migrated to Microsoft’s other password solutions, which are integrated into Microsoft Edge, the Microsoft account dashboard, and the Windows autofill service. This move aims to streamline the user experience by centralizing password storage and synchronization across Microsoft’s ecosystem, though it removes a convenient feature from a widely used authenticator application.
  • A new open-source tool, Prometheus Gateway, has been developed to mitigate data leakage risks in applications using Large Language Models (LLMs). It functions as a security-focused middleware layer, providing Data Loss Prevention (DLP), robust access control, and abuse prevention. This tool aims to help organizations adopt LLMs more securely by offering proactive controls for data sent to third-party APIs, addressing a key challenge in enterprise AI adoption.
  • The Estonian Information System Authority (RIA) has introduced a new feature in its ‘Eesti äpp’ (Estonia app) that allows users to prove their identity digitally. This function, which provides a digital version of a passport or ID card, is equivalent to presenting a physical document for identity verification within Estonia. The feature is being rolled out gradually with both public and private sector service providers, aiming to enhance the convenience of digital services for citizens.
  • Ubuntu has disabled certain Spectre speculative-execution vulnerability mitigations at the GPU Compute Runtime level, citing a shift in the risk-versus-performance tradeoff. This decision, made in consultation with Intel, is expected to provide a significant performance boost for GPU-intensive tasks. The rationale is that existing kernel-level mitigations are now considered sufficient, and the performance cost of the additional runtime protections is no longer justified for the level of security they provide.
  • Cisco and Splunk demonstrated enhanced SOC capabilities at Cisco Live by integrating their platforms for improved threat detection and response. The collaboration utilized Cisco XDR and Splunk Enterprise Security to create a unified view of security events from network traffic, endpoints, and other sources. Custom dashboards and automation workflows were developed to quickly triage threats, analyze malware with Splunk Attack Analyzer and Secure Malware Analytics, and identify security gaps like cleartext password transmissions.

Wins

  • French law enforcement successfully arrested five operators of the notorious BreachForums cybercrime forum in a major international raid. The individuals, known by aliases including “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” were apprehended in simultaneous raids. This operation has led to the shutdown of the forum, which served as a significant marketplace for stolen data, credentials, and access to compromised corporate systems, disrupting a key part of the cybercrime ecosystem.
  • The U.S. Treasury Department has sanctioned Russia-based bulletproof hosting provider Aeza Group for supporting a wide range of cybercriminal activities. The provider allegedly furnished infrastructure for the BianLian ransomware group and operators of infostealers like Meduza, RedLine, and Lumma. This action targets a crucial element of the cybercrime supply chain, aiming to disrupt the operational capabilities of multiple threat actor groups.
  • The U.S. Department of Justice has disrupted a large-scale North Korean scheme to place skilled IT workers in U.S. companies to generate illicit revenue. The operation included multiple indictments, the seizure of financial accounts and fraudulent websites, and searches of 29 “laptop farms” across 16 states. This action dismantled a key part of the infrastructure that enabled North Korean operatives to steal sensitive data and millions of dollars from U.S. companies.
  • The Hunters International ransomware-as-a-service (RaaS) group has announced the cessation of its operations. The group, believed to be a successor to the notorious Hive ransomware, posted a shutdown notice on its dark web leak site and is reportedly offering free decryption tools to previous victims. While this marks the end of a significant ransomware brand, security researchers suggest the group may rebrand and re-emerge as a data extortion-focused operation called “World Leaks.”

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.