CyberSecurity Newsletter 23rd June 2025
In this week’s news: a covert tracking mechanism used by Meta and Yandex that potentially affects billions of Android users; Russian hackers bypass multi-factor authentication and access Gmail accounts; a new FortiGate firewall exploit, priced at $12,000, is offered for sale on a popular underground forum; Varonis Threat Labs describes a new way to spot cyberattacks, called Jitter-Trap; a cyberattack pushes the German napkin firm Fasana into insolvency; and Intel 471 deep-dives into Black Basta’s leaked chat logs.
A new investigation has uncovered a covert tracking mechanism used by Meta and Yandex that potentially affects billions of Android users. At the heart of the issue lies a silent communication channel between mobile browsers and native apps on the same device, enabled via localhost sockets. The technique effectively links anonymous web browsing to real-world user identities.
https://informationsecuritybuzz.com/meta-yandex-secretly-tracking-android-users/
Russian hackers bypass multi-factor authentication and access Gmail accounts by leveraging app-specific passwords in advanced social engineering attacks that impersonate U.S. Department of State officials. The threat actor targeted well-known academics and critics of Russia in what is described as a “sophisticated and personalized novel social engineering attack” that did not rush the persons of interest into taking action.
https://www.bleepingcomputer.com/news/security/russian-hackers-bypass-gmail-mfa-using-stolen-app-passwords/
Jira tickets could potentially be abused for prompt injection when support staff use AI to help handle issues. This “living off AI” proof-of-concept (PoC) attack targeting Atlassian’s Model Context Protocol (MCP) and Jira Service Management (JSM) was demonstrated by Cato Networks in a blog post Thursday.
https://www.scworld.com/news/jira-tickets-become-attack-vectors-in-poc-living-off-ai-attack
A threat actor is advertising an exploit for FortiGate firewalls, priced at $12,000, on the underground forum Exploit. The post, published under the pseudonym Anon-WMG, describes a tool said to be capable of mass-compromising Fortinet devices through exposed APIs; the seller’s claims about its sophistication have not been independently verified.
https://www.redhotcyber.com/en/post/fortigate-under-attack-tools-for-mass-exploitation-of-exposed-apis-for-sale/
Microsoft is investigating a known OneDrive issue that is causing searches to appear blank for some users or return no results even when searching for files they know they've already uploaded. In a support document updated this week, the company shared that this bug impacts Windows, Android, iOS, and web users.
https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-onedrive-bug-that-breaks-file-search/
Varonis Threat Labs has described a detection technique, called Jitter-Trap, that turns the randomness attackers add to their traffic against them. Instead of trying to see through the jitter that C2 frameworks apply to beacon intervals, it treats that jitter itself as the tell-tale pattern, aiming at the post-exploitation and C2 communication stage of an intrusion, including tooling used by skilled state-sponsored groups and criminal gangs.
https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/
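The idea above, as an added example for this newsletter rather than Varonis’ own Jitter-Trap code: most C2 kits implement jitter as a uniform random offset around a fixed sleep, so the inter-arrival times of beacons to one destination fall inside a tight, flat band [sleep×(1−j), sleep×(1+j)], while human-driven traffic is bursty and spans several orders of magnitude. The thresholds, the flow records and the timestamps below are constructed assumptions, not data from the article.

```python
"""Beacon detection that treats C2 jitter as a signal rather than noise."""
import random
import statistics
from collections import defaultdict

MIN_SAMPLES = 20        # assumption: fewer gaps than this is not enough to judge a flow
MAX_SPREAD_RATIO = 1.0  # (max - min) / median; jitter of up to +/-50% stays <= 1.0
FIXED_PERIOD_RATIO = 0.05
BINS = 4                # bins across the band for the flatness test


def inter_arrival(timestamps):
    """Gaps (seconds) between consecutive connection timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def classify(timestamps):
    """Return (verdict, details) for one source->destination flow.

    verdict is 'insufficient', 'fixed-period', 'jittered-beacon' or 'human'.
    """
    deltas = inter_arrival(timestamps)
    if len(deltas) < MIN_SAMPLES:
        return "insufficient", {"n": len(deltas)}
    lo, hi = min(deltas), max(deltas)
    median = statistics.median(deltas)
    spread = (hi - lo) / median if median > 0 else float("inf")
    details = {"n": len(deltas), "median": median, "spread_ratio": spread}
    if spread > MAX_SPREAD_RATIO:
        return "human", details         # gaps range too widely for a sleep+jitter loop
    if spread < FIXED_PERIOD_RATIO:
        return "fixed-period", details  # classic beacon, caught by plain periodicity
    # Jittered beacon: the gaps should be spread roughly evenly across [lo, hi].
    width = (hi - lo) / BINS
    counts = [0] * BINS
    for d in deltas:
        counts[min(int((d - lo) / width), BINS - 1)] += 1
    shares = [c / len(deltas) for c in counts]
    details["bin_shares"] = shares
    flat = max(shares) <= 0.5 and min(shares) >= 0.1
    return ("jittered-beacon" if flat else "human"), details


def scan(records):
    """Group (timestamp, src, dst) tuples by flow and classify each flow."""
    flows = defaultdict(list)
    for ts, src, dst in records:
        flows[(src, dst)].append(ts)
    return {flow: classify(ts)[0] for flow, ts in flows.items()}


def make_beacon(n, sleep=60.0, jitter=0.3, seed=7):
    """Constructed beacon timestamps: fixed sleep plus uniform jitter."""
    rng = random.Random(seed)
    t, out = 0.0, [0.0]
    for _ in range(n):
        t += sleep * (1 + rng.uniform(-jitter, jitter))
        out.append(t)
    return out


# Constructed interactive-session timestamps: bursts of clicks separated by idle gaps.
HUMAN = [0, 0.4, 0.9, 1.1, 2.0, 35.0, 35.3, 36.0, 120.0, 121.5, 122.0,
         700.0, 700.2, 702.0, 1500.0, 1501.0, 3600.0, 3600.5, 3601.0,
         3602.0, 7200.0, 7201.0]

if __name__ == "__main__":
    records = [(t, "10.0.0.5", "c2.example") for t in make_beacon(120)]
    records += [(t, "10.0.0.5", "intranet.example") for t in HUMAN]
    for (src, dst), verdict in scan(records).items():
        print(f"{src} -> {dst}: {verdict}")
```

The spread test alone already separates a sleep-and-jitter loop from a browsing session; the flatness test is what makes the jitter itself the signal, because a uniform band of intervals is something human traffic almost never produces. Longer sleeps need proportionally longer observation windows before MIN_SAMPLES is reached, and a beacon that picks its sleep from a non-uniform distribution would need a different flatness model.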
American insurance giant Aflac disclosed that its systems were breached in a broader campaign targeting insurance companies across the United States by attackers who may have stolen personal and health information. Aflac (short for American Family Life Assurance Company) is the largest supplemental insurance provider in the U.S. and a Fortune 500 company that provides insurance services to millions of customers in the U.S. and Japan.
https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/
The recent cyber-attacks on UK retailers Marks & Spencer (M&S) and The Co-op have been publicly linked, with the Cyber Monitoring Centre (CMC) assessing them as a single, combined cyber event.
https://www.infosecurity-magazine.com/news/ms-coop-hacks-single-event/
A cyberattack pushed the German napkin firm Fasana into insolvency, likely worsening existing financial troubles and serving as the final blow. The company was forced to halt production and delay May salaries, and is estimated to have lost €2 million in the two weeks following the attack. Now insolvent, it is seeking a new buyer after having been acquired in March.
https://securityaffairs.com/179160/security/ransomware-attack-napkin-firm-fasana-insolvency.html
CoinMarketCap, the popular cryptocurrency price tracking site, suffered a website supply chain attack that exposed visitors to a wallet-drainer campaign. On Friday evening, June 20, visitors began seeing Web3 popups asking them to connect their wallets to the site; when they did, a malicious script drained cryptocurrency from the connected wallets.
https://www.bleepingcomputer.com/news/security/coinmarketcap-briefly-hacked-to-drain-crypto-wallets-via-fake-web3-popup/
Cyberattacks on insurance companies in the U.S. are continuing: Aflac reported to the Securities and Exchange Commission (SEC) on June 20 that it had discovered an attack on its network on June 12. The company said the attack, like many others U.S. insurance companies are experiencing, was carried out by a sophisticated cybercrime group using social engineering tactics.
https://www.scworld.com/news/aflac-among-victims-in-cyberattacks-targeting-us-insurance-industry
A campaign attributed to a Russian state-linked group tricks targets into creating and handing over Google App-Specific Passwords (ASPs). Because an ASP authenticates a mail client without a second-factor prompt, it gives the attacker mailbox access that bypasses the account’s multi-factor authentication (MFA).
https://hackread.com/hackers-use-social-engineering-expert-russian-operations/
Researchers discovered two local privilege escalation flaws that, chained together, could let a local attacker gain root access on systems running major Linux distributions.
https://securityaffairs.com/179174/security/linux-flaws-chain-allows-root-access-across-major-distributions.html
The Black Basta ransomware-as-a-service (RaaS) group made more than US $100 million in ransoms and targeted at least 580 entities during its reign between 2021 and early 2025. It earned this in part by recruiting experienced cybercrime players: the group’s leader, the actor tramp, who was tangentially linked to the Conti ransomware group, had extensive contacts in this criminal ecosystem. These insights come from a February 2025 leak in which an unknown person using the nickname ExploitWhispers published 197,000 of the group’s chat messages covering a nearly one-year period between Sept. 18, 2023 and Sept. 28, 2024.
https://intel471.com/blog/a-look-at-tinker-black-bastas-phishing-fixer-negotiator
On May 22, 2025, U.S. and European law enforcement disrupted the infrastructure of DanaBot, a banking trojan that infected computers and stole financial and personal information. Intel 471 contributed intelligence to the operation, which also disclosed the real-world identities of two people allegedly linked to the malware: its developer, JimmBee, and a sales representative, O*nix, both active participants in Russian-language cybercrime circles. DanaBot was one of the most prevalent banking malware families distributed between 2018 and 2020, sold as a monthly subscription in the malware-as-a-service (MaaS) model that has enabled data theft operations at large scale.
https://intel471.com/blog/danabot-malware-disrupted-threat-actors-named
SecurityScorecard’s STRIKE team has uncovered a network of compromised small office and home office (SOHO) devices it calls LapDogs. The threat is part of a broader shift in how China-nexus threat actors use Operational Relay Box (ORB) networks to hide their operations.
https://www.helpnetsecurity.com/2025/06/23/lapdogs-shortleash-backdoor-linux-soho-devices/
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site. The malicious activity was spotted by Wordfence, which had warned last month about the severity of the flaw, tracked under CVE-2025-4322, urging users to upgrade immediately.
https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-mass-exploited-to-hijack-admin-accounts/
Zimperium zLabs has uncovered a major evolution of the GodFather Android trojan, which uses on-device virtualization to hijack real banking and crypto apps. Instead of using fake overlays, the malware creates a sandbox on the victim’s device, runs actual apps inside it, and intercepts user input in real time. This technique allows for full account takeovers and bypasses security features. The current campaign targets Turkish banks and shows a serious leap in mobile malware tactics.
https://securityaffairs.com/179191/malware/godfather-android-trojan-uses-virtualization-to-hijack-banking-and-crypto-apps.html
The Taiwanese cryptocurrency exchange BitoPro claims the North Korean hacking group Lazarus is behind a cyberattack that led to the theft of $11,000,000 worth of cryptocurrency on May 8, 2025. The company has attributed the attack to Lazarus based on the evidence recovered from its internal investigations. It notes that the attack patterns and methodology closely resemble those used in past cyberattacks.
https://www.bleepingcomputer.com/news/security/bitopro-exchange-links-lazarus-hackers-to-11-million-crypto-heist/
Oxford City Council warns it suffered a data breach where attackers accessed personally identifiable information from legacy systems. The incident has also caused an ICT service disruption, as announced on the website, and although most of the impacted systems have been brought back online, the remaining backlogs may continue to cause delays.
https://www.bleepingcomputer.com/news/security/oxford-city-council-suffers-breach-exposing-two-decades-of-data/