
BagheeraAltered's CyberSecurity Newsletter

June 9, 2025

CyberSecurity Newsletter 9th June, 2025

In this week's news: Hackers Using Fake IT Support Calls to Breach Corporate Systems, New Mirai botnet infects TBK DVR devices via command injection flaw, New Supply Chain Malware Operation Hits npm and PyPI, Ransomware and USB attacks are hammering OT systems, Police arrest 20 suspects for distributing child sexual abuse content, U.S. Offers $10M bounty for info on RedLine malware creator and state hackers, Critical Fortinet flaws now exploited in Qilin ransomware attacks, and Taiwan alleged to have targeted China with US backing.


A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) states that Play ransomware has hit approximately 900 organizations over the past three years. The Play ransomware group has been active since June 2022; its victims include the City of Oakland, the cloud services provider Rackspace, and the Dutch maritime logistics company Royal Dirkzwager.
https://securityaffairs.com/178702/cyber-crime/play-ransomware-group-hit-900-organizations-since-2022.html

China has accused Taiwan of having operated five advanced persistent threat groups under its Information, Communications and Electronic Force Command following the 2016 elections with the assistance of the U.S., according to The Register.
https://www.scworld.com/brief/taiwan-alleged-to-have-targeted-china-with-us-backing

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, a technique known as voice phishing (vishing). According to a new report from Google's Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.
https://hackread.com/hackers-fake-it-support-calls-breach-systems-google/

A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them. The flaw, tracked under CVE-2024-3721, is a command injection vulnerability disclosed by security researcher "netsecfish" in April 2024. The proof-of-concept (PoC) the researcher published at the time came in the form of a specially crafted POST request to a vulnerable endpoint, achieving shell command execution through the manipulation of certain parameters (mdb and mdc).
https://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/

Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1 million weekly downloads.
https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html

Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack. Kettering Health operates over 120 outpatient facilities and employs over 15,000 people, including over 1,800 physicians. The healthcare network noted in a Thursday statement that its network devices have been secured, and its team is now working on re-establishing communication channels with patients disrupted by the outage triggered by last month's ransomware attack.
https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/

Ransomware, trojans, and malware delivered through USB devices are putting growing pressure on industrial systems, according to the Honeywell 2025 Cyber Threat Report, which draws on data from monitoring tools deployed across industrial sites around the world. The findings highlight persistent and serious risks to OT environments that keep critical infrastructure running.

Source: Ransomware and USB attacks are hammering OT systems - Help Net Security

Law enforcement authorities from over a dozen countries have arrested 20 suspects in an international operation targeting the production and distribution of child sexual abuse material. Starting in late 2024, the Spanish National Police discovered multiple instant messaging groups dedicated to the circulation of child sexual exploitation images and alerted authorities in other countries through INTERPOL and Europol after identifying 88 suspects in the Americas, Europe, Asia, and Oceania. "In December 2024, INTERPOL invited Spanish investigators to Chile to attend the Latin America Victim Identification Task Force meeting," the international police organization said.
https://www.bleepingcomputer.com/news/security/police-arrests-20-suspects-for-distributing-child-sexual-abuse-content/

The U.S. Department of State is offering a reward of up to $10 million for information on nation-state actors linked to the RedLine infostealer and its alleged author, Russian national Maxim Alexandrovich Rudometov. US authorities are specifically interested in the use of the infostealer in cyber operations targeting critical infrastructure organizations in the United States. The bounty is part of the US DoS's Rewards for Justice program, which offers payouts for tips on foreign government hackers targeting U.S. entities.
https://securityaffairs.com/178712/cyber-crime/u-s-offers-10m-bounty-for-info-on-redline-malware-creator-and-state-hackers.html

The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely. Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for over 310 victims on its dark web leak site.
https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-exploited-in-qilin-ransomware-attacks/

Cybercriminals orchestrated the £47 million theft from Her Majesty's Revenue and Customs (HMRC) in the UK after executing a sophisticated phishing operation that compromised the online accounts of around 100,000 taxpayers. The multimillion-pound swindle serves as a prime example of the evolving nature of organised cybercrime and highlights significant vulnerabilities in digital tax systems.
https://medium.com/digital-business-insider/hmrc-phishing-scam-2f050957e517

GBHackers News reports that updates to the ViperSoftX information-stealing malware have bolstered its modularity, covertness, and persistence. Aside from featuring a complex execution flow and a GUID-based mutex identifier, compared with the older iteration's static mutex, the latest ViperSoftX malware version has also adopted HttpClient and base64-encoded command-and-control communications to better bypass network detection systems, according to findings from K7 Security Labs.
https://www.scworld.com/brief/more-sophisticated-vipersoftx-malware-variant-emerges

A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country. The payload was deployed through a legitimate endpoint administration tool, indicating that attackers had achieved administrative access to the system through a prior compromise.
https://www.bleepingcomputer.com/news/security/new-pathwiper-data-wiper-malware-hits-critical-infrastructure-in-ukraine/

A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.
https://hackread.com/popular-chrome-extensions-data-leak-unencrypted-connection/
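Two checks a defender can run for the problem described above, written for this newsletter as an added example (not code from the investigation or from any extension): first, scan an extension's manifest.json for match patterns that permit plain http://, and second, scan a list of observed request URLs for plaintext requests that carry sensitive query parameters. The manifest and the request list are constructed samples, and the set of "sensitive" parameter names is an assumption you would tune to your environment.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample manifest (Manifest V3 layout); not taken from any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Extension",
    "host_permissions": ["http://telemetry.example.test/*", "https://api.example.test/*"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["content.js"]}],
})

# Constructed sample of request URLs as they might be captured from a proxy or devtools.
SAMPLE_REQUESTS = [
    "https://api.example.test/v1/sync?uid=42",
    "http://telemetry.example.test/collect?uid=42&email=user%40example.test",
    "http://telemetry.example.test/ping",
]

# Assumed list of query parameter names worth flagging when sent in the clear.
SENSITIVE_PARAMS = {"uid", "email", "token", "session", "api_key", "password"}


def plaintext_patterns(manifest_json):
    """Return every host/match pattern in the manifest that explicitly allows plain http://.

    Patterns starting with '*://' or '<all_urls>' also allow http; they are reported
    separately by the caller's policy, so only explicit http:// patterns are returned here.
    """
    manifest = json.loads(manifest_json)
    patterns = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return sorted({p for p in patterns if p.startswith("http://")})


def flag_plaintext_requests(urls):
    """Return (url, leaked_param_names) for http:// requests carrying sensitive parameters."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue  # TLS-protected requests are out of scope for this check
        param_names = set(parse_qs(parsed.query).keys())
        leaked = sorted(param_names & SENSITIVE_PARAMS)
        if leaked:
            findings.append((url, leaked))
    return findings


if __name__ == "__main__":
    print("http:// patterns in manifest:", plaintext_patterns(SAMPLE_MANIFEST))
    for url, leaked in flag_plaintext_requests(SAMPLE_REQUESTS):
        print(f"plaintext request leaking {leaked}: {url}")
```

The manifest check is a static review step that can run in CI over an extension allowlist; the request check is what you would run over traffic captured from a test profile with the extension installed.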

Microsoft has released a PowerShell script to help restore an empty 'inetpub' folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability. In April, after installing the new security updates, Windows users suddenly found that an empty C:\Inetpub folder was created. As this folder is associated with Microsoft's Internet Information Server, users found it confusing that it was created when the web server was not installed.
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-restore-inetpub-folder-you-shouldnt-delete/

Outdoor apparel retailer The North Face is alerting its customers after detecting a credential stuffing attack in April 2025. The attack resulted in unauthorized access to customer accounts, potentially exposing personal information. VF Corporation, The North Face’s parent company, issued notification letters on May 30, following internal investigations that began on April 23.
https://dailysecurityreview.com/security-spotlight/the-north-face-confirms-credential-stuffing-attack-customer-accounts-exposed/
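Credential stuffing, as in the North Face incident above, has a distinctive shape in authentication logs: one source tries many different accounts in a short window, unlike a brute-force attack that hammers one account. The detector below is an added example written for this newsletter, not code from VF Corporation or from the article; the log format (timestamp, source IP, account, result) and the log lines themselves are constructed, and the window size and account threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-04-23T10:00:01Z 203.0.113.7 alice@example.test FAIL
2025-04-23T10:00:02Z 203.0.113.7 bob@example.test FAIL
2025-04-23T10:00:03Z 203.0.113.7 carol@example.test FAIL
2025-04-23T10:00:04Z 203.0.113.7 dave@example.test SUCCESS
2025-04-23T10:00:05Z 203.0.113.7 erin@example.test FAIL
2025-04-23T10:00:06Z 203.0.113.7 frank@example.test FAIL
2025-04-23T10:03:00Z 198.51.100.9 alice@example.test FAIL
2025-04-23T10:03:30Z 198.51.100.9 alice@example.test FAIL
2025-04-23T10:04:00Z 198.51.100.9 alice@example.test SUCCESS
"""

# Assumed line layout: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match.group(2), match.group(3), match.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that touch at least `min_accounts` distinct accounts within `window`.

    Returns {ip: {"distinct_accounts": n, "successes": [accounts that logged in]}} for the
    widest offending window per IP. Successes matter most: those are the accounts to reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in sorted(events):
        by_ip[ip].append((ts, account, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {account for _, account, _ in window_evs}
            if len(accounts) < min_accounts:
                continue
            if ip not in alerts or len(accounts) > alerts[ip]["distinct_accounts"]:
                alerts[ip] = {
                    "distinct_accounts": len(accounts),
                    "successes": sorted(a for _, a, r in window_evs if r == "SUCCESS"),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts tried, successes: {info['successes']}")
```

The second source in the sample (three attempts against one account) is deliberately not flagged: that pattern belongs to a per-account lockout rule, not to this detector. In production the same logic runs over a streaming window, and the "successes" list feeds forced password resets and session revocation.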

Cartier, the luxury jewellery brand under Richemont Group, has disclosed a cybersecurity incident in which an unauthorized party gained temporary access to its online systems. The breach, shared in a customer email obtained by Reuters, led to the theft of limited personal information.
https://dailysecurityreview.com/security-spotlight/cartier-cyberattack-exposes-customer-data-as-retail-sector-faces-ongoing-threats/

Millions of Internet-of-Things (IoT) devices running the open-source version of the Android operating system are part of the Badbox 2.0 botnet, the FBI has warned. Cyber criminals are using the botnet to perform ad fraud and click fraud. Access to and use of the compromised devices is also offered for sale through residential proxy services, which facilitate malware distribution, DDoS attacks, account takeover attacks, fake account creation, etc.
https://www.helpnetsecurity.com/2025/06/06/millions-of-android-devices-roped-into-badbox-2-0-botnet-is-yours-among-them/

