Cyber Threat Intelligence 30 June 2025
Healthcare Sector
- Feds Warn Patients, Healthcare Entities Of Phishing Scams
"U.S. federal authorities are warning the public and healthcare sector organizations of email and fax phishing scams by fraudsters seeking to steal personal information about patients or payments. The warnings come as three large U.S. insurers continue to recover from recent cyberattacks. The FBI and its Internet Crime Complaint Center in a joint alert issued Friday warned the public about criminals impersonating legitimate health insurers and their investigative team members."
https://www.bankinfosecurity.com/feds-warn-patients-healthcare-entities-phishing-scams-a-28852
https://www.ic3.gov/PSA/2025/PSA250627
https://www.theregister.com/2025/06/27/patients_providers_records_payment_scam/
Vulnerabilities
- Hackers Make Hay? Smart Tractors Vulnerable To Full Takeover
"Researchers have figured out how to simultaneously spy on tens of thousands of smart tractors around the world, and even take full control over any of them. Smart farming is on the rise, in an effort to enhance farming practices by improving efficiency, reducing labor costs, and optimizing resources. Tractors are thus increasingly equipped with advanced technologies like GPS, sensors, and artificial intelligence, which enable them to operate autonomously in some cases, or be controlled remotely. In their most basic form, there's still someone inside the vehicle, but the tractor is connected to the cloud in order to get real-time weather data or location information, among other things."
https://www.darkreading.com/cloud-security/hackers-hay-smart-tractors-vulnerable-takeover
- How We Turned a Real Car Into a Mario Kart Controller By Intercepting CAN Data
"If you went to our PTP Cyber Fest over the Infosec week you may have seen the PTP hack car being used as a games controller for the game SuperTuxKart (a free and open-source Mario Kart type game). You really could steer, accelerate and brake using the car, ‘driving’ the on screen kart! This was based on a silly idea I had last year as a way of making a more fun demo than just teaching people how to intercept and replay CAN messages. Here is the post that explains it."
https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into-a-mario-kart-controller-by-intercepting-can-data/
https://www.theregister.com/2025/06/27/renault_clio_racing_controller/
- Security Advisory: Airoha-Based Bluetooth Headphones And Earbuds
"During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference."
https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
https://www.bleepingcomputer.com/news/security/bluetooth-flaws-could-let-hackers-spy-through-your-microphone/
Malware
- Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
"Citrix released an advisory for CVE-2025-5777 affecting NetScaler ADC and Gateway devices, allowing attackers to hijack user sessions and bypass authentication. While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access. Citrix recommends patching affected systems to the latest versions and terminating active sessions to mitigate session hijacking and further risks of exploitation."
https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
https://www.bleepingcomputer.com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/
https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-active-exploitation
https://www.infosecurity-magazine.com/news/citrixbleed-2-vulnerability/
https://www.securityweek.com/evidence-suggests-exploitation-of-citrixbleed-2-vulnerability/
- Case Of Attacks Targeting South Korean Web Servers Using MeshAgent And SuperShell
"Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using a file upload vulnerability and used it to install additional payloads. Through reconnaissance and lateral movement, the attackers attempted to infect not only the compromised system but also other systems within the organization."
https://asec.ahnlab.com/en/88627/
- Scattered Spider Hackers Shift Focus To Aviation, Transportation Firms
"Hackers associated with "Scattered Spider" tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors. These threat actors have employed a sector-by-sector approach, initially targeting retail companies, such as M&S and Co-op, in the United Kingdom and the United States and subsequently shifting their focus to insurance companies. While the threat actors were not officially named as responsible for insurance sector attacks at first, recent incidents have impacted Aflac, Erie Insurance, and Philadelphia Insurance Companies."
https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/
https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html
https://securityaffairs.com/179413/cyber-crime/the-fbi-warns-that-scattered-spider-is-now-targeting-the-airline-sector.html
- Scattered Spider’s Calculated Path From CFO To Compromise
"“Scattered Spider” targets executive and administrative accounts, exploiting human trust and workflows to bypass multi-factor authentication (MFA) and infiltrate critical systems. The group showed technical sophistication by dumping NTDS.dit and harvesting over 1,400 secrets. By leveraging unmanaged virtual machines (VMs), ngrok, and privileged service principals, Scattered Spider maintained persistence while evading detection. To counter these threats, organizations should monitor privileged accounts, enforce strict identity verification protocols, implement hypervisor-level logging, conduct social engineering assessments, and train employees to recognize manipulation tactics."
https://reliaquest.com/blog/scattered-spiders-calculated-path-from-cfo-to-compromise/
https://www.darkreading.com/cloud-security/scattered-spider-cfo-scorched-earth-attack
https://www.bankinfosecurity.com/teardown-how-scattered-spider-hacked-logistics-firm-a-28846
- The New Face Of Remcos: Path Bypass And Masquerading
"Since last year and well into this year, Remcos malware campaigns stayed very active, continually morphing to stay hidden. Attackers usually send phishing emails with malicious files like malicious shortcuts, scripts or documents. When a victim opens the file, it quietly drops the Remcos program and hides it in new folders with similar names to legitimate Windows system folders on the PC. Once installed, Remcos lets the attackers control the PC, steal passwords and record keystrokes. The malware keeps a backdoor open by setting up scheduled tasks or other sneaky tricks. This way, they stay on the system for a long time without being detected."
https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
https://hackread.com/remcos-malware-campaigns-hit-businesses-and-schools/
- Fake DocuSign Email Hides Tricky Phishing Attempt
"On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page. Webflow is a visual website builder that allows designers and developers to create custom, responsive websites. It’s a no-code solution that allows users to visually design, build, and launch websites directly in the browser. The attack all starts with an email claiming to be from a known contact, referencing a completed DocuSign document."
https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tricky-phishing-attempt
- DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
"Netskope Threat Labs has discovered a campaign using fake installers to deliver the Sainbox RAT and Hidden rootkit. During our threat hunting activities, we encountered multiple installers disguised as legitimate software, including WPS Office, Sogou, and DeepSeek. These installers were mainly MSI files that were delivered via phishing websites. Both the phishing pages and installers were in Chinese, indicating that the targets are Chinese speakers. We can attribute this attack to Silver Fox (a China-based adversary group) with medium confidence based on the TTPs, particularly the phishing websites, the fake installers for popular Chinese software, the use of Gh0stRAT variants, and the targeting of Chinese speakers."
https://www.netskope.com/blog/deepseek-deception-sainbox-rat-hidden-rootkit-delivery
https://thehackernews.com/2025/06/chinese-group-silver-fox-uses-fake.html
https://www.securityweek.com/chinese-hackers-target-chinese-users-with-rat-rootkit/
- Hive0154 Aka Mustang Panda Shifts Focus On Tibetan Community To Deploy Pubload Backdoor
"In June 2025, IBM X-Force researchers discovered China-aligned threat actor, Hive0154, spreading Pubload malware featuring lure documents and filenames targeting the Tibetan community. The Tibetan sovereignty dispute is often invoked by Chinese threat groups in their cyber operations, with the latest campaign coinciding with activities leading up to a major event for the Tibetan community, the Dalai Lama's 90th birthday."
https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor
https://thehackernews.com/2025/06/pubload-and-pubshell-malware-used-in.html
- GIFTEDCROOK’s Strategic Pivot: From Browser Stealer To Data Exfiltration Platform During Critical Ukraine Negotiations
"The Arctic Wolf Labs team has discovered that the cyber-espionage group UAC-0226, known for utilising the infostealer GIFTEDCROOK, has significantly evolved its capabilities. It has transitioned the malware from a basic browser data stealer (which we’re referring to as v1), through two new upgrades (v1.2 and v1.3) into a robust intelligence-gathering tool. Analysis of early files from February 2025 suggests that the GIFTEDCROOK project began as a demo during that period. It subsequently matured and was put into production in March 2025, with new capabilities continuously being developed and added since then."
https://arcticwolf.com/resources/blog-uk/giftedcrooks-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform-during-critical-ukraine-negotiations/
https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
- Anubis Ransomware Targets Global Victims With Wiper Functionality
"This blog provides a detailed technical analysis of Anubis ransomware, an emerging RaaS threat known for combining data encryption with an optional file-wiping feature that permanently destroys victim data. By mapping its behavior to the MITRE ATT&CK Enterprise framework, we explore the full attack chain, from initial access via spear-phishing to the use of ECIES-based encryption and file-wiping mechanisms that amplify impact."
https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality
Breaches/Hacks/Leaks
- Hawaiian Airlines Discloses Cyberattack, Flights Not Affected
"Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack."
https://www.bleepingcomputer.com/news/security/hawaiian-airlines-discloses-cyberattack-flights-not-affected/
https://therecord.media/hawaiian-airlines-cyberattack-flights-safe
https://cyberscoop.com/scattered-spider-aviation-hawaiian-airlines-cyberattack/
https://www.infosecurity-magazine.com/news/hawaiian-airlines-cybersecurity/
https://www.theregister.com/2025/06/27/aloha_youve_been_pwned_hawaiian/
- Retail Giant Ahold Delhaize Says Data Breach Affects 2.2 Million People
"Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems. The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online."
https://www.bleepingcomputer.com/news/security/retail-giant-ahold-delhaize-says-data-breach-affects-22-million-people/
https://therecord.media/hackers-cyberattack-grocery-chain
https://www.bankinfosecurity.com/food-retail-giants-breach-22-million-employees-affected-a-28842
https://www.theregister.com/2025/06/27/ahold_delhaize_breach/
General News
- Money Mule Networks Evolve Into Hierarchical, Business-Like Criminal Enterprises
"In this Help Net Security interview, Michal Tresner, CEO of ThreatMark, discusses how cybercriminals are weaponizing AI, automation, and social engineering to industrialize money mule operations. He looks at how these networks have changed and how behavioral intelligence is helping to catch fraud. Tresner also shares practical tips for CISOs trying to stop mule activity before it gets out of hand."
https://www.helpnetsecurity.com/2025/06/27/michal-tresner-threatmark-money-mule-networks/
- After a Hack Many Firms Still Say Nothing, And That’s a Problem
"Attackers are more inclined to “log in rather than break in,” using stolen credentials, legitimate tools, and native access to stealthily blend into their target’s environment, according to Bitdefender’s 2025 Cybersecurity Assessment Report. 68% of security leaders are focusing on reducing the number of tools and applications running in their environments. Why? Because every unused admin account, unnecessary app, or extra permission is a potential doorway for attackers, and a place for them to hide once they’re in. By turning off what’s not needed, organizations give attackers fewer options."
https://www.helpnetsecurity.com/2025/06/27/cybersecurity-risk-reduction-breach-transparency/
- We Know GenAI Is Risky, So Why Aren’t We Fixing Its Flaws?
"Even though GenAI threats are a top concern for both security teams and leadership, the current level of testing and remediation for LLM and AI-powered applications isn’t keeping up with the risks, according to Cobalt. Pentesting data from the report highlights a troubling reality: LLM applications often have serious security vulnerabilities. These high-risk issues appear more frequently in LLMs than in any other type of system, showing that LLM deployments carry a particularly elevated risk."
https://www.helpnetsecurity.com/2025/06/27/cobalt-research-llm-security-vulnerabilities/
- Vulnerability Debt: How Do You Put a Price On What To Fix?
"As defined by the UK National Cyber Security Centre, a vulnerability is "a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.""
https://www.darkreading.com/vulnerabilities-threats/vulnerability-debt-fix-price
Reference
Electronic Transactions Development Agency (ETDA)