Cyber Threat Intelligence 03 July 2025
Financial Sector
- How FinTechs Are Turning GRC Into a Strategic Enabler
"In this Help Net Security interview, Alexander Clemm, Corp GRC Lead, Group CISO, and BCO at Riverty, shares how the GRC landscape for FinTechs has matured in response to tighter regulations and global growth. He discusses the impact of frameworks like DORA and the EU AI Act, and reflects on building a culture where compliance supports, rather than slows, business progress."
https://www.helpnetsecurity.com/2025/07/02/alexander-clemm-riverty-fintechs-grc-landscape/
New Tooling
- Secretless Broker: Open-Source Tool Connects Apps Securely Without Passwords Or Keys
"Secretless Broker is an open-source connection broker that eliminates the need for client applications to manage secrets when accessing target services like databases, web services, SSH endpoints, or other TCP-based systems."
https://www.helpnetsecurity.com/2025/07/02/secretless-broker-open-source-tool-connects-apps-securely/
https://github.com/cyberark/secretless-broker
Vulnerabilities
- Cisco Warns That Unified CM Has Hardcoded Root SSH Credentials
"Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges. Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features. The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing."
https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
https://securityaffairs.com/179577/security/cisco-removed-the-backdoor-account-from-its-unified-communications-manager.html
https://www.theregister.com/2025/07/02/cisco_patch_cvss/
- 600,000 WordPress Sites Affected By Arbitrary File Deletion Vulnerability In Forminator WordPress Plugin
"On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be leveraged to delete critical files like wp-config.php, which can lead to remote code execution. Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $8,100.00 for this discovery, the top bounty awarded through our program so far."
https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-arbitrary-file-deletion-vulnerability-in-forminator-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/forminator-plugin-flaw-exposes-wordpress-sites-to-takeover-attacks/
https://www.securityweek.com/forminator-wordpress-plugin-vulnerability-exposes-400000-websites-to-takeover/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/02/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Analysis Of Attacks Targeting Linux SSH Servers For Proxy Installation
"AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting Linux servers that are inappropriately managed using honeypots. One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large number of DDoS and coinminer attackers. ASEC has identified cases where Linux servers were attacked to install proxies. In each case, TinyProxy or Sing-box was installed. No other attack logs were found except for the installation of TinyProxy or Sing-box. It appears that the attackers aim to use the infected systems as proxy nodes."
https://asec.ahnlab.com/en/88749/
- DCRAT Impersonating The Colombian Government
"The FortiMail IR team recently uncovered a new email attack distributing a Remote Access Trojan called DCRAT. The threat actor is impersonating a Colombian government entity to target organizations in Colombia. The threat actor uses multiple techniques, such as a password protected archive, obfuscation, steganography, base64 encoding, and multiple file drops, to evade detection."
https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
- June's Dark Gift: The Rise Of Qwizzserial
"Discovered by Group-IB in mid-2024, the Qwizzserial, which was initially not very active, began to spread strongly in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA sms, transmitting it to fraudsters via Telegram bots."
https://www.group-ib.com/blog/rise-of-qwizzserial/
https://www.infosecurity-magazine.com/news/android-sms-stealer-100000/
- Okta Observes v0 AI Tool Used To Build Phishing Sites
"Okta Threat Intelligence has observed threat actors abusing v0, a breakthrough Generative Artificial Intelligence (GenAI) tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages. This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts. Okta researchers were able to reproduce our observations."
https://www.okta.com/newsroom/articles/okta-observes-v0-ai-tool-used-to-build-phishing-sites/
https://thehackernews.com/2025/07/vercels-v0-ai-tool-weaponized-by.html
- MacOS NimDoor | DPRK Threat Actors Target Web3 And Crypto Platforms With Nim-Based Malware
"In April 2025, Huntabil.IT observed a targeted attack on a Web3 startup, attributing the incident to a DPRK threat actor group. Several reports on social media at the time described similar incidents at other Web3 and Crypto organizations. Analysis revealed an attack chain consisting of an eclectic mix of scripts and binaries written in AppleScript, C++ and Nim. Although the early stages of the attack follow a familiar DPRK pattern using social engineering, lure scripts and fake updates, the use of Nim-compiled binaries on macOS is a more unusual choice. A report by Huntress in mid-June described a similar initial attack chain as observed by Huntabil.IT, albeit using different later stage payloads."
https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
https://www.bleepingcomputer.com/news/security/nimdoor-crypto-theft-macos-malware-revives-itself-when-killed/
https://thehackernews.com/2025/07/north-korean-hackers-target-web3-with.html
- FoxyWallet: 40+ Malicious Firefox Extensions Exposed
"A large-scale malicious campaign has been uncovered involving dozens of fake Firefox extensions designed to steal cryptocurrency wallet credentials. These extensions impersonate legitimate wallet tools from widely-used platforms such as Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox. Once installed, the malicious extensions silently exfiltrate wallet secrets, putting users’ assets at immediate risk. So far, we were able to link over 40 different extensions to this campaign, which is still ongoing and very much alive — some extensions are still available on the marketplace. The linkage was done through a meticulous effort of discovering shared TTPs and infrastructure."
https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/
- French Cybersecurity Agency Confirms Government Affected By Ivanti Hacks
"France’s cybersecurity agency reported on Tuesday that a range of government, utility and private sector entities in the country were impacted by a hacking campaign last year exploiting multiple zero-day vulnerabilities in an Ivanti appliance. The campaign, which had prompted a warning in September by U.S. cybersecurity authorities, targeted the Ivanti Cloud Service Appliance — a bit of software that connects on-premise networks with cloud-based services. In France, the hacking campaign targeted “organizations from governmental, telecommunications, media, finance, and transport sectors,” stated the report from ANSSI — the Agence Nationale de la Sécurité des Systèmes d’Information (the National Agency for the Security of Information Systems) — exploiting bugs tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380."
https://therecord.media/france-anssi-report-ivanti-bugs-exploited
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
https://www.darkreading.com/cyber-risk/initial-access-broker-self-patches-zero-days
https://www.bankinfosecurity.com/chinese-hackers-exploited-ivanti-flaw-in-france-a-28888
https://www.infosecurity-magazine.com/news/chinese-hackers-france-ivanti/
- PDFs: Portable Documents, Or Perfect Deliveries For Phish?
"The portable document format (PDF) is a standard method for sharing information electronically. Files created in other applications (e.g., Microsoft Word) are often converted into this format, which can then be viewed using PDF rendering applications like Adobe Reader, commonly available on most OSs. Thanks to its excellent portability, this file format is widely used for the mass distribution of documents to large audiences. However, in recent months, it has also been exploited for illegitimate purposes, such as brand impersonation."
https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
https://thehackernews.com/2025/07/hackers-using-pdfs-to-impersonate.html
- Jasper Sleet: North Korean Remote IT Workers’ Evolving Tactics To Infiltrate Organizations
"Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). The changes noted in the North Korean remote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software."
https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
https://www.darkreading.com/cyberattacks-data-breaches/scope-scale-spurious-north-korean-it-workers
- Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands Of Websites To Spoof Popular Retail Brands
"From a lead gained through a recent X/Twitter post by Mexican journalist Ignacio Gómez Villaseñor, Silent Push Threat Analysts have been investigating a new phishing e-commerce website scam campaign. The original campaign observed was targeting Spanish-language visitors shopping for the “Hot Sale 2025.” The research by Gómez Villaseñor focused on specific domains found on one IP address targeting Spanish-language audiences; however, it was but one slice of a much larger campaign."
https://www.silentpush.com/blog/fake-marketplace/
https://therecord.media/china-linked-hackers-website-phishing
- Cl0p Cybercrime Gang's Data Exfiltration Tool Found Vulnerable To RCE Attacks
"Security experts have uncovered a hole in Cl0p's data exfiltration tool that could potentially leave the cybercrime group vulnerable to attack. The vulnerability in the Python-based software, which was used in the 2023-2024 MOVEit mass data raids, was discovered by Italian researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL). Classed as an improper input validation (CWE-20) bug, the flaw with an 8.9 severity score is underpinned by a lack of input sanitization, which results in the tool constructing OS commands by concatenating attacker-supplied strings."
https://www.theregister.com/2025/07/02/cl0p_rce_vulnerability/
https://vulnerability.circl.lu/vuln/gcve-1-2025-0002
- Windows Shortcut (LNK) Malware Strategies
"Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples. Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware."
https://unit42.paloaltonetworks.com/lnk-malware/
- ESET Research: Russia’s Gamaredon APT Group Unleashed Spearphishing Campaigns Against Ukraine With An Evolved Toolset
"ESET Research has released a white paper about Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed across the previous year. Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions since at least 2013. In 2024, Gamaredon exclusively attacked Ukrainian institutions. ESET’s latest research shows that the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools. The group’s objective is cyberespionage aligned with Russian geopolitical interests. Last year, the group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods, and one attack payload was used solely to spread Russian propaganda."
https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/
https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-gamaredon-ukraine-phishing
Breaches/Hacks/Leaks
- US Calls Reported Threats By Pro-Iran Hackers To Release Trump-Tied Material a ‘Smear Campaign’
"Pro-Iran hackers have threatened to release emails supposedly stolen from people connected to President Donald Trump, according to a news report, a move that federal authorities call a “calculated smear campaign.” The United States has warned of continued Iranian cyberattacks following American strikes on Iran’s nuclear facilities and the threats those could pose to services, economic systems and companies. The Cybersecurity and Infrastructure Security Agency said late Monday that the threat to expose emails about Trump is “nothing more than digital propaganda” meant to damage Trump and other federal officials."
https://www.securityweek.com/us-calls-reported-threats-by-pro-iran-hackers-to-release-trump-tied-material-a-smear-campaign/
- Medical Device Company Surmodics Reports Cyberattack, Says It’s Still Recovering
"Minnesota-based company Surmodics said a cyberattack on June 5 forced the medical device manufacturer to shut down parts of its IT system. Surmodics is the largest U.S. provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Last month its IT team discovered unauthorized access in its network and took systems offline, while using alternative methods to accept customer orders and ship products. Law enforcement has been notified, according to a filing with the U.S. Securities and Exchange Commission (SEC)."
https://therecord.media/surmodics-medical-device-company-reports-cybersecurity-incident
- Hacker With ‘Political Agenda’ Stole Data From Columbia, University Says
"A hacktivist with a “political agenda” broke into Columbia University IT systems and stole “targeted” student data in recent weeks, a university official said Tuesday. It is unclear how long the hacker was in university systems but a Columbia spokesperson said there has been no threat activity detected since June 24. Last week, the school said it was investigating a cyberattack and the university’s website and other systems were intermittently offline. “Our investigation has indicated the hackers are highly sophisticated and were very targeted in their theft of documents,” the university official said. “They broke in and stole student data with the apparent goal of furthering their political agenda.”"
https://therecord.media/hacker-political-agenda-columbia-cyberattack
- Ransomware Gang Attacks German Charity That Feeds Starving Children
"Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang. The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities. A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site."
https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack
- Hacktivists' Claimed Breach Of Nuclear Secrets Debunked
"Security experts are dismissing a pro-Iranian hacktivist group's claim to have breached Indian nuclear secrets in reprisal for the country's support of Israel. The LulzSec Black group last week claimed to have hacked "the company responsible for Indian nuclear reactors" and to have stolen 80 databases, of which it was now selling 17 databases containing 5.2 gigabytes of data. The group claimed the information detailed the precise location of India's nuclear reactors, numerous chemical laboratories, employee personally identifiable information, industrial and engineering information, precise details of guard shifts and "other sensitive data related to infrastructure.""
https://www.bankinfosecurity.com/hacktivists-claimed-breach-nuclear-secrets-debunked-a-28881
General News
- Cybersecurity Essentials For The Future: From Hype To What Works
"Cybersecurity never stands still. One week it’s AI-powered attacks, the next it’s a new data breach, regulation, or budget cut. With all that noise, it’s easy to get distracted. But at the end of the day, the goal stays the same: protect the business. CISOs are being asked to juggle more, with tighter resources, more boardroom time, and threats that keep changing. Here are five areas that deserve your attention now and going forward."
https://www.helpnetsecurity.com/2025/07/02/cybersecurity-essentials-best-practices/
- Scammers Are Tricking Travelers Into Booking Trips That Don’t Exist
"Not long ago, travelers worried about bad weather. Now, they’re worried the rental they booked doesn’t even exist. With AI-generated photos and fake reviews, scammers are creating fake listings so convincing, people are losing money before they even pack a bag. The FTC reported that Americans lost $274 million to vacation and travel fraud in 2024."
https://www.helpnetsecurity.com/2025/07/02/ai-travel-scams/
- DOJ Investigates Ex-Ransomware Negotiator Over Extortion Kickbacks
"An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company claims to have conducted over 2,000 ransomware negotiations since 2017. Bloomberg first reported that the DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments, then allegedly received a cut of the ransom that was charged to the customer."
https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomware-negotiator-over-extortion-kickbacks/
- Spain Arrests Hackers Who Targeted Politicians And Journalists
"The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price. "The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement."
https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/
https://therecord.media/spain-arrests-two-data-leaks-targeting-gov-officials-journalists
- Spain TLD’s Recent Rise To Dominance
"Threat actors use various Top-Level Domains (TLDs) to host malicious content and serve as Command and Control (C2) locations. Commonly abused TLDs used to host credential phishing include .ru and .com. More recently, Cofense Intelligence detected a meteoric increase in abuse of the .es TLD for malicious activity. From Q4 2024 to Q1 2025, .es TLD abuse increased 19x and became part of the top 10 abused TLDs in credential phishing. This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs). These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse."
https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
- 1 Year Later: Lessons Learned From The CrowdStrike Outage
"One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity. The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective."
https://www.darkreading.com/vulnerabilities-threats/1-year-later-lessons-crowdstrike-outage
- Rethinking Cyber-Risk As Traditional Models Fall Short
"Rapidly advancing technology, increasingly sophisticated attackers, and a rise in supply chain threats make systemic cyber-risk difficult to assess. An influx of vulnerabilities that continue to amass each year, paired with faster exploit times, doesn't help. Risk models developed to measure systemic cyber-risk can help organizations determine the likelihood of a disruptive attack and expose security holes. Insurers use modeling to assess systemic cyber-risk, which influences underwriting, coverage, and policy pricing decisions."
https://www.darkreading.com/cyber-risk/rethinking-cyber-risk-traditional-models-fall-short
- Like Ransoming a Bike: Organizational Muscle Memory Drives The Most Effective Response
"Ransomware has become an enterprise boogeyman, experiencing a 37 percent increase over 2024 according to the Verizon Data Breach Investigations Report (PDF), being present in nearly half of all breaches. It would seem that resistance is futile as all the technology and training put in place fail to repel attacks, and all the best practices in backups and redundancy provide only cold comfort. But in the old joke of a tiger pursuing two friends, there are lessons in survivability that translate in a business context. However, in this context it’s not just being the faster friend; it’s organizational athleticism and muscle memory fostering agility and quick, decisive thinking that can make a massive difference in impact. And as with athletic performance, that muscle memory is earned with proper training, form, and practice."
https://www.securityweek.com/like-ransoming-a-bike-organizational-muscle-memory-drives-the-most-effective-response/
- That Network Traffic Looks Legit, But It Could Be Hiding a Serious Threat
"Where do you turn when firewalls and endpoint detection and response (EDR) fall short at detecting the most important threats to your organization? Breaches at edge devices and VPN gateways have risen from 3% to 22%, according to Verizon's latest Data Breach Investigations report. EDR solutions are struggling to catch zero-day exploits, living-off-the-land techniques, and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behavior, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient as threat actors adapt their strategies, using clever techniques like credential theft or DLL hijacking to avoid discovery."
https://thehackernews.com/2025/07/that-network-traffic-looks-legit-but-it.html
References
Electronic Transactions Development Agency (ETDA)