Cybersecurity Brief – 2025-06-14
Major Incidents or Breaches
- Victoria’s Secret restored all critical systems following a security incident on 24 May that led to the shutdown of corporate and e-commerce systems.
- Google experienced a major Cloud outage due to an API management issue, disrupting Google services and other online platforms. Cloudflare also suffered a significant outage but confirmed it was not security-related and no data was compromised.
- Microsoft is investigating an ongoing incident affecting authentication for Microsoft 365 users, which causes users to encounter errors when using authentication features.
- Microsoft is investigating Secure Boot errors caused by the KB5060533 update, which prevents Surface Hub v1 devices from starting up.
Newly Discovered Vulnerabilities
- Apple disclosed that a now-patched zero-click vulnerability in its Messages app was actively exploited in the wild to deploy Paragon spyware against journalists.
- A critical flaw in SimpleHelp Remote Monitoring and Management (RMM) software is being actively exploited by ransomware actors targeting unpatched instances. CISA warned that the flaw has been exploited since January.
- A flaw in Discord’s invitation system allows attackers to hijack expired or deleted invite links, redirecting users to malicious sites distributing AsyncRAT and Skuld Stealer malware.
Notable Threat Actor Activity
- Threat actors are leveraging the open-source TeamFiltration framework in a large-scale campaign targeting over 80,000 Microsoft Entra ID accounts for account takeover.
- A large-scale campaign has compromised over 269,000 legitimate websites with malicious JavaScript injections, deploying the JSFireTruck malware.
- Ransomware gangs are exploiting unpatched SimpleHelp RMM vulnerabilities to conduct double extortion attacks.
- A malware campaign is exploiting Discord invite link weaknesses to deliver AsyncRAT and Skuld Stealer, with a focus on stealing cryptocurrency wallet credentials.
Trends, Tools, or Tactics of Interest
- Increased cyberattacks against humanitarian organisations globally, with DDoS attacks, vulnerability scans, and SQL injection attacks becoming more prevalent.
- The TeamFiltration open-source framework is being abused for large-scale Entra ID account takeover attempts.
- The JSFireTruck JavaScript malware campaign highlights ongoing threats to website supply chains via large-scale malicious script injection.
- The double extortion tactic remains a preferred method for ransomware actors, as seen in attacks exploiting SimpleHelp RMM.
Regulatory or Policy Developments Affecting the Security Industry
- The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding the active exploitation of SimpleHelp RMM vulnerabilities by ransomware actors.
- Army intelligence analysts are monitoring civilian-run ICE tracking tools, treating them as potential threats amid nationwide immigration protests.
- Customs and Border Protection’s use of Predator B drones over Los Angeles marks increased federal involvement in civilian protest monitoring, raising concerns about surveillance and jurisdiction.