June 30, 2025 Cyber Threat Intelligence Briefing
Author: Kroll
Uploaded: 2025-06-30
Views: 144
Description:
This week’s briefing covers:
00:00 - Intro
01:18 [THREAT ACTOR ACTIVITY] Threat Actor 'IntelBroker' Arrested and Charges Announced
The U.S. Attorney for the Southern District of New York, Jay Clayton, and the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (FBI), Christopher G. Raia, announced the unsealing of a four-count criminal Indictment and Complaint charging Kai West, also known as “IntelBroker” and “Kyle Northern,” with a years-long hacking scheme.
02:13 [TECHNIQUE] 'FileFix' Technique is the New ClickFix
"FileFix" is a new social engineering technique designed as an alternative to the ClickFix attack, described by Security Researcher “Mr.D0x.” ClickFix exploits the Windows Run Dialog to trick users into executing malicious commands. FileFix, however, leverages the file upload functionality in browsers.
03:37 [THREAT ACTOR ACTIVITY] Impersonation of SonicWall's NetExtender Application
SonicWall, in collaboration with Microsoft, has reported on a campaign that impersonated its NetExtender application in order to exfiltrate victims' VPN configuration information to an adversary-controlled server.
04:41 [THREAT ACTOR ACTIVITY] KTA007 (AKA APT28) Sending Malicious Documents via Signal
The campaign revolves around files sent via the Signal messaging app, commonly used on smartphones. In this case, Word documents containing malicious macros targeting the Windows operating system were sent. This means the attack relies on the victim using a desktop version of Signal or transferring the malicious document between devices themselves.
05:49 [CAMPAIGN] KTA374 (Salt Typhoon) Target Telecoms Organizations in Canada
The Canadian Centre for Cyber Security and FBI have published a report on Salt Typhoon (tracked by Kroll as KTA374) and its recent targeting of telecommunications organizations in February 2025. This follows previous reporting of the group targeting the same sector in the U.S., indicating a wider campaign scope.
07:10 [CAMPAIGN] KTA243 (Scattered Spider) Focuses on the Aviation Sector
Both Hawaiian Airlines and WestJet Airlines have recently reported experiencing cybersecurity incidents. Hawaiian Airlines disclosed a “cybersecurity event” affecting some IT systems, while WestJet reported an intrusion impacting internal systems and their mobile app.
08:16 [CAMPAIGN] 7.3 Tbps DDoS Attack Recorded
Cloudflare reported a new massive DDoS attack. The report states that by combining UDP floods with legacy protocol amplification (RIPv1/QOTD) and MIRAI-based IoT botnets, threat actors achieved a throughput of 7.3 Tbps. According to Cloudflare, the traffic concentration was mostly from Brazil and Vietnam, which made up approximately 50% of the traffic origination, likely due to compromised IoT devices in those regions.
09:19 [VULNERABILITY] Critical Vulnerabilities in Cisco ISE Allow RCE
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address this vulnerability.
10:34 [VULNERABILITY] CVE-2025-5777 - CitrixBleed 2.0
An insufficient input validation leading to memory overread when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server could allow remote unauthenticated attackers to read memory, potentially exposing sensitive information such as session tokens.
11:59 [RANSOMWARE] Ransomware Posts Drop Sharply in June 2025
Key Takeaways
• June 2025 saw only 422 ransomware attacks, marking the lowest monthly total in the past nine months and a 33% drop from May.
• Since February’s peak of over 1,000 attacks, ransomware incidents have consistently declined month over month.
• Unlike earlier months, June did not feature large-scale victim listings from a single group, suggesting fewer widespread vulnerability exploitations.
• Despite the overall decline, major ransomware groups like CLOP, AKIRA, QILIN, RANSOMHUB, and PLAY continue to dominate the threat landscape.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/pub...
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/pub...
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/pub...
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyb...
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/pub...
Kroll Responder MDR: https://www.kroll.com/en/services/cyb...
#krollcyber #threatintelligence #cyberthreats