🎓️ Vulnerable U | #121

Data brokers enabling violence, New trick to use Discord to spread malware, Widespread Grafana account takeover bug

Read Time: 8 minutes


Howdy friends!

Been buzzing around for a few weeks coast to coast. But I’m back in a spot where I actually lived for a few years through Covid and it just absolutely fills my cup: Lake Tahoe.

Trouncing around California and Nevada this week has felt good. Even though I’m a city boy through and through, it’s good to get my ass up a mountain and into some water.

ICYMI

🖊️ Something I wrote: I left with such a good opinion of Sleuthcon that I wrote a quick trip report showcasing some of the highlights for me.

🎧️ Something I heard: Low Level’s breakdown of the giant internet outage from Google and Cloudflare last week.

🎤 Something I said: Talking Microsoft’s AI into giving me your data

🔖 Something I read: This thread by John Scott-Railton exposing a new Russian hacking tactic.

Vulnerable News

Data brokers aren't just annoying privacy violators - they're enabling real violence. A Minnesota man allegedly used people-search services to hunt down Democratic politicians, killing state rep Melissa Hortman and her husband, and wounding senator John Hoffman and his wife.

When they found his abandoned car, there were notebooks listing 45+ officials and 11 different people-search sites that sell home addresses, family info, and more for just a few bucks. (read more)

With deepfakes and AI tools getting sharper, verifying who’s actually requesting access isn’t so straightforward anymore. Join Persona on June 25 to see how their Know Your Employee solution helps spot sketchy behavior before it becomes an insider threat, without making life harder for HR or IT. I’m looking forward to seeing this in action! Join me: here

*Sponsored

Turns out when Discord invites expire or get deleted, attackers can snag those same invite codes for their own malicious servers using vanity URLs. So that trusted Discord link you bookmarked months ago might now lead straight to cybercriminals. The attackers set up fake verification servers that trick users into running malicious PowerShell commands through a slick "ClickFix" social engineering technique.

They’re using legitimate services like GitHub, Bitbucket, and Pastebin to host encrypted payloads, dropping AsyncRAT for remote access and a customized Skuld Stealer that specifically targets crypto wallets like Exodus and Atomic. The malware even injects malicious code into wallet applications to steal seed phrases when users unlock their wallets. Discord disabled the malicious bot, but the core technique remains a risk. (read more)

A client-side redirect vuln in Grafana (CVE-2025-4123) is still affecting over 46k internet-facing instances - that's about 36% of all exposed deployments. The bug lets attackers serve malicious plugins that can hijack user sessions and take over accounts, even with anonymous access enabled. While it needs some user interaction to work, the default plugin settings make it pretty trivial to exploit.

The exploit even bypasses CSP through Grafana's own JavaScript routing. Once an attacker gets their malicious plugin loaded, they can modify email addresses and reset passwords. If you're running Grafana, you'll want to upgrade to one of the patched versions released on May 21st. Props to bug bounty hunter Alvaro Balada for finding this one, and OX Security (original research paper) for diving deep into weaponizing it. (read more)

If you work in insurance, heads up. Google is sounding the alarm that the Scattered Spider hacking spree that retail targets just faced (we covered here and here) is switching focus. They've recently joined forces with the DragonForce ransomware crew after their RansomHub infrastructure takeover.

What makes them effective is their targeting of companies with large, often outsourced IT support teams - basically anywhere with a help desk that can be convinced to reset credentials or bypass MFA. Google's threat intel team is seeing multiple insurance sector hits that match their MO perfectly. If you're running IT support for an insurance company, time to lock down those account recovery processes and maybe give your help desk team a refresher on employee verification procedures.

Google has a really good write-up on how to defend against this kind of stuff. (read more)

Predatory Sparrow (aka Gonjeshke Darande) has hit Bank Sepah in Iran, disrupting customer services and potentially affecting gas station payments across the country. The timing is smack in the middle of the ongoing military escalation between Israel and Iran. While the group claims they had help from "brave Iranians" inside the country, most security researchers believe they're actually linked to Israeli military intelligence.

Bank Sepah has been under U.S. sanctions since 2007 for allegedly helping Iran develop nuclear-capable missiles. The attack fits into a broader pattern of high-impact cyber operations targeting Iranian infrastructure, including previous hits on steel companies and fuel distribution systems. Meanwhile, pro-Iranian groups are ramping up their own operations, reportedly eyeing Israel's emergency alert system and threatening other Middle Eastern countries supporting Israel. (read more)

Also: “Iranian state television on Tuesday afternoon urged people to remove WhatsApp from their smartphones, alleging without specific evidence that the messaging app gathered user information to send to Israel.” - source: AP

Also Also: “Iran plunged into an internet near-blackout during deepening conflict. The connectivity drop appears to be a result of a decision by Iran's government, rather than Israeli strikes on infrastructure.” source: NBC

Gonna be a wild ride.

A Chrome zero-day (CVE-2025-2783) got some action in March when a threat actor named TaxOff used it to drop their Trinper backdoor. The exploit chain started with phishing emails about a "Primakov Readings forum," leading victims to a malicious site that leveraged the sandbox escape vulnerability. Trinper itself is a multithreaded C++ backdoor that's pretty feature-rich - it can log keystrokes, grab specific file types, and take orders from its C2.

Both TaxOff and Team46 are hitting Russian targets with similar TTPs, and they're not afraid to burn zero-days - they previously exploited a Yandex Browser DLL hijacking vulnerability (CVE-2024-6473) in a rail freight industry attack. The overlap in their phishing themes and infrastructure has analysts thinking these might actually be the same group operating under different names. (read more)

Researchers at Cato Networks just caught some cybercriminals taking a shortcut with their "WormGPT" tools. Instead of building their own uncensored AI models from scratch, these enterprising scammers are basically wrapping commercial models like Grok and Mixtral with prompts that bypass their safety guardrails. The researcher managed to jailbreak these tools, discovering system prompts that instruct the AI to bypass its built-in restrictions and generate malicious content on demand.

These underground AI tools are being sold on BreachForums with subscription pricing around €550 per year, or €5,000 for private setups. They can craft phishing emails, write PowerShell malware, and handle other offensive tasks that the original models are designed to refuse. (read more)

Qualys just found some fresh Linux privilege escalation bugs that are gonna make sysadmins everywhere reach for the coffee. We've got CVE-2025-6018 hitting PAM configs in SUSE systems, letting unprivileged users bump up to "allow_active" status. Then there's CVE-2025-6019 in libblockdev that takes you from "allow_active" straight to root via the udisks daemon. Chain these babies together and you've got a nice local-to-root attack path that works across Ubuntu, Debian, Fedora, and friends.

The researchers are calling these "modern local-to-root exploits" that basically collapse the security boundaries between a regular user and full system takeover. As a bonus, there's also CVE-2025-6020 in Linux PAM itself - a path traversal bug that can also get you root through symlink shenanigans. (read more)

BlueNoroff (North Korean APT) just pulled off one hell of a social engineering trick. They convinced a crypto foundation employee to join what they thought was a legitimate Zoom meeting, but it was actually filled with deepfakes of the victim's senior leadership and external contacts. When the victim couldn't use their mic, the deepfakes told them to download a "Zoom extension" to fix the issue.

What followed was a masterclass in macOS malware engineering. The attackers deployed 8 different binaries across the victim's system, including a process injection technique that bypassed Apple's memory protections - something that's notoriously difficult on macOS. The toolkit included keyloggers, screen capture, clipboard monitoring, and a crypto-focused infostealer targeting 23 different wallet types. The whole operation was designed specifically for macOS using AppleScript, native APIs, and platform-specific techniques. But… "Macs don't get viruses"! - I guess these guys didn’t get that memo. (read more)

Argentina just busted what looks like a Russian influence operation. Their intelligence service (SIDE) uncovered a group called "The Company" that was allegedly running disinformation campaigns and trying to build a network of local collaborators. The suspected ringleaders, Lev Andriashvili and his wife Irina Iakovenko, were apparently bankrolling the whole thing and working to "form a group of people loyal to Russia's interests."

This operation ties back to Project Lakhta, the same Kremlin-linked influence campaign that targeted the U.S. and Europe. It's a familiar playbook: social media manipulation, infiltrating civil organizations, running focus groups, and gathering political intelligence. The Argentine government's making it clear they won't tolerate foreign interference, which is probably a smart move given how these operations have played out elsewhere. (read more)

I wasn’t even going to cover this. But enough people DM’d me asking what was up, so I figured I should. 16 billion creds. Think about it for a sec. Of course this isn’t a breach. This is just a massive accumulation of pre-existing data leaks. If you’re doing all the normal things you’re supposed to - using 2FA (FIDO, such as Yubikey preferred), a password manager with randomly generated passwords for each site to prevent reuse, and keeping your devices up to date to avoid malware - then this news should not alarm you. Go nuts and rotate some passwords if you want, I’m not losing sleep about this one. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay