Darkwire Weekly – Issue #4

Your No-Fluff Cybersecurity & Privacy Brief - Week of June 9, 2025

🚨Top 3 Threats This Week

  • Chinese Hackers Target SentinelOne: SentinelOne says a Chinese state-backed group (likely APT41) attempted a supply chain breach via one of its IT providers. The foiled intrusion, using ShadowPad malware, was part of a broader campaign that hit 70+ organizations globally between mid-2024 and early 2025. (🔗 source)

  • Fortinet Flaws Exploited by Qilin: The Qilin (aka Agenda/Phantom Mantis) ransomware gang is leveraging critical Fortinet bugs to infiltrate organizations. Active since May, their campaign exploits authentication bypass RCE vulnerabilities in FortiGate devices to deploy ransomware – initially focusing on Spanish-speaking countries but expected to spread worldwide. (🔗 source)

  • Play Ransomware’s 900 Victims: An FBI cyber alert revealed that Play ransomware has breached roughly 900 organizations (as of May 2025) – more than previously known, including hits on critical infrastructure. The Play crew (aka PlayCrypt) frequently retools its malware to evade detection and has even resorted to calling victims on the phone to pressure ransom payments. (🔗 source)

🛡️Dark Web Watch

  • AT&T Mega Leak Resurfaces: Data from AT&T’s 2021 breach of ~70 million customers has been repackaged and put up for sale on a hacking forum. The seller merged stolen files to directly link victims’ names, birthdates, and Social Security numbers to their phone accounts – AT&T says it’s likely old breach data being recycled, and is investigating the new leak. (🔗 source)

  • BidenCash Market Takedown: A joint operation by U.S. and Dutch authorities seized 145 domains associated with the BidenCash underground marketplace. BidenCash, active since 2022, was a major hub for selling stolen credit card data (15+ million cards traded) with over 117,000 users – now its domains display law enforcement seizure notices instead of logins. (🔗 source)

Recent CVEs You Should Know

  • Roundcube Webmail RCE (CVE-2025-49113): A critical code execution flaw in Roundcube (patched June 1) is now being actively exploited. Hackers quickly reverse-engineered the patch to develop a working exploit (sold on forums) – it requires an email login to trigger, but attackers claim they can phish that via CSRF. Patch ASAP if you haven’t updated your Roundcube servers yet. (🔗 source)

  • Wazuh Server RCE (CVE-2025-24016): A now-patched deserialization bug in the Wazuh security platform (fixed in v4.9.1) is being abused in the wild by Mirai botnets. Within weeks of the PoC going public, at least two botnets began hijacking unpatched Wazuh servers to install malware and launch DDoS attacks – illustrating how quickly attackers weaponize new CVEs. (🔗 source)

🛠️ Tools & Resources

  • Vet – Open-Source Supply Chain Scanner: A new tool called Vet helps developers spot risks in their software supply chain beyond normal dependency checks. It flags known-vulnerable or malicious packages in your projects (across npm, PyPI, Maven, Go, etc.) and lets you enforce custom security policies – giving DevSecOps teams a proactive way to weed out risky components before they’re deployed. (🔗 source)

  • Meta’s Sensitive Doc Classifier: Meta open-sourced an AI tool to automatically detect sensitive information in documents and apply security labels. The solution (which uses Apache Tika and Meta’s Llama AI) scans text in files like Google Docs/Sheets and then tags them to prevent unauthorized access or exclude them from AI training data – a handy new DLP tool for the era of large language models. (🔗 source)

📚 Quick Bytes

  • Ticketmaster Breach Data Resold: The upstart Arkana ransomware group claims to have 1.3 TB of Ticketmaster’s customer records and listed the cache on its leak site. Researchers suspect it’s not a new hack at all, but rather the 560-million record database from Ticketmaster’s massive 2024 breach being re-sold under Arkana’s name as a “quick sale” to one buyer. (🔗 source)

  • BadBox Botnet Infects 1M+ IoT Devices: The FBI warns that BadBox 2.0 – a revived IoT botnet – has compromised over a million consumer gadgets worldwide (from streaming sticks and projectors to car infotainment systems). Many affected devices were tampered with at the factory or infected via trojanized apps, turning them into a giant proxy network for cybercriminals. (🔗 source)

  • Chinese Phone Hacks Spark “Mobile Crisis”: An AP investigation revealed Chinese state hackers are using stealthy zero-click exploits to infiltrate the iPhones of U.S. officials, journalists, and tech executives. Security experts call it a “mobile security crisis” – sophisticated spyware campaigns are surging even as many users fail to update or secure their phones, leaving sensitive data at risk. (🔗 source)

👀 Privacy Tip of the Week

  • Audit Your Browser Extensions: Take a moment to review the extensions/add-ons in your web browser and prune anything you don’t truly need or trust. Browser extensions often demand broad permissions and have deep access to your data – so the fewer you have, the lower your exposure. Disable or remove any extras, and stick to extensions from reputable sources going forward. 
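One way to put this tip into practice, as an added example that is not from the newsletter: a small Python script that reads Chromium-style extension manifests and ranks installed extensions by how broad their requested permissions are, so the ones with the widest reach into browsing data get reviewed first. The on-disk layout it reads (`<profile>/Extensions/<id>/<version>/manifest.json`) is Chrome's real one; the risk weights and the three sample manifests are constructed assumptions for illustration, not an official taxonomy.

```python
"""Rank browser extensions by the breadth of the permissions they request.

Added example (not from the newsletter). Reads Chromium-style manifests and
scores them so the broadest-access extensions surface first. The weights and
the SAMPLE_MANIFESTS below are constructed for illustration.
"""
import glob
import json
import os
from typing import Dict, List

# Permissions that grant wide reach into browsing data or network traffic.
# Weights are an assumption used only for ranking.
RISK_WEIGHTS: Dict[str, int] = {
    "<all_urls>": 5,        # host access to every site
    "debugger": 5,          # attach to any tab's DevTools protocol
    "webRequest": 4,        # observe all HTTP traffic
    "webRequestBlocking": 4,
    "cookies": 4,           # read/write session cookies
    "nativeMessaging": 4,   # talk to a local native binary
    "proxy": 4,
    "tabs": 3,              # URLs and titles of every open tab
    "history": 3,
    "clipboardRead": 3,
    "management": 3,
    "downloads": 2,
    "storage": 0,           # local key/value storage only
}


def _host_weight(pattern: str) -> int:
    """Score a host match pattern: global patterns outrank a single origin."""
    if pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"):
        return 5
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return 2 if "*" in host else 1  # wildcard subdomains vs. one exact host


def audit_manifest(manifest: dict) -> dict:
    """Return a risk score plus the permissions that produced it."""
    findings: List[str] = []
    score = 0
    # MV2 lists hosts under "permissions"; MV3 moves them to "host_permissions".
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in RISK_WEIGHTS:
            w = RISK_WEIGHTS[perm]
        elif "://" in perm:
            w = _host_weight(perm)
        else:
            w = 1  # unknown API permission: counts, but lightly
        if w:
            findings.append(f"{perm} (+{w})")
            score += w
    # A content script injected into every page is as broad as <all_urls>.
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            w = _host_weight(m)
            if w >= 5:
                findings.append(f"content_script matches {m} (+{w})")
                score += w
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": score, "findings": findings}


def load_profile_manifests(profile_dir: str) -> List[dict]:
    """Read every manifest under <profile>/Extensions/<id>/<version>/."""
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    manifests = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        # Store extensions often use localized "__MSG_name__" placeholders;
        # keep the extension id alongside so the entry stays identifiable.
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        m["name"] = f"{m.get('name', '?')} [{ext_id}]"
        manifests.append(m)
    return manifests


def rank(manifests: List[dict]) -> List[dict]:
    """Audit every manifest and order the results, broadest access first."""
    return sorted((audit_manifest(m) for m in manifests), key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions) so the script runs offline.
SAMPLE_MANIFESTS = [
    {"name": "Tab Sniffer (constructed)", "version": "1.0", "manifest_version": 3,
     "permissions": ["tabs", "cookies", "webRequest", "storage"],
     "host_permissions": ["<all_urls>"]},
    {"name": "Dark Mode for example.com (constructed)", "version": "2.1", "manifest_version": 3,
     "permissions": ["storage"],
     "content_scripts": [{"matches": ["https://example.com/*"], "js": ["dark.js"]}]},
    {"name": "Old Style Helper (constructed)", "version": "0.9", "manifest_version": 2,
     "permissions": ["https://*/*", "http://*/*", "history"]},
]

if __name__ == "__main__":
    import sys
    # Pass a Chrome/Chromium profile directory to audit real installs;
    # with no argument the constructed samples are ranked instead.
    manifests = load_profile_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for r in rank(manifests):
        print(f"{r['score']:>3}  {r['name']} {r['version']}")
        for f in r["findings"]:
            print(f"      - {f}")
```

Run it with a profile path (for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) to list what is actually installed; anything scoring high that you cannot justify is a candidate to remove. A score of zero only means the manifest asks for little, so it is a prioritisation aid, not a verdict on trustworthiness. Firefox stores add-ons as packed `.xpi` files in a different layout, which this script does not read.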

👋 Stay sharp,

– The Darkwire Weekly Team
darkwireweekly.com
