Information Security News – 6/23/2025

Law Enforcement Takedowns Disrupt Cybercrimes Across the Globe

Article link: https://cyberscoop.com/cybercrime-crackdown-operation-endgame-operation-secure/

  • A series of coordinated global law enforcement actions, including Operations Endgame, PowerOFF, and Secure, have significantly disrupted numerous cybercrime operations worldwide in recent weeks. These efforts have targeted prolific infostealers, malware loaders, and illicit online marketplaces.
  • These crackdowns involved seizing tens of thousands of malicious IP addresses, domains, and command-and-control (C2) systems. The disruption aims to dismantle the infrastructure supporting criminal enterprises, thereby impeding their ability to conduct malicious activities.
  • This wave of successful takedowns offers a welcome sign of progress in combating global cybercrime, demonstrating that international cooperation can yield substantial results. The actions have forced criminals to rethink their methods and infrastructure.
  • These operations highlight the value of intelligence sharing and collaboration between law enforcement and private security entities. While many criminals remain at large, the ongoing disruption activity provides a blueprint for continued offensive actions against criminal networks.

Microsoft 365 to Block File Access Via Legacy Auth by Default

Article link: https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-file-access-via-legacy-auth-protocols-by-default/

  • Microsoft is updating security defaults for all Microsoft 365 tenants, beginning in July and concluding by August 2025, to block access to SharePoint, OneDrive, and Office files through outdated authentication protocols. This move is part of the Microsoft Secure Future Initiative.
  • Outdated protocols lack today’s authentication safeguards and are thus prone to brute-force and phishing attempts. Deactivating these methods diminishes exposure to vulnerabilities.
  • This change will require administrative consent for third-party applications to access files and sites by default, preventing users from inadvertently overexposing organizational content. This heightened protection serves to improve the overall security posture for organizations utilizing Microsoft 365.
  • Organizations should review their current use of legacy authentication and prepare for these upcoming changes to avoid service disruptions. Administrators can configure granular access policies for specific users or groups to manage necessary exceptions.
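The review of legacy authentication that the last bullet calls for starts with the tenant's sign-in logs. The script below is an added example written for this summary, not code from Microsoft or the article: it reads an exported Microsoft Entra sign-in log in JSON form, treats every `clientAppUsed` value other than "Browser" and "Mobile Apps and Desktop clients" as legacy authentication (Microsoft's own classification), and counts the successful legacy sign-ins per user and client, which are the ones that will break once the default changes. The sample log, its users, and the resource names used for scoping are constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like an exported Microsoft Entra sign-in log
# (field names follow the Graph signIn resource; users, apps and codes are made up).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Other clients",
     "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Exchange ActiveSync",
     "resourceDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Other clients",
     "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
])

# Microsoft classes every client app type other than these two as legacy authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Resource names used to scope the review to file access; taken from the constructed sample.
FILE_RESOURCES = {"Office 365 SharePoint Online"}


def legacy_auth_signins(raw_json, resources=None):
    """Return every sign-in that used a legacy client app, optionally limited to `resources`."""
    hits = []
    for event in json.loads(raw_json):
        client_app = event.get("clientAppUsed", "Unknown")
        if client_app in MODERN_CLIENT_APPS:
            continue
        resource = event.get("resourceDisplayName")
        if resources is not None and resource not in resources:
            continue
        hits.append({
            "user": event.get("userPrincipalName"),
            "clientApp": client_app,
            "resource": resource,
            # errorCode 0 means the sign-in succeeded, i.e. this client will break once blocked.
            "succeeded": event.get("status", {}).get("errorCode") == 0,
        })
    return hits


def breakage_summary(hits):
    """Count successful legacy sign-ins per (user, client app): the exceptions an admin must plan for."""
    return Counter((h["user"], h["clientApp"]) for h in hits if h["succeeded"])


if __name__ == "__main__":
    file_hits = legacy_auth_signins(SAMPLE_SIGNINS, resources=FILE_RESOURCES)
    for (user, app), count in breakage_summary(file_hits).items():
        print(f"{user}: {count} successful file sign-in(s) via legacy client '{app}'")
```

Run against a real export, the summary gives the list of accounts and clients that need either migration to modern authentication or a deliberate, scoped exception before the new default lands.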

Phishing Goes Prime Time: Hackers Use Trusted Sites to Hijack Search Rankings

Article link: https://www.csoonline.com/article/4008277/phishing-goes-prime-time-hackers-use-trusted-sites-to-hijack-search-rankings.html

  • Cybercriminals are now leveraging trusted sites, particularly .gov and .edu domains, to hijack search engine rankings and place phishing pages atop search results via dark-market SEO tactics.
  • Through the Hacklink platform's built-in panel, attackers plant backlinks on reputable domains that point to their malicious sites, boosting those sites' rankings and fooling both technical filters and user trust.
  • Victims click what they believe are official resources, only to land on credential-stealing pages or malware downloads. These campaigns are difficult to differentiate from legitimate search results.
  • Organizations should actively monitor backlink profiles and watch for abrupt jumps in search engine position. Threat monitoring and awareness can help flag shady redirects and domain spoofing.
  • Link to Netcraft’s Report: https://www.netcraft.com/blog/how-fraudsters-are-poisoning-search-results-to-promote-phishing-sites

Community Orgs Need More Cybersecurity Help Says Report

Article link: https://cyberscoop.com/cyber-resilience-corps-volunteer-target-rich-resource-poor-assistance/

  • In a new report from the Cyber Resilience Corps, a volunteer organization from the University of California Berkeley Center for Long-Term Cybersecurity (CLTC) and the CyberPeace Institute, cybersecurity leaders are advocating for a strengthened, structured volunteer corps to support “target-rich, resource-poor” organizations such as nonprofits, schools, and community clinics.
  • The report focuses on solutions to the specific challenges observed in approximately 43,000 cyber incidents targeting 121 community organizations tracked by the CyberPeace Institute between 2023 and 2025. These groups often hold sensitive data, making them attractive to hackers and domestic and foreign adversaries, but lack the resources to build up resilience in the wake of a cyberattack.
  • The authors detail a “multi-phase ‘roadmap’” for strengthening community organizations’ cybersecurity, with “nine specific recommendations to rapidly assist local schools, cities, nonprofits, and utilities across three lines of effort,” including maturing cyber volunteering programs, expanding cyber volunteering programs, and enhancing continuity of service after volunteer engagements conclude.
  • Link to CLTC’s Report: https://cltc.berkeley.edu/publication/roadmap-to-community-cybersecurity

NIST Outlines Real-World Zero-Trust Examples

Article link: https://www.darkreading.com/endpoint-security/nist-outlines-real-world-zero-trust-examples

  • The National Institute of Standards and Technology (NIST) has finalized Special Publication (SP) 1800-35, offering 19 detailed zero-trust deployment scenarios, each illustrating sound layered defense strategies.
  • Examples range from hybrid cloud integrations to mobile endpoint management, with emphasis on dynamic trust decisions and segmented resource access.
  • NIST’s effort is part of an initiative to demystify zero-trust by translating conceptual frameworks, initially laid out in NIST SP 800-207 in 2020, into technical blueprints, including telemetry use and identity governance. Some scenarios involve multiple identity providers.
  • Security architects are advised to use these cases as templates for iterative adaptation. Strategic planning must align identity models, network architecture, and risk metrics for meaningful application of zero-trust principles.
  • Link to NIST SP 1800-35: https://csrc.nist.gov/pubs/sp/1800/35/final

BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with macOS Backdoor Malware

Article link: https://thehackernews.com/2025/06/bluenoroff-deepfake-zoom-scam-hits.html

  • A cryptocurrency employee was targeted by BlueNoroff, a North Korean-linked threat group, in a sophisticated Zoom meeting scam involving deepfake lures and macOS backdoor malware.
  • The victim believed they were meeting with senior executives but was sent a Calendly link that directed them to a fake Zoom meeting attended by deepfakes of those executives. When they complained that their microphone did not work, they were instructed to download a supposed Zoom extension to fix the issue, which actually turned out to be a payload that installed 8 malicious binaries onto their host.
  • This specific social engineering attack is an iteration of the ClickFake interview attack strategy, similar to the ever-prevalent ClickFix attack, where applicants are led to run malicious commands under the pretext of addressing camera or microphone issues during a hiring assessment.
  • Security teams should extend user awareness training to include fake interviews and impersonation risks. Additionally, macOS-specific threat monitoring should now be considered a requirement, not optional.

Discord Invite Link Hijacking Campaign Delivers Infostealers

Article link: https://thehackernews.com/2025/06/discord-invite-link-hijacking-delivers.html

  • A campaign targeting influencers, their online audiences, and their Discord communities has emerged, where attackers hijack legitimate invite links and redirect users to malicious infostealers.
  • Attackers craft fake sites that mirror real Discord invites and, under the pretext of verification, use the ClickFix social engineering technique to get unsuspecting users to download malware. Malware used here includes AsyncRAT, which offers remote-control capabilities, Skuld, a crypto wallet stealer, and a custom version of ChromeKatz, which bypasses encryption to steal browser data.
  • Researchers observed how attackers exploit the ability to reuse expired or deleted Discord invite codes in vanity invite links. Attackers rely on trust in the platform to spread the malicious links.
  • Verification practices for invite links must be revisited, and web traffic monitoring refined. Link reputation checks, particularly on expired or redirected domains, need to be incorporated into community moderation workflows.

Four States Caught Sharing Personal Health Data with Big Tech

Article link: https://themarkup.org/pixel-hunt/2025/06/17/we-caught-4-more-states-sharing-personal-health-data-with-big-tech

  • A recent investigation uncovered that state-run healthcare exchange websites in Nevada, Maine, Massachusetts, and Rhode Island, as well as California, where the practice was found earlier, have been transmitting sensitive personal health information to Google, LinkedIn, and Snapchat without user consent.
  • The websites used web trackers to monitor user activity and facilitate targeted advertising. When users entered sensitive information, such as prescription drug names, dosages, or health conditions, these invisible trackers sent the data to the tech platforms.
  • This practice raises serious privacy concerns for individuals using these state health exchanges, as their confidential medical details are being shared with third parties. For organizations, it highlights the pressing need for thorough audits of website trackers and data flow to external entities.
  • A supplementary article is provided detailing steps users can take to block trackers from sending data to tech companies.
  • Link to Tracker Data-Sharing Prevention Guidance: https://themarkup.org/the-breakdown/2025/06/17/this-is-how-you-stop-data-trackers-from-sucking-up-your-health-data

Token Theft & MFA Defeat: 2025 State of Infosec Incident Stories

Article link: https://frsecure.com/blog/token-theft-attacks-mfa-defeat/

  • FRSecure’s 2025 incident review of 65 business email compromise cases reveals that token theft, not MFA fatigue, is now the leading method for bypassing MFA protections. Session hijacking and browser token scraping are frequently used in real-world breaches.
  • The review highlights cases of EvilGinx or EvilProxy attacks: token theft through phishing links in email, redirection to phishing pages that act as a reverse proxy relaying the legitimate login exchange, theft of the victim’s session cookies, and impersonation and MFA bypass using those cookies.
  • With the emergence of these token-theft attacks, traditional MFA is even less of a silver bullet than before, increasing the need for robust conditional access policies that require organizational device compliance and that limit third-party applications’ access without prior authorization.
  • Organizations are encouraged to implement conditional access policies, session timeouts, and device binding. Educating users about token approval prompts and monitoring token reuse across devices is critical to reducing exposure.
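Monitoring token reuse across devices, as the last bullet recommends, reduces to one question: was the same session token presented from more than one network location and browser, and was the second device compliant? The script below is an added example written for this summary, not code from FRSecure or any vendor: it groups constructed sign-in events by session id, flags sessions seen from more than one (IP, user agent) fingerprint, and reports how quickly the reuse happened and whether the foreign device passed compliance. The event format, users and addresses are constructed.

```python
from datetime import datetime

# Constructed sign-in events: one user's session token observed from two different
# network locations and browsers within minutes, one user's session behaving normally.
SAMPLE_EVENTS = [
    {"time": "2025-06-20T10:00:00+00:00", "user": "alice@example.com", "sessionId": "sess-A",
     "ip": "198.51.100.10", "userAgent": "Edge/137 Windows", "deviceCompliant": True},
    {"time": "2025-06-20T10:04:00+00:00", "user": "alice@example.com", "sessionId": "sess-A",
     "ip": "203.0.113.77", "userAgent": "Chrome/137 Linux", "deviceCompliant": False},
    {"time": "2025-06-20T10:10:00+00:00", "user": "bob@example.com", "sessionId": "sess-B",
     "ip": "198.51.100.22", "userAgent": "Edge/137 Windows", "deviceCompliant": True},
    {"time": "2025-06-20T10:30:00+00:00", "user": "bob@example.com", "sessionId": "sess-B",
     "ip": "198.51.100.22", "userAgent": "Edge/137 Windows", "deviceCompliant": True},
]


def _fingerprint(event):
    """Coarse device fingerprint: where the token came from and what presented it."""
    return (event["ip"], event["userAgent"])


def find_session_reuse(events):
    """Flag session ids whose token was presented from more than one (ip, user agent) pair.

    Returns one alert per suspicious session with the minutes between the first
    observation and the first foreign presentation, and whether every foreign
    device was compliant (a compliance-requiring conditional access policy would
    have rejected a non-compliant one).
    """
    by_session = {}
    for event in sorted(events, key=lambda e: e["time"]):
        by_session.setdefault(event["sessionId"], []).append(event)

    alerts = []
    for session_id, seen in by_session.items():
        first = seen[0]
        origin = _fingerprint(first)
        foreign = [e for e in seen if _fingerprint(e) != origin]
        if not foreign:
            continue
        t0 = datetime.fromisoformat(first["time"])
        t1 = datetime.fromisoformat(foreign[0]["time"])
        alerts.append({
            "session_id": session_id,
            "user": first["user"],
            "fingerprints": sorted({_fingerprint(e) for e in seen}),
            "minutes_to_reuse": (t1 - t0).total_seconds() / 60,
            "foreign_device_compliant": all(e["deviceCompliant"] for e in foreign),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(f"{alert['user']} session {alert['session_id']} reused after "
              f"{alert['minutes_to_reuse']:.0f} min from {len(alert['fingerprints'])} devices; "
              f"foreign device compliant: {alert['foreign_device_compliant']}")
```

In production the fingerprint would normally use the device id that device binding attaches to the session rather than IP and user agent, which legitimately change on mobile networks; the grouping and timing logic are unchanged.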
