Threat Alerts

Several US government agencies, including CISA, the FBI, the NSA, and the DoD Cyber Crime Center, have issued a fresh warning highlighting the elevated risk of Iranian state-backed cyber operations in light of recent geopolitical tensions. Officials warn that Iranian and pro-Iranian threat actors may retaliate for recent US military actions with disruptive attacks targeting critical infrastructure sectors, including energy, water, manufacturing, and healthcare. Of particular concern are unsophisticated but effective intrusions against internet-exposed industrial control systems (ICS) and operational technology (OT) using default credentials or weak configurations.

Organizations operating ICS/OT, especially those in sectors historically targeted by Iranian actors, are urged to review the new fact sheet, assess their exposure, and immediately implement hardening measures — such as eliminating default passwords and securing remote access — to reduce risk of exploitation. CISA emphasizes that while no coordinated campaign has yet been observed, the threat remains credible and proactive mitigation is strongly recommended.

Scattered Spider continues its high-impact campaign across industries, with new activity observed in the aviation sector following earlier waves of attacks on the retail and insurance verticals. Known for its aggressive and coordinated social engineering operations, the group maintains consistent TTPs—primarily leveraging phishing to impersonate IT support staff, gaining access to Microsoft Entra ID, SSO, and VDI environments. From there, they pivot into integrated SaaS platforms to facilitate lateral movement and exfiltrate data before deploying ransomware—typically on VMware ESXi systems. The group tends to concentrate on one sector at a time, often for a few weeks, and has shown no signs of slowing.

Recent incidents include a cyberattack on Qantas Airlines, confirmed on July 2, involving a third-party customer service platform that may have exposed data for up to 6 million customers. While attribution has not been formally announced, the TTPs align with known Scattered Spider activity—mirroring earlier intrusions at Hawaiian Airlines and WestJet. The FBI also issued a June 27 warning that the group is now targeting the airline ecosystem more broadly during peak season, including trusted vendors and contractors. In parallel, Scattered Spider has been observed using phishing frameworks like Evilginx and typosquatted domains impersonating IT service providers—enabling them to bypass MFA protections and harvest valid session tokens. These refinements enhance their ability to compromise cloud-first environments and escalate access rapidly

ClickFix attacks, a social engineering technique that tricks users into executing malicious code through fake error messages or counterfeit CAPTCHA verifications, have experienced a dramatic surge with incidents rising by more than 500% between December 2024 and May 2025 compared to the previous six months. The attack vector has rapidly evolved to become the second most common intrusion method after phishing, accounting for nearly 8% of all blocked attacks in the first half of 2025, and affects all major operating systems including Windows, Linux, and macOS.

ClickFix campaigns are delivering an expanding array of threats including infostealers, ransomware, remote access trojans, cryptominers, and custom malware from nation-state-aligned actors, with notable payloads including Lumma and SectopRAT malware families. The technique’s effectiveness stems from its exploitation of user trust in seemingly legitimate technical solutions, often bypassing traditional security controls by relying on direct user interaction to execute PowerShell commands and deploy subsequent malicious payloads.

Researchers have observed a significant spike in the abuse of Spain’s .es top-level domain (TLD) for phishing campaigns. According to Cofense, the use of .es domains for malicious activity has increased nineteenfold since January, making it the third most abused TLD behind only .com and .ru. Threat actors are primarily using these domains to host credential phishing pages impersonating well-known brands, with Microsoft-themed lures accounting for the majority of observed attacks.

The campaigns typically use well-crafted, workplace-themed phishing emails to deliver links to malicious subdomains, which are often randomly generated to avoid detection. Nearly all these .es domains are hosted via Cloudflare and frequently deploy Cloudflare Turnstile CAPTCHAs to appear more legitimate. The trend indicates that .es domain abuse is now a common tactic among a broad range of cybercriminals, highlighting the need for organizations to increase user awareness and strengthen phishing detection for unexpected country-code TLDs.

Researcher discovered a high-severity local privilege escalation vulnerability in the sudo utility, tracked as CVE-2025-32463 with a CVSS score of 7.8. Introduced in sudo v1.9.14, the flaw allows any local user—even without Sudo permissions—to escalate privileges to root by abusing the chroot option. The vulnerability stems from sudo executing chroot() during command matching, before checking permissions. An attacker can craft a writable chroot environment with a malicious nsswitch.conf and shared object (e.g., libnss_/woot1337.so.2), causing sudo to load and execute code as root. Exploitation was confirmed on Ubuntu 24.04.1 and Fedora 41 running vulnerable versions (1.9.15p5, 1.9.16p2). Affected versions range from 1.9.14 to 1.9.17, while older versions (≤1.8.32) are unaffected. The issue is fixed in sudo 1.9.17p1, which removes the unsafe chroot logic

A high-severity zero-day vulnerability, CVE-2025-6554 (CVSS Score N/A), has been addressed in Google Chrome following evidence of active exploitation. The flaw stems from a type confusion issue in Chrome’s V8 JavaScript and WebAssembly engine, which can allow remote attackers to perform arbitrary memory operations through a specially crafted HTML page. Given its exploitation prior to patch release, the vulnerability carries significant risk, particularly for users in sensitive roles or high-value environments.

CVE-2025-6554 (CVSS Score N/A) was reported in late June 2025 and mitigated the next day through a configuration change rolled out to the browser’s Stable channel. Type confusion vulnerabilities can lead to unpredictable program behavior, including memory corruption and code execution. In this case, attackers could exploit the flaw simply by tricking a user into visiting a malicious website, potentially allowing for silent compromise without further interaction.

This is the fourth zero-day vulnerability in Chrome patched in 2025, following CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419.