The final week of June 2025 witnessed an unprecedented escalation in sophisticated cyber warfare, with critical infrastructure bearing the brunt of state-sponsored espionage campaigns and financially motivated ransomware operations. This period was marked by the convergence of traditional cybercrime tactics with cutting-edge AI-powered attack vectors, presenting a complex threat landscape that challenges conventional security paradigms.
Key developments include the active exploitation of CVE-2025-5777 (CitrixBleed 2) enabling session hijacking and MFA bypass, Google’s emergency patching of CVE-2025-5419 in Chrome’s V8 engine being exploited by commercial spyware vendors, and Microsoft’s June Patch Tuesday addressing 67 vulnerabilities including the actively exploited WebDAV zero-day CVE-2025-33053.
The week culminated in the discovery of a massive 16 billion credential aggregation—representing the largest password exposure in cybersecurity history—compiled from infostealer malware campaigns and left accessible on unsecured cloud storage. This mega-breach underscores the evolving threat landscape where traditional perimeter defenses prove inadequate against modern attack vectors.
Emerging Hacking Techniques and Advanced Persistent Threats
AI-Powered Social Engineering Campaigns
Iranian APT35 has pioneered the deployment of AI-generated content in spear-phishing operations targeting Israeli cybersecurity professionals and technology experts. The group, also known as Charming Kitten, employed large language models to craft grammatically perfect impersonation emails and WhatsApp messages, directing victims to sophisticated fake Gmail login pages and bogus Google Meet invitations.
Technical Analysis:
- MITRE ATT&CK Mapping: T1566.001 (Spear Phishing via Service), T1583.001 (Domains), T1598.003 (Spearphishing for Information)
- Attack Vector: Multi-platform social engineering leveraging AI-generated personas
- Target Profile: High-value individuals with privileged access to sensitive systems
CISO Takeaway:
Organizations must enhance authentication verification procedures beyond traditional MFA, implementing behavioral biometrics and out-of-band verification channels to combat AI-enhanced impersonation attacks.
JavaScript-Based Credential Harvesting on Microsoft Exchange
A novel attack technique emerged targeting Microsoft Exchange environments through malicious JavaScript injection in OWA (Outlook Web Access) sessions. Attackers leverage legitimate Exchange APIs to harvest credentials and session tokens without triggering traditional security controls.
Technical Implementation:
- Initial Access: Compromised user account or privileged Exchange service account
- Persistence: Malicious JavaScript embedded in custom OWA themes
- Collection: Real-time credential harvesting through DOM manipulation
- Exfiltration: HTTPS POST requests disguised as legitimate Exchange traffic
Docker API Cryptojacking via Tor Networks
Cybercriminals have developed sophisticated cryptojacking operations exploiting misconfigured Docker APIs while routing C2 communications through Tor networks for enhanced anonymity. This technique combines container orchestration abuse with advanced obfuscation methods.
Attack Flow:
- Reconnaissance of exposed Docker APIs (typically port 2375/2376)
- Deployment of cryptocurrency mining containers with resource limits evasion
- C2 communication establishment through Tor exit nodes
- Persistent mining operations with anti-forensics capabilities
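The precondition for this flow is a Docker daemon whose API is reachable over TCP without TLS client authentication. The audit below is an added example (not code from the page or any vendor); it checks the two places that setting usually lives, daemon.json and the dockerd command line, and shows a weak configuration beside a hardened one. The sample configurations and the /etc/docker/daemon.json path are constructed assumptions.

```python
import json
import shlex

# Local socket schemes never expose the API to the network.
SAFE_SCHEMES = ("unix://", "fd://", "npipe://")

def audit(hosts, tlsverify: bool):
    """Return findings for daemon listeners that match the exposed-API precondition."""
    findings = []
    for host in hosts:
        if host.startswith(SAFE_SCHEMES):
            continue
        if not tlsverify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote API)")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            findings.append(f"{host}: bound to all interfaces")
    return findings

def audit_daemon_json(text: str):
    """Audit the content of daemon.json (assumed path: /etc/docker/daemon.json)."""
    cfg = json.loads(text)
    return audit(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))

def audit_dockerd_cmdline(cmdline: str):
    """Audit a dockerd command line, e.g. the ExecStart= of a systemd unit."""
    args = shlex.split(cmdline)
    hosts = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-H", "--host")]
    hosts += [a.split("=", 1)[1] for a in args if a.startswith("--host=")]
    tls = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    return audit(hosts, tls)

# Constructed samples: the weak configuration beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(text) or "no findings")
```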
Critical CVEs and Zero-Day Exploitations
CVE-2025-5777: CitrixBleed 2 – Critical NetScaler Vulnerability
Incident Date: June 17, 2025 (Disclosure)
Active Exploitation Confirmed: June 26, 2025
Overview:
A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway devices enables remote attackers to bypass authentication mechanisms and hijack user sessions. The flaw, assigned CVSS 9.3, affects over 50,000 internet-exposed instances globally.
Technical Details:
- Affected Versions: NetScaler ADC/Gateway 14.1 before 14.1-43.56, 13.1 before 13.1-58.32
- Attack Vector: Crafted HTTP requests to vulnerable NetScaler endpoints
- Impact: Session token theft, MFA bypass, persistent access to corporate networks
Exploitation Evidence:
ReliaQuest researchers identified active exploitation patterns including hijacked Citrix sessions from NetScaler devices, authentication bypass without user knowledge, and LDAP reconnaissance activities using ADExplorer64.exe across multiple domain controllers.
CISO Takeaway:
Immediately apply Citrix security updates, restrict NetScaler management interfaces from internet exposure, and implement session monitoring to detect anomalous authentication patterns.
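The session monitoring recommended above can be expressed as a few rules over access logs: a hijacked token is used without a login event of its own, and it often shows up from a second source address or a different client. The detector below is an added example, not code from ReliaQuest or Citrix; the log lines are constructed and their field layout is an assumption, not NetScaler's actual format.

```python
import re
from collections import defaultdict

# Constructed sample lines; the field layout is an assumption, not NetScaler's real log format.
SAMPLE_LOG = """\
2025-06-26T08:00:01Z LOGIN session=a1f3 user=alice src=198.51.100.10 ua=Citrix-Workspace
2025-06-26T08:05:12Z REQUEST session=a1f3 user=alice src=198.51.100.10 ua=Citrix-Workspace
2025-06-26T08:07:40Z REQUEST session=a1f3 user=alice src=203.0.113.77 ua=python-requests
2025-06-26T08:10:00Z REQUEST session=9c0e user=bob src=203.0.113.77 ua=python-requests
2025-06-26T08:11:30Z LOGIN session=5d22 user=carol src=198.51.100.22 ua=Citrix-Workspace
2025-06-26T08:12:00Z REQUEST session=5d22 user=carol src=198.51.100.22 ua=Citrix-Workspace
"""
LINE = re.compile(r"(\S+)\s+(\w+)\s+session=(\w+)\s+user=(\w+)\s+src=(\S+)\s+ua=(\S+)")

def analyse(log: str):
    """Return {session_id: [reasons]} for sessions whose usage pattern looks hijacked."""
    logged_in, sources, agents = set(), defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        _, event, sid, _, src, ua = m.groups()
        if event == "LOGIN":
            logged_in.add(sid)            # a legitimate session starts with a login event
        sources[sid].add(src)
        agents[sid].add(ua)
    alerts = {}
    for sid in sources:
        reasons = []
        if sid not in logged_in:
            reasons.append("activity without a preceding login (possible replayed token)")
        if len(sources[sid]) > 1:
            reasons.append(f"used from {len(sources[sid])} source addresses")
        if len(agents[sid]) > 1:
            reasons.append("user-agent changed mid-session")
        if reasons:
            alerts[sid] = reasons
    return alerts

if __name__ == "__main__":
    for sid, reasons in analyse(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```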
CVE-2025-5419: Chrome V8 Engine Zero-Day
Incident Date: May 27, 2025 (Reported)
Patch Release: June 4, 2025
Overview:
A high-severity out-of-bounds read/write vulnerability in Chrome’s V8 JavaScript engine allows remote code execution through crafted HTML pages. Google’s Threat Analysis Group confirmed active exploitation by commercial spyware vendors.
Technical Analysis:
- CVSS Score: 8.8 (High)
- Attack Vector: Malicious HTML pages triggering heap corruption
- Exploitation Timeline: 24-hour discovery-to-patch cycle
- Threat Actors: Commercial surveillance vendors, nation-state groups
Impact Assessment:
The vulnerability enables arbitrary code execution within browser sandboxes, potentially allowing attackers to escape containment and access system resources. Chrome’s rapid patching response indicates the severity of in-the-wild exploitation attempts.
CVE-2025-33053: Microsoft WebDAV Remote Code Execution
Incident Date: June 10, 2025 (Patch Tuesday)
Exploitation Status: Actively exploited zero-day
Overview:
Microsoft addressed a critical RCE vulnerability in WebDAV (Web Distributed Authoring and Versioning) protocol implementation. Despite WebDAV being deprecated since November 2023, the flaw affects all Windows versions and has been weaponized in targeted attacks.
Technical Specifications:
- CVSS Score: 8.8 (High)
- Attack Complexity: Low (no target environment preparation required)
- User Interaction: Required (malicious link click)
- Exploitation Method: Malicious WebDAV server interaction
Threat Intelligence:
Check Point researchers identified exploitation attempts leveraging legitimate Windows tools through working directory manipulations. The vulnerability’s inclusion in emergency patches for legacy Windows versions underscores its critical nature.
CVE-2025-3248: Langflow AI Platform Authentication Bypass
Incident Date: June 19, 2025
Exploitation: Flodrix Botnet Deployment
Overview:
A critical authentication bypass in Langflow AI servers (versions < 1.3.0) enables unauthenticated command execution, actively exploited to deploy the Flodrix IoT botnet for large-scale DDoS operations.
Attack Details:
- CVSS Score: 9.8 (Critical)
- Impact: Full remote code execution, data exfiltration, DDoS amplification
- Botnet Capacity: 100+ Gbps DDoS potential
- Target Infrastructure: AI development platforms, cloud-hosted ML services
Underground Intelligence: Dark Web Cyber Ecosystem
Hacktivist Data Operations and Geopolitical Cyber Warfare
“Cyber Fattah” Saudi Games Data Leak
- Incident Date: June 22, 2025
- Attribution: Pro-Iranian hacktivist collective
- Method: phpMyAdmin exploitation targeting Saudi Games infrastructure
- Data Exposed: 6,000+ athlete records including passport scans, medical certificates, IBAN details
- Distribution Channel: Dark web forum “ZeroDayX”
This operation represents the intersection of geopolitical tensions and cyber disruption, demonstrating how hacktivist groups leverage data breaches for propaganda and diplomatic pressure.
IoT Surveillance Network Exploitation
Dark web forums documented extensive discussions regarding mass exploitation of internet-connected surveillance cameras, with threat actors sharing automated scripts for RTSP/HTTP camera enumeration. Intelligence indicates over 14,000 vulnerable devices in the United States alone remain exposed due to default credentials and open network ports.
Technical Capabilities:
- Automated credential spraying against camera management interfaces
- Live feed extraction and archival systems
- Integration into Mirai-style DDoS botnets
- Pivot point establishment for corporate network infiltration
Ransomware-as-a-Service Evolution
CYFIRMA’s monitoring of underground forums revealed the emergence of “NightSpire,” a new ransomware operation launched in early 2025 with sophisticated affiliate management and multi-stage encryption capabilities. The group has already demonstrated aggressive tactics and well-structured operations despite its recent appearance.
Operational Characteristics:
- Advanced affiliate recruitment through vetted dark web channels
- Multi-platform encryption engines (Windows, Linux, ESXi)
- Double extortion with dedicated leak sites
- Cryptocurrency laundering through privacy coins
Supply Chain and Critical Infrastructure Attacks
Chinese Salt Typhoon Telecommunications Espionage
Incident Timeline: Mid-February 2025 (Compromise) – June 24, 2025 (Discovery)
Overview:
Chinese state-sponsored actors exploited CVE-2023-20198 in Cisco IOS XE to compromise critical telecommunications infrastructure belonging to a major Canadian provider. The campaign enabled persistent network-level espionage and covert data collection across global telecommunications traffic flows.
Technical Analysis:
- Initial Vector: Unauthenticated RCE in Cisco IOS XE (CVSS 10.0)
- Persistence: Modified device configurations with encrypted GRE tunnels
- Collection: Subscriber metadata and routing intelligence
- C2 Infrastructure: 192.0.2.45/203.0.113.12 tunnel endpoints
MITRE ATT&CK Mapping:
- T1190 (Exploit Public-Facing Application)
- T1133 (External Remote Services)
- T1557 (Adversary-in-the-Middle)
- T1090 (Proxy)
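A configuration diff is the most direct way to catch the persistence described above on an IOS XE device. The audit below is an added example, not tooling from Cisco or from the investigation; it parses a running-config for privilege-15 local users and GRE tunnel endpoints and reports anything outside an allow-list. The config excerpt, the "svc_backup" account and Tunnel99 are constructed; 192.0.2.45 is the tunnel endpoint the text lists.

```python
import re

# Constructed running-config excerpt; svc_backup and Tunnel99 are invented examples of the
# kind of persistence described above, and 192.0.2.45 is the tunnel endpoint listed in the text.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
interface Tunnel0
 description mgmt-backhaul
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.20.0.1
 tunnel mode gre ip
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.45
 tunnel mode gre ip
"""

def parse_config(text: str):
    """Return (privilege-15 usernames, {tunnel name: {tunnel attribute: value}})."""
    users, tunnels, current = [], {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None                      # indented lines belong to the last interface
        m = re.match(r"username (\S+) .*privilege 15\b", line)
        if m:
            users.append(m.group(1))
            continue
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        stripped = line.strip()
        if current and stripped.startswith("tunnel "):
            key, _, value = stripped[len("tunnel "):].partition(" ")
            tunnels[current][key] = value
    return users, tunnels

def audit(text: str, allowed_users, allowed_tunnel_dests):
    """List privilege-15 users and GRE tunnel endpoints that are not on the allow-lists."""
    users, tunnels = parse_config(text)
    findings = [f"unexpected privilege-15 user: {u}" for u in users if u not in allowed_users]
    for name, attrs in tunnels.items():
        dest = attrs.get("destination")
        if attrs.get("mode", "").startswith("gre") and dest not in allowed_tunnel_dests:
            findings.append(f"{name}: GRE tunnel to unapproved endpoint {dest}")
    return findings
```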
UNFI Food Distribution Cyberattack
Incident Date: June 5, 2025
Discovery: June 9, 2025
Overview:
United Natural Foods Inc. suffered a significant cyberattack that disrupted ordering and warehouse logistics systems, causing supply chain interruptions across 30,000 retail locations including Whole Foods and regional grocers.
Impact Assessment:
- Manual order processing implementation
- Empty shelves at major retail chains
- Revenue loss exceeding $50 million in the first week
- Operational recovery extending beyond 14 days
Technical Indicators:
- Phishing-based initial access (T1566)
- Endpoint denial-of-service tactics (T1499)
- Systematic file tampering evidence
- PowerShell reconnaissance scripts (C:\scripts\unfi_recon.ps1)
ConnectWise Authenticode Stuffing Campaign
Campaign Duration: March-June 2025
Discovery: June 24, 2025
Overview:
The “EvilConwi” campaign demonstrated sophisticated abuse of ConnectWise’s code signing infrastructure through Authenticode stuffing techniques, enabling malware distribution while maintaining valid digital signatures.
Attack Methodology:
- Injection of malicious XML configuration into Authenticode certificates
- Preservation of vendor signature validation
- Distribution via spear-phishing with OneDrive→Canva redirect chains
- Remote access tool weaponization at scale
IOCs:
- ScreenConnect installer SHA-256: 0e5751c026e543b2e8ab2eb06099dda6
- Embedded XML tags: <ConnectWiseConfig>
- Certificate attribute anomalies indicating stuffing
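Authenticode stuffing works because data added to the signature's unauthenticated area does not break signature validation, so a signature-valid check alone misses it; a complementary check is to locate the PE's certificate table and look inside it for content that has no business there, such as the XML tag listed above. The code below is an added example, not ConnectWise's or the researchers' tooling; it builds a constructed PE32+ header skeleton (headers only, not a runnable executable) to exercise the check offline, and the stand-in signature blobs are constructed rather than real PKCS#7 data.

```python
import struct

MARKERS = (b"<ConnectWiseConfig>",)   # embedded XML tag listed as an IoC above

def security_directory(pe: bytes):
    """Return (file offset, size) of the Authenticode certificate table (data directory 4)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories start (PE32 vs PE32+)
    return struct.unpack_from("<II", pe, dirs + 4 * 8)

def stuffed_markers(pe: bytes, markers=MARKERS):
    """Return the markers found inside the signature blob; a clean signature yields []."""
    off, size = security_directory(pe)
    blob = pe[off:off + size]
    return [m for m in markers if m in blob]

def build_sample_pe(sig_blob: bytes) -> bytes:
    """Constructed PE32+ header skeleton whose security directory points at sig_blob."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    dos += b"\0" * (e_lfanew - len(dos))
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(240)                          # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    sig_off = e_lfanew + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 4 * 8, sig_off, len(sig_blob))
    return dos + coff + bytes(opt) + sig_blob

# Constructed stand-ins for a PKCS#7 blob: one clean, one with config text stuffed after it.
CLEAN_SIG = b"\x30\x82\x01\x00" + b"\x00" * 64
STUFFED_SIG = CLEAN_SIG + b"<ConnectWiseConfig><Host>example.invalid</Host></ConnectWiseConfig>"

if __name__ == "__main__":
    print("clean:", stuffed_markers(build_sample_pe(CLEAN_SIG)))
    print("stuffed:", stuffed_markers(build_sample_pe(STUFFED_SIG)))
```

On a real installer the same check runs over the file bytes read from disk; an empty result only means the listed marker is absent, so pair it with certificate attribute review as the IoCs above suggest.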
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management