Daily Threat Intelligence Report - June 25, 2025

News By Daniel Michan Published on June 25

Executive Summary

On June 25, 2025, the cybersecurity landscape saw a surge in vulnerabilities and attacks targeting diverse systems and regions. Critical vulnerabilities in IBM i and Brother products, alongside sophisticated ransomware and nation-state attacks, highlight the need for immediate patching and robust defense strategies. Social media discussions on platforms like X emphasize active exploitation of remote access tools, underscoring the urgency for organizations to enhance monitoring and response capabilities.

Key Threat Highlights

1. Critical Vulnerabilities

  • IBM i Privilege Escalation (CVE-2025-36004)
  • A critical flaw in IBM i (versions 7.2–7.5) allows users to gain elevated privileges due to an unqualified library call in IBM Facsimile Support for i. Malicious actors could execute user-controlled code with administrator privileges, posing a severe risk to affected systems. Immediate patching is recommended.
  • Russian APT Targets Ukrainian Government
  • A Russian APT group deployed new malware via the Signal messaging app, targeting Ukrainian government entities. This critical threat demonstrates advanced social engineering and persistence, requiring heightened vigilance for organizations in geopolitically sensitive regions.

2. High-Severity Vulnerabilities and Exploits

  • Brother Products Vulnerabilities
  • Multiple vulnerabilities in Brother printers and driver installers for Windows enable remote code execution and privilege escalation. An unauthenticated information leak also affects Brother, FUJIFILM, RICOH, and Toshiba devices, potentially exposing sensitive data. Organizations should apply patches and restrict device access.
  • SiteOrigin Widgets Bundle Stored XSS
  • The WordPress SiteOrigin Widgets Bundle plugin (up to v1.68.4) is vulnerable to stored cross-site scripting (XSS) via the data-url DOM element, allowing unauthenticated attackers to inject malicious scripts. Update to the latest version to mitigate.
  • SonicWall NetExtender and ConnectWise Exploits
  • Cybercriminals are distributing trojanized SonicWall NetExtender applications and exploiting ConnectWise vulnerabilities to steal credentials and deploy malware. These attacks, discussed widely on X, involve fake websites and malicious installers, emphasizing the need for software verification and endpoint protection.
  • North Korea-linked Supply Chain Attack
  • The Lazarus Group targeted developers with malicious npm packages, aiming to infiltrate software supply chains. This high-severity attack underscores the importance of vetting third-party dependencies.

3. Ransomware and Data Breaches

  • Teamxxx, Worldleaks, and Incransom Attacks
  • Ransomware groups Teamxxx, Worldleaks, and Incransom targeted Nationwidecare.org, T.O. Brasil, and FONPER, respectively, causing significant data breaches. These high-severity incidents highlight the persistent threat of ransomware to critical infrastructure.
  • Mainline Health and Select Medical Breaches
  • Data breaches impacted 100,000 individuals, exposing sensitive personal information. Organizations must enhance data encryption and incident response measures.
  • Pro-Iranian Hacktivist Group Data Leak
  • A pro-Iranian group leaked personal records from the 2024 Saudi Games, demonstrating the growing threat of hacktivism in geopolitical conflicts.

4. Emerging Threats

  • AI-Driven Malware and Phishing
  • Cybercriminals are leveraging large language models for phishing campaigns and malware development, including a prototype using AI prompt injection for evasion. These high-severity threats require advanced detection mechanisms.
  • WordPress Malware Mimicking Cloudflare
  • Malware targeting WordPress checkout pages imitates Cloudflare, compromising e-commerce platforms. Site owners should inspect themes and plugins for malicious scripts.

5. Medium-Severity Threats

  • GROWI Denial of Service (DoS)
  • A DoS vulnerability in GROWI (prior to v7.1.6) allows logged-in users to disrupt services via inefficient regular expression complexity. Upgrade to v7.1.6 to address this issue.
  • SourceCodester Best Salon Management System SQL Injection
  • An SQL injection flaw in this system enables attackers to extract sensitive data. Apply vendor patches and implement input validation.

Recommendations

  1. Patch Management: Prioritize updates for IBM i, Brother products, and WordPress plugins to address critical and high-severity vulnerabilities.
  2. Software Verification: Validate the integrity of software installers, especially for remote access tools like SonicWall NetExtender and ConnectWise.
  3. Supply Chain Security: Audit third-party dependencies, particularly npm packages, to prevent supply chain attacks.
  4. Monitoring and Detection: Enhance monitoring for unusual activity, such as unauthorized privilege escalation or malicious scripts on WordPress sites.
  5. Incident Response: Strengthen ransomware defenses with regular backups, encryption, and rapid response plans to mitigate data breaches.
  6. User Awareness: Train staff to recognize phishing attempts and verify communications, especially in regions targeted by nation-state actors.

Conclusion

The threat landscape on June 25, 2025, reflects a complex mix of vulnerabilities, ransomware, and nation-state activities. Organizations must act swiftly to patch systems, verify software, and bolster defenses against AI-driven and supply chain attacks. Social media insights from X highlight the active exploitation of remote access tools, reinforcing the need for proactive cybersecurity measures.