Cybersecurity Threats and Trends - 06/10/2025

In partnership with

You found global talent. Deel’s here to help you onboard them

Deel’s simplified a whole planet’s worth of information. It’s time you got your hands on our international compliance handbook where you’ll learn about:

• Attracting global talent

• Labor laws to consider when hiring

• Processing international payroll on time

• Staying compliant with employment & tax laws abroad

With 150+ countries right at your fingertips, growing your team with Deel is easier than ever.

Get the guide

While you were busy trying to remember if you actually turned on MFA for your personal email, the cyber underworld was busy innovating new ways to ruin your Monday. Let's dive into this week's digital dumpster fires, shall we?

3. Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

Primary Threat: Former members of the Black Basta ransomware operation have been observed using Microsoft Teams and Python scripts in their email bombing campaigns targeting finance, insurance, and construction sectors.

Risk: HIGH

Security researchers revealed that these threat actors are leveraging legitimate collaboration tools like Microsoft Teams to establish initial contact with victims, posing as corporate help desks responding to supposed spam attacks. After gaining the victim's trust, they deploy custom Python scripts and cURL commands to deliver malware. This technique allows them to bypass traditional email security controls and exploit the inherent trust users place in official communication channels.

Detection and Remediation Tips:

• Train employees to verify the identity of IT support staff, even when contacted through legitimate channels

• Implement strict policies for handling unexpected IT support communications

• Deploy advanced email security solutions that can detect and block email bombing campaigns

• Restrict the execution of scripts and unauthorized applications on endpoint devices

• Establish clear escalation procedures for employees to report suspicious IT support requests

4. 295 Malicious IPs Launch Coordinated Brute-Force Attack on Apache Tomcat Manager

Primary Threat: Threat intelligence firm GreyNoise has warned of a coordinated brute-force attack targeting Apache Tomcat Manager interfaces from 295 malicious IP addresses.

Risk: HIGH

According to GreyNoise, who warned of the attack, the company observed a surge in brute-force and login attempts on June 5, 2025, indicating deliberate efforts to identify and compromise vulnerable Apache Tomcat instances. The attacking IPs were primarily located in the US, UK, Germany, Netherlands, and France. Once compromised, these servers could be used for cryptocurrency mining, data theft, or as launching points for further attacks on internal networks.

Detection and Remediation Tips:

• Change default credentials on all Apache Tomcat Manager interfaces immediately

• Implement IP-based access restrictions for management interfaces

• Deploy multi-factor authentication for administrative access

• Consider using Web Application Firewalls to detect and block brute-force attempts

• Monitor server logs for unauthorized access attempts and suspicious activities

5. Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Primary Threat: Adobe has released security updates to address a total of 254 security flaws impacting its software products, with a majority affecting Experience Manager and Creative Cloud.

Risk: HIGH

Adobe on Tuesday pushed security updates to address a staggering 254 security flaws across its product line. The most severe vulnerabilities could allow attackers to execute arbitrary code, potentially taking complete control of affected systems. The updates impact both cloud-based and on-premises deployments, with Experience Manager accounting for the majority of the patched vulnerabilities. Some of the flaws could be exploited to achieve privilege escalation, information disclosure, or security feature bypass.

Detection and Remediation Tips:

• Apply Adobe's June 2025 security patches immediately across all affected products

• Prioritize updating internet-facing systems and those processing sensitive data

• Review your Adobe product inventory to ensure all instances are identified and patched

• Consider implementing application allowlisting to prevent unauthorized code execution

• Monitor for unusual activity that might indicate exploitation attempts

6. FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malwarek

Primary Threat: The financially motivated threat actor FIN6 has been observed leveraging fake resumes hosted on AWS infrastructure to deliver More_eggs malware via LinkedIn.

Risk: MEDIUM

Security researchers reported that FIN6 is targeting recruiters and HR professionals with convincing fake resumes that link to malicious AWS-hosted portfolio websites. When victims click on the resume links, they're redirected to these sites, which deliver the More_eggs backdoor malware. This sophisticated malware facilitates credential theft, system access, and follow-on attacks, including ransomware deployment. FIN6 is known for targeting point-of-sale systems and stealing payment card data, with estimated thefts exceeding $400 million since 2018.

Detection and Remediation Tips:

• Train HR and recruitment staff to recognize suspicious resume links and attachments

• Implement advanced email security solutions with URL filtering capabilities

• Consider using isolated browsing environments when reviewing job applications

• Deploy endpoint detection and response (EDR) solutions to detect More_eggs indicators

• Establish clear procedures for verifying the legitimacy of job applicant materials

IN SUMMARY:

From international law enforcement operations dismantling malware infrastructure to critical vulnerabilities in GPS devices and sophisticated social engineering campaigns, this week's threats demonstrate the diverse and evolving nature of the cybersecurity landscape. The coordinated attacks against Apache Tomcat Manager and the massive Adobe patch release highlight the ongoing challenges organizations face in maintaining secure systems, while the FIN6 campaign shows how threat actors continue to innovate their tactics to bypass security controls.

🚨 Key Takeaways:

✔️ International cooperation remains crucial in disrupting cybercriminal operations, as demonstrated by INTERPOL's Operation Secure.
✔️ IoT security vulnerabilities can have real-world physical implications, as seen with the SinoTrack GPS device flaws.
✔️ Threat actors are increasingly leveraging legitimate collaboration tools like Microsoft Teams to establish initial access.
✔️ Coordinated brute-force attacks continue to target common administrative interfaces, highlighting the importance of strong authentication.
✔️ The sheer volume of vulnerabilities in popular software like Adobe products creates significant patching challenges for organizations.
✔️ Social engineering tactics are becoming more sophisticated, with threat actors creating convincing fake personas to deliver malware.

🔎 Immediate Actions:

✔️ Change default passwords on all network-connected devices, especially IoT devices like GPS trackers.
✔️ Apply Adobe's June 2025 security patches immediately across all affected products.
✔️ Implement strict verification procedures for IT support communications, even when through legitimate channels.
✔️ Secure Apache Tomcat Manager interfaces with strong authentication and IP restrictions.
✔️ Train HR and recruitment staff to recognize suspicious resume links and attachments.
✔️ Update antivirus and anti-malware solutions to protect against the latest information-stealing malware variants.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)