CISA, Microsoft warn of Windows zero-day used in attack on ‘major’ Turkish defense org
Microsoft patched a high-severity Windows zero-day used in a March attack on a major Turkish defense organization. Discovered by Check Point, the flaw affects the WebDAV component and was exploited via a phishing email using a disguised .url file. The attack was linked to Stealth Falcon, a UAE-associated APT known for zero-days and custom malware. The group used tools like Horus Agent and Horus Loader to evade detection in a multi-stage espionage campaign. The bug has been added to CISA’s exploited vulnerabilities catalog.
40K IoT cameras worldwide stream secrets to anyone with a browser
Security researchers at Bitsight accessed 40,000 internet-connected cameras globally—mostly in the U.S.—revealing live feeds from datacenters, hospitals, factories, and homes. Many required no hacking, just a web browser. About 78% used HTTP, the rest RTSP. The findings back a DHS warning that exposed, often Chinese-made cameras in critical infrastructure could aid spies or criminals. Researchers also found IP feeds being shared on forums, showing bedrooms and workshops, potentially for stalking or extortion. DHS flagged risks like data theft or tampering with safety systems.
Marks & Spencer begins taking online orders again, out for seven weeks due to cyberattack
Marks & Spencer has reopened online shopping six weeks after a cyberattack forced it to pause orders, costing the retailer an estimated £25M per week. Deliveries to England, Scotland, and Wales have resumed, with other services to follow. The hack—linked to Scattered Spider—could cost up to £300M. M&S also confirmed that customer data was stolen. CEO Stuart Machin called it a “setback,” not a crisis, and plans to accelerate a full IT overhaul originally slated for three years to just 18 months.
PoC Code escalates Roundcube Vuln threat
A critical Roundcube webmail flaw with a CVSS score of 9.9 is now a major threat after proof-of-concept code was publicly released. The 10-year-old bug lets authenticated attackers execute remote code via a malicious URL exploiting PHP’s object handling. Over 85,000 unpatched servers are exposed globally. Login credentials are required to exploit it, but attackers can pair it with older credential-theft bugs for full compromise. A patch is available, but researchers warn organizations to update immediately and monitor for malicious activity.
ConnectWise rotating code signing certificates over security concerns
ConnectWise is replacing digital code signing certificates for ScreenConnect, Automate, and RMM tools after a researcher flagged a potential configuration abuse issue. The flaw requires system-level access but could be exploited to distribute tampered installers. While no breach is linked to this move, the update comes amid phishing campaigns using fake, signed ConnectWise clients. DigiCert planned to revoke the old certs June 10, but ConnectWise got an extension to June 13. Cloud users get auto-updates, but all users are urged to update agents before the deadline.
A bit more on Twitter/X’s new encrypted messaging
Johns Hopkins cryptographer Matthew Green analyzed X’s new end-to-end encrypted messaging system, XChat, and found major flaws. Unlike Signal, XChat lacks forward secrecy and stores private keys on X’s servers, encrypted with weak user PINs. The keys are managed using a protocol called Juicebox, which splits keys across servers — but all servers appear to be controlled by X and likely don’t use Hardware Security Modules (HSMs), despite vague internal claims. Without verifiable HSM use or multi-party server control, X can potentially access any user’s messages, undermining the core promise of end-to-end encryption.
Poisoned npm Packages disguised as utilities aim for system wipeout
Researchers at Socket Security found two malicious npm packages that include backdoors capable of deleting all files in production environments. Published by a user named “botsailer,” the packages pose as developer utilities but are designed for sabotage, not theft. One activates file-deletion on the first HTTP request, while the other gathers system intel and adapts its attack to the OS. Socket warns this trend marks a shift toward destruction-based attacks targeting software supply chains. Both packages have been flagged and removed.
Stolen Ticketmaster data from Snowflake attacks briefly for sale again
Over the weekend, extortion group Arkana listed what it claimed was new stolen Ticketmaster data—but it turned out to be the same 569GB of data taken in the 2024 Snowflake attacks. BleepingComputer confirmed the files match previously leaked samples. The post referenced “RapeFlake,” a tool used in the original breach. While it’s unclear if Arkana acquired the data or is connected to ShinyHunters, the listing was taken down on June 9. Ticketmaster had already confirmed the breach and notified affected customers.






