MSP cybersecurity news digest, July 7, 2025

Google issues fix for active zero-day vulnerability in Chrome’s V8 JavaScript engine

Google has issued a security update to fix a zero-day vulnerability in Chrome, tracked as CVE-2025-6554, which is currently being exploited in the wild.

The flaw is a type confusion issue in Chrome’s V8 JavaScript engine, allowing attackers to read or write arbitrary memory via a malicious HTML page. These types of bugs can lead to code execution, data theft, or crashes — often triggered just by visiting a compromised website. Google quickly mitigated the threat with a configuration change and pushed updates to the Stable channel for all platforms. While details about the attackers remain undisclosed, users are urged to update Chrome to the latest version, with similar patches expected soon for Chromium-based browsers like Edge and Brave.

Following Google's disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6554 to its Known Exploited Vulnerabilities (KEV) Catalog, citing active exploitation as a serious risk to the federal enterprise. In line with Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate the flaw by the specified deadline. Although the directive targets FCEB entities, CISA urges all organizations to patch KEV-listed vulnerabilities promptly as part of a broader vulnerability management strategy. This marks the fourth Chrome zero-day addressed by Google in 2025.

Data breach at Australian airline Qantas compromises six million customer records

Qantas, Australia's largest airline, disclosed a cyberattack after threat actors accessed a third-party customer servicing platform linked to its call center and obtained access to six million customer records.

The airline confirmed the breach has been contained, though a significant amount of customer data — including names, emails, phone numbers, birthdates, and frequent flyer numbers — is believed to have been stolen. Qantas emphasized that no credit card, financial information, or login credentials were compromised. Authorities including the Australian Cyber Security Centre and the Australian Federal Police have been notified, and investigations are ongoing.

The incident follows recent warnings from cybersecurity firms about the hacking group Scattered Spider, which has increasingly targeted the aviation sector. While Qantas has not confirmed the attackers' identity, the breach shares tactics seen in other Scattered Spider campaigns involving social engineering and identity abuse. Similar attacks have hit Hawaiian Airlines, WestJet and major companies like MGM Resorts and Twilio.

Zurich nonprofit Radix hit by Sarcoma ransomware group, resulting in theft of 1.3TB of data

The Zurich-based nonprofit Radix, which provides health education in Switzerland, suffered a ransomware attack by the Sarcoma group, resulting in the theft of 1.3TB of data. The stolen data, now published on Sarcoma’s dark web leak site, includes information linked to several Swiss federal offices.

Although Radix confirmed the breach occurred on June 16, 2025, it assured that attackers did not gain direct access to federal administration systems. The Swiss National Cyber Security Center (NCSC) is investigating the scope of the data breach, and which entities were affected. Radix stated it maintains backups and quickly revoked access to compromised systems, but warns the stolen data could be used in phishing or fraud attempts.

The nonprofit is still determining how the attackers infiltrated its systems, and no sensitive data from partner organizations appears to be impacted. Victims have been personally notified, although the total number affected remains unknown. Sarcoma, a fast-growing ransomware group active since late 2024, is known for using phishing, RDP abuse, and supply-chain tactics to steal and encrypt data.

North Korean malware family NimDoor targets Web3 and cryptocurrency firms

North Korean threat actors are targeting Web3 and cryptocurrency firms using a new malware family dubbed NimDoor, written in the Nim language and leveraging advanced techniques such as process injection, SIGTERM-based persistence and encrypted WebSocket communication on macOS.

The attack chain starts with social engineering on platforms like Telegram, where victims are lured into installing a fake Zoom update that triggers AppleScript-based backdoors and information stealers. At the core of this campaign is a C++ loader called InjectWithDyldArm64, which injects encrypted payloads to maintain control and extract data from browsers and apps like Telegram. The malware is designed for persistence, periodically beaconing out to C2 servers and relaunching itself if terminated, showing resilience against basic defensive measures.

In a parallel campaign named BabyShark, North Korean-linked group Kimsuky continues to deploy spear-phishing emails with deceptive themes, such as interview requests or meeting agendas, tricking targets into executing VBS or PowerShell scripts. A recurring tactic, ClickFix, misleads users into running commands via Windows Run dialogs, granting remote access using tools like Chrome Remote Desktop and AutoIt. Kimsuky’s infrastructure includes fake job portals and spoofed academic emails to drop malware like Xeno RAT, using Dropbox and GitHub for staging and exfiltration. Recent campaigns reveal the use of password-protected weaponized documents and GitHub Personal Access Tokens to download and manage malware, reflecting Kimsuky’s evolving and persistent threat activity.

Callback phishing campaign lures victims through fake PDF attachments

Researchers warn of rising phishing campaigns using fake brand identities and PDF attachments to lure victims into calling attacker-controlled phone numbers, a tactic known as TOAD (telephone-oriented attack delivery).

The research revealed that brands like Microsoft, DocuSign, Norton, PayPal and Geek Squad are often impersonated in these scams. These attacks frequently involve PDFs with embedded QR codes or annotations that direct users to phishing sites or fake login pages. Victims are manipulated into calling fake support numbers where attackers impersonate legitimate staff to steal credentials or install malware. TOAD attacks often use scripted conversations, spoofed caller IDs, and VoIP numbers to seem authentic and avoid detection.

A recent FBI alert highlighted the Luna Moth group’s use of such methods, including remote access tools like AnyDesk. Attackers are also abusing Microsoft 365's Direct Send to spoof internal emails and target organizations more effectively. Separately, threat actors are exploiting AI tools by poisoning training data or tricking chatbots into suggesting malicious URLs, adding a new layer to phishing risks.