Serious Intelligence Weekly

Tuesday, June 10, 2025

Serious Intelligence Briefing: 10th June 2025

What's Happening in Security This Week

Welcome to our weekly security briefing. This week has been dominated by sophisticated Chinese cyber espionage activities, critical infrastructure vulnerabilities, and emerging threats to AI platforms. Here's what you need to know:

🇨🇳 Chinese Cyber Espionage Campaign: PurpleHaze

A major year-long espionage operation has been uncovered:

📧 Critical Email and Web Vulnerabilities

Multiple platforms face urgent security issues:

🤖 AI Platform Security Concerns

Artificial intelligence services face new threats:

🍽️ Food Supply Chain Disruption

Critical infrastructure attacks continue:

🎮 Gaming and Social Platform Threats

New malware delivery methods emerge:

☁️ Cloud Security Vulnerabilities

Cloud platforms face multiple security challenges:

🛡️ Infrastructure and Warfare Developments

Physical and digital security converge:

What You Need To Do

🚨 Do These Today

  1. Patch Roundcube webmail instances immediately (CVE-2025-49113, fixed in 1.6.11 and 1.5.10) - over 84,000 instances remain exposed to remote code execution
  2. Update vBulletin installations to address CVE-2025-48827 and CVE-2025-48828 vulnerabilities
  3. Review Google Account security settings and implement additional authentication measures following the phone number exposure vulnerability
  4. Audit supply chain relationships with IT service providers and logistics partners following the PurpleHaze campaign disclosure
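To turn item 1 into something a team can run against its asset inventory, here is an added example (not from the original briefing and not Roundcube's own code) that triages version strings against CVE-2025-49113. It assumes the fixed releases are 1.6.11 on the 1.6 branch and 1.5.10 on the 1.5 LTS branch, that anything older on those branches or on an end-of-life branch is vulnerable, and that the version string is taken from RCMAIL_VERSION in program/include/iniset.php on each host; the inventory below is constructed.

```python
import re
from dataclasses import dataclass

# Releases that carry the fix for CVE-2025-49113, per branch (assumption stated in the lead-in).
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}


@dataclass
class Finding:
    host: str
    version: str
    vulnerable: bool
    reason: str


def parse_version(raw: str) -> tuple[int, int, int]:
    """Accept '1.6.10', 'v1.6.10' or '1.6.10-rc1'; a missing patch level counts as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unparseable Roundcube version: {raw!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(raw: str) -> tuple[bool, str]:
    """Return (vulnerable, reason) for one RCMAIL_VERSION string."""
    major, minor, patch = parse_version(raw)
    branch = (major, minor)
    if branch in FIXED:
        fixed = FIXED[branch]
        if (major, minor, patch) >= fixed:
            return False, "at or above fixed release %d.%d.%d" % fixed
        return True, "below fixed release %d.%d.%d" % fixed
    if branch < (1, 5):
        # 1.4 and older are end-of-life and received no fix.
        return True, "end-of-life branch with no fix available; upgrade to 1.6.11"
    return False, "branch newer than the fixed releases; assumed patched, verify against the advisory"


def triage(inventory: dict[str, str]) -> list[Finding]:
    """inventory maps hostname -> RCMAIL_VERSION string; unparseable versions are treated as vulnerable."""
    out = []
    for host, ver in sorted(inventory.items()):
        try:
            vuln, why = is_vulnerable(ver)
        except ValueError as e:
            vuln, why = True, f"unknown version ({e}); treat as vulnerable until confirmed"
        out.append(Finding(host, ver, vuln, why))
    return out


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.10",
    "mail-b.example.test": "1.6.11",
    "mail-lts.example.test": "1.5.9",
    "mail-old.example.test": "1.4.15",
    "mail-x.example.test": "git-main",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{'VULN' if f.vulnerable else 'ok  '} {f.host:24} {f.version:10} {f.reason}")
```

The branch-aware comparison is the point: a naive "version < 1.6.11" check would wrongly flag 1.5.10, which is patched, and an unparseable version is deliberately reported as vulnerable rather than silently skipped.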

⚠️ Do These This Week

  1. Implement AI platform monitoring to detect potential nation-state actor abuse within your organisation
  2. Review Android app privacy settings to protect against new de-anonymisation techniques
  3. Assess AWS IAM Roles Anywhere configurations and ensure proper security controls are in place
  4. Apply the Linux patches for CVE-2025-5054 (Apport) and CVE-2025-4598 (systemd-coredump), the race conditions in crash-reporting tools that let a local user read the core dump of a crashed privileged process

🔔 Schedule These Soon

  1. Develop cybersecurity culture framework based on NCSC's new guidance including leadership metrics
  2. Evaluate post-quantum cryptography readiness using the newly released migration roadmap
  3. Review critical infrastructure protection against MITRE's latest recommendations and develop contingency plans
  4. Monitor for game-related malware if your organisation allows gaming applications

Security Landscape Overview

State-Sponsored Threat Activities

Government-backed cyber operations reach new levels of sophistication:
- Year-long reconnaissance campaigns targeting 70+ global organisations
- Supply chain compromise efforts affecting critical infrastructure
- AI platforms being exploited for malicious social engineering and espionage
- Nation-state actors adapting to use commercial platforms for operations

Critical Infrastructure Vulnerabilities

Essential services face increasing threats:
- Food supply chain disruption affecting wholesale distribution
- Internet infrastructure control shifting due to geopolitical conflicts
- Military infrastructure vulnerable to drone warfare tactics
- Healthcare sector requiring enhanced protection frameworks

Cloud and Platform Security

Digital platforms present evolving attack surfaces:
- Cloud configuration errors creating data exposure risks
- Covert tracking methods bypassing user privacy protections
- Gaming platforms becoming vectors for malware distribution
- AI services requiring enhanced monitoring for abuse detection

Special Focus: The Evolution of Supply Chain Threats

The PurpleHaze campaign represents a significant escalation in supply chain targeting, demonstrating how state actors are systematically compromising the technology and service providers that organisations depend on.

What Makes This Different: Rather than targeting end organisations directly, attackers are focusing on the suppliers, service providers, and logistics companies that support multiple clients. This allows a single compromise to affect dozens of downstream organisations.

Why This Matters: Your organisation's security is only as strong as your weakest supplier. Traditional security measures that focus on internal systems may not detect compromises that originate from trusted third-party relationships.

Key Risk Areas:
- IT service providers with access to internal systems
- Cloud service vendors handling sensitive data
- Logistics companies managing physical and digital supply chains
- Software vendors providing critical business applications

Protection Strategies:
- Conduct thorough security assessments of all critical suppliers
- Implement zero-trust principles for third-party access
- Require security certifications and regular audits from vendors
- Monitor for unusual activity patterns in supplier relationships
- Develop incident response procedures that account for supply chain compromises

Key Statistics

Over 84,000 Roundcube webmail instances remain vulnerable to critical remote code execution flaws, highlighting the widespread impact of email platform vulnerabilities.

Nearly one-fifth of Ukraine's Internet address space has passed to Russian control or to address brokers since 2022, demonstrating how cyber warfare extends to fundamental communications infrastructure.

Regulatory and Standards Development

NCSC's comprehensive guidance on cybersecurity culture emphasises the need for organisation-wide security awareness, moving beyond technical controls to address human and cultural factors in security effectiveness.

MITRE's latest critical infrastructure preparedness recommendations focus on cyber warfare scenarios, highlighting the increasing convergence of physical and digital security threats.


As always, if you need assistance implementing any of these recommendations, give us a shout!

Stay secure,

ISO Serious

Critical Security Tasks

Patch Roundcube Instances
Immediately update all Roundcube webmail instances (to 1.6.11 or 1.5.10) to protect against active exploitation of CVE-2025-49113
Review Google Account Security
Implement additional authentication measures and review phone number recovery settings following the recent vulnerability disclosure
Monitor AI Platform Usage
Implement monitoring systems to detect potential nation-state actor abuse of AI platforms in your organization
Supply Chain Risk Assessment
Conduct thorough security assessments of IT service providers and logistics partners in light of recent targeting by Chinese threat actors
Audit Android App Privacy
Review and update Android app permissions and tracking settings to protect against new de-anonymization techniques
Implement Counter-Drone Measures
Assess and deploy counter-drone systems for critical infrastructure protection
Update Linux Security
Patch systems against CVE-2025-5054 (Apport) and CVE-2025-4598 (systemd-coredump), the newly disclosed race conditions in crash reporting tools
Review AI Data Protection
Evaluate current AI data handling practices and implement safeguards against exfiltration
Review AWS IAM Roles Configuration
Audit existing AWS IAM Roles Anywhere implementations and ensure proper security controls are in place
Patch vBulletin Installations
Update all vBulletin installations to address newly disclosed vulnerabilities CVE-2025-48827 and CVE-2025-48828
Monitor for Game-Related Malware
Implement detection mechanisms for Blitz malware, particularly in environments where gaming applications are present
Audit DNS Configurations
Review DNS resolution settings in cloud services, particularly those involving Microsoft Azure OpenAI services
Implement Cybersecurity Culture Framework
Develop and implement an organization-wide cybersecurity culture framework based on NCSC's new guidance, including leadership KPIs and metrics
Review Critical Infrastructure Protection
Assess current critical infrastructure protection measures against MITRE's latest recommendations and develop contingency plans for cyber warfare scenarios
Evaluate Post-Quantum Cryptography Readiness
Begin assessment of systems and data for post-quantum cryptography migration using the newly released roadmap

Chinese Cyber Espionage and Critical Infrastructure Threats Dominate Week

News and Analysis

This week saw major developments in Chinese cyber espionage activities and critical infrastructure threats. SentinelOne revealed that Chinese threat actors conducted a year-long reconnaissance campaign targeting their infrastructure, affecting over 70 global organizations including governments and media outlets. The campaign, tracked as PurpleHaze, demonstrates China's persistent efforts to compromise security supply chains.

Significant vulnerabilities emerged in widely-used systems. Over 84,000 Roundcube webmail instances were found vulnerable to a critical remote code execution flaw, while Google patched a serious security hole that allowed attackers to expose users' phone numbers through brute-force attacks. CISA added both the Roundcube and Erlang SSH vulnerabilities to its Known Exploited Vulnerabilities catalog.

In infrastructure attacks, wholesale food giant UNFI, which supplies Whole Foods, reported a significant security breach that disrupted operations. Meanwhile, OpenAI took action by banning ChatGPT accounts linked to nation-state threat actors who were using the platform for malicious activities including social engineering and cyber espionage.

AI Security and Digital Threats: From Tracking to Warfare

Security Research

This week saw significant developments in AI security and digital surveillance. Meta and Yandex were caught using a covert tracking method that de-anonymizes Android users: their tracking scripts in the mobile browser hand web identifiers to their own native apps, which listen on localhost on the same device, so an ostensibly anonymous browsing session is tied to a persistent, logged-in app identity. OpenAI's latest report on malicious AI usage revealed widespread abuse across social engineering, cyber espionage, and influence operations, with significant activity originating from China.

Critical infrastructure concerns emerged as nearly one-fifth of Ukraine's Internet address space has passed to Russian control or to address brokers since 2022. Ukraine's Operation Spiderweb, the drone strikes on Russian airbases, demonstrated new vulnerabilities in military infrastructure against drone warfare, suggesting a need for significant investment in counter-drone systems.

On the regulatory front, testimony before a House committee addressed AI's impact on the federal government, focusing on data exfiltration risks. New Linux vulnerabilities were disclosed in Apport (CVE-2025-5054) and systemd-coredump (CVE-2025-4598): race conditions in the core-dump handlers that let a local attacker read the memory of a crashed privileged process and so recover sensitive data.

Cloud Security and Gaming Malware Take Center Stage

Threat Intelligence

This week saw significant developments in cloud security vulnerabilities and gaming-related malware. An investigation into AWS IAM Roles Anywhere highlighted that the service is only as trustworthy as the certificate authority registered as its trust anchor: any certificate that chains to that CA can be exchanged for role credentials, so role trust policies need conditions that pin the trust anchor and the certificate subject, and the CA's issuance and revocation processes need the same care as the role itself. Additionally, researchers uncovered an Azure OpenAI DNS resolution misconfiguration that could have led to data leaks, though Microsoft quickly addressed the issue.
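A practitioner working through the Roles Anywhere item in the task list and the point above would start with the role trust policies. The following is an added example, not code from the original briefing or from AWS, that audits a trust policy document for the conditions AWS documents for this service (aws:SourceArn pinned to one trust anchor, an aws:PrincipalTag/x509Subject/* attribute pinning the client identity, and the three STS actions the service requires). Both policies are constructed; the account ID is a documentation-style placeholder and the trust anchor ID and CN value are invented for the example.

```python
ROLES_ANYWHERE = "rolesanywhere.amazonaws.com"
# Actions a Roles Anywhere trust policy must grant for CreateSession to succeed.
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}


def _as_list(value):
    """IAM allows a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_items(condition: dict):
    """Yield (lower-cased condition key, [values]) across every condition operator."""
    for values_by_key in condition.values():
        for key, value in values_by_key.items():
            yield key.lower(), _as_list(value)


def audit_trust_policy(policy: dict) -> list[str]:
    """Return a list of weaknesses in statements that delegate to Roles Anywhere."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ROLES_ANYWHERE not in services:
            continue
        items = list(_condition_items(stmt.get("Condition", {})))
        keys = {k for k, _ in items}
        source_arns = [v for k, vals in items if k == "aws:sourcearn" for v in vals]
        if not source_arns:
            findings.append("no aws:SourceArn condition: any trust anchor in the account can reach this role")
        elif any("*" in arn or ":trust-anchor/" not in arn for arn in source_arns):
            findings.append("aws:SourceArn is not pinned to a specific trust anchor ARN")
        if not any(k.startswith("aws:principaltag/x509") for k in keys):
            findings.append("no x509 attribute condition: any certificate the trust anchor CA signs can assume this role")
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action", [])))
        if missing:
            findings.append(f"trust policy lacks actions Roles Anywhere needs: {sorted(missing)}")
    return findings


# Constructed example: trusts the service with no conditions at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLES_ANYWHERE},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    }],
}

# Constructed example: pinned to one trust anchor and one certificate subject.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLES_ANYWHERE},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {
            "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "build-agent-01"},
            "ArnEquals": {
                "aws:SourceArn": "arn:aws:rolesanywhere:eu-west-1:111122223333:trust-anchor/a1b2c3d4-0000-4000-8000-example00001"
            },
        },
    }],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_trust_policy(pol) or ["no findings"])
```

In practice feed it the AssumeRolePolicyDocument of every role returned by iam:ListRoles (boto3's list_roles already returns it decoded as a dict), and review the Roles Anywhere profile's session policy and the trust anchor's CA as well: the role trust policy is only one of the three places where the blast radius of a stolen or over-issued certificate is bounded.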

In the malware landscape, security researchers identified Blitz malware, a sophisticated threat active since 2024 that spreads through game cheats and uniquely abuses Hugging Face for command and control operations. The week also saw a major breach at Optima Tax Relief, resulting in the theft of 69GB of sensitive data including customer information.
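For the Blitz detection task in the list above, here is an added example (not part of the original briefing, and not derived from any published Blitz indicator) of detection logic a SOC could run over proxy logs. The only fact it takes from the page is that the malware uses Hugging Face for command and control; the log format, host names, process names and the allowlist of sanctioned ML machines are all constructed for the example. It scores two signals: traffic to the service from a host that has no business pulling models, and requests arriving at a near-constant interval, which is how a beaconing implant behaves and how a developer downloading a model does not.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example, not a vendor's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)
C2_DOMAINS = ("huggingface.co",)          # the service the briefing says Blitz abuses
ML_HOSTS = {"ml-gpu-01", "ml-gpu-02"}      # assumed allowlist of sanctioned ML machines

# Constructed sample proxy log: one legitimate model pull, one beacon, one casual browser visit.
SAMPLE_LOG = """\
2025-06-09T10:00:00Z host=ml-gpu-01 proc=python.exe dst=huggingface.co:443
2025-06-09T10:00:07Z host=ml-gpu-01 proc=python.exe dst=cdn-lfs.huggingface.co:443
2025-06-09T10:01:00Z host=ws-042 proc=launcher.exe dst=huggingface.co:443
2025-06-09T10:02:00Z host=ws-042 proc=launcher.exe dst=huggingface.co:443
2025-06-09T10:03:00Z host=ws-042 proc=launcher.exe dst=huggingface.co:443
2025-06-09T10:04:00Z host=ws-042 proc=launcher.exe dst=huggingface.co:443
2025-06-09T10:05:01Z host=ws-042 proc=launcher.exe dst=huggingface.co:443
2025-06-09T10:10:00Z host=ws-017 proc=chrome.exe dst=huggingface.co:443
2025-06-09T10:10:30Z host=ws-017 proc=chrome.exe dst=example.com:443
"""


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_c2_domain(dst: str) -> bool:
    return any(dst == d or dst.endswith("." + d) for d in C2_DOMAINS)


def beacon_like(times, min_events=4, max_jitter=0.2):
    """(True, mean_gap) when >= min_events requests arrive at a near-constant interval."""
    if len(times) < min_events:
        return False, 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False, 0.0
    return statistics.pstdev(gaps) / mean <= max_jitter, mean


def detect(log_text: str, allowlist=ML_HOSTS) -> list[dict]:
    """Group C2-domain requests per (host, process) and score each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_c2_domain(rec["dst"]):
            groups[(rec["host"], rec["proc"])].append(rec["ts"])
    findings = []
    for (host, proc), times in sorted(groups.items()):
        times.sort()
        reasons = []
        if host not in allowlist:
            reasons.append("host not sanctioned for model downloads")
        regular, mean_gap = beacon_like(times)
        if regular:
            reasons.append(f"{len(times)} requests at a near-constant {mean_gap:.0f}s interval (beacon-like)")
        if reasons:
            findings.append({"host": host, "proc": proc, "events": len(times),
                             "severity": "high" if len(reasons) == 2 else "low",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"], f["host"], f["proc"], "; ".join(f["reasons"]))
```

The interval test is the transferable part: the allowlist only says who should be talking to the service, not whether the traffic is human, so tune max_jitter to your proxy's timestamp resolution and extend C2_DOMAINS to any other hosting service that turns up in your telemetry.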

On the vulnerability front, vBulletin faced exploitation concerns with two new CVEs (CVE-2025-48827, CVE-2025-48828), demonstrating ongoing challenges with patch management in widely-used web platforms. These developments highlight the continuing evolution of both cloud security threats and traditional software vulnerabilities.

Evolving Cybersecurity Landscape: From Infrastructure Protection to Cultural Change

Vendor Updates

This week saw significant developments in cybersecurity across multiple fronts, with a particular focus on infrastructure protection and organizational culture. Mexico's digital transformation journey highlighted the growing pains of rapid technological adoption, as the country became one of the top six most-targeted nations globally. Meanwhile, the UAE strengthened its healthcare sector security through the expansion of ADHICS v2.0, addressing the critical need to protect valuable medical data.

Organizational cybersecurity culture emerged as a key theme, with the UK's NCSC releasing comprehensive guidance on creating effective security cultures. This coincided with new research showing that despite high compensation, many CISOs at large organizations are experiencing job dissatisfaction, highlighting the need for better alignment between security leadership and business objectives.

The week concluded with MITRE issuing a stark warning about critical infrastructure preparedness for cyber warfare, alongside the release of a new roadmap for adopting post-quantum cryptography. These developments underscore the increasing complexity of cybersecurity challenges and the need for comprehensive, culture-driven approaches to security.

ISO Serious Ltd. is a company registered in England and Wales (Company No. 15466339), Dragon CoWorking, 7-8 New Road Avenue, Rochester, Kent, United Kingdom, ME4 6BB.

intelligence@isoserious.com | Privacy Policy