Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”

Tuesday, June 10, 2025 17:45

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” 

In this month's release, none of the included vulnerabilities have been observed by Microsoft being actively exploited in the wild. Out of eleven "critical" entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Windows Remote Desktop Service, Windows Schannel (Secure Channel), KDC Proxy service, Microsoft Office, Word and SharePoint server. There are two elevation of privilege vulnerabilities affecting Windows NetLogon and Power Automate. 

CVE-2025-32710 is the RCE vulnerability in Windows Remote Desktop Services and is given CVSS 3.1 score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to a use-after-free scenario, and then leveraging this to execute arbitrary code. Microsoft has assessed that the attack complexity is “high,” and exploitation is "less likely." 

CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements Secure Sockets layer (SSL) and Transport Layer Security (TLS) Protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory by Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit this vulnerability through the malicious use of fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high”, and exploitation is "less likely".  

CVE-2025-33071 is the RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and Domain controllers are not affected. Microsoft has assessed that the attack complexity is “high”, and exploitation is "more likely".  

CVE-2025-47172 is the RCE vulnerability in Microsoft SharePoint server given CVSS 3.1 score of 8.8. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper neutralization of special elements used in a SQL command which would allow an authorized attacker to execute code over a network. To exploit this vulnerability an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely." 

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. The vulnerabilities CVE-2025-47164 and CVE-2025-47953 are "use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office and the CVE-2025-47167 is a "type confusion" vulnerability which is triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker exploits these vulnerabilities and executes arbitrary code on the victim's machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is "low," and exploitation is "more likely." For CVE-2025-47953, the attack complexity is "low," and exploitation is "less likely."  

Microsoft listed two critical elevations of privilege vulnerabilities. 

CVE-2025-33070 is an elevation of privilege critical vulnerability in Windows Netlogon. An attacker could exploit the vulnerability by leveraging an authentication bypass in the Windows Netlogon service using uninitialized resources. An attacker, by successfully exploiting this vulnerability, could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely."  

Microsoft noted that the CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. This vulnerability in Power Automate exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability with CVSS 3.1 base score of 9.8 has been fully mitigated and no further action is required by the users.  

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "more likely:" 

*   CVE-2025-32713 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
*   CVE-2025-32714 - Windows Installer Elevation of Privilege Vulnerability. 
*   CVE-2025-47962 - Windows SDK Elevation of Privilege Vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.

Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities

President Trump’s deployment of more than 700 Marines to Los Angeles—following ICE raids and mass protests—has ignited a fierce national debate over state sovereignty and civil-military boundaries.

As hundreds of United States Marines deploy in Los Angeles under presidential orders to protect federal property amid growing protests over immigration enforcement, constitutional scholars and civil rights attorneys warn of long-term implications for American democracy and civil-military relations.

President Donald Trump revealed Monday that he had ordered the deployment of more than 700 activity-duty Marines out of Camp Pendleton—an extraordinary use of military force in response to civil unrest. The move, widely condemned by his critics, follows Trump’s federalization of the National Guard. Some 3,800 guardsmen have since been deployed in California against the objections of its government, spurring debate among legal observers over the limits of the president’s power to send troops into American streets.

Trump ordered the deployments in response to thousands of Angelenos who took to the streets on Friday in protests. LA residents responded after Immigration and Customs Enforcement (ICE) agents carried out sweeping raids of local businesses, arresting, among others, dozens of day laborers who were vying for work outside a local Home Depot. Larger demonstrations soon formed and remained largely peaceful until residents were engaged by police with riot shields and crowd control weapons. Over the weekend, the clashes between police and protesters escalated across many neighborhoods with large immigrant populations. Numerous buildings were vandalized with anti-ICE messages, and several Waymo autonomous vehicles were set ablaze.

Videos captured by protest attendees show police firing upon demonstrators with rubber bullets and other crowd control agents, including waves of asphyxiating CS gas. Members of the press shared images online showing injuries they incurred from the police assault. In widely shared footage, a law enforcement officer appears to intentionally target an Australian reporter, Lauren Tomasi, shooting her from feet away with a rubber bullet as she delivers a monologue into a camera. On Monday, CNN correspondent Jason Carroll was arrested live on air.

California governor Gavin Newsom condemned Trump’s troop deployment in posts on social media, calling the president’s actions an “unmistakable step toward authoritarianism.” His attorney general, Rob Bonta, has filed a lawsuit in federal court claiming the order violated the state’s sovereignty, infringing on Newsom’s authority as the California National Guard’s commander in chief.

In response to a request for comment, the Department of Defense referred WIRED to a US Northern Command press release detailing the deployment of Marines and National Guardsmen.

Federal troops in the United States are ordinarily barred from participating in civilian law enforcement activities. This rule, known as “posse comitatus,” may be suspended, however, by a sitting president in cases of civil unrest or outright rebellion. This exception—permitted under the Insurrection Act—allows the president to deploy troops when circumstances make it “impracticable” for state authorities to enforce federal law by “ordinary” means.

While these powers are most often invoked at the request of a state government, the president may also invoke the act when a state chooses to ignore the constitutional rights of its inhabitants—as happened multiple times in the mid-20th century, when southern states refused to desegregate schools after the Supreme Court’s landmark _Brown v. Board of Education_ decision.

President Trump, however, has so far not invoked the Insurrection Act, relying instead on a theory of “inherent authority” advanced by the US Justice Department in 1971 during the height of the anti–Vietnam War protests. This interpretation of presidential power finds that troops may be deployed in an effort to “protect federal property and functions.” Notably—unlike the Insurrection Act—this does not permit troops to engage in activities that are generally the purview of civilian law enforcement agencies.

Trump also invoked statutory power granted to him by Congress under Title 10 of the US Code, which enabled him to federalize elements of California’s National Guard. These activations typically occur when guardsmen are needed to support overseas military operations, as happened routinely this century during the wars in Iraq and Afghanistan. Domestically, however, guardsmen are not usually federalized without the agreement of a state’s governor—unless the Insurrection Act has been invoked.

Legal experts interviewed by WIRED offered a range of opinions on the president’s authority to deploy active-duty military troops or federalize the National Guard. While most believe it is likely within Trump’s power to ignore Newsom’s express objections, doing so without an invocation of the Insurrection Act, they say, is a decision fraught with legal complexities that carries serious implications, from altering—perhaps permanently—the fundamental relationship between Americans, states, and the federal government, to disturbing the delicate balance between civilian governance and military power.

Liza Goitein, senior director of the Brennan Center's Liberty and National Security Program, underscores the “unprecedented” nature of Trump’s approach. “He’s trying to basically exercise the powers of the Insurrection Act without invoking it,” she says. A key issue for Goitein is that the memorandum signed by Trump last week federalizing the National Guard makes no mention of Los Angeles or California. Rather, it states that the guardsmen are being mobilized to address protests that are both “occurring” and “likely to occur.”

In essence, the memo “authorizes the deployment of federal troops anywhere in the country,” Goitein says, “including places where there are no protests yet. We’re talking about preemptive deployment.”

Goitein argues that the administration’s justifications could undermine both judicial accountability and civil‑military boundaries. Under the Insurrection Act, federal troops can take on the responsibilities of local and state police. But without it, their authority should be quite limited. Neither the guardsmen nor the Marines, for instance, should engage with protesters acting peacefully, according to Goitein. “He says they’re there to protect federal property,” she says. “But it looks a lot like quelling civil unrest.”

Anthony Kuhn, a 28-year US Army veteran and managing partner at Tully Rinckey, believes, meanwhile, that there is really “no question” that Trump would be justified in declaring a “violent rebellion” underway in California, empowering him to ignore Newsom’s objections. The images and video of protesters hurling rocks and other items at police and lighting cars on fire all serve as evidence toward that conclusion.

“I know people in California, the governor, the mayor, are trying to frame it as a protest. But at this point,” says Kuhn, “it’s a violent rebellion. You can draw your own conclusions from the pictures and videos floating around.” Kuhn argues that the intentions of the protesters, the politics fueling the demonstrations, don’t matter. “They’re attacking federal facilities. They’re destroying federal property. So in an attempt to restore the peace, the president has the authority under Title 10 to deploy troops. It’s pretty straightforward.”

In contrast, Rutgers University professor Bruce Afran says deploying military forces against Americans is “completely unconstitutional” in the absence of a true state of domestic insurrection. “There was an attack on ICE’s offices, the doorways, there was some graffiti, there were images of protesters breaking into a guardhouse, which was empty,” he says. “But even if it went to the point of setting a car on fire, that's not a domestic insurrection. That's a protest that is engaged in some illegality. And we have civil means to punish it without the armed forces.”

Afran argues that meddling with the expectations of civilians, who naturally anticipate interacting with police but not armed soldiers, can fundamentally alter the relationship between citizens and their government, even blurring the line between democracy and authoritarianism. “The long-term danger is that we come to accept the role of the army in regulating civilian protest instead of allowing local law enforcement to do the job,” he says. “And once we accept that new paradigm—to use a kind of BS word—the relationship between the citizen and the government is altered forever.”

“Violent rioters in Los Angeles, enabled by Democrat governor Gavin Newsom, have attacked American law enforcement, set cars on fire, and fueled lawless chaos," Abigail Jackson, a White House spokesperson, tells WIRED. "President Trump rightfully stepped in to protect federal law enforcement officers. When Democrat leaders refuse to protect American citizens, President Trump will always step in.”

As the orders to mobilize federal troops have come down, some users on social media have urged service members to consider the orders unlawful and refuse to obey—a move that legal experts say would be very difficult to pull off.

David Coombs, a lecturer in criminal procedure and military law at the University of Buffalo and a veteran of the US Army’s Judge Advocate General's Corps, says it’s hypothetically possible that troops could question whether Trump has the authority to mobilize state guardsmen over the objection of a state governor. “I think ultimately the answer to that will be yes,” he says. “But it is a gray area. When you look at the chain of command, it envisions the governor controlling all of these individuals.”

Separately, says Coombs, when troops are ordered to mobilize, they could—again, hypothetically—refuse to engage in activities that are beyond the scope of the president’s orders, such as carrying out immigration raids or making arrests. “All they can do in this case, under Title 10 status, is protect the safety of federal personnel and property. If you go beyond that, then it violates the Posse Comitatus Act.” Federal troops, for instance, would need civilian police to step in at the point that local authorities want peaceful protesters to disperse.

The San Francisco Chronicle reports that, in a letter on Sunday, Homeland Security Secretary Kristi Noem requested that military troops be directed to detain alleged “lawbreakers” during protests “or arrest them,” which legal experts almost universally agree would be illegal under ordinary circumstances. The letter was addressed to Defense Secretary Pete Hegseth and accused the anti-ICE protesters of being “violent, insurrectionist mobs” aiming to “protect invaders and military aged males belonging to identified foreign terrorist organizations.”

Khun, who warns there’s a big difference between philosophizing over what constitutes an unlawful order and disobeying commands, dismisses the idea that troops, in the heat of the moment, will have an option. “It’s not going to be litigated in the middle of an actual deployment,” he says. “There’s no immediate relief, no immediate way to prove that an order is unlawful.”

Khun says that were he deployed into a similar situation, “me and my junior soldiers would not respond to a nonviolent or peaceful protest.” Asked what protesters should expect, should they engage with federal troops trained for combat overseas, Kuhn says the Marines will hold their ground more firmly than police, who are often forced to retreat as mobs approach. In addition to being armed with the same crowd control weapons, Marines are extensively trained in close-quarters combat.

“I would expect a defensive response,” he says, “but not lethal force.”

_Additional reporting by Alexa O’Brien._

_Updated at 1:40 pm ET, June 10, 2025: Added clarifying language around the less-lethal shooting of Lauren Tomasi and fixed a typo in the California attorney general's name._

The ‘Long-Term Danger’ of Trump Sending Troops to the LA Protests

Cisco Talos discovers PathWiper, a destructive new malware targeting critical infrastructure in Ukraine, highlighting ongoing cyber threats amidst the Russia-Ukraine conflict.

A newly identified malware named PathWiper was recently used in a cyberattack targeting essential services in Ukraine. Cybersecurity experts at Cisco Talos reported the incident this week and shared details with Hackread.com.

For your information, wipers are a type of malware designed to erase or corrupt data on computer systems, making them unusable. In this attack, the cybercriminals managed to get into a legitimate system that manages computer networks. They likely had inside knowledge of this system, which allowed them to send harmful commands and spread PathWiper to connected devices, researchers noted.

“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” the company wrote in its blog post.

The malware works by replacing important parts of a computer’s file system with random information. It finds all connected storage devices, including hard drives and network drives, and then overwrites their contents. The attackers tried to make their actions look like normal operations of the network management tool to avoid detection.

Cisco Talos believes that a Russian-backed Advanced Persistent Threat (APT) actor is behind this disruptive attack. Their confidence comes from observing similar attack methods and the capabilities of this wiper malware, which match previously seen attacks on Ukrainian targets.

****Similarities and Differences to Other Attacks****

PathWiper shares some features with another wiper malware called HermeticWiper, which also targeted Ukrainian entities in 2022. Both PathWiper and HermeticWiper aim to damage key parts of a computer’s storage, like the Master Boot Record (MBR) and files related to the New Technology File System (NTFS).

However, there’s a key difference in how they corrupt drives. PathWiper is more advanced; it carefully identifies all connected drives, even those that are temporarily disconnected, and verifies them before wiping. In contrast, HermeticWiper uses a simpler method of just trying to corrupt a range of physical drives.

The attack shows the continuing danger to Ukraine’s critical infrastructure as the conflict with Russia carries on. It is recommended to use security products for endpoint protection, email security, firewalls, network analysis, and malware analysis. These tools help organizations detect and prevent malicious activity, block harmful emails and websites, and provide multi-factor authentication to allow access only to authorized users.

New PathWiper Malware Strikes Ukraine’s Critical Infrastructure

A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos.
"The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across

New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

Cisco Talos researchers observed the new wiper malware in a destructive attack against an unnamed critical infrastructure organization.

'PathWiper' Attack Hits Critical Infrastructure In Ukraine

The vulnerability, with a 9.9 CVSS score on a 10-point scale, results in different Cisco ISE deployments all sharing the same credentials as long as the software release and cloud platform remain the same.

Cisco Warns of Credential Vuln on AWS, Azure, Oracle Cloud

In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.

Thursday, June 5, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

**The one big thing **

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, "PathWiper," deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine's infrastructure amid the ongoing war. 

**Why do I care? **

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

**So now what? **

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

**Top security headlines of the week**

**New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch**   
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News) 

**Vanta bug exposed customers’ data to other customers**   
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch) 

**Data Breach Affects 38K UChicago Medicine Patients**   
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector's system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

**Can’t get enough Talos? **

**Fake AI installers target businesses.** Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

**Talos at Cisco Live 2025**. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we'll see you there!

**Upcoming events where you can find Talos **

*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2–  7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA 256:**   
**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Everyone's on the cyber target list

Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.

In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.

As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.

According to the researchers at Cisco Talos, the threat is twofold.

“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”

In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”

On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.

“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”

In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.

In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky\_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.

Though the Lucky\_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:

> “We are not a politically motivated group and we do not need anything other than your money.”

In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”

Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.

While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.

****How to protect your small business from ransomware****

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 Ransomware hiding in fake AI, business tools 

Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”

Thursday, June 5, 2025 06:00

*   Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. 
*   The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. 
*   Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities.  
*   The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war. 

**Proliferation of PathWiper **

Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment.

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console: 

C:\\WINDOWS\\System32\\WScript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs

Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it: 

C:\\WINDOWS\\TEMP\\sha256sum.exe 

Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment.

**PathWiper capabilities **

On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly. It first gathers a list of connected storage media on the endpoint, including: 

*   Physical drive names 
*   Volume names and paths 
*   Network shared and unshared (removed) drive paths 

Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries ‘HKEY\_USERS\\Network\\<drive\_letter>| RemovePath’ to obtain the path of shared network drives for destruction. 

Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes. The wiper reads multiple file systems attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data: 

*   MBR 
*   $MFT 
*   $MFTMirr 
*   $LogFile 
*   $Boot 
*   $Bitmap 
*   $TxfLog 
*   $Tops 
*   $AttrDef 

Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL\_DISMOUNT\_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes. 

PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.  

 A significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against recorded drives and volumes. PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification and documents valid records. This differs from HermeticWiper's simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules: 64742, 64743 

Snort 3 rules: 301174

**Indicators of compromise (IOCs) **

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.
The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability.
"A

Tag

#cisco