June 9, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
Proof of Concept Exploit Released for CVE-2025-32756
Further to Kroll's reporting in May on a critical zero-day vulnerability affecting Fortinet, CVE-2025-32756 is now being actively exploited in the wild, with attackers using a crafted AuthHash cookie to gain control of affected systems.
01:27 [VULNERABILITY] Critical Roundcube Remote Code Execution Vulnerability
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP object deserialization. This means an attacker with a valid Roundcube login can craft a malicious request to exploit a deserialization flaw and execute arbitrary code on the server.
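As an added defender-side example (not part of the briefing or of Roundcube's own code), the following Python scans web server access log lines for requests to the Roundcube settings upload handler whose `_from` query parameter carries a PHP serialized-object marker. The combined log format, the constructed sample lines and the `_task=settings&_action=upload` front-controller routing are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Start of a PHP serialized object: O:<len>:"<ClassName>":<count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')

# Assumption: Apache/nginx "combined" log format; only the request line is used.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_roundcube_upload(log_line: str) -> bool:
    """Flag a request to the settings upload handler whose _from parameter
    looks like a serialized PHP object. Only URL parameters are visible in
    access logs; a value sent in a POST body would need request-body logging."""
    m = REQUEST_LINE_RE.search(log_line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    # The advisory names program/actions/settings/upload.php; the _action=upload
    # check is an assumption about Roundcube's index.php routing.
    if ("settings/upload.php" not in parts.path
            and "_action=upload" not in parts.query):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("_from", []):
        # parse_qs decodes once; decode again to catch double-encoded values.
        if PHP_OBJECT_RE.search(unquote(value)):
            return True
    return False


# Constructed sample log lines (not real traffic); the flagged value is a
# harmless empty stdClass object, not an exploit payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2025:10:01:02 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jun/2025:10:03:44 +0000] "GET /?_task=settings&_action=upload&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jun/2025:10:05:10 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 4096',
]


def scan(lines):
    """Return the log lines that match the detection."""
    return [line for line in lines if is_suspicious_roundcube_upload(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", hit)
```

Because the flaw requires an authenticated user, pairing a hit with the Roundcube session or username from the application log is the natural next triage step.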
03:05 [CAMPAIGN] Spear-phishing Campaign Targeting Chief Financial Officers (CFOs)
Key Takeaways
- Chief financial officers in banking, energy, insurance and investment were targeted in a spear-phishing campaign.
- The campaign was themed around a recruitment opportunity with Rothschild & Co.
- The phishing infection chain led to the deployment of open-source remote access tool NetBird.
- KTA465's tactics have evolved, shifting from password sprays in 2024 to sophisticated adversary-in-the-middle (AitM) phishing in Q2 2025.
05:00 Ransomware Round Up
Key Takeaways
- KTA379 (INTERLOCK) is a newer ransomware group, active since September 2024, that has already targeted dozens of victims, focusing heavily on healthcare.
- They use tactics like “ClickFix” attacks and phishing to impersonate IT tools and gain entry, especially against educational institutions.
- A key tool in their arsenal is NODESNAKE, a stealthy JavaScript-based remote access trojan that hides via obfuscated code and a fake “ChromeUpdater” registry entry.
- NODESNAKE is actively evolving with capabilities like real-time command execution and dynamic C2 behavior, showing INTERLOCK’s dedication to long-term access.
- INTERLOCK exfiltrates large volumes of data, often leaking it or using it for extortion.
CONTI Ransomware Internal Leak
Key Takeaways
The CONTI and TRICKBOT ransomware groups had many of their key operators exposed in a whistleblowing event by someone acting under the moniker "GangExposed." GangExposed leaked thousands of personal videos, ransom negotiations and chat logs. He described his actions as part of his fight against an organized society of criminals worldwide.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats