👉 What’s going on in the cyber world today?
UNC6040 uses vishing to breach Salesforce, Chaos RAT variant hits Windows and Linux, and NFT airdrop scams drain Hedera wallets. Ukraine hacks Tupolev, KiranaPro loses all data, and Nervos Force Bridge is exploited. Oklahoma enacts new breach law, BidenCash marketplace is seized, and a $10M bounty targets RedLine hackers.
1. UNC6040 Vishing Group Targets Salesforce Data
Google has disclosed details of a financially motivated threat cluster, UNC6040, specializing in voice phishing (vishing) campaigns to breach organizations’ Salesforce instances for large-scale data theft and subsequent extortion. By impersonating IT support personnel in convincing telephone-based social engineering engagements, UNC6040 operators trick English-speaking employees into actions that grant them access or lead to credential sharing. A key tactic involves deceiving victims into authorizing a modified version of Salesforce’s Data Loader, which then allows attackers to exfiltrate data from Salesforce and move laterally to other platforms like Okta and Microsoft 365.
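One defender-side way to look for the pattern described above, as an added example that is not part of the original briefing or of Google's report: a small Python heuristic over constructed log lines (the column layout, event names, allow-list and thresholds are assumptions, not Salesforce's real event schema) that flags a bulk API export made through a connected app the same user authorized shortly beforehand.

```python
"""Heuristic for the vishing-to-Data-Loader chain: a user authorizes an
unsanctioned connected app, and that app then pulls a large volume of data.
The log format below is constructed for this example (assumed fields)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, app, rows exported
SAMPLE_LOG = """\
timestamp,user,event,app,rows
2025-06-04T09:01:00Z,alice@example.com,OAUTH_APP_AUTHORIZED,Data Loader Support Tool,0
2025-06-04T09:04:00Z,alice@example.com,BULK_API_EXPORT,Data Loader Support Tool,120000
2025-06-04T09:30:00Z,bob@example.com,BULK_API_EXPORT,Data Loader,800
2025-06-04T10:00:00Z,carol@example.com,OAUTH_APP_AUTHORIZED,Slack,0
"""

APPROVED_APPS = {"Data Loader", "Slack"}  # assumed allow-list of sanctioned apps
WINDOW = timedelta(hours=24)              # authorization-to-export window (assumed)
ROW_THRESHOLD = 10_000                    # "bulk" export size (assumed)


def parse(text):
    """Parse the CSV-style log into dicts with typed timestamp and row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["rows"])
    return rows


def find_suspicious(events):
    """Return (user, app, rows) for every bulk export done through an app that
    the same user authorized within WINDOW and that is not on the allow-list."""
    recent_auth = defaultdict(dict)  # user -> {app: time the user authorized it}
    hits = []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["event"] == "OAUTH_APP_AUTHORIZED" and e["app"] not in APPROVED_APPS:
            recent_auth[e["user"]][e["app"]] = e["timestamp"]
        elif e["event"] == "BULK_API_EXPORT":
            authorized_at = recent_auth[e["user"]].get(e["app"])
            if (authorized_at is not None
                    and e["timestamp"] - authorized_at <= WINDOW
                    and e["rows"] >= ROW_THRESHOLD):
                hits.append((e["user"], e["app"], e["rows"]))
    return hits


if __name__ == "__main__":
    for user, app, rows in find_suspicious(parse(SAMPLE_LOG)):
        print(f"ALERT: {user} exported {rows} rows via newly authorized app {app!r}")
```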
2. New Chaos RAT Variant Hits Windows and Linux
Security researchers are highlighting a new variant of the open-source Chaos RAT, written in Go, which is being used in recent attacks targeting both Windows and Linux systems, often for cryptojacking. Distributed via phishing emails or disguised as network utilities, this RAT allows attackers to build payloads, establish sessions, and control compromised machines for reconnaissance or for deploying other malware. While vulnerabilities in Chaos RAT’s own admin panel have been addressed, threat actors continue to weaponize open-source tools like this one, which also makes attribution more difficult. This trend runs alongside new campaigns such as one targeting Trust Wallet desktop users with counterfeit software designed to steal browser credentials and cryptocurrency wallet data.
3. FBI Warns of Hedera NFT Airdrop Crypto Scam
The FBI is alerting users of the Hedera Hashgraph network about a new scam where cybercriminals exploit NFT airdrops to steal cryptocurrency from their wallets. In these attacks, threat actors send unsolicited NFTs or tokens with memos prompting users to click a URL to claim a reward, which then leads to phishing sites designed to harvest sensitive information. Once victims input their account passwords or wallet recovery seed phrases on these fake sites or dApps, attackers use this information to hijack their wallets and drain the funds. The FBI advises users to always verify the legitimacy of airdrop alerts with official sources before engaging, never share sensitive credentials unless they initiated the contact, and regularly monitor their crypto accounts for suspicious activity, reporting any incidents to the IC3.
4. Ukraine GUR Claims Tupolev Data Theft Hack
Ukraine’s Main Intelligence Directorate (GUR) claims its hackers breached Russian aerospace and defense company Tupolev, a key developer of strategic bombers, stealing 4.4GB of classified data. The stolen information reportedly includes Tupolev personnel data, internal communications, procurement documents, and confidential meeting minutes, with GUR asserting nearly all of Tupolev’s secrets are now exposed. GUR sources stated they were in Tupolev’s network for a long time gathering intelligence that will impact Russia’s strategic aviation and also defaced the company’s website.
5. KiranaPro Startup Hacked, All Data Wiped
Indian grocery delivery startup KiranaPro has suffered a devastating hack resulting in all its data being wiped, including app code and servers containing sensitive customer information like names, addresses, and payment details. The company’s founder confirmed hackers gained access to KiranaPro’s root accounts on AWS and GitHub around May 24–25, possibly through a former employee’s account, leaving the app online but unable to process orders. Launched in December 2024, KiranaPro served 55,000 customers across 50 cities with a voice-based interface and had ambitious expansion plans now disrupted by this total data loss. Despite using multi-factor authentication on its AWS account, KiranaPro is now investigating the breach with GitHub’s help and is filing cases against former employees while the exact attack vector remains unclear.
6. Nervos Bridge Paused After $3.9 Million Hack
Nervos Network’s Force Bridge was exploited on June 2nd for approximately $3.9 million in various cryptocurrencies, with attackers siphoning assets from both the Ethereum and BNB Chain sides of the bridge. Blockchain security firms reported the stolen funds were quickly funneled through crypto mixers like Tornado Cash, and the exploit occurred after multiple failed attempts by the attacker over a six-hour period. In response, Magickbase, a Nervos Network community developer, immediately halted all Force Bridge activity as a precaution while the team actively investigates the security incident.
7. Oklahoma’s New Data Breach Law Effective 2026
Oklahoma recently enacted Senate Bill 626, amending its Security Breach Notification Act effective January 1, 2026, introducing new definitions for personal information and “reasonable safeguards.” The amendment mandates entities report data breaches affecting over 500 residents (or 1,000 for credit bureaus) to the Attorney General within 60 days of notifying individuals, though exceptions exist for smaller breaches and HIPAA-compliant entities. It also provides revised penalty provisions, including affirmative defenses for businesses that implement reasonable safeguards like risk assessments, employee training, and incident response plans. Oklahoma entities are now advised to inventory their data and update information security policies to ensure compliance with these new, more stringent cybersecurity rules.
8. US and Dutch Authorities Bust BidenCash Cybercrime Market
U.S. and Dutch authorities, in a coordinated operation, have seized approximately 145 darknet and clear web domains and cryptocurrency funds associated with the notorious BidenCash marketplace. Operational since March 2022, BidenCash served over 117,000 users, trafficked more than 15 million stolen payment cards, and generated over $17 million in revenue by selling card data, PII, and compromised server access. To attract users, the marketplace periodically released millions of stolen credit card records for free, including full card details and personal information of victims. This takedown, supported by the FBI, Secret Service, and cybersecurity firms, marks a significant disruption to cyber-enabled financial crime, with seized domains now redirected to a law enforcement server.
9. US Puts $10M Bounty On RedLine Hackers
The U.S. Department of State is offering up to $10 million for information on state-sponsored hackers using the RedLine infostealer against U.S. critical infrastructure and its suspected Russian creator, Maxim Alexandrovich Rudometov. Rudometov was charged in the U.S. in October after “Operation Magnus,” where Dutch police also disrupted RedLine and META malware-as-a-service platforms linked to credential theft, arresting two suspects and seizing servers. He allegedly managed RedLine’s infrastructure and faces up to 35 years if convicted for computer intrusion, money laundering, and access device fraud, though his current arrest status is unclear. Cybersecurity firm ESET aided the crackdown by mapping over 1,200 servers linked to these malware operations and has released an online scanner for potential victims.
As the U.S. stock market opens on Thursday, June 5, 2025, leading cybersecurity stocks are exhibiting varied performances, influenced by market volatility, earnings sentiment, and continued AI integration in cybersecurity platforms:
A cybercriminal group known as UNC6040 is impersonating IT support over the phone to trick employees into approving a fake Salesforce application. This gives them access to sensitive customer data and allows them to move into other systems like Microsoft 365 or Okta.
✅ What you should do
✅ Why this matters
These vishing attacks are highly convincing and don’t rely on technical flaws; they rely on human trust. One wrong approval could give attackers full access to sensitive company data.