By the CyberWire staff
At a glance.
- Spyware industry news.
- Patch Tuesday notes.
- UK calls for blood donors following last year's cyberattack.
- United Natural Foods disrupted by cyberattack.
- Trump Administration amends cybersecurity policies.
- Law enforcement disrupts scam operations across Asia.
Spyware industry news.
The University of Toronto’s Citizen Lab has published a report on the Italian government's use of Paragon's Graphite spyware to target journalists and activists. COPASIR, the Italian government’s parliamentary committee overseeing Italy’s intelligence services, acknowledged that the government had used Graphite to target activists Luca Casarini and Dr. Giuseppe Caccia, but said it did not know who deployed Graphite against journalist Francesco Cancellato. Paragon, which is based in Israel, ended its contract with Italy after the Italian government refused to allow the company to investigate the targeting of Cancellato.
Notably, Citizen Lab says this is the first forensic confirmation of Graphite's use against iOS devices. The spyware used a zero-click attack that exploited CVE-2025-43200, a logic issue triggered when the device processed a maliciously crafted photo or video shared via an iCloud Link. Apple patched the flaw in iOS 18.3.1.
Separately, Recorded Future's Insikt Group says the government of Mozambique appears to be a new customer of Intellexa's Predator spyware. The researchers note, "This aligns with the broader observation that Predator is highly active in Africa, with over half of its identified customers located on the continent." Insikt Group says other suspected Predator users include Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago.
Intellexa Group is a murky and complicated web of entities spread across Europe and the Middle East. The US government sanctioned some of its Europe-based companies last year, alleging that the spyware was "used to target Americans, including U.S. government officials, journalists, and policy experts." Recorded Future notes, "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt."
Patch Tuesday notes.
Microsoft on Tuesday issued fixes for 67 Windows vulnerabilities, including one actively exploited zero-day, KrebsOnSecurity reports. The zero-day (CVE-2025-33053) affects the Windows implementation of Web Distributed Authoring and Versioning (WebDAV), and can lead to remote code execution. WebDAV is not enabled by default on Windows systems. The Register notes that Microsoft is throttling the Patch Tuesday update for Windows 11 24H2 after identifying "a compatibility issue affecting a limited set of these devices."
Check Point says the Stealth Falcon APT exploited the WebDAV zero-day to target a Turkish defense company. The threat actor sent a malicious .url file in a spearphishing email designed to deliver a custom implant for the Mythic C2 open-source framework.
Adobe released patches for 259 vulnerabilities across six of its products. The majority of the fixes involved the Experience Manager CMS.
Google and Mozilla have issued new versions of their respective browsers, fixing several high-severity vulnerabilities in Chrome and Firefox.
SecurityWeek has a roundup of patches issued by ICS vendors, including Siemens, Schneider Electric, and Aveva.
UK calls for blood donors following last year's cyberattack.
The UK's National Health Service (NHS) has issued a call for one million blood donors to make up for shortages caused by a July 2024 ransomware attack against pathology service provider Synnovis, the Record reports. The NHS says there is an urgent need for O-negative donors, and for donors of Black heritage who have the Ro blood subtype.
The NHS stated, "In July 2024, NHSBT issued an Amber alert due to a severe shortage of O negative blood triggered by the cyber-attack on London hospitals. Blood stocks have remained low and following several bank holidays in quick succession, there is now a pressing need to avoid a Red Alert which would mean demand far exceeds capacity, threatening public safety. This can be avoided if more donors come forward to fill the available appointment slots – particularly in the town and city centre donor centres."
The Qilin ransomware attack against Synnovis last July disrupted pathology services across London, preventing hospitals from performing blood matching tests and forcing them to rely on universal O-negative blood for transfusions.
United Natural Foods disrupted by cyberattack.
Rhode Island-based United Natural Foods, the largest publicly traded wholesale food distributor in the US and Canada, has disclosed a cyberattack that forced it to shut down some systems, BleepingComputer reports. The company said the incident, which occurred on June 5th, has affected its ability to fulfill customer orders.
The company said in an SEC filing, "The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations. The Company is working actively to assess, mitigate, and remediate the incident with the assistance of third-party cybersecurity professionals and has notified law enforcement. Pursuant to its business continuity plans, the Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online."
Trump Administration amends cybersecurity policies.
President Trump signed an Executive Order on Friday revising cybersecurity-related orders from the Obama and Biden administrations (13694 and 14144, respectively). Notably, the new order "limits the application of cyber sanctions only to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities." The EO also removes Biden-era digital identity mandates, which the White House claims "risked widespread abuse by enabling illegal immigrants to improperly access public benefits."
POLITICO notes that the order includes a number of "less controversial directives" related to secure software development, encryption protocols, post-quantum cryptography, and AI-assisted vulnerability management.
Law enforcement disrupts scam operations across Asia.
An international law enforcement operation led by the Singapore Police Force (SPF) resulted in the arrest of 1,800 individuals suspected of involvement in scam operations, the Record reports. The SPF stated, "The subjects, aged between 14 and 81, are believed to be involved in more than 9,200 scam cases, comprising mainly government official impersonation scams, investment scams, rental scams, internet love scams, friend impersonation scams, job scams, and e-commerce scams, where victims reportedly lost over S$289 million (approximately USD225 million)." The police also shuttered dozens of scam centers and seized more than $20 million from 32,600 bank accounts.