The CyberWire Daily Podcast 6.12.25
Ep 2328 | 6.12.25

Scam operations disrupted across Asia.

Transcript

Interpol’s Operation Secure dismantles a major cybercrime network, and Singapore takes down scam centers. GitLab patches multiple vulnerabilities in its DevSecOps platform. Researchers unveil a covert method for exfiltrating data using smartwatches. EchoLeak allows for data exfiltration from Microsoft Copilot. Journalists are confirmed targets of Paragon’s Graphite spyware. France calls for comments on tracking pixels. Fog ransomware operators deploy an unusual mix of tools. Skeleton Spider targets recruiters by posing as job seekers on LinkedIn and Indeed. Erie Insurance suffers ongoing outages following a cyberattack. Our N2K Lead Analyst Ethan Cook shares insights on Trump’s antitrust policies. DNS neglect leads to AI subdomain exploits.

Today is Thursday, June 12th, 2025 and I’m Dave Bittner. This is your CyberWire Intel Briefing.

Interpol’s Operation Secure dismantles a major cybercrime network, and Singapore takes down scam centers. 

Interpol’s Operation Secure, a joint effort by 26 countries across Asia and the South Pacific, has dismantled a major cybercrime network. The operation removed 20,000 malicious IP addresses and domains tied to infostealer malware. Authorities seized 41 servers and over 100GB of data, identifying 117 command-and-control servers used for phishing, fraud, and stealing sensitive data like passwords and crypto wallet info. Hong Kong Police played a key role in the analysis. Over 216,000 individuals were alerted to potential risks. The crackdown also led to 32 arrests, including suspects in Vietnam, Sri Lanka, and Nauru. Interpol worked with cybersecurity firms like Group-IB and Kaspersky to share intel, highlighting the value of international collaboration in combating global cyber threats.

Meanwhile, Singapore led a month-long multinational crackdown—Operation Frontier+—targeting scam syndicates responsible for roughly $225 million in fraud. Coordinating with police from Hong Kong, South Korea, Malaysia, the Maldives, Thailand, and Macao, authorities investigated nearly 34,000 suspects tied to over 9,200 scams. These ranged from fake investments to romance and job scams. Over 1,800 arrests were made, 32,000 bank accounts frozen, and $20 million seized. Singapore alone arrested 106 suspects linked to $30 million in fraud, recovering $8 million. Charges include hacking and ID theft. The operation, which began in April, relied on rapid cross-border collaboration to trace and freeze stolen funds. Officials stress the growing sophistication of these scams and the need for a global response. Similar efforts are underway in the U.S., India, and Japan.

GitLab patches multiple vulnerabilities in its DevSecOps platform. 

GitLab has issued urgent security updates to patch multiple vulnerabilities in its DevSecOps platform. The flaws include account takeover risks and the ability for attackers to inject malicious jobs into CI/CD pipelines. The fixes are included in GitLab versions 18.0.2, 17.11.4, and 17.10.8. Critical issues addressed include HTML injection (CVE-2025-4278), missing authorization (CVE-2025-5121), cross-site scripting (CVE-2025-2254), and a denial-of-service flaw (CVE-2025-0673). GitLab.com is already patched, and users of self-managed instances are urged to upgrade immediately.

Researchers unveil a covert method for exfiltrating data using smartwatches. 

Researchers in Israel have unveiled “SmartAttack,” a covert method for exfiltrating data from air-gapped systems using smartwatches. The attack involves malware on a secure, isolated computer emitting ultrasonic signals via built-in speakers. These inaudible tones, modulated to carry data, are picked up by a smartwatch microphone worn nearby. The watch then transmits the data via Wi-Fi, Bluetooth, or cellular networks. Though challenging and theoretical, the attack shows how insider threats can bypass physical isolation. Experts recommend banning smartwatches and disabling speakers in sensitive areas to mitigate risk.
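An added worked example, not from the episode or the SmartAttack paper, showing the kind of modulation a covert acoustic channel relies on: each bit is sent as a short burst of one of two ultrasonic tones (binary FSK), and the receiver picks the louder tone per bit window with the Goertzel algorithm. The sample rate, tone frequencies, bit duration and the `hunter2` payload are all assumptions chosen for this illustration; the paper's actual parameters are not stated on the page.

```python
import math
from typing import List

# Channel parameters are assumptions for this example, not SmartAttack's values.
SAMPLE_RATE = 48_000   # Hz; a common PC sound-card rate
BIT_SAMPLES = 480      # 10 ms per bit -> 100 Hz Goertzel bin spacing, 100 bit/s
FREQ_ZERO = 18_500     # Hz, tone for a 0 bit (above most adults' hearing range)
FREQ_ONE = 19_500      # Hz, tone for a 1 bit
AMPLITUDE = 0.5


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of the payload."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes) -> List[float]:
    """Sender side (the implant on the air-gapped host): binary FSK, one tone burst per bit."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = FREQ_ONE if bit else FREQ_ZERO
        for n in range(BIT_SAMPLES):
            samples.append(AMPLITUDE * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(window: List[float], freq: float) -> float:
    """Energy of `window` at `freq`: the Goertzel algorithm computes a single DFT bin without an FFT."""
    n = len(window)
    k = round(n * freq / SAMPLE_RATE)          # nearest bin; exact for the frequencies above
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples: List[float]) -> bytes:
    """Receiver side (the watch microphone): slice the recording per bit and keep the stronger tone."""
    bits = []
    for start in range(0, len(samples) - BIT_SAMPLES + 1, BIT_SAMPLES):
        window = samples[start:start + BIT_SAMPLES]
        one = goertzel_power(window, FREQ_ONE)
        zero = goertzel_power(window, FREQ_ZERO)
        bits.append(1 if one > zero else 0)
    return bits_to_bytes(bits)


if __name__ == "__main__":
    secret = b"hunter2"  # constructed payload
    audio = modulate(secret)
    print(demodulate(audio), f"{len(audio) / SAMPLE_RATE:.2f} s of audio")
```

With these example parameters the channel moves about 100 bits per second, so a single credential takes well under a second of audio while anything sizeable takes minutes, which is why the attack is framed as an insider-assisted, low-bandwidth leak rather than a bulk exfiltration path. The same `goertzel_power` scan over a microphone capture is also the cheapest way for a defender to notice sustained narrowband energy above 18 kHz in a sensitive room.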

EchoLeak allows for data exfiltration from Microsoft Copilot. 

Microsoft has disclosed a critical vulnerability in its 365 Copilot AI assistant, marking the first known zero-click attack on an AI agent. Dubbed “EchoLeak” (CVE-2025-32711, CVSS 9.3), the flaw allowed attackers to exfiltrate sensitive data by exploiting a new “LLM Scope Violation.” Attackers sent emails with hidden prompt injections disguised as business content. When users later asked Copilot related questions, its RAG engine retrieved the malicious emails as context. The AI then embedded stolen data into links that triggered automatic requests to an attacker-controlled server, bypassing content security policies. No user clicks were needed—just a crafted email and a relevant query. Discovered by Aim Security in January 2025, Microsoft patched the issue in May with server-side updates. There’s no sign it was exploited in the wild, and no action is needed by customers.

Journalists are confirmed targets of Paragon’s Graphite spyware. 

Citizen Lab has confirmed the first known infections by Paragon’s Graphite spyware, targeting Italian journalist Ciro Pellegrino and an unnamed European journalist. Both were compromised through a zero-click iMessage exploit, allowing surveillance without user interaction. Paragon’s spyware, linked to Italian intelligence agencies AISI and AISE, was reportedly active during the hacks, despite Italy’s denials. The spyware scandal has widened, with other victims including journalists and migrant aid workers. Pellegrino, unaware he was a target, criticized the lack of support from Italy’s government. A recent parliamentary report claimed no journalists were targeted, but Citizen Lab’s forensic evidence challenges that narrative. Israel’s Paragon ended its ties with Italy after the government refused to investigate. Citizen Lab continues examining additional cases, as the spyware’s full reach and intent remain unclear.

France calls for comments on tracking pixels. 

France’s data watchdog CNIL has launched a public consultation on its draft recommendation for regulating tracking pixels in emails. These invisible 1x1 pixel images are used to monitor when emails are opened, raising privacy concerns. The proposal aims to clarify consent requirements and ensure compliance, especially as complaints about email tracking increase. The draft applies to all organizations using email tracking and their service providers. The consultation runs until July 24, 2025, and CNIL is also collecting input on the economic impact of regulation.

Fog ransomware operators deploy an unusual mix of tools. 

Fog ransomware operators are deploying an unusual mix of tools, blending open-source utilities with legitimate software to evade detection. First observed in May 2024, the group initially used stolen VPN credentials, “pass-the-hash” attacks, and exploited known flaws in Veeam and SonicWall systems. In a recent attack on an Asian financial institution, Symantec uncovered a novel toolset that included Syteca—an employee monitoring software used to capture credentials—and GC2, a rare backdoor using Google Sheets or SharePoint for command-and-control. Other tools included Stowaway for stealthy delivery, SMBExec and PsExec for lateral movement, and Adapt2x C2 for post-exploitation. The attackers also used 7-Zip, MegaSync, and FreeFileSync for data exfiltration. Symantec notes the atypical toolkit, especially Syteca and GC2, signals an evolving strategy that challenges standard ransomware detection methods.

Skeleton Spider targets recruiters by posing as job seekers on LinkedIn and Indeed. 

Cybercriminal group FIN6, also known as Skeleton Spider, is using a new tactic to infect recruiters with malware by posing as job seekers on LinkedIn and Indeed. According to DomainTools, the group sends convincing phishing emails with no clickable links, requiring recipients to manually enter URLs leading to fake resume websites hosted on trusted platforms like AWS. These sites use CAPTCHA and traffic filters to bypass security tools and deliver the MoreEggs backdoor, a malware-as-a-service tool used to steal credentials and enable ransomware attacks. FIN6, historically known for stealing payment card data from PoS systems, is now shifting toward broader enterprise threats. The use of professional messaging and cloud hosting allows them to evade detection, signaling a more sophisticated approach to targeting organizations through social engineering.

Erie Insurance suffers ongoing outages following a cyberattack. 

Erie Insurance and Erie Indemnity Company confirmed a cyberattack on June 7 caused ongoing outages and business disruptions. Customers have been unable to access the portal, file claims, or receive documents. The company activated its incident response and is working with law enforcement and cybersecurity experts to investigate. While the nature and impact of the attack are still unclear, Erie emphasized it won’t request payments via email or phone during the outage. There’s no confirmation yet if ransomware or data theft is involved.

Coming up next, we share a selection from today’s Caveat podcast where my co-host Ben Yelin and I are joined by N2K’s Lead Analyst, Ethan Cook. We take a Policy Deep Dive into the Trump administration’s antitrust stance. We’ll be right back.

Welcome back. You can find a link to today’s full episode of Caveat in the show notes and stay tuned for new episodes each Thursday in your favorite podcast app.

DNS neglect leads to AI subdomain exploits. 

And finally, our “It’s Always DNS” desk takes us on a scenic stroll through the internet’s lesser-maintained cul-de-sacs, where tech debt and laziness collide in a wonderfully absurd mess.

First, 404 Media visits the “WowLazy” empire—a junkyard of AI-generated nonsense squatting on once-pristine subdomains from the likes of NPR, Stanford, and Nvidia. Thanks to poor subdomain hygiene, spammers found abandoned plots and moved in, posting content like “Gay Firry Porn” (Yes, really.) These AI-sploited subdomains don’t just confuse search engines—they make your brand look like it’s moonlighting as a bizarre fanfic site.

Much of this is the result of the elegant disaster of “dangling DNS records.” Here’s the deal: when you point a subdomain (say, events.yoursite.com) to a service (like a third-party event platform) and later stop using that service—but forget to delete the DNS pointer—you’ve left the digital back door wide open. Hackers can swoop in, claim that service, and hijack your subdomain to host phishing sites, malware, or… more furry content. (Not that there’s anything inherently wrong with furry content.)

The fix? Scrub your DNS like it’s a crime scene.
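An added example of what that scrub looks like in practice; this is editor-supplied code, not anything from the episode or the 404 Media report. It walks a zone export, follows CNAME chains that stay inside your own zone, and flags any record whose final target is an outside hostname that no longer resolves, which is the classic dangling-record shape described above. The zone, the provider hostnames and the fake public-DNS answers are all constructed for the illustration; `live_resolve` is the stand-in you would pass instead when running it for real.

```python
import socket
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]  # (rtype, rdata); only A and CNAME matter here

# Constructed zone export (not a real organisation's DNS). The events platform
# subscription was cancelled but its CNAME was never deleted.
SAMPLE_ZONE: Dict[str, Record] = {
    "www.example.com.":      ("A",     "203.0.113.10"),
    "events.example.com.":   ("CNAME", "example-events.eventsaas-hosting.example."),
    "blog.example.com.":     ("CNAME", "example.managed-blog-host.example."),
    "shop.example.com.":     ("CNAME", "www.example.com."),
    "old-shop.example.com.": ("CNAME", "shop.example.com."),
}

# Constructed view of what public DNS currently answers for the external targets.
FAKE_PUBLIC_DNS: Dict[str, str] = {
    "example-events.eventsaas-hosting.example.": "",            # NXDOMAIN: tenant deleted
    "example.managed-blog-host.example.":        "198.51.100.7",
}


def fake_resolve(name: str) -> bool:
    """Offline stand-in for DNS: True if the name has an address in the constructed table."""
    return bool(FAKE_PUBLIC_DNS.get(name))


def live_resolve(name: str) -> bool:
    """Real resolver for production use (not exercised offline): True if any A/AAAA answer exists."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone: Dict[str, Record],
                         resolve: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (owner, final_target) for every CNAME whose chain leaves the zone and ends on a name that does not resolve."""
    dangling: List[Tuple[str, str]] = []
    for owner, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        seen = {owner}
        current = target
        # Follow CNAMEs that point back into our own zone (shop -> www, etc.).
        while current in zone and zone[current][0] == "CNAME" and current not in seen:
            seen.add(current)
            current = zone[current][1]
        if current in zone:
            continue  # ends on a record we control (or a loop we control); nobody outside can claim it
        if not resolve(current):
            dangling.append((owner, current))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_ZONE, fake_resolve):
        print(f"DANGLING  {owner} -> {target}")
```

One caveat a practitioner will want: NXDOMAIN on the target is the easy case. Several hosting platforms keep the provider hostname resolving and serve an "unclaimed" page instead, so a target that resolves is not automatically safe; catching those takes provider-specific checks on the HTTP response, which this example deliberately does not attempt. Either way, the remediation is the same one the segment gives: delete the record the moment the service behind it goes away.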

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.