22/03/2026 Cyber Security Briefly News - Escalating Cyber Landscape: Supply Chain Compromises, State-Sponsored Phishing, and Critical Vulnerability Exploitation

โฑ๏ธ Concise Cyber Intel: Time-Saving Strategic Analysis for Pros

📋 Top Headlines at a Glance

  1. Security Affairs newsletter Round 568 by Pierluigi Paganini – INTERNATIONAL EDITION
  2. Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
  3. FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks
  4. Critical Quest KACE Vulnerability Potentially Exploited in Attacks

Executive Summary: Today's intelligence highlights a diverse and escalating threat landscape. Key concerns include sophisticated supply chain attacks distributing infostealers, targeted phishing campaigns by state-sponsored actors against high-value individuals using commercial messaging applications, and the active exploitation of critical vulnerabilities in enterprise software. Ransomware continues to impact municipal infrastructure, underscoring the persistent and varied nature of cyber risks demanding immediate, multi-faceted defensive strategies.

๐ŸŒ Technical Intelligence Breakdown

📰 Security Affairs newsletter Round 568 by Pierluigi Paganini – INTERNATIONAL EDITION

This intelligence round-up identifies two distinct threat vectors. The WorldLeaks ransomware group has reportedly breached the City of Los Angeles, indicating ongoing threats to municipal entities. Additionally, a PolyShell flaw has been identified, which exposes systems running Magento and Adobe Commerce.

  • Ransomware Impact: The WorldLeaks group's breach of the City of Los Angeles highlights the critical need for robust ransomware defenses, including immutable backups, strong access controls, and incident response planning for public sector organizations.
  • Vulnerability Exposure: The PolyShell flaw affecting Magento and Adobe Commerce platforms necessitates immediate patching and security reviews for organizations utilizing these e-commerce solutions to prevent potential exploitation.

โ›“๏ธ Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

A significant supply-chain attack has compromised the Trivy vulnerability scanner. Threat actors, identified as TeamPCP, leveraged this compromise to distribute credential-stealing malware. The distribution vector included official releases and exploitation of GitHub Actions.

  • Attack Vector: Compromise of a widely used security tool, Trivy, demonstrates the high impact of supply chain attacks.
  • Malware Distribution: The infostealer was pushed through trusted channels, specifically official releases and GitHub Actions, making detection challenging.
  • Threat Actor: TeamPCP is attributed to this sophisticated operation.
  • Defensive Measures:
    • Verify integrity of all downloaded software, especially security tools, using hashes or digital signatures.
    • Implement strict security policies for CI/CD pipelines, particularly GitHub Actions, to prevent unauthorized code injection.
    • Monitor for unusual network activity or credential access attempts following software updates.
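Two of the defensive measures above, verifying release integrity and locking down GitHub Actions, can be checked mechanically. The following is an added example, not code from the page or from the Trivy project: it flags `uses:` references that are not pinned to a full commit SHA (a tag or branch can be re-pointed by whoever controls the upstream repository) and verifies a downloaded artifact against a sha256sum-style checksum file. The workflow, the commit SHA and the checksum file are constructed sample inputs.

```python
import hashlib
import hmac
import re

# Constructed workflow (not from the page): only the last step is pinned to a full
# commit SHA; tags/branches are mutable refs a compromised upstream can re-point.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""
# Constructed sha256sum-style checksum file; the digest is sha256(b"abc").
SAMPLE_CHECKSUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  trivy_release.tar.gz\n"

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return third-party 'uses:' references not pinned to a full commit SHA."""
    unpinned = []
    for ref in _USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not _SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned

def parse_checksums(text: str) -> dict[str, str]:
    """Parse 'HEX  filename' lines as written by sha256sum."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def verify_release(artifact: bytes, filename: str, checksums_text: str) -> bool:
    """True only if the artifact's SHA-256 matches its published checksum entry."""
    expected = parse_checksums(checksums_text).get(filename)
    if expected is None:
        return False  # an unlisted artifact is unverified, never implicitly trusted
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), expected)
```

A checksum file fetched over the same channel as the artifact only detects corruption or a partial tamper; pair it with the publisher's signature on the checksum file when one is offered.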

🎣 FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued a warning regarding phishing campaigns conducted by threat actors affiliated with Russian Intelligence Services. These campaigns specifically target commercial messaging applications (CMAs) such as WhatsApp and Signal. The objective is to seize control of accounts belonging to individuals deemed to have high intelligence value.

  • Targeted Platforms: WhatsApp and Signal are being exploited due to their widespread use and perceived security.
  • Threat Actor Attribution: The campaigns are linked to Russian Intelligence Services.
  • Objective: Account takeover to access sensitive communications and data from high-value targets.
  • Defensive Actions:
    • Enable multi-factor authentication (MFA) on all messaging applications.
    • Exercise extreme caution with unsolicited messages or links, even from known contacts.
    • Educate high-value personnel on advanced phishing techniques and social engineering.

🚨 Critical Quest KACE Vulnerability Potentially Exploited in Attacks

A critical vulnerability, tracked as CVE-2025-32975, affecting Quest KACE products has been identified. It may already have been exploited in active attacks, with a specific focus on the education sector.

  • Vulnerability Identified: CVE-2025-32975 in Quest KACE.
  • Potential Exploitation: Evidence suggests this flaw may be actively leveraged by threat actors.
  • Target Sector: The education sector is noted as a primary target for these potential attacks.
  • Attack Path (Potential): Vulnerable Quest KACE System --> Exploitation of CVE-2025-32975 --> Unauthorized Access/Control
  • Mitigation:
    • Organizations using Quest KACE should immediately apply any available patches or workarounds for CVE-2025-32975.
    • Conduct thorough audits of Quest KACE installations, especially within the education sector, for signs of compromise.
    • Isolate affected systems if patching is not immediately feasible.

📰 Security Affairs newsletter Round 568 by Pierluigi Paganini – INTERNATIONAL EDITION

This item repeats the first headline with no additional detail. The newsletter round-up once again highlights the breach of the City of Los Angeles by the WorldLeaks ransomware group and the PolyShell flaw impacting Magento and Adobe Commerce. The repeated mention underscores the ongoing relevance and severity of these threats.

  • Persistent Threats: The re-emphasis on WorldLeaks ransomware and the PolyShell flaw indicates these are current and significant concerns.
  • Defensive Focus: Organizations should prioritize patching known vulnerabilities, particularly those affecting widely used platforms like Magento and Adobe Commerce. Implementing robust ransomware protection and incident response plans remains critical for all sectors, including municipal governments.

📉 Threat Landscape & Trends

  • Supply Chain Vulnerabilities: The compromise of a widely used security scanner (Trivy) via GitHub Actions highlights the increasing sophistication and impact of supply chain attacks, turning trusted software into a distribution vector for malicious payloads like infostealers.
  • State-Sponsored Phishing: Russian Intelligence Services continue to conduct targeted phishing campaigns, focusing on high-value individuals and leveraging popular commercial messaging applications (WhatsApp, Signal) for account takeover, indicating a persistent threat to sensitive communications.
  • Ransomware Persistence: The WorldLeaks ransomware group's breach of the City of Los Angeles demonstrates that ransomware remains a critical and active threat to public sector infrastructure, necessitating robust defensive postures.
  • Rapid Exploitation of Critical Vulnerabilities: The potential exploitation of CVE-2025-32975 in Quest KACE shortly after its discovery, particularly targeting the education sector, underscores the urgency for prompt patching and vulnerability management.
  • Broad Attack Surface: Threats span from enterprise software vulnerabilities (Quest KACE, Magento, Adobe Commerce) to individual communication platforms, requiring comprehensive security strategies.

📌 Strategic Takeaway

Organizations must adopt a proactive, multi-layered defense strategy that prioritizes supply chain security, implements robust phishing awareness and multi-factor authentication for all users, maintains an aggressive patch management program for critical vulnerabilities, and develops resilient incident response capabilities to counter the diverse and evolving threat landscape.

🔗 References

  1. Security Affairs newsletter Round 568 by Pierluigi Paganini – INTERNATIONAL EDITION
  2. Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
  3. FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks
  4. Critical Quest KACE Vulnerability Potentially Exploited in Attacks