Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
DDoS Attacks on Financial Sector Surge in Scale and Sophistication
(TLP: CLEAR) A recently published intelligence report titled “From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector” details the transformation of distributed denial-of-service (DDoS) attacks into sophisticated, strategic threats targeting financial institutions. The report highlights an exponential surge in attack volume, with financial services facing nearly 350 DDoS events in October 2024 alone, making the sector the most targeted for two consecutive years (2023–2024). Additionally, a 23% increase in application-layer attacks in April 2024 widened the gap between financial institutions and other industries such as gaming and tech. Recent reporting suggests that, beyond attack scale and volume, threat actors now employ advanced multi-vector campaigns involving systematic reconnaissance, persistent low-volume probing, and evasion tactics to bypass network edge devices. These attacks, driven by hacktivist groups such as BlackMeta, RipperSec, and NoName057(16), are fueled by geopolitical tensions, notably the Russia-Ukraine and Israel-Hamas conflicts; a significant example is the coordinated DDoS attacks on Australian financial institutions in October 2024 tied to Ukraine-related geopolitical events. The report recommends implementing sophisticated DDoS attack mitigations, including geo-IP filtering, dynamic traffic shaping, defense-in-depth, pre-agreed scrubbing center activation, allowlisting, threat intelligence integration, and regular simulation testing. Lastly, the report introduces a five-tier DDoS Maturity Model to help institutions assess and enhance their resilience.
(TLP: CLEAR) Comments: The exponential rise in both frequency and sophistication, culminating in nearly 350 discrete DDoS incidents in October 2024 alone, demonstrates the shifting role of DDoS from opportunistic to deliberate and coordinated. This trend, particularly the 23% surge in application-layer attacks, highlights adversaries’ increasing awareness of the vulnerabilities within the complex web of APIs, login endpoints, and user-facing infrastructure that financial institutions rely on.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”
(TLP: CLEAR) Vercara: Vercara’s DDoS Solution, Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is an incredibly fast response against DDoS trouble when you need it most.
Source: https://www.infosecurity-magazine.com/news/ddos-financial-sector-surge/
Chinese Hackers and User Lapses Turn Smartphones into a “Mobile Security Crisis”
(TLP: CLEAR) Recent intelligence reporting confirms that the wave of unexplained smartphone crashes in late 2024 signaled the emergence of a sophisticated Chinese cyberespionage campaign. This operation exploited zero-click vulnerabilities, allowing threat actors to silently infiltrate mobile devices without any user interaction. According to reporting, the campaign primarily targeted individuals in sectors critical to national security, including defense, policy, and critical infrastructure. Attribution points to Chinese state-sponsored actors operating under the direction of the People’s Liberation Army (PLA) and Chinese intelligence services. These threat groups escalated their operations in 2024, successfully compromising the communications of U.S. citizens and attempting to breach high-profile political targets, including then-presidential candidate Donald Trump and vice-presidential candidate JD Vance. Attackers also impersonated aides such as Susie Wiles in social engineering campaigns aimed at infiltrating political networks via contact exfiltration and spoofed messaging. Intelligence reporting also notes the 2025 launch of the U.S. Cyber Trust Mark program as a positive step toward certifying consumer devices that meet minimum cybersecurity standards. However, security experts have stressed that certification alone cannot deter nation-state actors. It was later assessed that China and other nations will continue to take advantage of such lapses, and that national security officials must take steps to prevent them from recurring.
(TLP: CLEAR) Comments: The aforementioned cyberespionage campaign showcases a persistent and low-noise surveillance model, leveraging infrastructure reconnaissance, silent probing, and application-layer exploitation. The campaign aligns with ongoing geopolitical tensions and demonstrates the strategic use of Chinese telecom footholds in both U.S. and global networks. These footholds raise the risk not only of espionage, but of potential distributed denial-of-service (DDoS) attacks, disruption campaigns, and long-term infrastructure compromise. This particular campaign underscores a growing mobile security attack vector, where smartphones have become the weakest link in network defenses due to inadequate application security, unpatched third-party devices, and user lapses.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency publication “Selecting a Protective DNS (PDNS) Service”: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
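As an added illustration of the textual-attribute check described above (not code from the CISA document or from any PDNS product), the following Python scores the registrable label of each domain by Shannon entropy, vowel ratio and digit ratio and tags the outliers. The sample domains, the short suffix list and the thresholds are constructed assumptions for this example; the long dictionary-word domain shows why entropy alone is combined with the other attributes.

```python
import math
from collections import Counter

# Constructed sample domains: ordinary names, one long dictionary-word name,
# and three that look machine-generated. None are real observed indicators.
SAMPLE_DOMAINS = [
    "example.com",
    "mail.google.com",
    "internationalization.com",
    "xk3j9qz7vb2mwp4h.net",
    "q1w2e3r4t5y6u7i8o9p0.com",
    "zxcvbnmasdfghjkl.org",
]

# Assumption: only these public suffixes are recognised; a real PDNS would
# consult the full public-suffix list.
SUFFIXES = (".com", ".net", ".org")


def registrable_label(domain: str) -> str:
    """Label directly left of the public suffix: 'google' for mail.google.com."""
    d = domain.lower().rstrip(".")
    for sfx in SUFFIXES:
        if d.endswith(sfx):
            d = d[: -len(sfx)]
            break
    return d.split(".")[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct characters used once each gives 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def textual_features(domain: str) -> dict:
    label = registrable_label(domain)
    n = max(len(label), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(ch in "aeiou" for ch in label) / n, 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
    }


def tag_dga(domain: str, entropy_threshold=3.5, min_length=12,
            vowel_floor=0.2, digit_ceiling=0.4):
    """Return (is_suspicious, features). Thresholds are illustrative assumptions."""
    f = textual_features(domain)
    long_enough = f["length"] >= min_length
    suspicious = (
        (long_enough and f["entropy"] >= entropy_threshold)
        or (long_enough and f["vowel_ratio"] < vowel_floor)
        or f["digit_ratio"] >= digit_ceiling
    )
    return suspicious, f


def flagged(domains):
    """Domains that would be tagged for blocking or analyst review."""
    return [d for d in domains if tag_dga(d)[0]]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        hit, f = tag_dga(d)
        print(f"{'DGA?' if hit else 'ok  '} {d:28} {f}")
```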
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://www.securityweek.com/chinese-hackers-and-user-lapses-turn-smartphones-into-a-mobile-security-crisis/
Whole Foods Distributor United Natural Foods Hit by Cyberattack
(TLP: CLEAR) On June 5, 2025, United Natural Foods, Inc. (UNFI), North America’s largest wholesale grocery distributor and the primary supplier to Amazon’s Whole Foods, detected unauthorized access to its systems and network, which ultimately led to a cyberattack that disrupted its day-to-day operations. While UNFI has not released full details of the attack, reporting suggests that cybersecurity analysts suspect ransomware, though no group had claimed responsibility or disclosed a ransom demand as of June 10, 2025. The company, which generates over $30 billion annually, is collaborating with cybersecurity experts and law enforcement to investigate further and restore affected systems; the incident coincided with its Q3 earnings release, where executives prioritized rapid recovery and customer workarounds. The breach, which led to a nearly 7% drop in UNFI’s stock price, follows a wave of ransomware attacks on UK retailers and aligns with Google’s warnings of increased targeting of U.S. retail and logistics firms, highlighting the sector’s vulnerability due to just-in-time logistics and legacy systems. The attack comes amid ongoing supply chain volatility, inflationary pressures, and internal operational shifts, and it highlights the growing national risk posed by cyberattacks against food and logistics infrastructure. As ransomware groups evolve in sophistication and scale, critical supply nodes like UNFI represent both high-value targets and high-impact vulnerabilities.
(TLP: CLEAR) Comments: UNFI’s reliance on just-in-time logistics and legacy operational technology (OT) infrastructure mirrors systemic vulnerabilities that are prevalent across the retail and food distribution sector. While these models offer cost efficiency and streamlined operations under normal conditions, they leave little room for delay or disruption.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/
New Mirai Botnet Infect [sic] TBK DVR Devices via Command Injection Flaw
(TLP: CLEAR) In early June 2025, a new variant of the Mirai malware botnet began exploiting a critical command injection vulnerability, CVE-2024-3721, in TBK DVR-4104 and DVR-4216 devices, enabling remote code execution that hijacks the systems for distributed denial-of-service (DDoS) attacks. First disclosed in April 2024, the bug allows attackers to manipulate HTTP POST request parameters (mdb and mdc) to execute shell commands, deploying an ARM32 malware binary that connects compromised devices to a command-and-control (C2) server. Reporting indicates that Kaspersky’s Linux honeypots confirmed active exploitation, with the botnet targeting around 50,000 internet-exposed devices, down from an estimated 114,000, primarily in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. The affected TBK DVRs are widely rebranded under names like Novo, QSee, and Night OWL, which complicates patch availability, and no fix from TBK Vision has been confirmed as of June 2025. This campaign reflects a broader 2024 trend of rapid weaponization of IoT vulnerabilities, including D-Link flaws, by agile threat actors. The Mirai variant’s capabilities include launching volumetric DDoS attacks, proxying malicious traffic, and lateral movement in IoT environments. Analysts urge organizations to audit for vulnerable devices, isolate IoT systems, monitor outbound traffic, apply patches, and retire unpatched end-of-life systems to mitigate risks to the internet ecosystem.
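The following Python is an added detection example, not code from the report or from Kaspersky: it inspects POST records for shell syntax in the mdb and mdc parameters the report names, which is the kind of check a reverse proxy, WAF or IDS in front of an exposed DVR could apply. The request records, endpoint path, client addresses and CONSTRUCTED_MARKER strings are constructed placeholders, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Shell syntax that has no place in a legitimate mdb/mdc value. Deliberately
# narrow: command separators, pipes, substitution and redirection.
SHELL_SYNTAX = re.compile(r"[;|`<>\n]|\$\(|\$\{|&&")
WATCHED_PARAMS = ("mdb", "mdc")

# Constructed request records (timestamp, client IP, method, path, body) in
# the shape a reverse proxy or IDS that logs POST bodies might emit. The
# endpoint path, addresses and CONSTRUCTED_MARKER strings are placeholders.
SAMPLE_REQUESTS = [
    ("2025-06-07T10:00:01Z", "203.0.113.5", "POST", "/PLACEHOLDER_ENDPOINT",
     "mdb=sound&mdc=on"),
    ("2025-06-07T10:00:02Z", "203.0.113.5", "GET", "/index.html", ""),
    ("2025-06-07T10:00:09Z", "198.51.100.7", "POST", "/PLACEHOLDER_ENDPOINT",
     "mdb=sound;CONSTRUCTED_MARKER&mdc=on"),
    ("2025-06-07T10:00:10Z", "198.51.100.7", "POST", "/PLACEHOLDER_ENDPOINT",
     "mdb=sound&mdc=%24%28CONSTRUCTED_MARKER%29"),
    ("2025-06-07T10:00:11Z", "198.51.100.7", "POST", "/PLACEHOLDER_ENDPOINT",
     "user=admin&note=hello;world"),
]


def parse_form(body: str) -> dict:
    """Split a form-urlencoded body on '&' only and percent-decode each side.

    Done by hand rather than with parse_qs: older Python versions also split
    on ';', which would cut an injected command off the value being inspected.
    """
    fields = {}
    for chunk in body.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields


def suspicious_values(body: str) -> list:
    """(param, decoded value) for every watched parameter carrying shell syntax."""
    hits = []
    for param, values in parse_form(body).items():
        if param not in WATCHED_PARAMS:
            continue
        hits.extend((param, v) for v in values if SHELL_SYNTAX.search(v))
    return hits


def scan(requests) -> list:
    """One alert per POST whose mdb/mdc values look like command injection."""
    alerts = []
    for ts, src, method, path, body in requests:
        if method != "POST":
            continue
        hits = suspicious_values(body)
        if hits:
            alerts.append({"ts": ts, "src": src, "path": path, "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(f"{a['ts']} {a['src']} {a['path']} -> {a['hits']}")
```

Scoping the rule to the two named parameters keeps it quiet on free-text fields such as the constructed `note` value; widening WATCHED_PARAMS trades that quiet for coverage.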
(TLP: CLEAR) Comments: As of June 2025, it is still unclear whether TBK Vision, the OEM behind the DVR models, has released a patch for CVE-2024-3721. The widespread rebranding of these DVRs under other vendors’ names makes identifying and patching affected devices significantly more difficult for both consumers and enterprises. This, coupled with the resurgence of Mirai variants and the exploitation of CVE-2024-3721, reinforces the critical need for visibility and security in IoT and embedded systems. As botnets continue to evolve and pivot to new embedded targets, unpatched and unmanaged DVRs remain prime launch points for DDoS campaigns and botnet expansion, posing risks not only to the device owners but to the broader internet ecosystem.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara’s DDoS Solution, Vercara UltraDDoS Protect, provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/
Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
(TLP: CLEAR) Recent intelligence reporting highlights a surge in malicious packages across the PyPI, npm, and RubyGems repositories that exploit the open-source software supply chain to carry out credential harvesting, cryptocurrency wallet draining, codebase destruction, and data exfiltration. On PyPI, Solana-themed packages by the threat actor “cappership” stole wallet private keys via runtime monkey-patching, encrypting and exfiltrating them through Solana Devnet transactions, while 11 others, posing as price-fetching libraries like solana-live, extracted Python scripts and Jupyter Notebooks. Typosquatted packages mimicking colorama deployed remote access payloads to steal environment variables and evade detection on Windows and Linux. On npm, the xlsx-to-json-lh package, a typosquat of xlsx-to-json-lc, connected to a command and control (C2) server to purge project directories upon a remote “kill” command, and packages like pancake_uniswap_validators_utils_snipe drained 80–85% of Ethereum and BSC wallet funds, amassing over 2,100 downloads. RubyGems saw two clones of fastlane-plugin-telegram exfiltrating Telegram API credentials and messages via a threat actor’s proxy server, exploiting the context of Vietnam’s Telegram ban. A novel tactic involved a PyTorch model in PyPI’s aliyun-ai-labs-snippets-sdk that embedded a Python infostealer targeting .gitconfig and AliMeeting data, highlighting malware concealment in machine learning artifacts. These attacks, leveraging typosquatting, runtime manipulation, blockchain-based exfiltration, and destructive payloads, underscore the vulnerability of open-source ecosystems.
(TLP: CLEAR) Comments: The aforementioned attacks highlight significant security gaps in open-source package ecosystems, where trust and ease of use are frequently exploited by threat actors. In order to mitigate risk, developers and organizations must adopt automated dependency analysis and integrity verification tools, prioritize packages from verified maintainers with reliable update histories, and actively monitor CI/CD pipelines for suspicious activity.
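As an added example of the automated dependency check recommended above (not tooling from the report or from any of the named registries), this Python compares declared dependency names against an allowlist by edit distance, catching one-character lookalikes such as xlsx-to-json-lh versus xlsx-to-json-lc. The allowlist, the manifest and the invented name colorrama are constructed assumptions; the other package names appear in the report.

```python
# Constructed allowlist of the package names an organization intends to use.
# colorama, xlsx-to-json-lc and fastlane-plugin-telegram are named in the
# report above; the remaining entries are filler.
TRUSTED = {
    "pypi": {"colorama", "requests", "numpy"},
    "npm": {"xlsx-to-json-lc", "lodash"},
    "rubygems": {"fastlane-plugin-telegram", "rails"},
}

# Constructed manifest of (ecosystem, declared name). "colorrama" is an
# invented lookalike; "xlsx-to-json-lh" is the typosquat named in the report.
SAMPLE_MANIFEST = [
    ("pypi", "Colorama"),
    ("pypi", "colorrama"),
    ("pypi", "solana-live"),
    ("npm", "xlsx-to-json-lh"),
    ("rubygems", "fastlane_plugin_telegram"),
]


def normalize(name: str) -> str:
    """Fold case and treat '-', '_' and '.' alike, as the registries largely do."""
    return name.lower().replace("_", "-").replace(".", "-")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_dependency(ecosystem: str, name: str, max_distance: int = 2):
    """Return (verdict, nearest trusted name).

    Verdicts: 'trusted' (exact match after normalization), 'possible-typosquat'
    (within max_distance edits of a trusted name) or 'unknown' (nothing close).
    """
    trusted = {normalize(t): t for t in TRUSTED[ecosystem]}
    n = normalize(name)
    if n in trusted:
        return "trusted", trusted[n]
    near = sorted((levenshtein(n, t), orig) for t, orig in trusted.items())
    if near and 0 < near[0][0] <= max_distance:
        return "possible-typosquat", near[0][1]
    return "unknown", None


def audit(manifest):
    """Findings that need a human look: everything not exactly on the allowlist."""
    findings = []
    for eco, name in manifest:
        verdict, nearest = check_dependency(eco, name)
        if verdict != "trusted":
            findings.append((eco, name, verdict, nearest))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```

An 'unknown' verdict is not a clean bill of health; it only means the name is not a near-miss of something already trusted and still needs the maintainer and update-history review the comment above calls for.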
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.