HeadFlash Security: FBI VPN Takedown, North Korea Scam, Record Patches

FBI helps dismantle ransomware VPN, inside a North Korean hiring scam, CrowdStrike warns on China, and record Patch Tuesday.

FBI Boston Plays Key Role in Takedown of Crime-Enabled VPN Service

The Boston division of the FBI helped dismantle First VPN Service, a virtual private network purpose-built to shelter cybercriminals, in an international operation led by French and Dutch cybercrime units. The service had been active since about 2014, operating roughly 32 exit-node servers across an estimated 27 countries, including three in the United States. At least 25 ransomware groups, including Avaddon, relied on the network for reconnaissance, intrusions, botnet activity, and denial-of-service attacks. Dutch police dismantled 33 servers, seized user data, and swapped the VPN’s homepage for a law enforcement seizure notice. The suspected administrator was interviewed in Ukraine, and users were informed the network had gone offline. The FBI’s Boston office, working with the bureau’s national Cyber Division, has been supplying technical assistance and intelligence on the case since 2021. Ted E. Docks, special agent in charge, said the operation dealt a significant blow to a business that serviced and shielded cybercriminals. The advisory publishes indicators of compromise and mitigation steps for network defenders.

Boston FBI Joins Takedown Of ‘First VPN’ Used By Ransomware →

North Korean Hackers Use Elaborate Fake Job Interviews to Steal Crypto and Credentials

An investigation by Indicator has uncovered a sophisticated North Korean hiring scam that uses fake job interviews to deliver malware to tech workers. The operation, part of the Contagious Interview campaign, involves live coding exercises that secretly exfiltrate passwords and cryptocurrency wallets. A victim described the malware’s design as beautiful, simple, and clean. The scheme was corroborated by two security experts, Google Threat Intelligence Group, and TRM Labs. Hackers recruited unwitting freelancers in the Philippines, Nigeria, Colombia, and Bangladesh to conduct video interviews and manage candidate pipelines using internal Slack and scripts. One freelancer, a government employee in Bangladesh, was hired to obtain LinkedIn profiles. The boss, who used various names and stilted English, never showed his face or joined a phone call. Nick Carlsen of TRM Labs, a former FBI intelligence analyst, said the operation showcases the growing sophistication of North Korean hacking groups.

I got inside a North Korean hiring scam. What I found reveals a troubling shift in tactics →

CrowdStrike: China Behind 58% of State-Sponsored Cyber Attacks Targeting US AI Firms

CrowdStrike’s latest report warns that over 58% of state-sponsored cyberattacks on technology companies, especially those with AI assets, originate from China. The report, covering events until March 31, highlights groups such as SUNRISE PANDA targeting East and Southeast Asian tech firms, MURKY PANDA launching password-spraying attacks against hundreds of mostly U.S.-based organizations, and WARP PANDA exploiting vulnerabilities at North American tech companies for long-term access. CrowdStrike states that China-nexus adversaries are escalating espionage to steal AI capabilities and intellectual property they cannot build quickly enough due to U.S. restrictions on AI training chips. The report also notes North Korea-linked actors infiltrating IT workforces across North America, Europe, and Asia to generate income for the regime. The findings come after the U.S. Defense Department updated its 1260H list, adding companies like Alibaba, Baidu, and BYD, and as former FBI agent Stephanie Talamantez told Benzinga that North Korea’s state-backed hackers are exceptionally persistent.

CrowdStrike Warns China Is Behind 58% Of State-Backed Cyber Attacks As Chinese and North Korean Hackers Hunt US AI Secrets →

Microsoft Shatters Patch Tuesday Record With Nearly 200 Fixes and Three Zero-Days

Microsoft issued patches for approximately 200 flaws in its June Patch Tuesday update, surpassing the previous record of nearly 170 CVEs set in October 2025. The update includes 32 critical vulnerabilities and three zero-day flaws: CVE-2026-45586 (elevation of privilege in Windows Collaborative Translation Framework), CVE-2026-49160 (denial of service in HTTP.sys), and CVE-2026-50507 (security feature bypass in Windows BitLocker). Dustin Childs of TrendAI’s Zero Day Initiative warned that AI is supercharging flaw discovery at an uncontrollable scale, noting that Microsoft’s CVE count this year already exceeds the total for all of 2018. Chris Goettl of Ivanti declared a Patch Apocalypse, stating that the window from vendor release to exploitation has shortened to five days as of 2023. With additional fixes for Google Chrome and Edge and other third-party flaws, the total approaches 600 patches, prompting concerns about quality and the accelerating pace of vulnerability disclosure.

Microsoft smashes record for biggest ever Patch Tuesday update | Computer Weekly →

Critical Veeam Backup & Replication Flaw Allows Remote Code Execution on Domain-Joined Servers

Veeam has released a security update to fix a critical remote code execution vulnerability (CVE-2026-44963) in Backup & Replication, reported by WatchTowr researcher Sina Kheirkhah. The flaw affects VBR 12.3.2.4465 and all earlier version 12 builds, and is fixed in version 12.3.2.4854. Only installations joined to a Windows domain are exploitable, and any authenticated domain user with low privileges can trigger the RCE. Veeam noted that version 13.x is not affected due to architectural changes. While no active exploitation has been reported, Veeam warned that attackers often reverse-engineer patches soon after disclosure. Ransomware gangs have historically targeted Veeam backup servers to steal data, move laterally, and delete backups, with CISA flagging four previous VBR flaws as actively exploited. Past incidents involved groups like Akira, Fog, Frag, FIN7, and Cuba. Veeam urges customers to apply the patch immediately.

New Veeam vulnerability exposes backup servers to RCE attacks →
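A defender's triage helper for the Veeam item above, added here as an example and not Veeam's own code: it encodes only what the summary states (12.x builds up to and including 12.3.2.4465 vulnerable, 12.3.2.4854 fixed, 13.x unaffected, exploitation requires a domain-joined server) and reports anything the summary does not cover as UNKNOWN. The hostnames and builds in the sample inventory are constructed.

```python
"""Patch triage for CVE-2026-44963 in Veeam Backup & Replication (VBR).

Added example, not Veeam's code. Version boundaries come from the advisory
summary; builds between the last vulnerable and the fixed build are not
described there, so they are reported as UNKNOWN rather than guessed.
"""
from __future__ import annotations

LAST_VULNERABLE = (12, 3, 2, 4465)   # highest affected build per the summary
FIXED_BUILD = (12, 3, 2, 4854)       # first fixed build per the summary


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.3.2.4465' into (12, 3, 2, 4465); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def patch_status(version: str) -> str:
    """Classify an installed VBR build against the advisory summary."""
    v = parse_version(version)
    if v[0] >= 13:
        return "NOT_AFFECTED"      # 13.x unaffected due to architectural changes
    if v[0] < 12:
        return "UNKNOWN"           # pre-12 builds are not covered by the summary
    if v <= LAST_VULNERABLE:
        return "VULNERABLE"
    if v >= FIXED_BUILD:
        return "FIXED"
    return "UNKNOWN"               # gap between last vulnerable and fixed build


def triage(version: str, domain_joined: bool) -> str:
    """Combine build status with the domain-joined exploitation precondition."""
    status = patch_status(version)
    if status == "VULNERABLE" and not domain_joined:
        return "PATCH_SOON"   # vulnerable build, but precondition currently absent
    if status == "VULNERABLE":
        return "PATCH_NOW"    # any low-privileged domain user can trigger the RCE
    return status


# Constructed sample inventory: hostnames, builds and join state are made up.
INVENTORY = [
    ("vbr-prod-01", "12.3.2.4465", True),
    ("vbr-lab-02", "12.1.0.2131", False),
    ("vbr-new-03", "13.0.0.1", True),
]

if __name__ == "__main__":
    for host, ver, joined in INVENTORY:
        print(f"{host:12} {ver:12} domain_joined={joined!s:5} -> {triage(ver, joined)}")
```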