Exploitation of Microsoft SharePoint Vulnerabilities

• Last Sunday, July 20, the Cybersecurity and Infrastructure Security Agency (CISA) added a known exploited vulnerability to its catalog
  • CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability

• CISA also created an alert on the new KVE, which the agency updated on Tuesday and Thursday.

• The Wall Street Journal reported on July 21,
  • “Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
  • “Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint server customers and exploit vulnerabilities that were partially addressed by a July security update.
  • “Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers. Cloud-based SharePoint Online in Microsoft 365 isn’t affected, the company said.
  • “By Monday, cybersecurity investigators said that the SharePoint attacks were widespread. At least one of the “multiple” hacking groups involved in the attacks was linked to China, according to Google’s Mandiant cybersecurity group.
  • “Microsoft declined to comment beyond its blog post.
  • “Hackers exploiting the SharePoint flaws then stole cryptographic keys that could be used to run commands on the affected server in the future, even if it had been patched, cybersecurity investigators said on Monday.”
• and added on July 24,
  • Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.
  • The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.
  • Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.
  • It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat. * * *
  • “In the SharePoint attack * * * the issue began in May 2025, at a hacking contest in Berlin where the Vietnamese researcher [and pentester] Dinh Khoa (LinkedIn page) won $100,000 and a laptop.
  • “This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.
  • “To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft fixed the bugs. They were two of the 130 bugs that Microsoft fixed that month.” * * *
  • “On Saturday [July 19], Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” to the bugs that Khoa had found, the company said. SharePoint customers should also change the cryptographic keys used by their servers, a move that—when combined with the new patches—effectively closes the back door created by the attack, Microsoft said.”

• Cyberscoop noted on July 24,
  • The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.
  • Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.
  • As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.
  • The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

• NextGov/FCW discusses the impact of the Sharepoint vulnerabilities on federal government agencie here (Homeland Security, among other agencies affected) and there (Defense Department not affected).

From the cybersecurity breaches and vulnerabilities front,

• Security Week informs us,
  • “The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach.
  • “TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states.
  • “The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems.
  • “The investigation into the potentially compromised information, conducted with the assistance of a professional data mining team, was concluded only recently, and determined that personal information was included in the stolen data.” * * *
  • “While TADTS did not share details on the type of cyberattack it fell victim to, the infamous BianLian ransomware group took credit for the intrusion on July 14, 2024, claiming the theft of roughly 218 gigabytes of data.
  • “It is unclear whether the hackers released the stolen information publicly, as their Tor-based leak site is currently offline and the group has been quiet for months, with their last known victim announced on March 31.”
• and
  • “Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals.
  • “What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
  • “The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients. 
  • “Zumpano Patricios is informing impacted individuals that it had detected an intrusion in its IT network on May 6, 2025, but could not determine the date and time of initial access. 
  • “An investigation revealed that the hackers accessed and possibly exfiltrated files containing information such as patient name, date of birth, Social Security number, provider name, health insurer information, dates of service, and amounts charged by the provider and payments they received.”

• Cybersecurity Dive tells us,
  • “Hackers breached the Philadelphia Indemnity Insurance Company in June and stole customer data, the company said in a filing with the California Attorney General’s office. 
  • “An unauthorized party accessed customer data during an intrusion discovered between June 9 and June 10, according to the disclosure.
  • “The company previously called the incident a network outage, however it said there was no ransomware and no encryption. The company did report the incident to law enforcement and retained outside forensic experts to investigate.”

• In addition to the June 20 addition discussed above, CISA added six known exploited vulnerabilities to its catalog this week.
  • July 22, 2025
    • “CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
    • “CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability”
      • Cybersecurity Dive explains,
        • “The [Sharefile] intrusions are exploiting ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706.” 
  • Also July 22, 2025,
    • CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
      • Tenable discusses the CrushFTP vulnerability
    • CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
      • Cyber Security News discusses this KVE.
    • CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
    • CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
      • Security Week discusses the SisAid KVEs.

• Security Week notes,
  • “SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.
  • “The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.
  • “The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.”
• and
  • “The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.” * * *
  • “The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”

• Per Dark Reading,
  • “A suspected Chinese nation-state threat group is conducting an extensive cyberespionage campaign that takes advantage of vulnerable VMware ESXi and vCenter environments.
  • “Since early 2025, researchers at Sygnia have responded to multiple incidents tied to a cyberespionage campaign they track as “Fire Ant.” According to research published Thursday, Fire Ant actors are establishing initial access in organizations’ VMware systems, which have become popular targets for attackers in recent years.
  • “More importantly, Fire Ant actors used deep knowledge of the target environments and strong capabilities to consistently bypass segmentations and reach isolated portions of the network.”

From the ransomware front,

• In line with this week’s theme, Bleeping Computer points out,
  • “A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
  • “Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
  • “Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.”

• July 22, 2025, CISA issued an alert and advisory on Interlock ransomware.

• Per Bleeping Computer,
  • “Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
  • “The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
  • “Earlier today, the websites on the BlackSuit.onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.
  • “But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.
  • “The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.
  • “Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.” * * *
  • “The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”
  • “The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.”

• Cybersecurity Dive lets us know,
  • “Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, faced sharp questions during a Senate confirmation hearing Thursday about the looming expiration of an information-sharing law and CISA’s work on election security.
  • Plankey — currently a senior adviser to Secretary of Homeland Security Kristi Noem — explained his vision for leading an agency that has experienced major workforce cuts and faces significant budget reductions in Trump’s Fiscal Year 2026 spending proposal.”
  • The Senate Homeland Security and Governmental Affairs Committee will vote on whether to send Mr. Plankey’s nomination to the Senate floor at a business meeting next Thursday.

• Cyberscoop adds,
  • “President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.
  • “If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.”

• Per a National Institute of Standards and Technology news release,
  • “NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025.” 
    
• Per a July 23, 2025, HHS news release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients.” * * *
  • “The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.
  • “Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR.”

• Cyberscoop reports,
  • “Ukrainian authorities Tuesday [July 22, 2025] arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 
  • “Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
  • “The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.”

• Dark Reading alerts us,
  • “A “laptop farmer” [Christina Marie Chapman] in Arizona responsible for enabling North Korean IT worker infiltration into US companies is going to jail for eight and a half years, after raising $17 million in illicit funds for Kim Jong-Un’s regime. That news, however, is merely a drop in the justice bucket, and DPRK’s efforts to siphon salaries off of American companies is unlikely to wane anytime soon. So, US organizations need to wrap their heads around the magnitude of the threat.
  • “North Korea’s multiyear HR-compromise effort has the twin goals of earning money for the hermit kingdom’s nuclear program and other efforts via salaries, as well as gaining a foothold inside corporate networks for the purpose of planting cryptominers or malware for stealing secrets.”

• Cybersecurity Dive adds,
  • “The U.S. Department of the Treasury on Thursday [July 24, 2025] sanctioned three North Koreans and their company for participating in remote IT worker scams and other operations designed to generate revenue for Pyongyang.
  • “The sanctions target the North Korean firm Korea Sobaeksu Trading Co., Sobaeksu employee Kim Se Un, Sobaeksu “IT team leader” Jo Kyong Hun and Kim’s associate Myong Chol Min. 
  • “The Treasury Department calls Sobaeksu a front for North Korea’s Munitions Industry Department, which oversees the country’s nuclear weapons program. North Korea “has previously utilized Sobaeksu to send teams of IT workers overseas, including to Vietnam, in order to generate revenue,” the department said.”

From the cybersecurity defenses front,

• HelpNet Security explains “Why we must go beyond tooling and CVEs to illuminate security blind spots.”

• SC Media discusses “exposure management [, which is] a new blueprint for modern cyber defense.

• The Hacker News considers “From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “Congress is set to revisit Stuxnet — the malware that wreaked havoc on Iran’s nuclear program 15 years ago — next week in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate, CyberScoop has learned.
  • “The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing July 22 to examine the operation that, according to independent reports, was carried out by the U.S. and Israeli governments and targeted Iran’s nuclear enrichment facilities in Natanz.
  • “Witnesses listed for the hearing are Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition; Kim Zetter, cybersecurity journalist and author of “Countdown to Zero Day”; Dragos CEO Robert Lee; and Nate Gleason, Lawrence Livermore National Laboratory program leader, according to a copy of the notice.”

• The Cybersecurity and Infrastructure Security Agency (CISA) released a blog post titled “Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats through Public-Private Collaboration.”
  • “In recent years, the cloud landscape has faced increasingly sophisticated threat activity targeting identity and authentication systems. As cloud infrastructure has become more ubiquitous—underpinning key government and critical infrastructure data—sophisticated nation-state affiliated actors have exposed limitations in token authentication, key management, logging mechanisms, third-party dependencies, and governance practices. These threats reaffirm the critical role that public-private collaboration plays to safeguard cloud infrastructure and address the evolving technical and security challenges confronting our nation.”  
    
• Cyberscoop informs us,
  • “An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.
  • “Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.”
• and
  • “An Armenian national is in federal custody and faces charges stemming from their alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Wednesday.
  • “Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.”

• Security Week informs us,
  • “A former US soldier accused of hacking into AT&T and Verizon systems and leaking presidential call logs pleaded guilty to fraud and identity theft charges, the US Department of Justice announced.
  • “According to court documents, the individual, Cameron John Wagenius, 21, engaged in hacking and extortion activities between April 2023 and December 2024, while on active duty with the US Army.
  • “Using the nickname ‘kiberphant0m’, Wagenius and his co-conspirators aimed to defraud at least 10 organizations after obtaining login credentials for their networks.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “United Natural Foods, Inc.’s commercial operating capacity has returned to “normalized levels” as of this week following the cyberattack that temporarily brought down its online systems in June, the grocery distributor disclosed Wednesday.
  • “The company expects to lose between $350 million and $400 million in sales as a result of the attack, with the overall operational impact of the incident mostly limited to its current quarter.
  • “Despite the cyberattack, UNFI has modestly raised its sales expectations for its current fiscal year, although the company expects a higher loss than it had earlier projected.”
• and
  • “One in four CISOs has experienced an AI-generated attack on their company’s network in the past year, and AI risks now top their priority lists, according to a report released Thursday from cybersecurity firm Team8.
  • “The true number of companies targeted by AI-powered attacks “may be even higher,” Team8 said in its report, “as most AI-driven threats mimic human activity and are difficult to detect without advanced metrics like time to exploitation and velocity indicators.”
  • “AI outranked vulnerability management, data loss prevention and third-party risk on CISOs’ priority lists, according to the report, which is based on interviews with more than 110 security leaders from major enterprises.”

• Per Dark Reading,
  • “Automated firmware-analysis tools and the falling cost of the technical hardware needed to inspect computer processors and memory are leading to a surge in reports of firmware vulnerabilities and motherboard security weaknesses.
  • “In the latest example, motherboard manufacturer Gigabyte disclosed on July 10 that a set of four firmware vulnerabilities had persisted in its platform, even though the original issues — in the firmware provided by independent BIOS vendor AMI — were patched years ago. The issues affect the System Management Mode (SMM) modules on older Intel-based systems, Gigabyte stated in its disclosure.”
• and
  • “When it comes to managing cybersecurity profiles for office printers, just 36% of IT teams are patching their firmware promptly — leaving a glaring gap in defenses that attackers could exploit to devastating effect.
  • “That’s according to HP Wolf Security, which found evidence of widespread failures across every stage of the printer life cycle in a global survey of 800+ IT and security decision-makers.
  • “Failure to promptly apply firmware updates to printers unnecessarily exposes organizations to threats that could lead to damaging impacts, such as cybercriminals exfiltrating critical data or hijacking devices,” according to the report, released today.”

• Infosecurity Magazine tells us,
  • “Cybercriminals have been observed adopting AI-powered cloaking tools to bypass traditional security measures and keep phishing and malware sites hidden from detection.
  • “According to new research from SlashNext, Platforms like Hoax Tech and JS Click Cloaker are offering “cloaking-as-a-service” (CaaS), allowing threat actors to disguise malicious content behind seemingly benign websites.
  • “Using advanced fingerprinting, machine learning and behavioral targeting, these tools selectively show scam pages only to real users while feeding safe content to automated scanners.
  • “I think that this is a clear example of a technology and set of tools being used in a bad way,” said Andy Bennett, CISO at Apollo Information Systems.”

• Per HelpNet Security,
  • “A new report from Living Security and the Cyentia Institute sheds light on the real human element behind cybersecurity threats, and it’s not what most organizations expect.
  • “The Risky Business: Who Protects & Who Puts You at Risk report analyzes data from over 100 organizations and challenges conventional thinking by revealing that a small portion of users, just 10 percent, are responsible for nearly 73 percent of all risky behavior in the enterprise.
  • “The riskiest users aren’t who and where you think,” the report notes. Surprisingly, remote and part-time workers are often less risky than full-time, in-office employees. Meanwhile, 78 percent of users help reduce cyber risk more than they contribute to it.”

• Dark Reading explains “How Criminal Networks Exploit Insider Vulnerabilities. Criminal networks are adapting quickly, and they’re betting that companies won’t keep pace. Let’s prove them wrong.”

• CISA added two known exploited vulnerabilities to its catalog this week.
  • July 14, 2025
    • CVE-2025-47812 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
      • Cybersecurity News discusses this KVE here.
  • July 18, 2025
    • CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability
      • The Hacker News discusses this KVE here.

From the ransomware front,

• IT Pro lets us know,
  • “Ransomware attacks come with an average recovery cost of $4.5 million, according to a recent survey, which also found a high proportion of businesses have fallen prey to the malware in the past year.
  • “Data from Absolute Security, which surveyed 500 CISOs based in the US through Censuswide, found 72% of respondents’ firms had dealt with ransomware attacks in the 12 months prior to the survey.
  • “Respondents registered extreme concern over the potential cost of ransomware attacks, with nearly three quarters (73%) indicating a successful ransomware attack could critically incapacitate their business.”

• Chief Healthcare Executive reports,
  • “While hospitals have endured the threat of attacks from ransomware groups for years, other providers are targets for attacks.
  • “Ransomware groups are going after ambulatory surgical centers, physician practices and specialty care groups, says Steve Cagle, the CEO of Clearwater, a cybersecurity firm.
  • “We’ve seen this trend for some time now,” Cagle tells Chief Healthcare Executive®. “It’s more attacks on specialty or ambulatory …. physician practice management, specialty care groups.”
  • “Radiology centers, imaging centers, health clinics and dental clinics are also being targeted for attacks, Cagle says. More than 300 breaches of health data have already been reported to the Department of Health & Human Services in the first half of the year.”

• Cybersecurity Dive points out,
  • “DragonForce, a cyber criminal group connected to a series of attacks against retail firms in recent months, is claiming credit for an attack on the North Carolina-based department store chain Belk.
  • “The group claimed on its leak site that it has approximately 156 gigabytes of data stolen from the company. 
  • “Researchers have linked DragonForce to an April attack on Marks & Spencer, one of the first breaches in a months-long attack spree linked to Scattered Spider. DragonForce claimed credit for the intrusion, but M&S officials believe the group was working with Scattered Spider during the attack.” 

• Morphisec discusses “Matanbuchus [which} is a malware loader that has been available as a Malware-as-a-Service (MaaS) since 2021. It is primarily used to download and execute secondary payloads on compromised Windows systems, making it a critical first step in various cyberattacks.”
  
• Infosecurity Magazine informs us,
  • “The Interlock ransomware gang has been detected targeting organizations with a new remote access trojan (RAT) in a widespread campaign, according to researchers from The DFIR Report in partnership with Proofpoint.
  • “The new malware, observed since June 2025, uses the general-purpose PHP programming language. This differs from the previously identified JavaScript-based ‘NodeSnake’ RAT deployed by Interlock.
  • “In certain cases, the deployment of the PHP variant of the Interlock RAT has led to the deployment of the Node.js version.
  • “PHP is a common web scripting language, which can be leveraged across various platforms and databases.”

• Bleeping Computer reports,
  • “The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
  • “Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators.
  • “While the ransomware operation did not receive as much media attention as other ransomware operations, Phobos is considered one of the most widely distributed ransomware operations, responsible for many attacks on businesses worldwide.”

From the cybersecurity research front,

• Cyberscoop tells us,
  • “A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday [July 16].
  • “The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding networks to steal data for extortion and possibly deploy ransomware, according to researchers.
  • “The attacks stress the consistent risk SonicWall customers have confronted via exploited vulnerabilities, especially a series of defects affecting the outdated SonicWall SMA 100 series devices.”

• Per Bleeping Computer,
  • “Hackers have adopted the new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
  • “Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.
  • “This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.”

• Per Cybersecurity Dive,
  • “Microsoft on Wednesday said it has seen the cybercrime group Scattered Spider using new techniques in attacks on the airline, insurance and retail industries since April. 
  • “The hacker group, which Microsoft tracks as Octo Tempest, is still using its trademark social-engineering tactics to gain access to companies by impersonating users and contacting help desks for password resets, according to the Microsoft Defender Security ResearchTeam blog post. 
  • “But the hackers are also abusing short messaging services and using adversary-in-the-middle tactics. And in recent attacks, the threat group has deployed the DragonForce ransomware and concentrated on breaching VMWare ESX hypervisor environments.” 

• Per Dark Reading,
  • “A threat actor known as “PoisonSeed” was credited with a novel attack technique that is able to bypass FIDO-based protections in an organization.
  • “That’s according to a report this week from MDR vendor Expel, titled “PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts.” FIDO, or Fast Identity Online, refers to a technology-agnostic set of specifications for authentication. The technology, which was originally developed by the FIDO Alliance, is considered a gold standard in security, commonly seen in non-password authentication technologies like physical security keys.
  • “Expel’s research concerns a strategy for gaining access to a victim through the cross-device sign-in features available in FIDO security keys in a way that can bypass certain safeguards. Though the report does not concern a vulnerability in FIDO technology itself, it acts as a reminder to the defender that security does not end with a phishing-resistant security key.”

From the cybersecurity defenses front,

• Cybersecurity Dive interviews Mark Ryland who is Amazon’s security director.

• CSO calls attention to “eight tough trade-offs every CISO must navigate.”

• Blocks and Files explains how a “simulated ransomware attack reveals gaps in recovery planning.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
  • “In a threat advisory published Monday [June 30], multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
  • “Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.”
• and
  • “The Department of Justice on Monday [June 30] announced a series of actions as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.
  • “Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.
  • “Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.

• Cyberscoop tells us,
  • “The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
  • “But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
  • “While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
  • “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
• and
  • “Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators.
  • “Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department’s Office of Foreign Assets Control. Lumma infected about 10 million systems before it was dismantled through a coordinated global takedown in May.
  • “The Treasury Department’s action against Aeza Group follows a wave of cybercrime crackdowns across the globe. Prolific cybercriminals have been arrested, and infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns since May.
  • “Officials accused Aeza Group of helping cybercriminals target U.S. defense companies and technology vendors.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive informs us,
  • “Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.
  • “The airline said on its website that it detected unusual activity on Monday [June 30] on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.
  • “Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 
  • “The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not expect login information for customers’ frequent-flyer accounts.
  • “Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.
  • “All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident.” 

• Per Security Week,
  • “Missouri healthcare provider Esse Health is notifying over 263,000 people that their personal information was stolen in a disruptive April 2025 cyberattack.
  • “The incident was discovered on April 21 and impacted the organization’s access to the electronic medical record system, while also taking down its phone system.
  • “By May 13, the healthcare provider had restored certain systems and was able to fulfill scheduled appointments or procedures. The phone systems were restored in early June, along with other primary patient-facing network systems, the organization said in an incident notice.
  • “On June 20, Esse Health said its investigation into the attack determined that a threat actor breached its network on April 21 and stole files containing personal information.
  • “The exfiltrated data included names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details.”
• and
  • “Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has informed authorities that a recent data breach impacts more than 550,000 people.
  • “The company revealed in April that hackers had gained access to its systems in December 2024, and an investigation had shown that the threat actor managed to steal files storing personal information.
  • “The incident resulted in the theft of information such as name, date of birth, Social Security number, tax ID number, medical information, health insurance information, and financial account information. 
  • “Kelly Benefits is notifying impacted individuals on behalf of more than 40 affected customers, including Aetna Life Insurance Company, Amergis, Beam Benefits, Beltway Companies, CareFirst, The Guardian Life Insurance Company of America, Fidelity Building Services Group, Intercon Truck of Baltimore, Humana Insurance ACE, Merritt Group, Publishers Circulation Fulfilment, Quantum Real Estate Management, United Healthcare, and Transforming Lives.
  • “Data breach reports submitted by Kelly Benefits to the Maine Attorney General’s Office since early April show that the number of impacted individuals has steadily increased as the company’s investigation progressed.” 

• The Center for Medicare and Medicaid Services announced on June 30,
  • The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS. 
  • Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
  • Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take. 

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • June 30, 2025
    •  CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
      • Netscaler explains this KVE here.
  • July 1, 2025
    • CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
    • CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
      • Cyber Press explains these KVEs here.
  • July 2, 2025
    • CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability
      • Bleeping Computer explains this KVE here.

• Dark Reading warns
  • “While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization’s security and privacy risks.
  • “Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user’s location, browsing history, or the user’s clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user’s computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies.
  • “Even extensions with relatively modest permissions can manipulate those permissions to obtain access to the inner workings of every Web page displayed on a user’s screen, warns LayerX CEO and co-founder Or Eshed. LayerX research shows that 53% of enterprise users have installed extensions labeled with “high” or “critical” permissions scope. This is why browser extensions are a prime avenue for exploitation by threat actors, he adds.  
  • “[Attackers] can use it to copy or rewrite data or exploit Web page permissions for even more access,” Eshed says.”

• Security Week adds,
  • A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
  • A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
  • The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

From the ransomware front,

• Bleeping Computer reports,
  • “The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
  • “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang says in a statement published on its dark web leak earlier today.
  • “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” * * *
  • “Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks and had launched a new extortion-only operation known as “World Leaks.”
    
• Security Week advises,
  • The key tool for surviving ransomware, or any attack scenario, is an IR plan. But an IR plan is only worthwhile if it’s comprehensive, current, and tested. IR plans are not “best practices”, nor singular documents stored in a safe place. They are living resources that require attention and maintenance. In this way, the proof of an IR plan’s efficacy is in that organizational muscle memory – most effectively trained through Tabletop exercises.  So, what are the primary “muscles,” and the repetitive “exercises” in which you can train an organization to respond decisively, immediately, confidently, and automatically.”
    • Plan your workout
    • Warm up
    • Train, recover, repeat
    • Measure your gains 

From the cybersecurity defenses and business front,

• Withum offers guidance on how to align your firm’s cybersecurity practices with Labor Department best practices for ERISA plan fiduciaries.

• Per Security Week,
  • Cloudflare has reversed its block on AI-crawling from optional to default, allowing finer grained crawling but only with agreement from all parties concerned.
  • LLMs are what they learn. From their inception the biggest source of learning has been the internet, so there has been a natural tendency for AI developers to scrape the internet as widely as possible.
  • Cloudflare has now introduced an option for their customers to accept or reject website scraping by AI vendors. Hitherto, internet scraping has been a major part of gathering training data for large LLM (gen-AI) developers; but the process has raised questions and objections over legality, copyright infringement, and accuracy.

• Dark Reading lets us know,
  • “How businesses can align cyber defenses with real threats. Companies that understand the motivations of their attackers and position themselves ahead of the competition will be in the best place to protect their business operations, brand reputation, and their bottom line.”
• and
  • “One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity.
  • “The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective.
  • “But when balancing security and productivity, it is imperative not to view the CrowdStrike outage as a reason to forgo patching completely. The ever-growing volume of vulnerabilities and threats requires organizations to remain resilient and anti-fragile — that is, to have the ability to proactively respond to issues and continuously improve.”

• Per Security Week,
  • “LevelBlue announced on Tuesday [July 1] that it’s acquiring managed detection and response (MDR) services company Trustwave from The Chertoff Group’s MC² Security Fund.
  • “LevelBlue, formerly known as AT&T Cybersecurity, was launched in May 2024 as a joint venture between WillJam Ventures and AT&T. 
  • “The company’s acquisition of Trustwave comes shortly after it announced plans to buy Aon’s cybersecurity consulting business. The deals are part of a plan to become the largest pure-play managed security services provider (MSSP). 
  • “Once the acquisition has been completed, LevelBlue’s expertise in strategic risk management and cybersecurity infrastructure will be integrated with Trustwave’s platform and MDR service.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Federal News Network reports,
  • “House appropriators have advanced a homeland security spending bill that endorses many of the Trump administration’s budget proposals, while rejecting steep cuts to cybersecurity and artificial intelligence personnel.
  • “The fiscal 2026 homeland security appropriations measure includes $66.36 billion in discretionary spending. The GOP-led committee passed the bill Tuesday [June 24, 2025] on a 36-27 vote.
  • “The bill follows the broad contours of Trump administration policies by prioritizing funding for Customs and Border Protection and Immigration and Customs Enforcement. Appropriators are also expecting significant funding for the Department of Homeland Security to be included in the budget reconciliation bill.”

• Cyberscoop tells us,
  • “With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
  • “The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
  • “A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
  • “There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.”

• Cybersecurity Dive informs us,
  • “Federal officials and private-sector security leaders said Tuesday [June 24, 2025] that they are closely monitoring for cyberattacks related to the Iran conflict but thus far have not observed any significant activity. 
  • “The Department of Homeland Security warned Sunday that Iran-linked actors or hacktivist groups may launch attacks against U.S. critical infrastructure operators, citing a recent history of attacks against poorly configured water utilities and other systems. 
  • “An apparent truce announced late Monday by President Donald Trump appeared to lower international tensions, but officials remain on guard for any potential threat activity.
  • “The Cybersecurity and Infrastructure Security Agency (CISA) “is actively coordinating with government, industry, and international partners to share actionable intelligence and strengthen collective defense,” CISA spokesperson Marci McCarthy said in a statement. “There are currently no specific credible threats against the homeland.”

• NextGov/FCW notes,
  • “Morgan Adamski is leaving her role as executive director of U.S. Cyber Command, handing the reins to Patrick Ware.
  • “After 17 years of service at the National Security Agency, I’ve decided to turn the page to an exciting new chapter in my career. It has been an extraordinary journey contributing to the defense of our Nation and advancing the cybersecurity mission across the U.S. Government,” Adamski wrote in a LinkedIn post Friday [June 27, 2025].
  • “The number three spot in the combatant command is typically held by a civilian on detail from the National Security Agency.
  • “Though Adamski did not clarify where she would be headed next, she noted her commitment to ensuring there were cyber solutions on “both sides of the fence.”

• CISA and the National Security Agency have released a report titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.’

• The National Institute of Standards and Technology has published final “Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems.”

• Per Cyberscoop,
  • Kai West, a prolific cybercriminal better known for operating under the moniker “IntelBroker,” was arrested in France earlier this year and faces federal charges for allegedly stealing data from more than 40 organizations during a two-year period, the Justice Department said Wednesday [June 25, 2025]. 
  • Federal prosecutors unsealed a four-count indictment charging West, a British national, with conspiracy to commit computer intrusions, accessing a protected computer to obtain information and wire fraud. The United States is seeking his extradition for the charges, which each carry maximum sentences of five to 20 years in prison. 

From the cybersecurity breaches and vulnerabilities front,

• Beckers Health IT identifies the top ten states for healthcare data breaches between February 2023 and April 2025.

• CISA added three known exploited vulnerabilities to its catalog this week.
  • June 25, 2025
    • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
      • Network World discusses this KVE here.
    • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
      • Cybersecurity News discusses this KVE here.
    • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
      • Cybersecurity News discusses this KVE here.

• Cyberscoop reports,
  • Citrix on Wednesday [June 25, 2025] disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.
  • The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 
  • “Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 
  • Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.”
• and
  • “The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.
  • “Hawaiian Airlines disclosed a cybersecurity incident Friday [June 27, 2025] affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.
  • “Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.
  • “Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.”

• Per Hacker News,
  • “Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
  • “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
  • “The malicious payload delivered via the rogue VPN software has been code named SilentRoute by Microsoft, which detected the campaign along with the network security company.” * * *
  • “The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
  • “The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.”

From the ransomware front,

• Bleeping Computer notes,
  • “Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.
  • “The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.” * * *
  • “In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.”Mich
    
• Michigan Health Watch adds,
  • “After 10 months, McLaren Health Care has begun to notify more than 740,000 patients that had sensitive personal data and health records exposed during the hospital system’s August 2024 ransomware attack.
  • “The extent of the data extortion scheme, which delayed critical care for chronically ill patients at the Karmanos Cancer Institute and facilities across the state, came to light in recent days as the 12-hospital system based in Grand Blanc posted notice on its website and informed  state agencies about the incident.”

• Dark Reading reports,
  • “A newly discovered ransomware group dubbed “Dire Wolf” has already taken a bite out of 16 organizations globally since its emergence only last month, mainly across the technology and manufacturing sectors, researchers have found.
  • “The group uses a double extortion tactic with a monthlong turnaround time for paying ransom, and deploys custom encryptors tailored to specific victims, security firm Trustwave revealed in a blog post published June 24. Researchers from Trustwave SpiderLabs recently uncovered and observed a ransomware sample from the emerging threat group and gained insights on how it operates, they said.
  • “So far, the group’s victims have spanned 11 countries, with the US and Thailand reporting the highest numbers of attacks, followed by Taiwan. So far, five of the 16 victims listed on the group’s data leak site have data scheduled to be uploaded by the end of June, presumably because they didn’t pay the ransom, according to the post.”

• Per Cybersecurity Dive,
  • “Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday [June 24, 2025].
  • “Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
  • “Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.”

From the cybersecurity defenses front,

• Cyberscoop reports,
  • “When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame.
  • “CrowdStrike’s Falcon endpoint detection and response was on millions of Windows devices worldwide, and like most antivirus products that need broad access to different systems to do their job, the software had direct access to the Windows kernel.
  • “When CrowdStrike’s update crashed, so did millions of Windows-powered systems and devices around the world. A series of security announcements by Microsoft on Thursday [June 26, 2025] are designed to reduce the possibility of future third-party outages and other security threats that can take an organization’s IT out of commission for extended durations.
  • “Among those changes: antivirus software like the kind installed by CrowdStrike and other third-party cybersecurity will no longer have direct access to the Windows kernel. The company will be previewing a new endpoint security platform to vendors next month that requires security updates to go through layers of testing and review before they ship to Windows devices and systems worldwide.”

• Per Cybersecurity Dive,
  • “Cybersecurity insurance premiums declined 2.3% year over year to roughly $7.1 billion in 2024, according to a new report released on Monday [June 23, 2025] by credit rating agency AM Best.
  • “Meanwhile, cyber insurance providers’ loss ratio — the proportion of premiums they use to pay out claims — remained below 50%, indicating that the market remains profitable.
  • “AM Best offered several possible explanations for the slight premium decline.”
• and
  • “Two reports — one that KPMG released on Thursday and one that Thales released last month — illustrate how generative AI is raising security concerns for business leaders.
  • “Business leaders surveyed by KPMG reported prioritizing security oversight in their generative AI budgeting decisions, with 67% saying they plan to spend money on cyber and data security protections for their AI models. Fifty-two percent cited risk and compliance as a budgetary priority.
  • “Those spending decisions reflect corporate executives’ growing worries about AI security. ***

• WEDI is offering a free healthcare cybersecurity webinar on June 15, 2025, at 1:00 pm ET.

• Dark Reading discusses the U.S. military’s refined approach to zero trust and how to create and track a vulnerability debt figure.

• The ISACA Blog considers Proactive Approaches to Identify Cyberthreats.

• Here is a link to Dark Reading’s CISO Corner.