Dariusz Socha | Cybersecurity Architect | NIS2
Better call Dario

June 2025

10 Jul, 2025

Heatwave in Cyberspace — The State of Cyber-Security (June 2025)

While Europe sweltered in record temperatures, the digital world saw its own flare-ups: billion-record leaks, stealthy nation-state intrusions and a fresh crop of “10/10” vulnerabilities. Below is an analyst’s digest of the facts, figures and forward-looking advice from the past 30 days.

1. Key events of June 2025

  • EU adopts the new Cyber-Crisis Blueprint – the Council recommendation clarifies national and EU-level roles for large-scale incidents and dovetails with NIS 2 and NATO cyber-defence plans ➜(Rada UE)

  • BreachForums takedown – French police arrested five core ShinyHunters operators, disrupting the largest stolen-data market ➜(news.sophos.com)

  • “GOAT” credential leak (16 billion records) – researchers published the biggest ever combo-list, compiled from 30 breaches and infostealer logs ➜(Cybernews)

  • Viasat confirmed as victim of China-linked Salt Typhoon – investigators found intrusions into satellite core networks, but no customer impact ➜(Reuters)

  • United Natural Foods (UNFI) outage – ransomware-like disruption froze electronic ordering for ten days, denting quarterly EBIT by an estimated USD 15–20 million ➜(United Natural Foods)

2. June’s headline attacks

2.1 Lee Enterprises – Qilin ransomware hits the presses

  • Vector: ransomware + data exfiltration (≈ 350 GB)

  • Impact: printing halted, payment systems offline, 39 779 SSNs exposed; recovery cost ≈ USD 2 million ➜(Iowa Capital Dispatch)

  • Mitigation: network segmentation between editorial/printing, immutable backups, MFA on print services.

2.2 Kettering Health – Interlock in healthcare

  • Vector: spear-phishing → EHR encryption

  • Impact: 14 hospitals diverted ambulances; potential leak of 941 GB medical data ➜(Kettering Health)

  • Response: Epic EHR rebuilt in 13 days, staff phishing drills, micro-segmentation of OT/clinical VLANs.

2.3 United Natural Foods (UNFI) – supply-chain bottleneck

  • Vector: undisclosed (likely ransomware)

  • Impact: electronic purchase orders down 10 days; stock price dip; EBIT hit forecast at 15–20 M USD ➜(United Natural Foods)

  • Lesson: build resilient EDI paths and offline ordering fallback.

2.4 Optima Tax Relief – Chaos ransomware

  • Vector: vulnerable VPN appliance

  • Impact: 69 GB of tax data (SSNs, returns) leaked, raising ID-theft risk ➜(PR Newswire)

  • Controls: VPN patching cadence, key rotation, encrypted data at rest, Zero-Trust posture.

2.5 Viasat – Salt Typhoon espionage

  • Vector: unpatched Cisco IOS XE (CVE-2023-20198) on edge routers

  • Impact: access to call-metadata; no service disruption ➜(Reuters)

  • Countermeasures: immediate firmware updates, GRE-tunnel monitoring, continuous validation of router configs.

3. New vulnerabilities and patches

  • CVE-2025-5777 “CitrixBleed 2” (CVSS 9.8): NetScaler ADC/Gateway memory over-read enables session hijack ➜(TechRadar). Recommended action: upgrade to 13.1-59.19 / 14.1-47.46; force log-out and rotate auth tokens.

  • CVE-2025-33053 (CVSS 8.8): Windows WebDAV zero-day used by APT “Stealth Falcon” ➜(Help Net Security). Recommended action: apply June Patch Tuesday (KB5038xxx), disable WebDAV if unused, WAF filtering.

  • CVE-2025-20282 (CVSS 10.0): Cisco ISE 3.4 unauthenticated file-upload → root RCE ➜(SecurityWeek). Recommended action: install ISE 3.4 Patch 2; restrict API, run Nessus QID 240417.

  • CVE-2025-5349 / CVE-2025-6543 (CVSS 9.1 / 8.3): NetScaler Gateway flaws enabling session capture & DoS ➜(wiz.io). Recommended action: patch, reset passwords, schedule forced log-outs.

  • CVE-2025-47172 (CVSS 8.8): SQL-injection → RCE in SharePoint 2016/2019 ➜(nvd.nist.gov). Recommended action: apply KB5002729/KB5002732; isolate SharePoint farm; WAF rules.
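Checking an appliance inventory against the NetScaler fix levels above is the first triage step before forcing log-outs and rotating tokens. The script below is an added example for this digest, not Citrix's or the blog's code; it assumes the fixed builds listed above (13.1-59.19 and 14.1-47.46) and uses a constructed inventory with placeholder appliance names.

```python
"""Flag NetScaler ADC/Gateway builds still below the CVE-2025-5777 fix level.

Added example for this digest, not Citrix's or the blog's code. The fixed
builds (13.1-59.19 and 14.1-47.46) are the ones listed above; the inventory
below is constructed sample data with placeholder appliance names.
"""
import re
from typing import Optional

# Fixed build per release branch, taken from the table above.
FIXED_BUILDS = {(13, 1): (13, 1, 59, 19), (14, 1): (14, 1, 47, 46)}

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> Optional[tuple]:
    """Turn '13.1-59.19' into (13, 1, 59, 19); None if the string is not a build."""
    m = BUILD_RE.match(build.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(build: str) -> Optional[bool]:
    """True when the build is below its branch's fixed build; None means 'cannot
    tell' (unparsable input or a branch not in the table, e.g. 12.1 or 13.0)."""
    parsed = parse_build(build)
    if parsed is None:
        return None
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed  # 4-tuple comparison is lexicographic, so 59.19 > 58.32


def triage(inventory: dict) -> dict:
    """Map each appliance name to 'patch', 'ok' or 'review' (never 'safe' on None)."""
    verdict = {}
    for name, build in inventory.items():
        state = is_vulnerable(build)
        verdict[name] = "review" if state is None else ("patch" if state else "ok")
    return verdict


if __name__ == "__main__":
    # Constructed sample inventory; names are placeholders, not real hosts.
    sample = {"ns-edge-01": "13.1-57.26", "ns-edge-02": "14.1-47.46",
              "ns-lab-01": "12.1-55.0", "ns-edge-03": "n/a"}
    for name, state in triage(sample).items():
        print(f"{name}: {state}")
```

Anything reported as "review" (an unparsable build string or a branch outside the table) needs a manual check against the vendor advisory rather than being treated as patched.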

4. June 2025 in numbers

  • 33 publicly disclosed incidents and 16 bn compromised records (highest on record) ➜(itgovernance.co.uk)

  • +37 % month-on-month surge in BEC volume; 46 % of cash-out remains pure credential phishing ➜(fortra.com)

  • 86 victims claimed by Qilin – the most active ransomware crew in June ➜(cyble.com)

  • 19× rise in malicious .es domains; 99 % impersonated Microsoft ➜(TechRadar)

  • 65 CVEs fixed by Microsoft (2 zero-days) on 11 June Patch Tuesday ➜(tenable.com)

5. Outlook & recommendations (Q3 2025)

  1. AI-powered RaaS will drive time-to-ransom below 48 h – speed up detection & response loops.

  2. Edge device exploitation (VPN/ADC) will remain the APT entry zone; patch latency must drop below 7 days.

  3. Third-party SaaS exposure – ticketing, e-commerce, HR portals are the next supply-chain targets.

  4. Credential stuffing boom on the back of the 16 bn “GOAT” leak.

  5. Regulatory pressure (DORA, NIS 2) will boost budgets for threat intel and resilience testing.

“If you can’t shrink mean time-to-detect to under a week, your cyber-insurance premium will do it for you.” — Marta Jasińska, Analyst, CERT-PL.

6. Action checklist

  • Patch NetScaler ADC/Gateway against CVE-2025-5777 immediately.

  • Deploy June Patch Tuesday fixes (KB5038xxx) across endpoints and servers.

  • Apply Cisco ISE 3.4 Patch 2 or isolate vulnerable nodes.

  • Rotate privileged passwords and enforce MFA organisation-wide.

  • Test restoration from offline (air-gapped) backups.

  • Tighten WAF rules for WebDAV and SQL-injection patterns.

  • Document and drill procedures for rapid isolation of critical OT/ICS assets.

7. Worth reading

  • CERT-EU Cyber Brief 25-07 (June 2025) – executive EU threat overview ➜(cert.europa.eu)

  • Verizon 2025 Data Breach Investigations Report – 20-year trendline analysis ➜(Verizon)

  • Fortra BEC Global Insights – June 2025 – granular BEC metrics and tactics ➜(fortra.com)

  • CISA Known Exploited Vulnerabilities catalog – filter by “Add date: June 2025” for prioritised patching.

Sources

  1. Council of the EU, EU adopts blueprint to better manage European cyber crises and incidents, 6 Jun 2025. (Rada UE)

  2. Sophos, Taking the shine off BreachForums, 26 Jun 2025. (news.sophos.com)

  3. Cybernews, 16 billion passwords exposed in colossal data breach, 3 Jul 2025. (Cybernews)

  4. Reuters, Viasat identified as victim in Chinese Salt Typhoon cyber-espionage, 17 Jun 2025. (Reuters)

  5. UNFI, Systems update, 26 Jun 2025. (United Natural Foods)

  6. Iowa Capital Dispatch, Lee Enterprises agrees to settlement after ransomware, 27 Jun 2025. (Iowa Capital Dispatch)

  7. Kettering Health, Cyber-security incident FAQ, updated 20 Jun 2025. (Kettering Health)

  8. PR Newswire, Optima Tax Relief data breach investigation, 24 Jun 2025. (PR Newswire)

  9. TechRadar, CitrixBleed 2 exploits are now in the wild, 9 Jul 2025. (TechRadar)

  10. Help Net Security, Microsoft fixes zero-day exploited for cyber-espionage (CVE-2025-33053), 11 Jun 2025. (Help Net Security)

  11. SecurityWeek, Critical Cisco ISE vulnerabilities allow RCE, 26 Jun 2025. (SecurityWeek)

  12. Wiz Blog, Critical vulnerabilities in NetScaler ADC exploited in the wild, 6 Jul 2025. (wiz.io)

  13. NVD, CVE-2025-47172 detail, 10 Jun 2025. (nvd.nist.gov)

  14. IT Governance, Global data breaches and cyber attacks in June 2025, 4 Jul 2025. (itgovernance.co.uk)

  15. Fortra, BEC Global Insights Report – June 2025, 5 Jul 2025. (fortra.com)

  16. Cyble, Top ransomware groups June 2025: Qilin reclaims top spot, 2 Jul 2025. (cyble.com)

  17. TechRadar, Experts flag surge in .es phishing domains, 9 Jul 2025. (TechRadar)

  18. Tenable, Microsoft’s June 2025 Patch Tuesday addresses 65 CVEs, 10 Jun 2025. (tenable.com)


May 2025

19 Jun, 2025

May 2025 under the Microscope: Rising Cyber-Threats, Record-Breaking Vulnerabilities and New Target Sectors

Early summer may signal relaxation for many industries, but in cyberspace May was another sizzling month. A surge of critical vulnerabilities and headline-grabbing incidents — from the Marks & Spencer breach to the ConnectWise compromise — proved that adversaries aren’t slowing down.

1. Key Events of May 2025

  • Marks & Spencer pegs cyber-attack cost at £300 million – The retailer revealed that, after a supplier breach, online sales were halted for 46 days; full service restoration is due in July 2025

  • CISA releases 22 ICS advisories in a single day – On 15 May the agency published a record batch of alerts for industrial systems, highlighting OT risk growth

  • Cisco patches CVE-2025-20188 (CVSS 10.0) in Wireless LAN Controllers; a public PoC dropped on 31 May

  • FBI: Play ransomware tops 900 victims – By May the gang had compromised more than 900 organisations

  • Suspected state-sponsored attack on ConnectWise – ScreenConnect provider confirmed a 29 May breach affecting some cloud customers

2. Top Attacks of May 2025

2.1 Marks & Spencer (retail, UK)

  • Vector: spear-phishing a third-party IT vendor → hijacked VPN account

  • Impact: 6-week e-commerce outage, 13 % share-price drop, projected £300 million operating-profit hit

  • Mitigation/Response: review of 600 systems, aggressive network segmentation, accelerated SaaS supplier code audit.

“The attack showed that today the supply chain is weaker than the most expensive firewalls.” – Stuart Machin, CEO, M&S

2.2 Coca-Cola (FMCG manufacturing)

  • Vector: data leak after ransom refusal; Everest ransomware posted samples on 22 May

  • Impact: exposure of 959 employees’ data at a Middle-East distributor; GDPR scrutiny.

  • Recommended controls: immediate password rotation, MFA, isolation of affected HR servers.

2.3 Kettering Health (14 hospitals, USA)

  • Vector: Interlock ransomware, likely RDP exploit

  • Impact: EHR outage, elective surgeries cancelled, switch to paper charts; 941 GB of patient data leaked

  • Mitigation: clinical-network segmentation, ≤ 24 h backup-restore tests, tabletop IR drills.

2.4 ConnectWise (MSP vendor, USA)

  • Vector: ASP.NET exploit in ScreenConnect (suspected APT)

  • Impact: access to some customer instances, supply-chain risk; forced certificate rotation.

  • Recommendations: upgrade to the latest build, monitor ScreenConnect audit logs, deploy YARA for published IoCs.

2.5 Gob.pe – Peruvian government portal

  • Vector: Rhysida ransomware; 5 BTC demanded to keep stolen docs private

  • Impact: temporary service outage, risk of regional tax-data exposure.

  • Counter-actions: government denied core-platform compromise, launched SIEM audit and WAF hardening.

3. New Vulnerabilities and Patches

  • CVE-2025-20188 (CVSS 10.0): hard-coded JWT in Cisco IOS XE WLC; unauthenticated RCE. Recommendations: firmware upgrade; ACL blocking the AP-download interface.

  • CVE-2025-30065 (CVSS 10.0): deserialisation flaw in Apache Parquet; RCE via crafted file. Recommendations: upgrade to 1.15.1; file-extension filtering, sandboxed I/O.

  • CVE-2025-3248 (CVSS 9.8): Langflow – unauthorised /validate/code endpoint; full RCE. Recommendations: update to ≥ 1.3.0, isolate server in VPC, reverse-proxy with MFA.

  • CVE-2025-29824 (CVSS 7.8): Windows CLFS LPE, zero-day used by Play & RansomEXX. Recommendations: April and May Patch Tuesday updates; disable PipeMagic, EDR click-to-run.

  • CVE-2025-4632 (CVSS 9.8): Samsung MagicINFO 9 path traversal; arbitrary file read. Recommendations: vendor patch, WAF regex “../../../”, restrict WAN interfaces.

In May CISA added three flaws to the KEV catalogue (15 May) and six more (19 May): nine actively exploited vulnerabilities to patch within 21 days.
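Tracking KEV additions against a 21-day patch SLA (and, for the June digest above, filtering the catalogue by add date) is easy to automate from CISA's JSON feed. The script below is an added example for this digest, not CISA's or the blog's code; it uses the real KEV field names (cveID, dateAdded, dueDate) but runs on a constructed sample feed with placeholder CVE ids rather than the actual May 2025 additions.

```python
"""Pick CISA KEV entries added in a date window and compute a 21-day patch deadline.

Added example for this digest, not CISA's or the blog's code. Field names match
the real KEV JSON feed (cveID, dateAdded, dueDate); the feed content below is a
constructed sample with placeholder CVE ids, not the actual May 2025 additions.
"""
import json
from datetime import date, timedelta

SLA_DAYS = 21  # internal patch SLA recommended in the digest

# Constructed sample in the shape of the KEV feed (placeholder CVE ids).
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Widget",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Gadget",
     "dateAdded": "2025-05-19", "dueDate": "2025-06-02"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Other", "product": "Thing",
     "dateAdded": "2025-04-02", "dueDate": "2025-04-23"},
]})


def added_between(feed_json: str, start: str, end: str) -> list:
    """KEV entries whose dateAdded falls in [start, end] (ISO dates), oldest first."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    picked = [e for e in json.loads(feed_json)["vulnerabilities"]
              if lo <= date.fromisoformat(e["dateAdded"]) <= hi]
    return sorted(picked, key=lambda e: e["dateAdded"])


def sla_deadline(entry: dict) -> date:
    """Internal deadline: the earlier of dateAdded + SLA and CISA's own dueDate."""
    added = date.fromisoformat(entry["dateAdded"])
    return min(added + timedelta(days=SLA_DAYS), date.fromisoformat(entry["dueDate"]))


def report(feed_json: str, start: str, end: str, today: str) -> list:
    """One (cveID, deadline ISO string, overdue flag) per entry in the window."""
    now = date.fromisoformat(today)
    return [(e["cveID"], sla_deadline(e).isoformat(), now > sla_deadline(e))
            for e in added_between(feed_json, start, end)]


if __name__ == "__main__":
    # Window covering the 15 and 19 May batches, evaluated as of 4 June.
    for row in report(SAMPLE_FEED, "2025-05-15", "2025-05-19", "2025-06-04"):
        print(row)
```

Against the live feed, replace SAMPLE_FEED with the downloaded JSON text and feed the overdue rows into whatever alerting the vulnerability-management process already uses.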

4. Statistics

  • 900 confirmed Play ransomware victims (FBI, May 2025)

  • 70 vulnerabilities (including 5 zero-days) fixed by Microsoft on 14 May Patch Tuesday

  • 22 ICS advisories issued by CISA on 15 May—single-day record

  • 9 new KEV entries in one week (15–19 May), the fastest pace in 2025

  • 97 billion+ exploitation attempts logged by FortiGuard in 2025; YoY increase 42 %

  • 4 days – median ransomware dwell time (Sophos Active Adversary Report 2025)

5. Forecasts & Recommendations (June–August 2025)

  • IT supply-chain exploitation – watch for: MSP vendors, open-source libs (Parquet, Langflow). Why it matters: the ConnectWise and AI-library attacks show an effortless pivot to hundreds of customers.

  • Logistics & transport attacks – watch for: GRU campaign targeting logistics (CISA alert 21 May). Why it matters: supply-chain disruption rivalling ransomware losses.

  • Automated phishing (CoGUI, RedFox) – watch for: 580 million mails YTD; new Malware-as-a-Service. Why it matters: higher success rates, lower campaign costs.

  • Healthcare ransomware surge – watch for: Interlock, Medusa, Play, with shorter dwell times. Why it matters: critical services, high payment pressure.

  • AI-assisted offence & defence – watch for: LLM-driven phishing; code-anomaly detection. Why it matters: an arms race; invest in AI SecOps.

6. Action Checklist (June 2025)

  • Patch the critical CVEs CVE-2025-20188, CVE-2025-30065 and CVE-2025-3248 within 7 days.

  • Audit MSP suppliers for MFA and ScreenConnect logging.

  • Run EHR/ERP outage drill – Kettering lesson: manual fallback.

  • Verify offline backups – especially OT/WLC systems.

  • Block macros & scripts in Office; enforce code-signing.

  • Track KEV catalogue – auto-alerts, 21-day patch SLA.

  • Phishing & BEC training – CoGUI/smishing scenarios, 30-day tests.

7. Worth Reading

  • Fortinet 2025 Global Threat Landscape Report – 97 bn exploit attempts, Cybercrime-as-a-Service boom

  • Sophos Active Adversary Report 2025 – 4-day median dwell time across 355 incidents

  • CISA/FBI “#StopRansomware: Play” – TTPs and 900 victims, 24 h patch guidance

  • CISA ICS Advisories 15-05-2025 – 22 new OT/SCADA bulletins

Sources

  1. Reuters, “Britain’s M&S says cyberattack to cost $400 million”, 21 May 2025

  2. M&S internal memo leak (via FT), 21 May 2025

  3. CyberNews, “Hackers leaked Coca-Cola data after ransom threat”, 22 May 2025

  4. BleepingComputer, “ConnectWise breached in cyberattack…”, 29 May 2025

  5. BleepingComputer, “Kettering Health hit by system-wide outage…”, 21 May 2025

  6. SecurityWeek, “Ransomware gang leaks alleged Kettering Health data”, 5 Jun 2025

  7. The Record, “Peru denies ransomware attack following Rhysida claims”, 6 May 2025

  8. BleepingComputer, “Exploit details for max-severity Cisco IOS XE flaw…”, 31 May 2025

  9. BleepingComputer, “Play ransomware exploited Windows logging flaw…”, 7 May 2025

  10. BleepingComputer, “PoC released for Apache Parquet CVE-2025-30065”, 6 May 2025

  11. BleepingComputer, “Critical Langflow RCE flaw exploited…”, 6 May 2025

  12. NVD/NIST, CVE-2025-4632 entry, 22 May 2025

  13. CISA, “Adds six KEVs”, 19 May 2025

  14. CISA, “Adds three KEVs”, 15 May 2025

  15. CISA, “22 Industrial Control Systems Advisories”, 15 May 2025

  16. CISA/FBI, “#StopRansomware: Play Ransomware”, 4 Jun 2025 (update)

  17. KrebsOnSecurity, “Patch Tuesday, May 2025 Edition”, 14 May 2025

  18. Fortinet, “2025 Global Threat Landscape Report”, 5 May 2025

  19. Sophos, “Active Adversary Report 2025”, 2 Apr 2025

  20. CISA Alert, “Russian GRU targeting logistics…”, 21 May 2025
