Cyber News Roundup for June 6, 2025
Google warns a threat group is targeting Salesforce customers
Google has warned that threat group UNC6040 is targeting Salesforce customers in a widespread voice phishing (vishing) and data extortion campaign. The group impersonates IT support staff in phone calls, tricking employees into approving access for a modified Salesforce Data Loader app. This unauthorized tool allows attackers to exfiltrate sensitive data, which is later used for extortion. Around 20 organizations across sectors like education, retail, and hospitality in the Americas and Europe have been hit. UNC6040 often leverages social engineering alone—no Salesforce vulnerabilities were exploited. Once inside, they move laterally to platforms like Microsoft 365 and Okta. The group claims ties to ShinyHunters and shows overlap with tactics used by ‘The Com’ collective, including Scattered Spider. Google highlights this as part of a rising trend of attackers targeting IT support roles for initial access.
Researchers discover what may be China’s largest ever data leak
In what may be China’s largest data leak ever, over 4 billion personal records—totaling 631 GB—were exposed from an unsecured database. The leak includes sensitive financial data, WeChat and Alipay information, ID numbers, addresses, and more, potentially affecting hundreds of millions of users. Cybernews and researcher Bob Dyachenko discovered 16 data collections containing massive databases with hundreds of millions of records each. The data appears to be meticulously compiled, likely for surveillance or profiling purposes. The database was quickly taken offline, leaving no clear attribution or recourse for victims. Experts warn the data could fuel phishing, fraud, blackmail, or state-level espionage. This leak dwarfs previous Chinese breaches and underscores the severe privacy risks at play.
CrowdStrike cooperates with federal authorities following last year’s major software bug
CrowdStrike is cooperating with federal authorities following a major software bug last July that knocked millions of computers offline. In a recent SEC filing, the company revealed that the Justice Department and SEC are investigating the incident, as well as CrowdStrike’s revenue-recognition practices and reporting of annual recurring revenue. Other agencies and third parties have also requested information, with some customers threatening legal action. The July 19 outage, triggered by a flaw in the Falcon software, disrupted flights, back-end systems, and user devices. CrowdStrike disclosed the update alongside its fiscal Q1 report, showing a swing to a loss and a weaker outlook due to ongoing costs from the incident. Shares dropped 5.3% following the news, though the stock remains up 35% over the past year.
Stolen Kettering Health data published
Following up on a story we covered last month, while the not-for-profit Ohio-based healthcare network Kettering Health has been rebuilding and restoring its systems and services, the Interlock ransomware gang appears to have posted “941 GB of data from the organization, including ID cards, financial reports, payment data, and more.” According to Security Week, “while the healthcare provider has not said much about the type of cyberattack it fell victim to, it appears that it did not give in to the threat actor’s extortion attempts and did not pay a ransom.”
Cisco ISE Auth Bypass Flaw impacts cloud deployments on AWS, Azure, and OCI
This flaw, which impacts the Identity Services Engine (ISE), could allow unauthenticated actors to carry out malicious actions on susceptible systems. Tracked as CVE-2025-20286 with a CVSS score of 9.9, it is described as a static credential vulnerability. Cisco also acknowledges the existence of a proof-of-concept (PoC) exploit but says there is no evidence that it has been maliciously exploited in the wild.
Ohio, Oklahoma, Puerto Rico governments suffer cyberattacks
Ransomware attacks have caused problems for residents of the city of Durant, Oklahoma, resulting in some issues with digital and credit card payments and network outages for its police department. Meanwhile, the Justice Department of Puerto Rico has announced a cyberattack impacting the Criminal Justice Information Office. As a preventive measure to safeguard the integrity of its data, the office has suspended some services.
Iranian APT ‘BladedFeline’ Hides in Network for 8 Years
An Iranian state-sponsored threat group known as BladedFeline has been covertly operating inside an unnamed Middle Eastern telecommunications network for over eight years. According to a report from SentinelLabs, the group leveraged a combination of living-off-the-land techniques and legitimate administrative tools to evade detection, including remote administration utilities like PuTTY, AnyDesk, and SecureCRT. By avoiding custom malware and blending in with normal network traffic patterns, BladedFeline was able to maintain long-term persistence and exfiltrate sensitive data without triggering traditional security alerts. Investigators uncovered evidence suggesting that the group targeted high-value accounts, demonstrating a high level of operational discipline and intent. The campaign is another example of how advanced persistent threats (APTs) are refining stealth tactics to remain embedded within critical infrastructure environments over long periods.
FBI warns about NFT scheme
A new advisory from the FBI warns about an NFT airdrop scheme operating on the Hedera Hashgraph network. Threat actors target victims by sending unsolicited NFTs to a wallet, along with memos asking them to click a URL to claim a reward; the links instead lead to phishing pages that ask for wallet seed phrases and passwords. The campaign also uses standard phishing emails, social media ads, and fake sites to draw in victims. The FBI advises verifying any NFT drops through official sources rather than emails. If you’re not familiar, hashgraph is a next-generation distributed ledger introduced in 2018, similar to a blockchain but based on a protocol aimed at speed, scale, and energy efficiency.
PumaBot stalks vulnerable IoT devices
Researchers at PolySwarm have uncovered a stealthy new Linux-based botnet named PumaBot, targeting vulnerable IoT devices, especially surveillance systems. Written in Go, PumaBot differs from typical malware by using curated IP lists from command-and-control servers instead of scanning the internet broadly. This targeted approach helps it avoid detection.
PumaBot brute-forces SSH credentials to gain access, with a particular focus on devices from Pumatronix, a surveillance equipment maker. Once inside, it establishes persistence by disguising itself as legitimate services like Redis or MySQL and embeds into system directories to survive reboots.
Its main goal is cryptocurrency mining, executing tools like “xmrig” to generate illicit profits. The malware also gathers system data and sends it back to attackers, who maintain inventories of infected devices. PumaBot’s emergence underscores growing IoT risks tied to default credentials and weak security practices.
Fortinet Reports Surge in AI-Driven Cyberthreats
Fortinet’s latest report highlights a significant increase in cyberthreats driven by AI and automation, with global automated scanning activity rising to 36,000 scans per second. Cybercriminals are increasingly targeting vulnerable digital assets such as Remote Desktop Protocol (RDP), IoT systems, and Session Initiation Protocol (SIP) services earlier in the attack cycle. The report also notes a 42% surge in credential-based targeted attacks, emphasizing the need for organizations to adopt modern defense strategies including AI, zero trust architectures, and real-time threat management.
LevelBlue Report: Healthcare Organizations Face Higher Risk
Healthcare organizations are facing a mounting wave of cyberattacks, yet many remain unprepared to effectively respond, according to a new report from LevelBlue. Theresa Lanowitz, Chief Evangelist at LevelBlue, highlights that nearly half of healthcare executives report an increase in cybersecurity incidents, including ransomware and data breaches. Despite this rise, many organizations lack the tools, personnel, and strategies to build resilience. The report calls for greater adoption of managed security service providers (MSSPs), which can offer 24/7 threat monitoring, incident response, and compliance support. Lanowitz emphasizes that as healthcare continues its digital transformation, ensuring cybersecurity is not optional—it’s mission-critical to protect patient trust and ensure continuity of care.
Experts warn congress that Chinese infiltrations are preparations for war
Retired Lt. Gen. H.R. McMaster warned lawmakers that China’s deep infiltration into U.S. telecommunications and critical infrastructure is part of a broader war preparation strategy. Speaking at a House Homeland Security Committee field hearing, McMaster linked recent cyber campaigns like Volt Typhoon to China’s growing military ambitions, including a 44-fold defense budget increase and a possible first-strike nuclear capability. He also cited Chinese surveillance balloons aimed at U.S. strategic communications. Palo Alto Networks’ Wendi Whitmore echoed concerns, noting that China, alongside Russia, Iran, and North Korea, is becoming more aggressive in cyberspace. Palo Alto blocks up to 31 billion attacks daily, including millions of new threats. Whitmore stressed the need for faster, two-way public-private collaboration and supported legislation to strengthen the Joint Cyber Defense Collaborative.
Exclusive: One-third of top U.S. cyber force has left since Trump took office
Axios reports that nearly 1,000 people in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) workforce have left under the current U.S. administration. This includes 600 recent voluntary buyouts and 174 deferred resignations, with additional cuts hitting contract teams such as election integrity and DEI units. Critics warn the loss of key figures and shrinking resources could undermine U.S. cyber defenses amid rising threats. CISA leadership says it’s still mission-ready.
(Axios)
Black Owl group poses a threat to Russia
Researchers at Kaspersky released a report on the threat group Black Owl, also known as BO Team, which recently carried out a cyberattack in Russia that wiped out a large part of the Russian national electronic court filing system. The group first appeared online in 2024, operating exclusively against organizations in Russia. Unlike typical pro-Ukrainian hacktivists, Black Owl seems to work independently, showing no signs of coordination, collaboration, or tool-sharing with others. The group typically gains access through phishing emails and may wait months before launching an attack. It uses the DarkGate, BrockenDoor and Remcos backdoors, and has been known to deploy Babuk ransomware as well.
Fire panel security flaws could put OT systems in hot water
Consilium Safety makes fire- and gas-detection systems used across various sectors, with an estimated installed base of 85,000. CISA issued an advisory about two flaws impacting its CS5000 Fire Panel. One flaw allows for a device takeover using a preinstalled default account. While owners can change this account over SSH, CISA found “[i]t has remained unchanged on every installed system observed.” The other flaw comes from a hardcoded password for the VNC server the panel runs, which is, you know, bad. Consilium said it was aware of the flaws but chose not to mitigate them. Instead, it recommended that customers upgrade to its newer line of products.
Microsoft and CrowdStrike partner to link threat actor names
The two companies announced a partnership to connect aliases used for specific threat groups. Unfortunately, this won’t set a single naming standard. Instead, Microsoft updated its threat actor reference guide with a linked map of common threat groups using each company’s naming system. The idea is to make attribution faster and clearer so defenders can maintain a comprehensive view of malicious campaigns. Microsoft also said Google/Mandiant and Palo Alto Networks’ Unit 42 will be contributing their information and would welcome support for the initiative from other companies.
Demand for cybersecurity professionals surges with AI threat, cybersecurity and ethical hackers leading the pack
Data centers are deliberately throttling AI GPU performance to prevent regional power grid blackouts, highlighting a growing intersection between energy infrastructure and cybersecurity. As AI workloads surge, particularly from companies training large language models and other compute-intensive systems, energy consumption has spiked to unsustainable levels in some areas. This has prompted some facilities to intentionally slow GPU operations to avoid overwhelming local power grids. In response, Gridmatic, a California-based AI energy optimization firm, is proposing a smarter alternative: using predictive AI models to better manage electricity loads and reduce strain without compromising performance. The situation underscores the emerging risks at the intersection of AI, data center infrastructure, and national energy resilience, with implications for operational continuity and physical security.
Decoding AI hallucinations with physics
No one truly knows how AI works—not even the people who build it. But physicist Neil Johnson and his colleague Frank Yingjie Huo have taken a swing at decoding the mystery by applying first-principle physics to AI’s Attention mechanism, the bit that decides what words an AI should “focus” on when generating text. Their theory treats words like quantum particles in a “spin bath,” where bad training data can skew outcomes, resulting in hallucinations or bias. Johnson likens current AI models to a 2-body Hamiltonian (two-particle system), which, it turns out, is about as stable as a toddler on espresso. A 3-body system might be better—but like railway gauges, the QWERTY keyboard and the Windows Registry, early design choices tend to stick. Still, Johnson’s math offers hope: with the right actuarial-style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally.
Hackers Exploit PuTTY SSH Client to Deploy Malware on Windows Systems
A sophisticated malware campaign has been uncovered wherein attackers weaponize the legitimate PuTTY SSH client to install backdoors on Windows systems. By distributing trojanized versions of PuTTY, the attackers gain unauthorized access and maintain persistence on compromised machines. Security experts advise users to download software only from official sources and to verify digital signatures to prevent such intrusions.
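One way to act on that advice on a Windows workstation, as an added example that is not from the article or the PuTTY project: the check below verifies the Authenticode signature of a downloaded binary and pins the signer to a publisher you recorded from a known-good copy. The function name, parameters, and the `<expected publisher>` placeholder are assumptions; take the real subject from an official download, not from this snippet.

```powershell
# Added example (not from the article): verify that a downloaded PuTTY binary
# carries a valid Authenticode signature from the publisher you expect.
# $ExpectedSigner is a placeholder; record the real certificate subject from a
# known-good copy obtained from the official PuTTY site before relying on it.
function Test-TrustedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner   # e.g. 'CN=<expected publisher>'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # An unsigned file has no SignerCertificate, so guard the property access.
    $signer     = '<unsigned>'
    $thumbprint = ''
    if ($sig.SignerCertificate) {
        $signer     = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # Both conditions must hold: the signature chain validates (Status = Valid,
    # not NotSigned/HashMismatch/UnknownError) AND the signer is the publisher
    # we pinned. A trojanized build that is unsigned, tampered after signing,
    # or signed by an unrelated certificate fails at least one of these.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)

    [pscustomobject]@{
        Path       = $Path
        Sha256     = $hash          # keep for cross-checking against the vendor's published hash
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = $thumbprint
        Trusted    = $trusted
    }
}

# Usage: run against the downloaded file and refuse to install if Trusted is False.
Test-TrustedBinary -Path "$env:USERPROFILE\Downloads\putty.exe" `
                   -ExpectedSigner 'CN=<expected publisher>' | Format-List
```

The subject comparison is exact, so a certificate that merely resembles the publisher's name (a common trick in trojanized installers) will not pass.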
Exploit for maximum severity Cisco IOS XE flaw now public
Following up on a story we covered at the start of May, details are now becoming available regarding the upload flaw, which suggests a working exploit may be available soon. As quoted in BleepingComputer, “a write-up by Horizon3 researchers does not contain a ‘ready-to-run’ proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces.” Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users act now to protect their endpoints. This flaw impacts software for wireless LAN controllers.
Hackers exploiting critical flaw in vBulletin forum software
There are actually two flaws, with CVSS v3 scores of 10.0 and 9.0 respectively, and they affect the open-source forum software vBulletin. One of them has been confirmed as actively exploited in the wild. The flaws are an API method invocation and a remote code execution (RCE) via template engine abuse. They affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later. Patches were released last year, meaning the danger lies with sites that have not upgraded. The two flaws are tracked as CVE-2025-48827 and CVE-2025-4882
ConnectWise warns of nation-state attack on its ScreenConnect customers
The company says it “recently learned of suspicious activity… [that it believes] …was tied to a sophisticated nation state actor.” This activity affected a very small number of ScreenConnect customers. ScreenConnect is IT remote management and monitoring software used by governments and large businesses. According to The Record, “hackers have frequently targeted vulnerabilities in the software, using it as a jumping off point for ransomware attacks and data thefts.” ConnectWise said it has launched an investigation with forensic experts from Mandiant.