Microsoft’s June 2025 security update giveth, and Microsoft’s June 2025 security update taketh away
Microsoft’s June 2025 security update has created a critical dilemma for IT admins: install a patch that breaks DHCP services or leave servers vulnerable to serious exploits. The update, released June 10, disrupts DHCP failover configurations on Windows Server 2016 through 2025, causing network outages. Microsoft confirms the bug but has yet to issue a fix—forcing some to uninstall the update, exposing systems to 66 vulnerabilities, including two zero-days. One is an actively exploited WebDAV flaw used by the Stealth Falcon group. The same update has also caused issues with Surface Hub devices and L2TP VPN connections. Experts warn this reflects a growing problem: rushed patches causing major system failures. Admins are effectively left testing mission-critical updates in production environments.
16 billion passwords exposed in record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable
According to research by Cybernews, more than 9.9 billion unique credential pairs have been found in databases collected from various infostealer malware operations. These logs contain not only usernames and passwords but also cookies, autofill data, and credit card information stolen from infected devices. Infostealers like RedLine, Raccoon, and Vidar quietly harvest this data from unsuspecting users’ browsers and software, often going unnoticed by endpoint security solutions. The leaked credentials have been aggregated over time and are now widely available on hacker forums and Telegram channels. Researchers warn that this treasure trove of data significantly increases the risk of credential stuffing, account takeover, and supply chain attacks unless organizations and users act quickly to reset passwords and enforce multi-factor authentication.
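To make the credential-stuffing risk concrete, the following is an added example (not code from the article or from the Cybernews research) of the two checks a defender would run on the back of a leak like this: a detection rule over authentication logs that flags one source address cycling through many distinct accounts with a low success rate, and a reset list built from accounts that appear in the leaked set or that were successfully logged into during a flagged burst. The log line format, the IP addresses, the user names and the stand-in leaked pairs are all constructed for the example; they are not a real product's log format or a real dump.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log. Assumed line format (not any real product's):
#   "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
SAMPLE_AUTH_LOG = """\
2025-06-20T10:00:00 203.0.113.7 alice@example.com FAIL
2025-06-20T10:00:01 203.0.113.7 bob@example.com FAIL
2025-06-20T10:00:02 203.0.113.7 carol@example.com FAIL
2025-06-20T10:00:03 203.0.113.7 dave@example.com SUCCESS
2025-06-20T10:00:04 203.0.113.7 erin@example.com FAIL
2025-06-20T10:00:05 203.0.113.7 frank@example.com FAIL
2025-06-20T10:00:06 203.0.113.7 grace@example.com FAIL
2025-06-20T10:00:07 203.0.113.7 heidi@example.com FAIL
2025-06-20T10:00:30 198.51.100.5 ivan@example.com FAIL
2025-06-20T10:00:31 198.51.100.5 ivan@example.com FAIL
2025-06-20T10:00:32 198.51.100.5 ivan@example.com SUCCESS
2025-06-20T10:05:00 192.0.2.9 judy@example.com SUCCESS
"""

# Constructed stand-in for an aggregated infostealer dump: (username, password) pairs.
LEAKED_PAIRS = [
    ("dave@example.com", "Summer2024!"),
    ("dave@example.com", "Summer2025!"),
    ("mallory@other.example", "hunter2"),
]

# Constructed directory of the organisation's own accounts.
ORG_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
             "dave@example.com", "erin@example.com", "frank@example.com",
             "grace@example.com", "heidi@example.com", "ivan@example.com",
             "judy@example.com"]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, max_success_rate=0.5):
    """Flag source IPs that try >= min_users distinct accounts inside `window` with mostly failures.

    Stuffing looks different from brute force (one account, many passwords) and from a
    user mistyping once: many *different* accounts, a low hit rate, and the odd success.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        win = deque()  # sliding window of recent attempts from this IP
        for ts, user, ok in evs:
            win.append((ts, user, ok))
            while win and ts - win[0][0] > window:
                win.popleft()
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, s in win if s)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": sorted({u for _, u, s in win if s}),
                }
    return alerts


def accounts_to_reset(org_users, leaked_pairs, alerts):
    """Accounts present in the leak, plus any account that succeeded during a flagged burst."""
    leaked_users = {u.lower() for u, _ in leaked_pairs}
    exposed = {u.lower() for u in org_users if u.lower() in leaked_users}
    for alert in alerts.values():
        exposed.update(alert["successes"])
    return sorted(exposed)


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_AUTH_LOG))
    for ip, info in found.items():
        print(f"stuffing burst from {ip}: {info}")
    print("force password reset + MFA enrolment for:", accounts_to_reset(ORG_USERS, LEAKED_PAIRS, found))
```

The thresholds (five distinct accounts in sixty seconds, no more than half succeeding) are starting points rather than tuned values; a large NAT or a shared proxy will need a higher `min_users` or an allow-list, and the window should be widened if the source spreads attempts out. The reset list deliberately matches on user name only: a pair in the dump with a stale password still marks the account as known to attackers, which is why the advice is to reset and enforce MFA rather than to check whether the leaked password is current.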
Cisco, Atlassian fix high-severity vulnerabilities
Cisco’s release is related to firmware updates for Meraki devices. The vulnerability in question affects the AnyConnect VPN server and could allow attackers to make these products restart, leading to a DoS condition. It has a CVE number and a CVSS score of 8.6, and it can be exploited remotely. Atlassian “announced patches for five vulnerabilities in third-party dependencies in Bamboo, Bitbucket, Confluence, Crowd, and Jira.” These also have CVE numbers, listed in the show notes for this episode:
CVE-2025-22228 (an improper authorization in Spring), CVE-2025-24970 (a DoS flaw in the Netty framework), CVE-2024-38816 (a path traversal related to the WebMvc.fn and WebFlux.fn web frameworks), CVE-2024-57699 (a DoS bug in Netplex Json-smart), and CVE-2025-31650 (DoS in Apache Tomcat).
Telecom company Viasat attacked by Salt Typhoon
The satellite communications company Viasat has announced it has become the latest telecom industry victim of China’s Salt Typhoon cyber-espionage group. Viasat provides satellite broadband services to “governments worldwide and aviation, military, energy, maritime, and enterprise customers.” It has 189,000 broadband subscribers in the U.S. As reported by Bloomberg, “the company discovered the Salt Typhoon breach earlier this year and has been working with federal authorities to investigate the attack.”
Krispy Kreme discusses November breach impact
The donut company has now released information on the cyberattack that it suffered last November. Its filing with Maine’s Attorney General shows that cybercriminals accessed data belonging to more than 160,000 people. Along with standard PII, the haul also included financial account information, including credit or debit card information along with access information, as well as email addresses and passwords, biometric data, USCIS or Alien Registration Numbers, U.S. military ID numbers, medical or health information, and health insurance information. Some experts question the company’s need to collect this much data, as well as the quality of its pre-breach security.
North Korea’s tricky ClickFake deepfake scam
A cautionary tale from the crypto world, but equally applicable to regular businesses and organizations. Security firm Huntress reports on a deepfake/social engineering scam in which an employee of a cryptocurrency foundation was invited to talk with a collection of executives of an external company, via Zoom. The short version of this story: upon accepting the Calendly invite, the employee “joined a group Zoom meeting that included several deepfakes of known members of the senior leadership of their company, along with other external contacts.” The employee found that his microphone was not being heard on the call, at which point the deepfake personas sent him a Zoom extension which had been altered to stealthily download a next-stage payload from a remote server. This is now being referred to as a ClickFake interview since it has a similar “I can fix it” vibe as the better-known ClickFix campaigns. The longer version of this story is available through the show notes to this episode.
Linux distros vulnerable to LPE vulnerabilities
Researchers at the Qualys Threat Research Unit discovered two new local privilege escalation (LPE) vulnerabilities impacting many prominent Linux distributions. One flaw in the Pluggable Authentication Modules framework on SUSE Linux 15 allows attackers to obtain “allow_active” user privileges. The other affects the udisks daemon, a default storage management service on most distributions, and allows the same privilege escalation through a flaw in libblockdev. While these can be chained easily to attack SUSE systems, the researchers also created PoCs to obtain root privileges on Ubuntu, Debian, and Fedora. Patches for both are available now.
Operation Fluffy Narwhal thinks it’s time to rethink adversary naming
And finally, when a Russian military unit hacks an election, but we call them “Fancy Bear,” it’s no wonder folks think cybersecurity is some elaborate comic book. In a sharply wry op-ed for Just Security, Jen Easterly and Ciaran Martin argue it’s time to stop branding our cyber adversaries like Pokémon and start naming them for what they are: nation-states and criminals. Microsoft and CrowdStrike’s recent alliance to align threat actor names is a welcome baby step. But Easterly and Martin say it’s not enough. Until the cybersecurity world adopts a single, clear, vendor-neutral naming system, we’ll keep confusing defenders and glamorizing adversaries. The idea that naming can’t be standardized is, they argue, nonsense—we do it in medicine, defense, and even for missiles. So why not malware? It’s time to ditch the marketing mascots. Let’s trade “Charming Kitten” for “Iranian espionage” and call the cyber criminals what they are—without the flair.
North Korea’s Kimsuky targets academic institutions using password-protected research documents
A new malware campaign by North Korea-linked Kimsuky is targeting academic institutions using password-protected research documents to deliver multi-stage malware. Disguised as review requests from professors, phishing emails contain Hangul Word Processor (HWP) files with malicious OLE objects. These bypass security tools and trick recipients into opening them, launching a sophisticated infection chain. Upon activation, the malware installs six files, performs system reconnaissance, and establishes remote access using AnyDesk. The campaign exploits academic trust and collaboration, making detection harder and expanding risks to connected government and private networks. The malware uses obfuscation techniques and disguises malicious actions under the appearance of legitimate documents. Analysts warn this campaign marks an evolution in social engineering, blending technical precision with realistic academic bait, and urge institutions to remain vigilant.
Organizations warned of vulnerability exploited against discontinued TP-Link routers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a critical command injection flaw affecting multiple discontinued TP-Link router models. Agencies must remove affected devices by July 7. CISA also flagged active exploitation of a media-processing flaw in Apple products, used in targeted attacks and patched in February with iOS 18.3.1 and macOS 15.3.1.
Silver Fox APT targets Taiwan with complex Gh0stCringe and HoldingHands RAT malware
Researchers at Fortinet warn of a phishing campaign by China-linked group Silver Fox APT targeting Taiwan with two Gh0st RAT variants: Gh0stCringe and HoldingHands. Delivered via fake emails posing as government or business communications, the malware uses PDF and ZIP attachments to deploy shellcode through DLL sideloading, enabling remote access, data theft, and additional payload downloads. The attackers use sophisticated anti-VM and privilege escalation techniques, continuously refining their tools and methods across recent campaigns, including the earlier Winos 4.0 attacks.
Google warns of Scattered Spider attacks targeting IT support teams at U.S. insurance firms
Google’s Threat Intelligence Group says the cybercrime gang Scattered Spider (aka UNC3944) is now actively targeting IT support teams at major U.S. insurance firms. Known for social engineering tactics, the group impersonates employees, bypasses MFA, and exploits help desks—often gaining broad access via MSPs and contractors. Google and Mandiant warn the group is likely seeking high-value enterprise targets. Experts recommend tightening identity controls, restricting access, and training support staff to verify identities before account changes.
Attackers can disable Secure Boot on many Windows devices by exploiting a firmware flaw
Researchers at Binarly uncovered a vulnerability (CVE-2025-3052) that allows attackers to disable Secure Boot on many Windows devices by exploiting a flaw in UEFI firmware. The flaw, found in a module by a rugged display vendor, allows arbitrary memory writes via the IhisiParamBuffer variable, stored in non-volatile RAM. This could let attackers overwrite Secure Boot variables without detection, even though the OS still appears protected. While the exploit requires admin and physical access, the risk is significant due to UEFI’s pre-OS role. Some UEFI distributions are immune, but most systems remain vulnerable. The flaw has likely circulated since October 2022. Microsoft has patched the issue and revoked certificates for 14 affected modules in its June 2025 Patch Tuesday update.
Beware the SMS 2FA middleman
An anonymous whistleblower provided Bloomberg Businessweek and Lighthouse Reports with roughly 1 million SMS messages containing autogenerated two-factor authentication login codes, sent in June 2023. All these messages passed through the Swiss company Fink Telecom Services, which cybersecurity researchers have previously found worked on government and private surveillance contracts to track user locations and spy on phones. Fink Telecom is one of the many intermediaries that process SMS factors for other platforms. Fink CEO Andreas Fink told Bloomberg that legal restrictions prevent the company from seeing message content and that it no longer works in surveillance. Fink generally operates as a subcontractor for other SMS processors, so the platforms sending the codes have no direct business relationship with, or oversight of, the company.
Wiz’s acquisition faces antitrust scrutiny
Bloomberg’s sources say the US Department of Justice opened an antitrust investigation into Google’s planned $32 billion acquisition of Wiz. That deal was announced in March. The investigation is in the early stages and could stretch on for months. Blocking the deal wouldn’t just deny Google a strong cloud security portfolio; a $3.2 billion breakup fee is also attached. The DOJ also investigated Google’s 2022 acquisition of Mandiant, but eventually cleared the deal.
NIST publishes new ZTA guidance
This new guidance is meant to serve as a foundational starting point for organizations building their own zero-trust architecture, although it cautions that all of these need to be custom-built for a given context. NIST includes 19 examples of zero-trust architectures built by organizations using commercial, off-the-shelf tools and technologies. The guidance is meant to augment NIST’s previous conceptual-level ZTA documentation, released in 2020. It emphasizes a phased deployment that starts by identifying and cataloging assets, building out access policies, and eventually achieving continuous monitoring and improvement.
CISA issues multiple advisories
CISA warns that ransomware actors are exploiting CVE-2024-57727, a path traversal flaw in SimpleHelp RMM software, to target customers of a utility billing software provider. The vulnerability, with a CVSS score of 7.5, allows attackers to steal credentials and API keys. It was patched in January 2025, along with two related flaws. DragonForce ransomware previously exploited this in May. CISA urges immediate patching, disconnection of vulnerable systems, and threat hunting, especially for users running SimpleHelp version 5.5.7 or earlier.
CISA also issued ten new ICS advisories addressing vulnerabilities in products from Siemens, AVEVA, and PTZOptics. These advisories cover critical systems including Siemens SCALANCE, RUGGEDCOM, SIMATIC S7-1500 CPUs, Tecnomatix Plant Simulation, and AVEVA’s PI software suite. One advisory also covers pan-tilt-zoom cameras. CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations to protect against potential exploits in industrial environments.
Uncle Sam wants an AI chatbot
Less than a month from launch, the federal government is preparing to unveil AI.gov, a new initiative designed to bring artificial intelligence tools into widespread use across agencies. Discovered through a GitHub repository that has since been archived, the site appears to be a central hub to help agencies integrate AI into their operations.
Led by Thomas Shedd, a former Tesla software engineering manager and current head of the General Services Administration’s Technology Transformation Services (TTS), the project is built around three core features: a chatbot, an “all-in-one API” to connect with models from providers like OpenAI and Google, and a tool called CONSOLE for monitoring AI usage across agencies.
According to the staging site, the platform will use FedRAMP-certified services via Amazon Bedrock, although one listed model—by Cohere—may not yet be certified. AI.gov is expected to launch July 4, signaling a major push to modernize federal operations through artificial intelligence.
Finally, a chatbot to fix government inefficiency. What could possibly go wrong?
UK woefully unprepared for undersea cable sabotage, says report
Following up on a story that we have been covering over the past few months, a report from the China Strategic Risks Institute (CSRI) showed that, across 10 of 12 incidents of alleged undersea cable sabotage between January 2021 and April 2025, eight of the suspected vessels were directly linked to China or Russia through flag-state registration or company ownership. As described in The Guardian, “99% of intercontinental data transmission takes place through submarine cable systems, playing a vital role in civilian and defense infrastructure. Without these cables, much of the economy – from international banking and cloud computing to virtual communications and global logistics – would cease to function.” The report continues that “the UK’s defense infrastructure is woefully inadequate in protecting against such grey-zone tactics.”