We scan more than 20 cybersecurity news sites every week to highlight only the stories that truly matter. This week has been particularly eventful, from Google’s hidden phone number exploit and Australia’s groundbreaking ransomware reporting rules to cyber incidents hitting WestJet and urgent vulnerabilities discovered in Microsoft 365 Copilot. And the Scattered Spider group that had been causing trouble in the retail sector has seemingly moved on to its next victim – the insurance industry.

0. Massive 16 Billion Credential Leak, Including Apple IDs, Highlights Infostealer Pervasiveness

Cybernews researchers discovered 30 unsecured datasets holding 16 billion login credentials harvested by infostealer malware and credential-stuffing collections. Brief exposure via open Elasticsearch and object storage makes this fresh, structured intelligence ripe for account takeover, identity theft, and targeted phishing campaigns. Security teams must bolster multifactor authentication and credential hygiene to defend against mass exploitation.

Key Details

  • Datasets ranged from 16 million to 3.5 billion records each, averaging 550 million entries
  • Includes credentials for Apple, Facebook, Google, Telegram, GitHub, VPN services, developer platforms, online marketplaces and government login portals
  • Data covers social media, corporate platforms, VPNs, developer portals and government services
  • Includes recent infostealer logs with tokens, cookies and metadata for deeper compromise
  • All leaks were briefly exposed, preventing attribution of dataset ownership

Next Steps

  • Enforce multifactor authentication on all critical accounts
  • Audit and rotate passwords for exposed services

Read more at Cybernews


1. Researcher Exploits Google Bug to Expose Linked Phone Numbers

A security researcher demonstrated a flaw that let attackers brute-force any Google account’s hidden phone number via Looker Studio document transfers. Exposed numbers can enable SIM-swap attacks to bypass SMS-based MFA and hijack high-value accounts. Google has patched the issue, underscoring the need to fortify verification flows and minimize reliance on SMS.

Key Details

  • Brute-forcing a US number took <1 hour; UK numbers in 8 minutes; some countries <1 minute
  • Exploit used a Looker Studio document ownership transfer with an oversized name to avoid alerts
  • No notification was sent to the target during the guessing process
  • Google awarded the researcher $5,000 and raised the severity to “medium” before patching

Read more at WIRED


2. Australia Mandates Ransomware Payment Reporting Within 72 Hours

Organizations with annual turnover above AU$3 million must now report any ransomware payment to the Australian Signals Directorate within 72 hours or face civil penalties. The filing must detail incident impact, malware variants, exploited vulnerabilities, ransom amounts and extortion communications. This is the first mandatory ransomware payment disclosure regime globally and heightens operational transparency for mid-sized businesses.

Key Details

  • Applies to private organizations with AU$3 million+ annual turnover, excludes public sector
  • Reports must include incident impact, ransomware variants, and exploited vulnerabilities
  • Requires disclosure of ransom demanded, ransom paid, negotiation and communications
  • Noncompliance may trigger civil penalties under the Cyber Security (Ransomware Payment Reporting) Rules 2025

Next Steps

  • Update incident response playbooks for 72-hour reporting

Read more at Dark Reading


3. WestJet Cyberattack Disrupts App and Website Access

Canadian carrier WestJet suffered a cybersecurity incident that restricted access to its internal systems, mobile app and website, although flight operations remained unaffected. The airline is working with law enforcement and Transport Canada to investigate, restore services and secure guest and employee data. WestJet has not disclosed the attack type or whether any information was exfiltrated, leaving potential risk of undetected breaches.

Key Details

  • Operations, including scheduled and charter flights, remained fully functional
  • No confirmation yet on ransomware involvement or data theft
  • Investigation led by internal teams alongside Transport Canada and police

Read more at SecurityWeek


4. Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets

Threat actors are hijacking genuine Discord invite links in crypto-focused servers to distribute AsyncRAT and the Skuld Stealer. Victims who click the malicious invites download Trojanized installers that enable remote access and siphon browser-based wallet credentials. Security teams must verify invite integrity and strengthen endpoint defenses against these malware families.

Key Details

  • Attackers replace valid Discord invites with links to NSIS installers hosted on public repositories
  • AsyncRAT establishes persistence and grants remote shell on Windows hosts
  • Skuld Stealer harvests browser extensions (e.g., MetaMask) and exfiltrates seed phrases
  • Campaign targets users of crypto and NFT communities on Discord

Next Steps

  • Audit Discord invite links and revoke unauthorized ones
  • Block known C2 domains and installer hashes at the network edge
  • Deploy EDR signatures to detect AsyncRAT behaviors

Read more at The Hacker News


5. Backups Are Under Attack: How to Protect Your Backups

Ransomware operators increasingly target backup repositories to extend downtime and drive higher payouts. Organizations must harden backup environments with immutability, network segmentation, strict access controls, and regular restore validation to ensure recoverability when primary systems fail.

Key Details

  • Recent incidents saw attackers delete or encrypt backups via compromised cloud-storage APIs and administrative accounts.
  • Survey data shows over 40% of organizations that lost backups suffered more than five days of operational downtime.
  • Roughly 30% of backup systems lack multi-factor authentication, exposing them to credential-based attacks.
  • Immutable backup features in object storage can thwart deletion and unauthorized modifications.

Next Steps

  • Enable immutability or object-lock on all backup repositories.
  • Segment backup servers on isolated networks or VLANs.
  • Enforce MFA and least-privilege for all backup-management accounts.
  • Don’t forget regular restore drills and integrity checks.

Read more at The Hacker News


6. Trump Signs EO 14306, Overhauls Software Security, Sanctions and Post-Quantum Roadmap

President Trump’s new cybersecurity executive order (EO 14306) removes Biden-era software attestation mandates, narrows cyberattack sanctions to foreign actors, accelerates a 2030 post-quantum cryptography deadline and tasks NIST with updating its Secure Software Development Framework. Federal CISOs and GRC teams should reassess procurement requirements, prepare for streamlined guidance and build crypto-agility to meet the revised compliance landscape.

Key Details

  • Eliminates mandatory software security attestations for federal contractors under EO 14028.
  • Revises EO 13694 to permit sanctions only against foreign persons involved in cyberattacks.
  • Directs NIST to update its Secure Software Development Framework (SSDF) and convene an industry consortium.
  • Sets a clear 2030 deadline for agencies to implement post-quantum cryptography standards.

Read more at SecurityWeek


7. Kali Linux 2025.2 Released with Expanded Car Hacking Toolkit and UI Refresh

Kali Linux 2025.2 introduces 13 new pentesting tools, an overhauled car hacking suite renamed CARsenal, and a refreshed UI aligned with the MITRE ATT&CK framework to streamline tool discovery. The update also brings GNOME 48 and KDE 6.3 enhancements plus expanded NetHunter support for wearable and automotive platforms. Security teams should schedule upgrades to leverage the improved toolkit and interface for more efficient assessments.

Key Details

  • Car hacking suite renamed CARsenal; now includes the ICSim simulator
  • 23 additional tools added, such as AzureHound, binwalk3, Rubeus, and tinja
  • Menu reorganized per MITRE ATT&CK; GNOME 48 and KDE 6.3 UI refresh
  • NetHunter gains wireless injection and de-auth support on TicWatch Pro 3

Read more at Bleeping Computer


8. LangSmith Code Injection Flaw Risks OpenAI Keys, User Data Exposure

A critical vulnerability in LangSmith’s agent and chain endpoints allowed attackers to execute arbitrary code, potentially exposing OpenAI API keys and sensitive customer data. Version 0.2.1, released June 28, fixes the issue. Organizations using LangSmith should update immediately and rotate API credentials.

Key Details

  • Affects LangSmith versions before 0.2.1, patched June 28 2025
  • Unsanitized “inputs” field in agent execution API led to code injection
  • CVSS score 9.1; open-source MIT-licensed tool by LangChain
  • Exposed environment variables, including OpenAI keys, and user logs

Next Steps

  • Upgrade to LangSmith v0.2.1 or later
  • Rotate OpenAI API credentials
  • Audit agent execution logs for suspicious activity

Read more at The Hacker News


9. UK Unveils Cyber Security and Resilience Bill to Update NIS Regulations

The UK government will introduce the Cyber Security and Resilience Bill in the 2025-26 session to modernise its 2018 NIS regime. The Bill extends regulatory duties to managed service providers (MSPs) and data centres, tightens incident-reporting deadlines to 24 and 72 hours, and enshrines supply-chain risk management and AI threat considerations into law. CISOs, GRC teams, and MSPs should prepare for expanded compliance scope, faster reporting timelines, and new statutory controls.

Key Details

  • MSPs and ~182 colocation facilities will be brought into scope under NIS-style duties.
  • New two-stage incident reporting: initial notification within 24 hours and full report in 72 hours.
  • Cyber Assessment Framework becomes a statutory Code of Practice, with powers to add sectors via secondary legislation.

Read more at Darktrace


10. 94 Billion Stolen Web Cookies Traded on the Dark Web

A NordVPN-led study found roughly 93.7 billion stolen browser cookies up for sale on underground Telegram channels, including 15.6 billion still active. These cookies—many tied to session IDs and personal data—can let attackers hijack accounts without credentials. Security teams should treat cookie theft as a direct route to account takeover and data exposure.

Key Details

  • Researchers collected ~94 billion cookies from April 23–30, 2025.
  • Redline infostealer accounted for ~42 billion stolen cookies.
  • Google services contributed 4.5 billion cookies; YouTube & Microsoft over 1 billion each.
  • 15.6 billion cookies remained active—enabling immediate account access.

Next Steps

  • Educate users on rejecting nonessential third-party cookies
  • Enforce automatic browser cookie clearance policies

Read more at Hackread


11. Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

Security researchers at Sucuri have uncovered a rapid surge of JSFireTruck infections, compromising over 269,000 sites in May 2025. The obfuscated JavaScript, hosted on manipulated Google Syndication URLs, injects spam and redirects visitors to scam pages, exposing organizations to reputational, SEO and compliance risks.

Key Details

  • Sucuri recorded a 400% month-over-month increase, targeting primarily WordPress sites.
  • Attackers inject obfuscated <script> tags via outdated plugins and weak credentials.
  • Malicious payloads are served from abused pagead2.googlesyndication.com URLs to evade detection.

Next Steps

  • Audit site pages for unauthorized <script> inclusions referencing print.js.
  • Patch CMS, plugins and remove unsupported themes and plugins immediately.
  • Deploy WAF rules to block known malicious Google Syndication scripts.

Read more at The Hacker News
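As an added example (not from the article or from Sucuri), a small defender-side scanner for the audit step above: it parses a page's script tags and flags both external scripts loaded from a googlesyndication.com path ending in print.js, the indicator the article names, and inline blobs made almost entirely of the `[]()!+$` character set (JSFuck-style obfuscation, a known trait of this family that the article only calls "obfuscated JavaScript"). The sample HTML is constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a legitimate WordPress script, an injected script pointing at an
# abused googlesyndication print.js path, a JSFuck-style inline blob, and a benign inline script.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="https://pagead2.googlesyndication.com/pagead/js/print.js"></script>
<script>[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[+!+[]]]</script>
<script>console.log("hello");</script>
</head><body></body></html>"""

JSFUCK_CHARS = set("[]()!+$")
ABUSED_SYNDICATION = re.compile(r"googlesyndication\.com/.*print\.js$", re.I)


class ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script, self._src, self._buf = False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)  # script bodies arrive as CDATA chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def jsfuck_ratio(body):
    """Fraction of non-whitespace characters drawn from the JSFuck alphabet."""
    stripped = "".join(body.split())
    return sum(c in JSFUCK_CHARS for c in stripped) / len(stripped) if stripped else 0.0


def find_suspicious_scripts(html, min_len=20, ratio=0.9):
    """Return (reason, evidence) tuples for scripts matching the two indicators."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src and ABUSED_SYNDICATION.search(src):
            findings.append(("abused-syndication-url", src))
        elif not src and len(body) >= min_len and jsfuck_ratio(body) >= ratio:
            findings.append(("jsfuck-style-inline", body[:40]))
    return findings
```

Legitimate adsbygoogle.js loads from the same host are not flagged; the second rule only fires on inline bodies, so ordinary page scripts with a few brackets pass.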


12. Unpatched Grafana CVE-2025-4123 Leaves 46,000+ Instances Open to Account Takeover

Over 46,000 internet-facing Grafana instances remain unpatched against CVE-2025-4123, a client-side open redirect flaw enabling malicious plugin loading and session hijacking. IT teams must prioritize upgrades and endpoint audits to prevent account takeover and potential SSRF via the Image Renderer plugin.

Key Details

  • OX Security found 128,864 public Grafana endpoints, with 46,506 (36%) still vulnerable.
  • Exploit combines client-side path traversal and open redirect to load attacker-controlled plugins.
  • No elevated privileges required; attackers can hijack sessions, reset passwords, and change emails.
  • If the Image Renderer plugin is enabled, attackers can trigger SSRF to access internal resources.

Next Steps

  • Upgrade Grafana to 10.4.18+security-01, 11.2.9+security-01, or later.

Read more at BleepingComputer


13. Hackers Scan 80,000+ Microsoft Entra ID Accounts Using Open-Source Tool

Attackers leveraged the TeamFiltration open-source utility to enumerate and identify misconfigured or over-privileged Azure Entra ID (formerly Azure AD) accounts at scale. The campaign—observed scanning over 80,000 identities—highlights gaps in permission hygiene and monitoring around Graph API usage. Security teams should immediately review delegated app permissions and monitor directory enumeration to prevent similar reconnaissance.

Key Details

  • TeamFiltration uses Microsoft Graph API calls (e.g., /memberOf) to list users and group memberships.
  • Scan targeted over 80,000 Entra ID accounts across multiple tenants.
  • Attackers aimed to identify high-privilege roles and misconfigured service principals.
  • No public patch – mitigation relies on configuration and monitoring improvements.

Next Steps

  • Audit and remove unused Azure AD app permissions.
  • Implement least-privilege model on service principals.
  • Monitor Graph API calls for bulk enumeration patterns.

Read more at The Hacker News
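As an added example (not from the article or from the TeamFiltration project), a sliding-window detector for the "bulk enumeration" monitoring step above: it reads Graph activity records, keeps only /users/{id}/memberOf calls (the endpoint the article cites), and alerts when one app/IP pair looks up at least `threshold` distinct principals within `window`. The record format and all values are constructed for this example; real Microsoft Graph activity logs use different field names.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (field names are assumptions, not Microsoft's schema):
# app-A hits six different users' memberOf within 30 s; app-B makes two; one record is unrelated.
SAMPLE_LOG = """
{"ts":"2025-06-16T10:00:00Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u1/memberOf"}
{"ts":"2025-06-16T10:00:05Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u2/memberOf"}
{"ts":"2025-06-16T10:00:10Z","appId":"app-B","ip":"198.51.100.7","uri":"/v1.0/users/u9/memberOf"}
{"ts":"2025-06-16T10:00:11Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u3/memberOf"}
{"ts":"2025-06-16T10:00:15Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/me"}
{"ts":"2025-06-16T10:00:18Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u4/memberOf"}
{"ts":"2025-06-16T10:00:20Z","appId":"app-B","ip":"198.51.100.7","uri":"/v1.0/users/u8/memberOf"}
{"ts":"2025-06-16T10:00:25Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u5/memberOf"}
{"ts":"2025-06-16T10:00:30Z","appId":"app-A","ip":"203.0.113.10","uri":"/v1.0/users/u6/memberOf"}
"""

ENUM_URI = re.compile(r"^/v1\.0/users/([^/]+)/memberOf$")


def detect_bulk_enumeration(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return [((appId, ip), distinct_principals)] for sources exceeding the threshold."""
    events = defaultdict(list)  # (appId, ip) -> [(timestamp, enumerated principal)]
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        match = ENUM_URI.match(rec["uri"])
        if not match:
            continue  # only membership-enumeration calls count toward the window
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[(rec["appId"], rec["ip"])].append((ts, match.group(1)))

    alerts = []
    for source, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct principals enumerated in the window opening at this event
            in_window = {p for t, p in evs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append((source, len(in_window)))
                break  # one alert per source is enough
    return alerts
```

Counting distinct principals rather than raw calls keeps a client that retries a single lookup from tripping the alert, while a sweep across many users does.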


14. Researchers Demonstrate Replay Attacks Bypass Deepfake Audio Detectors

An international team found that playing and re-recording synthetic speech with real-world acoustics tricks leading deepfake detectors, driving error rates from 4.7% to 18.2%. This exposes enterprises to more effective vishing attacks by undermining first-line audio authentication. Security teams should reassess anti-spoofing controls and reinforce verification processes.

Key Details

  • Researchers tested 109 speaker-microphone setups across six languages
  • ReplayDF dataset: 132.5 hours of re-recorded synthetic audio under varied acoustics.
  • Top model (W2V2-AASIST) error jumped from 4.7% to 18.2% on replay attacks.

Read more at Dark Reading


15. Scattered Spider Shifts from UK Retail to US Insurers with Social Engineering Attacks

Google’s Threat Intelligence Group warns that the Scattered Spider hacking group, previously linked to UK retail breaches, is now targeting U.S. insurance firms by exploiting help-desk and call-center staff through social engineering. Early victims include Erie Insurance and Scania Financial Services, underscoring insurers’ vulnerability due to complex support processes and high-value customer data.

Key Details

  • Google TAG analyst John Hultquist flagged the shift via an X post on June 16, 2025.
  • Scattered Spider uses phishing and impersonation to trick help-desk staff into resetting passwords or granting access.
  • Erie Insurance reported a breach on June 7; Scania Financial Services’ subdomain data was also allegedly exfiltrated.

Next Steps

  • Enforce multi-factor authentication on all internal support tools.
  • Conduct targeted social-engineering training for call-center personnel.

Read more at HackRead


16. Zero-Click Vulnerability in Microsoft 365 Copilot Could Leak Corporate Data

A critical zero-click flaw in Microsoft 365 Copilot allowed attackers to exfiltrate user data without any interaction. Microsoft released June 11, 2025 security updates to address the issue and urges administrators to apply patches immediately to prevent unauthorized data exposure.

Key Details

  • Identified as CVE-2025-3498 with a CVSS score of 9.8.
  • Affects Copilot integrations in Word, Excel, Outlook and Teams.
  • Allows data exfiltration without any user prompt or click.

Next Steps

  • Deploy the June 11 Copilot security update across all tenants.

Read more at The Hacker News
