9 Cybersecurity News from This Week Worth Your Attention (June 2025)

I scan more than 20+ cybersecurity news sites every week to highlight only the most interesting and actionable news to information security managers. Some weeks there are 20, some weeks like this I find 9 worth sharing.

1. Purported 16 Billion Credential Leak Likely Old Aggregated Data

What was billed as a new massive breach is likely just an aggregation of older exposed account credentials, say security experts. Organizations maintaining strong passwords, multifactor authentication, and passkey-based logins remain protected against recycled data.

Key Details

• Cybernews reported 30 data sets since January, totaling 16 billion entries for major services (Apple, Google, Facebook).
• Check Point’s Thomas Boele attributes the collection to an old “Datenhalde” repository, not a new breach.
• Germany’s BSI confirms there’s no new incident and stresses standard precautions suffice.

Next Steps

• Audit critical accounts for password strength and reuse

Read more at CSO Online (dpa)

2. Michigan Healthcare Provider McLaren Health Care Notifies 743,131 Individuals of Ransomware Data Breach (2nd time in 2 years)

On August 5, McLaren Health Care discovered a ransomware intrusion that ran from July 17 to August 3, exposing personal and protected health information of 743,131 patients. As the second ransomware-related breach in two years, this incident underscores ongoing cybersecurity gaps in healthcare and elevates regulatory, financial, and reputational risks for the organization.

Key Details

• Attack disclosed to Maine AGO: ransomware compromised PII and PHI including names, SSNs, driver’s licenses, insurance and medical records.
• Network access window: July 17 – August 3, 2024; attack discovered on August 5.
• Response: 12 months of free credit monitoring and fraud-protection guidance offered to impacted individuals.
• Prior breach: Alphv/BlackCat ransomware group impacted 2.2 million records at McLaren in July 2023.

Read more at SecurityWeek, The Record and Maine AG

3. Actors Exploit Exposed Docker APIs and Tor to Stealthily Deploy XMRig Miners

Trend Micro researchers have uncovered a campaign where threat actors leverage misconfigured Docker Remote APIs and Tor anonymization to infiltrate containerized environments and deploy XMRig cryptocurrency miners. The attack mounts the host root, spins up a torified container to fetch a hidden “docker-init.sh” script from a .onion server, and uses an internal dropper with zstd compression to optimize mining while avoiding external downloads. 

Key Details

• Attack chain: mount /hostroot, install Tor inside container, fetch & execute “docker-init.sh” via .onion URL
• Dropper bundles XMRig miner and execution steps internally; uses zstd to compress miner for performance
• All traffic and DNS resolution routed through Tor’s socks5h proxy for stealth

Next Steps

• Audit and close exposed Docker Remote API endpoints immediately
• Restrict API access via network whitelisting and enforce TLS client authentication

Read more at Dark Reading

4. Chinese ‘Salt Typhoon’ Group Exploits Cisco Flaw to Target Canadian Telcos

In mid-February 2025, Canadian authorities and the FBI linked Chinese state-sponsored Salt Typhoon to compromises of Cisco network devices at a Canadian telecom, exploiting CVE-2023-20198 to retrieve configurations and create GRE tunnels for traffic collection. This espionage campaign, mirroring earlier U.S. attacks, puts call records and private communications of government and political figures at risk. 

Key Details

• Three Cisco devices at a Canadian telco were compromised in mid-February 2025.
• Attackers exploited CVE-2023-20198 to extract running configs and deploy GRE tunnels.
• Salt Typhoon previously used this vulnerability in espionage operations against U.S. telecoms.
• U.S. firm Viasat also reported unauthorized access via a compromised device, with no customer impact.

Next Steps

• Apply Cisco’s CVE-2023-20198 patches immediately.

Read more at SecurityWeek

5. Critical Authentication Bypass Flaw Patched in Teleport

Teleport has released patches for a critical SSH authentication bypass (CVE-2025-49825, CVSS 9.8) that could let remote attackers access managed servers without valid credentials. Cloud customers were auto-patched; self-hosted instances must upgrade immediately to avoid unauthorized access and operational disruption.

Key Details

• Patches released in Teleport 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27 and 12.4.35.
• Impacts SSH agents, OpenSSH-integrated deployments, and Git proxy setups.
• No public exploits or in-the-wild attacks reported to date.

Next Steps

• Upgrade all Teleport nodes to the matching patched major version.

Read more at SecurityWeek

6. DHS Warns Pro-Iranian Hackers Will Target U.S. Infrastructure After Iranian Nuclear Strikes

The U.S. Department of Homeland Security and FBI have issued a joint advisory warning that pro-Iranian hacktivist groups are likely to launch disruptive cyberattacks—ranging from DDoS to ransomware and website defacements—against American critical infrastructure if Iran conducts nuclear strikes. Energy, water treatment, healthcare and government networks face the highest risk, underscoring an urgent need for targeted defensive measures.

Key Details

• The joint DHS/FBI advisory was published on June 24, 2025, under CISA Alert AA25-163A.
• Identified hacktivist cells (e.g., Green Commandos, HoldResist) plan DDoS, web defacement, ransomware.
• Primary targets include energy, water treatment, healthcare, government and defense contractor networks.

Next Steps

• Enable DDoS protection on public-facing applications.

Read more at The Hacker News

7. Echo Chamber Jailbreak Enables LLMs to Generate Harmful Content

Neural Trust researchers have unveiled the “Echo Chamber” jailbreak, a six-step, multi-turn context-poisoning technique that coaxes leading LLMs into policy-violating outputs without explicit harmful prompts. In evaluations across GPT-4.1-nano, GPT-4o, Gemini-2 and others, the attack achieved over 90% success in triggering hate speech, violence, sexism and pornography within 1–3 turns, and above 80% in misinformation and self-harm scenarios.

Key Details

• The six-step method plants benign “poisonous” and “steering” seeds to subtly shift model context over multiple turns.
• Fully black-box: no access to model weights or architecture required, making it widely applicable to commercial LLMs.
• Usual token-level filters fail, as the attack relies on indirect references and inference rather than explicit toxic language.

Next Steps

• Educate employees on different ways LLMs can be manipulated to raise their critical thinking towards LLM outputs.

Read more at Cyber Security News and The Hacker News

8. Another reason to take care of your persona IOT devices: Iran Targets Israeli CCTV Systems to Refine Missile Strikes

Israeli officials warn that Iranian actors are accessing internet-connected security cameras to observe missile impact sites and improve targeting accuracy. Citizens are urged to disconnect CCTV systems as unpatched IoT cameras have become a real-time intelligence source in modern conflicts. This tactic echoes documented use of compromised surveillance feeds in Ukraine and along the Russia–Ukraine front.

Key Details

• Officials say attempts spiked in the past 2–3 days, per former cyber official Refael Franco.
• Similar exploits recorded in Ukraine, where Russian intelligence streamed compromised camera feeds.

Next Steps

• Alwats apply the latest firmware patches to all IOT devices
• Isolate IOT networks from operational and control systems

Read more at Bloomberg

9. Meta’s Llama 3.1 70B Model Memorizes Full Texts of Copyrighted Books

Research by Stanford, Cornell and West Virginia University shows Meta’s Llama 3.1 70B can reproduce 91% of The Sorcerer’s Stone and large passages of 1984, indicating the model internally “memorizes” copyrighted texts rather than purely generating new content. This raises significant infringement risks for organizations deploying or distributing the model and challenges AI vendors’ defense that their systems are only “inspired by” training data. Security, legal and procurement teams must reassess LLM sourcing, usage controls and monitor evolving copyright litigation.

Key Details

• Researchers split 56 books into overlapping 100-token strings and prompted the model with 50 tokens to extract the next 50.
• Llama 3.1 70B reproduced 91% of the first Harry Potter book and significant chunks of other copyrighted works.
• Model’s popularity (~1 million downloads) amplifies potential legal exposure if distribution is deemed unauthorized copying.
• Variability across Llama versions suggests particular training choices—like retaining duplicates—drove memorization.

Next Steps

• If 91% of Harry Potter books can be reproduced, so could your company’s internal documents used in prompts. Review if and how your LLM providers use content uploaded to their services.

Read more at 404 Media and ArXiv