{"id":19582,"date":"2025-06-19T12:31:25","date_gmt":"2025-06-19T10:31:25","guid":{"rendered":"https:\/\/kordon.app\/?p=19582"},"modified":"2025-06-19T16:54:13","modified_gmt":"2025-06-19T14:54:13","slug":"15-cyber-security-news-from-june-worth-your-attention","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/15-cyber-security-news-from-june-worth-your-attention\/","title":{"rendered":"16 Cyber Security News from June Worth Your Attention"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>We scan more than 20 cybersecurity news sites every week to highlight only the stories that truly matter. This week has been particularly eventful, from Google&#8217;s hidden phone number exploit and Australia&#8217;s groundbreaking ransomware reporting rules to cyber incidents hitting WestJet and urgent vulnerabilities discovered in Microsoft 365 Copilot. And the Scattered Spider group that had been causing trouble in the retail sector has seemingly moved on to its next victim &#8211; the insurance industry.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">0. Massive 16 Billion Credential Leak, Including Apple IDs, Highlights Infostealer Pervasiveness<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Cybernews researchers discovered 30 unsecured datasets holding 16 billion login credentials harvested by infostealer malware and credential-stuffing collections. Brief exposure via open Elasticsearch and object storage makes this fresh, structured intelligence ripe for account takeover, identity theft, and targeted phishing campaigns. 
Security teams must bolster multifactor authentication and credential hygiene to defend against mass exploitation.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Datasets ranged from 16 million to 3.5 billion records each, averaging 550 million entries<\/li>\n\n\n\n<li>Includes credentials for <strong>Apple, Facebook, Google, Telegram, GitHub, VPN services, developer platforms, online marketplaces, and government login portals<\/strong><\/li>\n\n\n\n<li>Data covers social media, corporate platforms, VPNs, developer portals and government services<\/li>\n\n\n\n<li>Includes recent infostealer logs with tokens, cookies and metadata for deeper compromise<\/li>\n\n\n\n<li>All datasets were exposed only briefly, preventing attribution of dataset ownership<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce multifactor authentication on all critical accounts<\/li>\n\n\n\n<li>Audit and rotate passwords for exposed services<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybernews.com\/security\/billions-credentials-exposed-infostealers-data-leak\/\">Cybernews<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<h2 class=\"wp-block-heading\">1. Researcher Exploits Google Bug to Expose Linked Phone Numbers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A security researcher demonstrated a flaw that let attackers brute-force any Google account\u2019s hidden phone number via Looker Studio document transfers. Exposed numbers can enable SIM-swap attacks to bypass SMS-based MFA and hijack high-value accounts. 
Google has patched the issue, underscoring the need to fortify verification flows and minimize reliance on SMS.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Brute-forcing a <strong>US number took &lt;1 hour; UK numbers in 8 minutes; some countries &lt;1 minute<\/strong><\/li>\n\n\n\n<li>Exploit used a Looker Studio document ownership transfer with an oversized name to avoid alerts<\/li>\n\n\n\n<li>No notification was sent to the target during the guessing process<\/li>\n\n\n\n<li>Google awarded the researcher <strong>$5,000 <\/strong>and raised the severity to \u201cmedium\u201d before patching<\/li>\n<\/ul>\n\n\n<p><!-- \/wp:post-content --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.wired.com\/story\/a-researcher-figured-out-how-to-reveal-any-phone-number-linked-to-a-google-account\/\">WIRED<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">2. Australia Mandates Ransomware Payment Reporting Within 72 Hours<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Organizations with annual turnover above AU$3 million must now report any ransomware payment to the Australian Signals Directorate within 72 hours or face civil penalties. The filing must detail incident impact, malware variants, exploited vulnerabilities, ransom amounts and extortion communications. 
This is the first mandatory ransomware payment disclosure regime globally and heightens operational transparency for mid-sized businesses.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Applies to private organizations with AU$3 million+ annual turnover, excludes public sector<\/span><\/li>\n<li>Reports must include <strong>incident impact, ransomware variants, and exploited vulnerabilities<\/strong><\/li>\n<li>Requires <strong>disclosure<\/strong> of ransom demanded, ransom paid, negotiation and <strong>communications<\/strong><\/li>\n<li><strong>Noncompliance may trigger civil penalties<\/strong> under the Cyber Security (Ransomware Payment Reporting) Rules 2025<\/li>\n<\/ul>\n<p><!-- \/wp:paragraph --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Update incident response playbooks for 72-hour reporting<\/span><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/australia-ransomware-payment-disclosure-rules\">Dark Reading<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">3. WestJet Cyberattack Disrupts App and Website Access<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Canadian carrier WestJet suffered a cybersecurity incident that restricted access to its internal systems, mobile app and website, although flight operations remained unaffected. The airline is working with law enforcement and Transport Canada to investigate, restore services and secure guest and employee data. 
WestJet has not disclosed the attack type or whether any information was exfiltrated, leaving potential risk of undetected breaches.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li>Operations, including scheduled and charter flights, remained fully functional<\/li>\n<li>No confirmation yet on ransomware involvement or data theft<\/li>\n<li>Investigation led by internal teams alongside Transport Canada and police<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.securityweek.com\/canadian-airline-westjet-hit-by-cyberattack\/\">SecurityWeek<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">4. Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Threat actors are hijacking genuine Discord invite links in crypto-focused servers to distribute AsyncRAT and the Skuld Stealer. Victims who click the malicious invites download Trojanized installers that enable remote access and siphon browser-based wallet credentials. 
Security teams must verify invite integrity and strengthen endpoint defenses against these malware families.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><strong><span style=\"letter-spacing: 0px;\">Attackers replace valid Discord invites with links to NSIS installers hosted on public repositories<\/span><\/strong><\/li>\n<li>AsyncRAT establishes persistence and grants remote shell on Windows hosts<\/li>\n<li>Skuld Stealer harvests browser extensions (e.g., MetaMask) and exfiltrates seed phrases<\/li>\n<li>Campaign <strong>targets users of crypto and NFT communities<\/strong> on Discord<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Audit Discord invite links and revoke unauthorized ones<\/span><\/li>\n<li>Block known C2 domains and installer hashes at the network edge<\/li>\n<li>Deploy EDR signatures to detect AsyncRAT behaviors<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/discord-invite-link-hijacking-delivers.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">5. Backups Are Under Attack: How to Protect Your Backups<\/h2>\n<p><!-- \/wp:heading --><\/p>\n<p><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Ransomware operators increasingly target backup repositories to extend downtime and drive higher payouts. 
Organizations must harden backup environments with immutability, network segmentation, strict access controls, and regular restore validation to ensure recoverability when primary systems fail.<\/pre>\n<p><!-- \/wp:verse --><\/p>\n<p><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Recent incidents saw attackers delete or encrypt backups via compromised cloud-storage APIs and administrative accounts.<\/span><\/li>\n<li>Survey data shows over <strong>40% of organizations that lost backups suffered more than five days of operational downtime.<\/strong><\/li>\n<li><strong>Roughly 30% of backup systems lack multi-factor authentication<\/strong>, exposing them to credential-based attacks.<\/li>\n<li>Immutable backup features in object storage can thwart deletion and unauthorized modifications.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><\/p>\n<p><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Enable immutability or object-lock on all backup repositories.<\/span><\/li>\n<li>Segment backup servers on isolated networks or VLANs.<\/li>\n<li>Enforce MFA and least-privilege for all backup-management accounts.<\/li>\n<li>Don&#8217;t forget regular restore drills and integrity checks.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><\/p>\n<p><!-- wp:paragraph 
--><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/how-to-protect-your-backups-from-ransomware-attacks.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><\/p>\n<p><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">6. Trump Signs EO 14306, Overhauls Software Security, Sanctions and Post-Quantum Roadmap<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">President Trump\u2019s new cybersecurity executive order (EO 14306) removes Biden-era software attestation mandates, narrows cyberattack sanctions to foreign actors, accelerates a 2030 post-quantum cryptography deadline and tasks NIST with updating its Secure Software Development Framework. Federal CISOs and GRC teams should reassess procurement requirements, prepare for streamlined guidance and build crypto-agility to meet the revised compliance landscape.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:list {\"className\":\"wp-block-list\"} --><\/p>\n<ul class=\"wp-block-list\">\n<li>Eliminates mandatory software security attestations for federal contractors under EO 14028.<\/li>\n<li>Revises EO 13694 to permit sanctions only against foreign persons involved in cyberattacks.<\/li>\n<li>Directs NIST to update its Secure Software Development Framework (SSDF) and convene an industry consortium.<\/li>\n<li>Sets a clear 2030 deadline for agencies to implement post-quantum cryptography standards.<\/li>\n<\/ul>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.securityweek.com\/trump-cybersecurity-executive-order-targets-digital-identity-sanctions-policies\/\">SecurityWeek<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- 
wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">7. Kali Linux 2025.2 Released with Expanded Car Hacking Toolkit and UI Refresh<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Kali Linux 2025.2 introduces 13 new pentesting tools, an overhauled car hacking suite renamed CARsenal, and a refreshed UI aligned with the MITRE ATT&amp;CK framework to streamline tool discovery. The update also brings GNOME 48 and KDE 6.3 enhancements plus expanded NetHunter support for wearable and automotive platforms. Security teams should schedule upgrades to leverage the improved toolkit and interface for more efficient assessments.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">CARsenal car hacking suite renamed, now includes ICSim simulator<\/span><\/li>\n<li><strong>23 additional tools added,<\/strong> such as AzureHound, binwalk3, Rubeus, and tinja<\/li>\n<li>Menu reorganized per MITRE ATT&amp;CK; GNOME 48 and KDE 6.3 UI refresh<\/li>\n<li>NetHunter gains wireless injection and de-auth support on TicWatch Pro 3<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/kali-linux-20252-released-with-13-new-tools-car-hacking-updates\/\">Bleeping Computer<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">8. 
LangSmith Code Injection Flaw Risks OpenAI Keys, User Data Exposure<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">A critical vulnerability in LangSmith\u2019s agent and chain endpoints allowed attackers to execute arbitrary code, potentially exposing OpenAI API keys and sensitive customer data. Version 0.2.1, released June 28, fixes the issue. Organizations using LangSmith should update immediately and rotate API credentials.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Affects LangSmith versions before 0.2.1, <strong>patched June 28, 2025<\/strong><\/span><\/li>\n<li>Unsanitized \u201cinputs\u201d field in agent execution API led to code injection<\/li>\n<li>CVSS score 9.1; open-source MIT-licensed tool by LangChain<\/li>\n<li>Exposed environment variables, including OpenAI keys, and user logs<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\"><strong>Upgrade<\/strong> to LangSmith v0.2.1 or later<\/span><\/li>\n<li><strong>Rotate<\/strong> OpenAI API <strong>credentials<\/strong><\/li>\n<li><strong>Audit<\/strong> agent execution <strong>logs<\/strong> for suspicious activity<\/li>\n<\/ul>\n<p><!-- 
\/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/langchain-langsmith-bug-let-hackers.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">9. UK Unveils Cyber Security and Resilience Bill to Update NIS Regulations<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">The UK government will introduce the Cyber Security and Resilience Bill in the 2025-26 session to modernise its 2018 NIS regime. The Bill extends regulatory duties to managed service providers (MSPs) and data centres, tightens incident-reporting deadlines to 24 and 72 hours, and enshrines supply-chain risk management and AI threat considerations into law. CISOs, GRC teams, and MSPs should prepare for expanded compliance scope, faster reporting timelines, and new statutory controls.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">MSPs and ~182 colocation facilities will be brought into scope under NIS-style duties.<\/span><\/li>\n<li>New two-stage incident reporting: initial notification within 24 hours and full report in 72 hours.<\/li>\n<li>Cyber Assessment Framework becomes a statutory Code of Practice, with powers to add sectors via secondary legislation.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darktrace.com\/resources\/gartner-ndr-magic-quadrant-2025\">Darktrace<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">10. 
94 Billion Stolen Web Cookies Traded on the Dark Web<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">A NordVPN-led study found roughly 93.7 billion stolen browser cookies up for sale on underground Telegram channels, including 15.6 billion still active. These cookies\u2014many tied to session IDs and personal data\u2014can let attackers hijack accounts without credentials. Security teams should treat cookie theft as a direct route to account takeover and data exposure.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Researchers collected ~94 billion cookies from April 23\u201330, 2025.<\/span><\/li>\n<li>Redline infostealer accounted for ~42 billion stolen cookies.<\/li>\n<li>Google services contributed 4.5 billion cookies; YouTube &amp; Microsoft over 1 billion each.<\/li>\n<li>15.6 billion cookies remained active\u2014enabling immediate account access.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li>Educate users on rejecting nonessential third-party cookies<\/li>\n<li>Enforce automatic browser cookie clearance policies<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/nearly-94-billion-stolen-cookies-on-dark-web\/\">Hackread<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">11. 
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Security researchers at Sucuri have uncovered a rapid surge of JSFireTruck infections, compromising over 269,000 sites in May 2025. The obfuscated JavaScript, hosted on manipulated Google Syndication URLs, injects spam and redirects visitors to scam pages, exposing organizations to reputational, SEO and compliance risks.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><strong><span style=\"letter-spacing: 0px;\">Sucuri recorded a 400% month-over-month increase, targeting primarily WordPress sites.<\/span><\/strong><\/li>\n<li>Attackers inject obfuscated <code style=\"letter-spacing: 0px;\">&lt;script&gt;<\/code><span style=\"font-size: revert; letter-spacing: 0px;\"> tags via outdated plugins and weak credentials.<\/span><\/li>\n<li>Malicious payloads are served from abused <em style=\"font-size: revert; letter-spacing: 0px;\">pagead2.googlesyndication.com<\/em><span style=\"font-size: revert; letter-spacing: 0px;\"> URLs to evade detection.<\/span><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Audit site pages for unauthorized <\/span><code style=\"letter-spacing: 0px;\">&lt;script&gt;<\/code><span style=\"letter-spacing: 0px;\"> inclusions referencing print.js.<\/span><\/li>\n<li>Patch CMS, plugins and remove unsupported themes and plugins immediately.<\/li>\n<li>Deploy WAF rules to block known malicious Google Syndication scripts.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/over-269000-websites-infected-with.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- 
wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">12. Unpatched Grafana CVE-2025-4123 Leaves 46,000+ Instances Open to Account Takeover<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Over 46,000 internet-facing Grafana instances remain unpatched against CVE-2025-4123, a client-side open redirect flaw enabling malicious plugin loading and session hijacking. IT teams must prioritize upgrades and endpoint audits to prevent account takeover and potential SSRF via the Image Renderer plugin.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><strong><span style=\"letter-spacing: 0px;\">OX Security found 128,864 public Grafana endpoints, with 46,506 (36%) still vulnerable.<\/span><\/strong><\/li>\n<li>Exploit combines client-side path traversal and open redirect to load attacker-controlled plugins.<\/li>\n<li><strong>No elevated privileges required; attackers can hijack sessions, reset passwords, and change emails.<\/strong><\/li>\n<li>If the Image Renderer plugin is enabled, attackers can trigger SSRF to access internal resources.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Upgrade Grafana to 10.4.18+security-01, 11.2.9+security-01, or later.<\/span><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-46-000-grafana-instances-exposed-to-account-takeover-bug\/\">BleepingComputer<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 
class=\"wp-block-heading\">13. Hackers Scan 80,000+ Microsoft Entra ID Accounts Using Open-Source Tool<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Attackers leveraged the TeamFiltration open-source utility to enumerate and identify misconfigured or over-privileged Azure Entra ID (formerly Azure AD) accounts at scale. The campaign\u2014observed scanning over 80,000 identities\u2014highlights gaps in permission hygiene and monitoring around Graph API usage. Security teams should immediately review delegated app permissions and monitor directory enumeration to prevent similar reconnaissance.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">TeamFiltration uses Microsoft Graph API calls (e.g., \/memberOf) to list users and group memberships.<\/span><\/li>\n<li>Scan targeted over 80,000 Entra ID accounts across multiple tenants.<\/li>\n<li>Attackers aimed to identify high-privilege roles and misconfigured service principals.<\/li>\n<li><strong>No public patch &#8211; mitigation relies on configuration and monitoring improvements.<\/strong><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Audit and remove unused Azure AD app permissions.<\/span><\/li>\n<li>Implement least-privilege model on service principals.<\/li>\n<li>Monitor Graph API calls for bulk enumeration patterns.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/over-80000-microsoft-entra-id-accounts.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 
class=\"wp-block-heading\">14. Researchers Demonstrate Replay Attacks Bypass Deepfake Audio Detectors<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">An international team found that playing and re-recording synthetic speech with real-world acoustics tricks leading deepfake detectors, driving error rates from 4.7% to 18.2%. This exposes enterprises to more effective vishing attacks by undermining first-line audio authentication. Security teams should reassess anti-spoofing controls and reinforce verification processes.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Researchers tested 109 speaker-microphone setups across six languages<\/span><\/li>\n<li>ReplayDF dataset: 132.5 hours of re-recorded synthetic audio under varied acoustics.<\/li>\n<li>Top model (W2V2-AASIST) <strong>error jumped from 4.7% to 18.2% on replay attacks.<\/strong><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cybersecurity-analytics\/researchers-bypass-deepfake-detection-replay-attacks\">Dark Reading<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">15. 
Scattered Spider Shifts from UK Retail to US Insurers with Social Engineering Attacks<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">Google\u2019s Threat Intelligence Group warns that the Scattered Spider hacking group, previously linked to UK retail breaches, is now targeting U.S. insurance firms by exploiting help-desk and call-center staff through social engineering. Early victims include Erie Insurance and Scania Financial Services, underscoring insurers\u2019 vulnerability due to complex support processes and high-value customer data.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Google TAG analyst John Hultquist flagged the shift via an X post on <strong>June 16, 2025.<\/strong><\/span><\/li>\n<li><strong>Scattered Spider uses phishing and impersonation<\/strong> to trick help-desk staff into resetting passwords or granting access.<\/li>\n<li>Erie Insurance reported a breach on June 7; Scania Financial Services\u2019 subdomain data was also allegedly exfiltrated.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li>Enforce <strong>multi-factor authentication<\/strong> on all internal support tools.<\/li>\n<li><strong>Conduct targeted social-engineering training for call-center personnel<\/strong>.<\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/scattered-spider-us-insurers-uk-retail-hit-google\/\">HackRead<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator --><\/p>\n<p><!-- wp:heading --><\/p>\n<h2 class=\"wp-block-heading\">16. 
Zero\u2010Click Vulnerability in Microsoft 365 Copilot Could Leak Corporate Data<\/h2>\n<p><!-- \/wp:heading --><!-- wp:verse --><\/p>\n<pre class=\"wp-block-verse\">A critical zero\u2010click flaw in Microsoft 365 Copilot allowed attackers to exfiltrate user data without any interaction. Microsoft released security updates on June 11, 2025 to address the issue and urges administrators to apply patches immediately to prevent unauthorized data exposure.<\/pre>\n<p><!-- \/wp:verse --><!-- wp:paragraph --><\/p>\n<p><strong>Key Details<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Identified as <strong>CVE-2025-3498<\/strong> with a CVSS score of 9.8.<\/span><\/li>\n<li><strong>Affects Copilot integrations<\/strong> in Word, Excel, Outlook and Teams.<\/li>\n<li><strong>Allows data exfiltration without any user prompt or click.<\/strong><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Next Steps<\/strong><\/p>\n<ul>\n<li><span style=\"letter-spacing: 0px;\">Deploy the June 11 Copilot security update across all tenants.<\/span><\/li>\n<\/ul>\n<p><!-- \/wp:list-item --><\/p>\n<p><!-- \/wp:list --><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/zero-click-ai-vulnerability-exposes.html\">The Hacker News<\/a><\/p>\n<p><!-- \/wp:paragraph --><!-- wp:separator --><\/p>\n<p><!-- wp:paragraph --><\/p>\n<p><!-- \/wp:paragraph --><\/p>","protected":false},"excerpt":{"rendered":"<p>We scan more than 20 cybersecurity news sites every week to highlight only the stories that truly matter. 
<\/p>","protected":false},"author":1,"featured_media":19626,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-19582","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=19582"}],"version-history":[{"count":112,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19582\/revisions"}],"predecessor-version":[{"id":19696,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19582\/revisions\/19696"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/19626"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=19582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=19582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=19582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}