{"id":19698,"date":"2025-06-26T15:06:36","date_gmt":"2025-06-26T13:06:36","guid":{"rendered":"https:\/\/kordon.app\/?p=19698"},"modified":"2025-07-01T14:09:39","modified_gmt":"2025-07-01T12:09:39","slug":"9-cybersecurity-news-from-this-week-worth-your-attention-june-2025","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/9-cybersecurity-news-from-this-week-worth-your-attention-june-2025\/","title":{"rendered":"9 Cybersecurity News from This Week Worth Your Attention (June 2025)"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>I scan more than 20 cybersecurity news sites every week to highlight only the most interesting and actionable news for information security managers. Some weeks there are 20; some weeks, like this one, I find 9 worth sharing.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Purported 16 Billion Credential Leak Likely Old Aggregated Data<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>What was billed as a new massive breach is likely just an aggregation of older exposed account credentials, say security experts.<\/strong> Organizations maintaining strong passwords, multifactor authentication, and passkey-based logins remain protected against recycled data.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cybernews reported 30 data sets since January, <strong>totaling 16 billion entries for major services (Apple, Google, Facebook).<\/strong><\/li>\n\n\n\n<li>Check Point\u2019s Thomas Boele attributes the collection to an old \u201cDatenhalde\u201d repository, not a new breach.<\/li>\n\n\n\n<li>Germany\u2019s BSI confirms there\u2019s no new incident and stresses standard precautions suffice.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit critical accounts for password strength and reuse<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/www.csoonline.com\/article\/4012489\/16-billion-credential-leak-or-just-old-data.html\">CSO Online (dpa)<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Michigan Healthcare Provider McLaren Health Care Notifies 743,131 Individuals of Ransomware Data Breach (2nd time in 2 years)<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>On August 5, McLaren Health Care discovered a ransomware intrusion that ran from July 17 to August 3, exposing personal and protected health information of 743,131 patients.<\/strong> As the second ransomware-related breach in two years, this incident underscores ongoing cybersecurity gaps in healthcare and elevates regulatory, financial, and reputational risks for the organization.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack disclosed to Maine AGO: ransomware compromised PII and PHI including names, SSNs, driver\u2019s licenses, insurance and medical records.<\/li>\n\n\n\n<li>Network access window: July 17 \u2013 August 3, 2024; attack discovered on August 5.<\/li>\n\n\n\n<li>Response: 12 months of free credit monitoring and fraud-protection guidance offered to impacted individuals.<\/li>\n\n\n\n<li>Prior breach: <strong>Alphv\/BlackCat ransomware group impacted 2.2 million records at McLaren in July 2023.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.securityweek.com\/743000-impacted-by-mclaren-health-care-data-breach\/\">SecurityWeek<\/a>, <a href=\"https:\/\/therecord.media\/michigan-hospital-system-struggling-after-cyberattack\">The Record<\/a> and <a href=\"https:\/\/www.maine.gov\/agviewer\/content\/ag\/985235c7-cb95-4be2-8792-a1252b4f8318\/79a56f34-ffbe-4621-a74c-9b1e49477904.html\">Maine AG<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Actors Exploit Exposed Docker APIs and Tor to Stealthily Deploy XMRig Miners<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Trend Micro researchers have uncovered a campaign where threat actors leverage misconfigured Docker Remote APIs and Tor anonymization to infiltrate containerized environments and deploy XMRig cryptocurrency miners. <strong>The attack mounts the host root, spins up a torified container to fetch a hidden \u201cdocker-init.sh\u201d script from a .onion server, and uses an internal dropper with zstd compression to optimize mining while avoiding external downloads. <\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack chain: mount \/hostroot, install Tor inside container, fetch &amp; execute \u201cdocker-init.sh\u201d via .onion URL<\/li>\n\n\n\n<li>Dropper bundles XMRig miner and execution steps internally; uses zstd to compress miner for performance<\/li>\n\n\n\n<li><strong>All traffic and DNS resolution routed through Tor\u2019s socks5h proxy for stealth<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit and close exposed Docker Remote API endpoints immediately<\/li>\n\n\n\n<li>Restrict API access via network whitelisting and enforce TLS client authentication<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cloud-security\/attackers-docker-apis-tor-anonymity-crypto-heist\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Chinese \u2018Salt Typhoon\u2019 Group Exploits Cisco Flaw to Target Canadian Telcos<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">In mid-February 2025, Canadian authorities and the FBI linked Chinese state-sponsored <strong>Salt Typhoon to compromises of Cisco network devices at a Canadian telecom<\/strong>, exploiting CVE-2023-20198 to retrieve configurations and create GRE tunnels for traffic collection. This espionage campaign, mirroring earlier U.S. attacks, puts call records and private communications of government and political figures at risk. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Three Cisco devices at a Canadian telco were compromised<\/strong> in mid-February 2025.<\/li>\n\n\n\n<li>Attackers exploited CVE-2023-20198 to extract running configs and deploy GRE tunnels.<\/li>\n\n\n\n<li>Salt Typhoon previously used this vulnerability in espionage operations against U.S. telecoms.<\/li>\n\n\n\n<li>U.S. firm Viasat also reported unauthorized access via a compromised device, with no customer impact.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply Cisco\u2019s CVE-2023-20198 patches immediately.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.securityweek.com\/chinas-salt-typhoon-hackers-target-canadian-telecom-firms\/\">SecurityWeek<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Critical Authentication Bypass Flaw Patched in Teleport<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Teleport has released patches for a <strong>critical SSH authentication bypass<\/strong> (CVE-2025-49825, CVSS 9.8) that <strong>could let remote attackers access managed servers without valid credentials.<\/strong> Cloud customers were auto-patched; self-hosted instances must upgrade immediately to avoid unauthorized access and operational disruption.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Patches released in Teleport 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27 and 12.4.35.<\/li>\n\n\n\n<li>Impacts SSH agents, OpenSSH-integrated deployments, and Git proxy setups.<\/li>\n\n\n\n<li>No public exploits or in-the-wild attacks reported to date.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Upgrade all Teleport nodes to the matching patched major version.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.securityweek.com\/critical-authentication-bypass-flaw-patched-in-teleport\/\" target=\"_blank\" rel=\"noopener\" title=\"\">SecurityWeek<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. DHS Warns Pro-Iranian Hackers Will Target U.S. Infrastructure After Iranian Nuclear Strikes<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The U.S. Department of Homeland Security and FBI have issued a joint advisory warning that pro-Iranian hacktivist groups are likely to launch disruptive cyberattacks\u2014ranging from DDoS to ransomware and website defacements\u2014against American critical infrastructure<\/strong> if Iran conducts nuclear strikes. 
Energy, water treatment, healthcare and government networks face the highest risk, underscoring an urgent need for targeted defensive measures.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The joint DHS\/FBI advisory was published on June 24, 2025, under CISA Alert AA25-163A.<\/li>\n\n\n\n<li>Identified hacktivist cells (e.g., Green Commandos, HoldResist) plan DDoS, web defacement, ransomware.<\/li>\n\n\n\n<li><strong>Primary targets include energy, water treatment, healthcare, government and defense contractor networks.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable DDoS protection on public-facing applications.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/06\/dhs-warns-pro-iranian-hackers-likely-to.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Echo Chamber Jailbreak Enables LLMs to Generate Harmful Content<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Neural Trust researchers have unveiled the \u201cEcho Chamber\u201d jailbreak, a six-step, multi-turn context-poisoning technique that coaxes <strong>leading LLMs into policy-violating outputs without explicit harmful prompts.<\/strong> In evaluations across <strong>GPT-4.1-nano, GPT-4o, Gemini-2 and others<\/strong>, the attack<strong> achieved over 90% success in triggering hate speech, violence, sexism and pornography within 1\u20133 turns, and above 80% in misinformation and self-harm scenarios.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The six-step method plants benign \u201cpoisonous\u201d and \u201csteering\u201d seeds to subtly shift model context over multiple turns.<\/li>\n\n\n\n<li>Fully black-box: no access to model weights or architecture required, making it widely applicable to commercial LLMs.<\/li>\n\n\n\n<li>Usual token-level filters fail, as the attack relies on indirect references and inference rather than explicit toxic language.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Educate employees on the different ways LLMs can be manipulated, so that they evaluate LLM outputs more critically.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/echo-chamber-attack\/\">Cyber Security News<\/a> and <a href=\"https:\/\/thehackernews.com\/2025\/06\/echo-chamber-jailbreak-tricks-llms-like.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Another reason to take care of your personal IoT devices: Iran Targets Israeli CCTV Systems to Refine Missile Strikes<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Israeli officials warn that Iranian actors are accessing internet-connected security cameras to observe missile impact sites and improve targeting accuracy. <\/strong>Citizens are urged to disconnect CCTV systems as unpatched IoT cameras have become a real-time intelligence source in modern conflicts. This tactic echoes documented use of compromised surveillance feeds in Ukraine and along the Russia\u2013Ukraine front.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Officials say attempts spiked in the past 2\u20133 days, per former cyber official Refael Franco.<\/li>\n\n\n\n<li>Similar exploits recorded in Ukraine, where Russian intelligence streamed compromised camera feeds.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always apply the latest firmware patches to all IoT devices<\/li>\n\n\n\n<li>Isolate IoT networks from operational and control systems<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-06-20\/iran-hijacking-home-security-cameras-to-spy-within-israel\">Bloomberg<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Meta\u2019s Llama 3.1 70B Model Memorizes Full Texts of Copyrighted Books<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Research by Stanford, Cornell and West Virginia University shows Meta\u2019s Llama 3.1 70B can reproduce 91% of The Sorcerer\u2019s Stone and large passages of 1984, indicating the model internally \u201cmemorizes\u201d copyrighted texts rather than purely generating new content. 
This raises significant infringement risks for organizations deploying or distributing the model and challenges AI vendors\u2019 defense that their systems are only \u201cinspired by\u201d training data. Security, legal and procurement teams must reassess LLM sourcing and usage controls, and monitor evolving copyright litigation.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Researchers split 56 books into overlapping 100-token strings and prompted the model with 50 tokens to extract the next 50.<\/li>\n\n\n\n<li>Llama 3.1 70B reproduced 91% of the first Harry Potter book and significant chunks of other copyrighted works.<\/li>\n\n\n\n<li>Model\u2019s popularity (~1 million downloads) amplifies potential legal exposure if distribution is deemed unauthorized copying.<\/li>\n\n\n\n<li>Variability across Llama versions suggests particular training choices\u2014like retaining duplicates\u2014drove memorization.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>If 91% of Harry Potter books can be reproduced, so could your company&#8217;s internal documents used in prompts. 
Review if and how your LLM providers use content uploaded to their services.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.404media.co\/the-404-media-podcast\/\">404 Media<\/a> and <a href=\"https:\/\/arxiv.org\/pdf\/2505.12546\">ArXiv<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>","protected":false},"excerpt":{"rendered":"<p>Summaries of 9 actionable and interesting cybersecurity news items from the last week of June 2025.<\/p>","protected":false},"author":1,"featured_media":19771,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-19698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=19698"}],"version-history":[{"count":77,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19698\/revisions"}],"predecessor-version":[{"id":19776,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/19698\/revisions\/19776"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/19771"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=19698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=1
9698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=19698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}