CyberSecurity Newsletter June 16th, 2025
In this week’s news: the Anubis RaaS operator has added a “wipe mode” to its ransomware that permanently erases files; virtual kidnapping scams claim a loved one has been abducted, using AI-generated voices, social media details and spoofed caller IDs; ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers; Microsoft is investigating an ongoing incident causing errors in some Microsoft 365 authentication features; Ox Security warned on Sunday that CVE-2025-4123 impacts 36% of public-facing Grafana instances, over 46,000 worldwide; and Microsoft is investigating a known issue that triggers Secure Boot errors and prevents Surface Hub v1 devices from starting up.
The Anubis ransomware-as-a-service (RaaS) operator has developed a novel dual threat capability to increase pressure on victims. Trend Micro researchers discovered a “wipe mode” in the ransomware strain which permanently erases files and is used alongside general encryption capabilities. This destructive capability makes file recovery impossible, increasing the pressure on victims to pay ransom demands.
https://www.infosecurity-magazine.com/news/anubis-ransomware-file-wiping/
Recorded Future’s Insikt Group analyzed new Predator spyware infrastructure and found that the spyware is still gaining users despite U.S. sanctions in place since July 2023.
https://securityaffairs.com/179036/hacking/new-predator-spyware-infrastructure-revealed-activity-in-mozambique-for-first-time.html
Malicious actors could use the novel TokenBreak attack technique to manipulate the tokenization strategy of large language models and evade their safety and content moderation protections, reports The Hacker News.
https://www.scworld.com/brief/ai-moderation-guardrails-circumvented-by-novel-tokenbreak-attack
Google attributes Thursday’s massive Google Cloud outage, which disrupted or brought down its own services and many other online platforms, to an API management issue. The outage started around 10:49 ET and ended at 3:49 ET, causing issues for millions of users worldwide for over three hours.
https://www.bleepingcomputer.com/news/google/google-links-massive-cloud-outage-to-api-management-issue/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory.
https://thehackernews.com/2025/06/ransomware-gangs-exploit-unpatched.html
Cybernews reports that Asefa, the Spanish arm of major French insurance firm SMABTP, has confirmed it was impacted by a cyberattack that disrupted certain systems but not its core business, after the Qilin ransomware gang claimed to have stolen 210 GB of data from the firm.
https://www.scworld.com/brief/french-insurers-subsidiary-discloses-attack-after-qilin-claims
Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injections are obfuscated using JSFuck, an "esoteric and educational programming style" that uses only a limited set of characters (the six symbols [ ] ( ) ! +) to write and execute JavaScript code.
https://thehackernews.com/2025/06/over-269000-websites-infected-with.html
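As an added example, not code from the original page or from Unit 42's report, the JavaScript below shows how JSFuck derives letters and digits from a few type coercions using only the characters [ ] ( ) ! +, and a simple run-length check a defender can use to flag such injections in page or script content. The encoder, the detector and the sample page are constructed for illustration; the encoder covers only the characters reachable from "true", "false", "undefined" and digits, and full JSFuck reaches the rest of the character set by the same trick applied to longer coerced strings.

```javascript
// JSFuck obfuscation: every value is built from six characters [ ] ( ) ! +
// by abusing JavaScript's type coercion. The primitives the technique starts
// from:
//   +[]        -> 0          (unary plus on an empty array)
//   !+[]       -> true       so  +!+[]  -> 1  and  !+[]+!+[]  -> 2
//   ![]+[]     -> "false"    !![]+[]   -> "true"    [][[]]+[] -> "undefined"
// Indexing those strings with JSFuck numbers yields individual letters.

// Number n written only with [ ] ! +
function num(n) {
  if (n === 0) return '+[]';
  if (n === 1) return '+!+[]';
  return Array(n).fill('!+[]').join('+'); // true+true+... adds up to n
}

// String values reachable from the primitives, as JSFuck expressions
const WORDS = { false: '![]+[]', true: '!![]+[]', undefined: '[][[]]+[]' };

// Character table: character -> JSFuck expression evaluating to it
const CHAR = {};
for (const [word, expr] of Object.entries(WORDS)) {
  [...word].forEach((ch, i) => {
    if (!(ch in CHAR)) CHAR[ch] = `(${expr})[${num(i)}]`; // e.g. "false"[1] -> "a"
  });
}
for (let d = 0; d <= 9; d++) CHAR[String(d)] = `(${num(d)}+[])`; // n+[] -> "n"

// Minimal JSFuck encoder for the subset above (constructed for this example)
function encode(s) {
  return [...s].map((ch) => {
    if (!(ch in CHAR)) throw new Error(`no derivation for ${JSON.stringify(ch)} in this subset`);
    return CHAR[ch];
  }).join('+'); // string + string concatenates, so the pieces reassemble
}

// True if the text uses nothing but the six JSFuck characters
function isJSFuckOnly(text) {
  return /^[\[\]()!+]+$/.test(text);
}

// Detection heuristic: ordinary scripts rarely contain more than a few
// consecutive characters drawn solely from [ ] ( ) ! +. Returns every run of
// at least minLen such characters with its offset.
function findJSFuckRuns(text, minLen = 64) {
  const runs = [];
  const re = /[\[\]()!+]+/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m[0].length >= minLen) runs.push({ start: m.index, length: m[0].length, text: m[0] });
  }
  return runs;
}

// Evaluate a flagged run to recover what it builds. Do this only on an
// isolated analysis host: a real injected payload executes code when evaluated.
function evaluateRun(run) {
  if (!isJSFuckOnly(run)) throw new Error('refusing to evaluate non-JSFuck text');
  return Function(`"use strict"; return (${run});`)();
}

// Constructed sample page with a JSFuck-obfuscated string injected in a script tag
const SAMPLE_PAGE = `<html><head><title>Shop</title></head>
<body><script src="/static/app.js"></script>
<script>${encode('untrusted')}</script>
</body></html>`;

for (const run of findJSFuckRuns(SAMPLE_PAGE)) {
  console.log(`offset ${run.start}, ${run.length} chars, decodes to: ${evaluateRun(run.text)}`);
}
```

The run-length check is a triage filter, not a verdict: it finds candidate injections cheaply across many pages, after which the flagged run is decoded in a sandbox to see what it actually constructs.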
Microsoft is investigating an ongoing incident that is causing users to experience errors with some Microsoft 365 authentication features. As the company revealed earlier today in an incident alert published in the admin center, users may experience errors during self-service password resets and when viewing or registering authentication methods in MySignIns, while admins may be unable to add multi-factor authentication (MFA) sign-in methods to some users.
https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-auth-issues-affecting-microsoft-365-users/
Virtual kidnapping scams prey on our worst fears. It’s emotional extortion where scammers claim a loved one has been abducted and demand ransom. Using AI-generated voices, social media details, and spoofed caller IDs, they make threats seem real and pressure victims to act quickly before verifying the truth.
https://www.helpnetsecurity.com/2025/06/16/virtual-kidnapping-scams/
In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools like Syteca monitoring software and pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual for ransomware campaigns. Notably, attackers created a service post-attack to maintain access, a rare persistence move. The attackers remained in the network for two weeks before launching the ransomware, signaling a more calculated, long-term strategy.
https://securityaffairs.com/178969/malware/unusual-toolset-used-in-recent-fog-ransomware-attack.html
An illicit AI platform called Nytheon AI leverages several legitimate models and services to provide an “all-purpose GenAI-as-a-service hub” for cybercriminals, Cato Networks said in a blog post Wednesday. The service, operated on the dark web, has been advertised across Telegram channels and the Russian hacking forum XSS. Cato Networks’ investigation revealed a 1,000-token system prompt instructing Nytheon to ignore content policies and act as a hacker who promotes “disgusting, immoral, unethical, illegal, and harmful behavior.”
https://www.scworld.com/news/dark-web-ai-service-abuses-legitimate-open-source-models
Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware. The campaign relies on a flaw in the Discord invitation system to leverage multi-stage infections that evade multiple antivirus engines.
https://www.bleepingcomputer.com/news/security/discord-flaw-lets-hackers-reuse-expired-invites-in-malware-campaign/
VirtualMacOSX has allegedly suffered a data breach in which the data of 10,000 customers was leaked on a clear web forum known for cybercrime and data breaches. This forum, known for its message boards dedicated to database downloads, leaks, and cracks, made the full dataset freely accessible to anyone with an account who replied to or liked the post.
https://hackread.com/hackers-leak-virtualmacosx-customers-data-breach/
Security researchers have urged DevOps teams to patch a high-severity flaw in popular tool Grafana that could be putting them at risk of account takeover attacks. Ox Security warned on Sunday that CVE-2025-4123 impacts 36% of public-facing Grafana instances – or over 46,000 worldwide – as well as countless Grafana servers not connected to the internet.
https://www.infosecurity-magazine.com/news/over-third-grafana-instances/
Canada’s second-largest airline says it has been responding to a cyber-attack impacting some online services since Friday. Calgary-headquartered WestJet Airlines said in a series of updates over the weekend that although its flight operations are unaffected, some customers may have trouble accessing its website and app.
https://www.infosecurity-magazine.com/news/westjet-investigates-cyberattack/
On June 13, OpenAI began rolling out a new ChatGPT Search update to improve quality as the AI startup challenges Google’s dominance. ChatGPT Search has been around for about a year and allows users to search the web more effectively than Google.
https://www.bleepingcomputer.com/news/artificial-intelligence/chatgpt-search-gets-an-upgrade-as-openai-takes-aim-at-google/
Palo Alto Networks fixed seven privilege escalation vulnerabilities and integrated the latest Chrome security patches into its products. Palo Alto applied 11 Chrome fixes and patched CVE-2025-4233, a cache vulnerability impacting the Prisma Access Browser. The most severe vulnerability, tracked as CVE-2025-4232 (CVSS score of 7.1), is an authenticated code injection through wildcard in the GlobalProtect app on macOS.
https://securityaffairs.com/179000/security/palo-alto-networks-fixed-multiple-privilege-escalation-flaws.html
Resecurity has identified 7.4 million records containing personally identifiable information (PII) of Paraguayan citizens leaked on the dark web today. Last week, cybercriminals offered information about all citizens of Paraguay for sale, demanding $7.4 million in ransom, or $1 per citizen. A ransomware group was extorting the entire country in what is probably one of the most significant cybersecurity incidents in the nation’s history, with a symbolic deadline
https://securityaffairs.com/178970/data-breach/paraguay-suffered-data-breach-7-4-million-citizen-records-leaked-on-dark-web.html
Microsoft is investigating a known issue that triggers Secure Boot errors and prevents Surface Hub v1 devices from starting up. These boot problems only impact Surface Hub v1 systems running Windows 10, version 22H2, after installing the KB5060533 June 2025 Windows security update.
https://www.bleepingcomputer.com/news/microsoft/microsoft-kb5060533-update-triggers-boot-errors-on-surface-hub-v1-devices/
BleepingComputer reports that at least two journalists in Europe, including Italian Ciro Pellegrino, had their iPhones subjected to zero-click attacks exploiting the zero-day flaw, tracked as CVE-2025-43200, to deploy Paragon's Graphite spyware earlier this year.
https://www.scworld.com/brief/zero-click-attacks-target-journalists-iphones-with-graphite-spyware