
Cybersecurity Week in Review: June 10–16, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • Zoomcar Breach (8.4 Million Users): Indian car-sharing company Zoomcar disclosed that a hacker accessed personal data of 8.4 million customers, including names, phone numbers, and car registration numbers. The incident was identified on June 9 after employees received extortion emails from a threat actor. Zoomcar’s SEC filing noted no evidence of financial data or passwords being compromised, and the firm activated its incident response plan, added cloud and network safeguards, and notified authorities.

  • T-Mobile Data Leak Claim (64 Million Records): Hackers on a dark web forum claimed to have leaked a database of 64 million T-Mobile customer records containing names, dates of birth, tax IDs, addresses, phone numbers, emails and more. T-Mobile denied any breach, saying the sample data “does not relate to T-Mobile or our customers”. Investigators could not fully verify the dump’s authenticity, but warned that if legitimate, exposure of such extensive PII would pose serious risks of identity theft and targeted attacks.

  • Texas Transportation Dept (TxDOT) Breach: The Texas DOT confirmed a breach of nearly 300,000 crash reports after a user account for its Crash Records Information System was compromised. The attacker downloaded a large volume of accident records, potentially exposing names, addresses, driver’s license numbers, license plates, and insurance policy details. TxDOT discovered unusual activity on May 12 and promptly disabled the affected account. While Texas law didn’t mandate disclosure, TxDOT is notifying impacted individuals by mail and has set up a helpline, as well as enhancing security to prevent similar incidents.

(Other notable breaches this week included news of a massive Adecco data breach in France (72,000 victims) now at the center of a fraud trial, and SK Telecom’s ongoing response to a USIM data breach: the Korean carrier resumed new eSIM activations after replacing affected SIM cards from an April hack.)

Significant Cyberattacks and Incidents

  • Ransomware Disrupts Major Food Supplier: A cyberattack on United Natural Foods (UNFI) – the primary distributor for Whole Foods – severely disrupted operations, leaving grocery shelves empty across parts of the U.S. last week. Discovered on June 5, the incident (reportedly ransomware) crippled UNFI’s ordering systems, forcing manual “pen and paper” processes to fulfill orders. By June 16, UNFI reported “significant progress” in safely restoring electronic ordering and deliveries. Most distribution centers were shipping again, but the company continued to work with law enforcement and operate with workarounds while fully recovering. The attack underscored the real-world supply chain impact of cyber incidents.

  • Washington Post Journalists’ Emails Hacked: The Washington Post revealed that a state-sponsored threat actor likely breached its email system, compromising several journalists’ Office 365 accounts. The intrusion, discovered June 12, appeared to target reporters covering national security, economics, and China. In a June 15 internal memo, the Post warned staff of a “targeted unauthorized intrusion” and noted that Microsoft email accounts of a limited number of employees were affected. While details were not shared publicly, the attack fits a pattern of APT (advanced persistent threat) campaigns against media outlets, recalling past incidents where nation-state hackers exploited Exchange email server flaws. The Post is investigating with help from security partners, highlighting the ongoing risk to press organizations from espionage-motivated breaches.

  • Yes24 Ransomware Outage (South Korea): Leading Korean e-commerce and ticketing platform Yes24 suffered a ransomware attack on June 9 that paralyzed its website and apps for days. Customers were unable to buy books, tickets, or other items as the company worked to restore systems. By June 13 (five days later) Yes24 had brought core shopping features back online, though some account services remained unavailable. In the week following, Yes24’s co-CEOs issued a public apology and announced plans to compensate affected users for the disruption. The company is engaging external experts to investigate the breach and audit security, vowing to overhaul its defenses (including expanding the cybersecurity budget and bringing in advisors) to rebuild customer trust. This incident illustrates the significant business impact of ransomware, even on tech-savvy retailers, and the growing expectation of transparency and remediation for customers.

(Also of note: Canadian airline WestJet experienced a cyber incident that forced it to temporarily take down its website and mobile app, causing customer frustration as the company investigated. And fashion retailer Victoria’s Secret disclosed a cyberattack that disrupted some operations, though by week’s end it reported restoring all critical systems and said no customer data was leaked.)

Critical Vulnerabilities and Patches

  • Microsoft Patch Tuesday (June 2025): Microsoft’s monthly updates on June 10 addressed 66–67 security vulnerabilities across Windows, Office, .NET, and more. Notably, it included a fix for an actively exploited zero-day (CVE-2025-33053) – a WebDAV remote code execution flaw used by an APT group (“Stealth Falcon”) to deploy spyware in a Middle Eastern defense org. This exploit involved a malicious .url file triggering code from an attacker’s WebDAV server, allowing stealthy compromise of Windows systems. Microsoft also patched a publicly disclosed Windows SMB client bug (CVE-2025-33073) that could enable privilege escalation via a rogue SMB server. In total, 9 critical severity bugs were fixed. Administrators are urged to prioritize Windows OS updates (which resolve both the zero-day and SMB flaw).

  • SimpleHelp RMM Exploit Advisory: On June 12, the U.S. CISA warned that ransomware actors are exploiting unpatched instances of SimpleHelp remote management software. A path traversal vulnerability (CVE-2024-57727) in SimpleHelp (versions ≤5.5.7) has been used since January to breach a utility billing software provider and its customers. Attackers leveraged this flaw to gain downstream access, causing service outages and double-extortion ransomware incidents. CISA’s alert urged all organizations using SimpleHelp to search for signs of compromise and apply the available patch or mitigations immediately. (Notably, CISA had already added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog back in February.) This case underscores the danger of unpatched third-party IT tools and the importance of prompt patch management.

  • Other Vendor Updates: Google released Chrome updates recently to fix two actively exploited zero-day vulnerabilities in the browser (CVE-2025-5419 and CVE-2025-4664). Organizations should ensure Chrome and other browsers are updated, given the rapid cadence of fixes for high-profile flaws. Adobe issued patches for Acrobat, InDesign, Experience Manager, Commerce (Magento) and more, addressing a staggering 259 CVEs this month – administrators are advised to update Adobe software promptly, especially the Commerce/Magento update which fixed several critical issues. Security hardware firm Tenable also patched three high-severity bugs in its Nessus vulnerability scanner agent (Windows versions ≤10.8.4) that could allow privilege escalation or code execution; Nessus users are urged to upgrade agents to stay protected (CVE-2023-32635 et al.).

  • Apple Device Vulnerabilities: While Apple did not have a major iOS release this week, it updated its security advisories to note that two iPhone vulnerabilities were exploited in the wild by likely spyware attacks. One issue (CVE-2025-24200 in iOS 18.3.1) could let an attacker bypass lockscreen USB restrictions – Apple credits Citizen Lab for uncovering it and noted it was used in “extremely sophisticated” targeted attacks. Another bug in the Photos/Messages link handling (CVE-2025-43200) was also exploited via malicious iCloud photo sharing links. These were patched in earlier updates, but Apple’s acknowledgment this week highlights the real-world targeting of iOS zero-days by surveillance spyware. Users should always install iOS/iPadOS updates when available, and those at high risk (e.g. journalists, activists) should enable Lockdown Mode and other protections.

Government and Industry Cyber Responses

  • Global Infostealer Crackdown (Operation “Secure”): An INTERPOL-coordinated operation targeting information-stealing malware rings led to 32 arrests across Asia and the takedown of a massive criminal infrastructure. Law enforcement from 26 countries (with major actions in Vietnam, Hong Kong, and others) dismantled over 20,000 malicious IP addresses and domains used to distribute infostealer malware. They seized 41 servers and 100+ GB of stolen data, and proactively notified more than 216,000 victims to change passwords and secure accounts. Those arrested included a suspected ringleader who sold business accounts for criminal use. This sweep, dubbed Operation Secure, also saw private cybersecurity firms assist in identifying malware like Lumma, RisePro, and Meta stealer variants. The crackdown – which follows earlier takedowns of Lumma infrastructure in May – demonstrates growing international cooperation to disrupt cybercrime at scale, especially in the APAC region where infostealer activity had been surging.

  • U.S. Seizes Crypto from North Korean Scheme: The U.S. Department of Justice moved to forfeit $7.74 million in cryptocurrency tied to North Korea’s illicit IT worker program. According to a June 9 court filing, the funds were frozen from wallets allegedly controlled by North Korean operatives who posed as freelance IT developers to get jobs at global companies, then funneled their earnings to Pyongyang in violation of sanctions. This action builds on a 2023 indictment of a North Korean banker (Sim Hyon Sop) who laundered over $15 million from such schemes. U.S. officials say thousands of DPRK tech workers – often using fake IDs, AI-generated profiles, and third-party hiring platforms – have infiltrated companies worldwide, earning salaries (sometimes $300k+ per year each) that fund North Korea’s missile and cyber programs. The DOJ previously seized $1.5M and domains in this investigation and charged facilitators in the U.S. By confiscating these crypto assets, authorities aim to claw back illicit proceeds and deter companies from inadvertently employing sanction-evading actors.

  • Australia’s Mandatory Ransomware Payment Reporting: A new Australian ransomware payment reporting regime went into effect on May 30, with impacts felt this week as businesses digest the requirements. Under the law, any company with over AUD $3 million in turnover – as well as entities in critical infrastructure sectors like energy, telecom, finance, etc. – must report to the government if they make a ransomware or cyber extortion payment. Reports must be filed via the Australian Cyber Security Centre within 72 hours of payment, and cover any ransom paid (whether in money, crypto, or even non-monetary compensation). The rule even extends to payments made on a victim’s behalf by third parties (such as insurers or contractors). Failure to report can incur penalties (up to 60 units, i.e. tens of thousands in fines). This landmark mandate is intended to improve government visibility into ransomware impact and discourage payouts fueling criminal enterprises. Cybersecurity officials in Australia say the data collected will feed into threat intelligence and help coordinate responses, while also pushing executives to treat ransomware incidents as a governance and board-level issue. The channel and infosec community is now focused on helping businesses integrate these reporting obligations into incident response plans and ensure compliance.

  • Other Notable Actions: The UK Parliament continued debates on strengthening cyber regulations, and the U.S. Congress weighed reauthorizing cybersecurity programs (like CISA’s mandate) with additional funding and oversight, though no new legislation passed this week. Meanwhile, CISA and international agencies issued several security advisories – beyond the SimpleHelp alert above, CISA released Industrial Control Systems advisories for vulnerabilities in widely used SCADA products on June 10 and June 12, urging critical infrastructure operators to patch urgently. And in the private sector, an alliance of tech companies announced an initiative to create a public “Who’s Who” database of cybercriminal groups and state-sponsored hackers (a collaborative effort to improve threat actor attribution and information sharing). These moves reflect a broader trend of public-private collaboration and policy responses to the evolving cyber threat landscape.

Miscellaneous Developments

  • Verizon DBIR 2025 – Key Trends: Verizon released its annual Data Breach Investigations Report, offering a mid-year reality check on cyber trends. The 2025 DBIR analyzed over 12,000 breaches and found ransomware now appears in 44% of them – up sharply from 32% the year prior. Ransomware has essentially overtaken stolen credentials as the top action in breaches, and is nearly on par with all phishing/DoS incidents combined in frequency. Small and mid-sized businesses are especially hard-hit: a striking 88% of SMB breaches involved ransomware, versus ~39% for large enterprises. The report also highlighted a third-party risk explosion – breaches involving a vendor or partner doubled to 30% of cases (vs. 15% last year), underscoring supply-chain security concerns. Additionally, vulnerability exploitation as an initial attack vector jumped by 34%, now accounting for 20% of breaches – surpassing phishing as the second most common entry point (stolen credentials remain #1 at ~22%). On a positive note, median ransomware payments have declined (to ~$115k, down from $150k) as more victims refuse to pay (64% in 2024 vs 50% in 2022). The DBIR’s broad message is that despite some defensive gains, organizations face intensifying threats from ransomware gangs and supply chain attacks, and must double down on basics like patching (many breaches exploited old vulns on VPNs/edge devices) and third-party due diligence. It also reinforces that cyber incidents are not just IT problems but business-wide crises, given the operational disruptions and financial costs.

  • Commercial Spyware in New Places: Researchers and governments continue to track the spread of mercenary spyware. This week brought news that “Predator” spyware (a Pegasus-like surveillance tool) was observed in Mozambique for the first time – indicating such spyware is proliferating beyond traditional hot spots. Predator, sold by an Israeli company, has previously been linked to targeted spyware attacks in Europe and the Middle East; its appearance in Africa underscores the global availability of these hacking-for-hire tools. The discovery in Mozambique (reportedly on a device belonging to a politician) highlights the ongoing threat to civil society and political figures from commercial spyware and the challenges in curbing its use. In related news, the UK and Canadian governments issued statements condemning the misuse of spyware against activists and journalists, aligning with the U.S. executive order from March that limits federal use of spyware. These developments keep the spotlight on digital surveillance abuses and may spur further regulations on spyware vendors.

  • AI and Phishing/Defense: The impact of AI on cybersecurity was a recurring theme. Security analysts noted a surge in AI-generated phishing emails and deepfakes used by threat actors for social engineering. (In fact, the DBIR data suggests AI-crafted scam emails doubled in prevalence, though overall social engineering still relies heavily on human gullibility.) Conversely, defenders are leveraging AI for threat detection and user training – e.g., new tools that simulate AI-generated phishing to teach employees, and AI-based anomaly detection in SOCs. One report this week highlighted that 15% of employees at a sample of companies have used generative AI tools (e.g. ChatGPT) for work tasks – often via personal accounts – raising worries about data leakage and privacy. CISOs are now evaluating guidelines for safe AI use internally. Meanwhile, at the RSA Asia Pacific & Japan conference and other events, experts discussed how to harness AI for automated incident response while guarding against its risks. The consensus is that AI will be a “double-edged sword” in cybersecurity – accelerating both attack techniques and defensive capabilities – meaning organizations must innovate but also remain vigilant about new AI-driven threat vectors.

  • Other Notes: Numerous research reports were released or discussed, such as an analysis of the emerging “Fog” ransomware group using unconventional living-off-the-land tools to evade detection, and a Proofpoint study urging “human-centric” defenses as AI phishing rises. Law enforcement also scored wins against cybercriminals beyond infostealers: Europol announced the takedown of the “Archetyp” dark web marketplace for drugs and hacking tools, arresting its alleged administrator. Additionally, this week saw the 10th anniversary of the NotPetya attack (June 2015), prompting retrospectives on how that destructive malware changed disaster recovery planning. Major cybersecurity conferences on the horizon include Black Hat USA (August) and the first Global Ransomware Summit, reflecting the intense focus on ransomware’s impact. In sum, the week’s happenings show a cybersecurity field that is dynamic and interconnected – from local breaches to international police ops – demanding constant awareness from security professionals.

Conclusion

This week’s developments reinforce several key takeaways for security leaders and practitioners:

  • Data breaches remain rampant across industries and geographies – from tech startups to government agencies – often exposing millions of individuals’ data. Organizations must have strong data protection and incident response plans, and be ready to notify and support affected users. The Zoomcar and TxDOT cases show that even if certain data (like financial info) isn’t stolen, the loss of personal information at scale can trigger regulatory scrutiny and erode public trust.

  • Ransomware and disruptive cyberattacks continue to dominate the threat landscape. We saw critical services and businesses knocked offline, whether it’s a food distribution giant or a popular e-commerce site. These incidents highlight the need for robust business continuity and backups, network segmentation (to limit blast radius), and rapid response playbooks. Victims are increasingly refusing to pay ransoms, which is encouraging, but that also means firms must be confident in their recovery capabilities. Cross-sector impacts (like a supplier outage affecting grocery stores nationwide) underline that cybersecurity is not just about data loss – it can halt operations and revenue, making it a board-level risk.

  • Patch management and vulnerability mitigation are as urgent as ever. A common thread in many attacks (ransomware deployments, state-sponsored hacks, etc.) is the exploitation of known vulnerabilities or insecure configurations. The fact that ransomware actors are exploiting months-old SimpleHelp RMM bugs, and that Microsoft’s report shows unpatched flaws becoming a top attack vector, should spur organizations to accelerate their update cycles and adopt a risk-based patching strategy. Regularly monitor threat advisories (like CISA’s alerts) and prioritize fixes for any software in the KEV (Known Exploited Vulnerabilities) catalog. Where immediate patching isn’t possible, implement compensating controls or workarounds.

  • Threat actors are evolving – leveraging new techniques (living-off-the-land tools, AI for phishing, novel malware like “fileless” ransomware) and targeting the weakest links (such as smaller suppliers or unmonitored accounts). Meanwhile, nation-state hackers persist in highly targeted intrusions (as seen with the journalist email hack), reminding us that advanced persistent threats will probe even well-secured organizations via spear-phishing or zero-days. A multi-layered defense, user awareness training, and monitoring for abnormal access are crucial to countering these subtle incursions.

  • Government and industry collaboration is increasing in response to cyber threats. This week saw major law enforcement successes and new regulations – a clear signal that authorities are stepping up efforts to deter cybercrime and improve visibility (through mandatory reporting, asset seizures, etc.). Organizations should take advantage of government resources (like threat intel sharing, free scanning tools, cyber hygiene programs) and ensure compliance with any new laws in their jurisdictions (such as Australia’s reporting rules). Public-private partnerships, along with international cooperation, will be key to tackling issues like ransomware and state-backed hacking at their root.
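
The patching takeaway above (prioritize fixes for anything in CISA’s KEV catalog, and treat months-old, ransomware-linked entries as the most urgent) can be turned into a small triage script. The following is an added example written for this review, not code from the post or from CISA; it assumes the catalog arrives in the JSON shape CISA publishes for the KEV feed (a top-level "vulnerabilities" list whose items carry cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse), and the catalog sample, asset inventory, host names and scoring weights are all constructed. The two CVEs and the SimpleHelp ≤5.5.7 version range come from the post; the catalog dates are placeholders whose months follow the post (SimpleHelp listed in February, the Windows zero-day patched June 10).

```python
"""Risk-based patch triage against a KEV-style catalog (added example, not from the post)."""
import json
from datetime import date

# Fixed "today" (last day of the week the post covers) so the ranking is deterministic.
TODAY = date(2025, 6, 16)

# Constructed sample in the KEV JSON shape. Dates are placeholders (months follow the post).
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dateAdded": "2025-02-13", "dueDate": "2025-03-06",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-33053", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-06-10", "dueDate": "2025-07-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})


def parse_version(v):
    """'5.5.7' -> (5, 5, 7) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


# Which inventory entries each catalog item affects: cveID -> (inventory product name,
# predicate over the asset record). Hypothetical mapping maintained by the defender.
AFFECTED = {
    # SimpleHelp versions up to and including 5.5.7 (range stated in the post).
    "CVE-2024-57727": ("SimpleHelp", lambda a: parse_version(a["version"]) <= (5, 5, 7)),
    # Windows hosts whose last cumulative update predates the June 10 Patch Tuesday.
    # The post gives no build number, so a constructed patch-date rule stands in for one.
    "CVE-2025-33053": ("Windows", lambda a: date.fromisoformat(a["patch_level"]) < date(2025, 6, 10)),
}

# Constructed asset inventory (host names are placeholders).
INVENTORY = [
    {"host": "rmm-01", "product": "SimpleHelp", "version": "5.5.7"},
    {"host": "rmm-02", "product": "SimpleHelp", "version": "5.5.8"},
    {"host": "ws-finance-07", "product": "Windows", "patch_level": "2025-05-13"},
    {"host": "ws-hr-02", "product": "Windows", "patch_level": "2025-06-11"},
]


def load_catalog(kev_json):
    return json.loads(kev_json)["vulnerabilities"]


def score(entry, asset, today):
    """Constructed weighting: everything in the catalog is exploited in the wild (+10),
    known ransomware use (+50), federal due date already passed (+40) or within two
    weeks (+20), plus days since listing capped at 30 so old entries keep rising."""
    due = date.fromisoformat(entry["dueDate"])
    days_to_due = (due - today).days
    s = 10
    if entry.get("knownRansomwareCampaignUse") == "Known":
        s += 50
    if days_to_due < 0:
        s += 40
    elif days_to_due <= 14:
        s += 20
    s += min((today - date.fromisoformat(entry["dateAdded"])).days, 30)
    return {"host": asset["host"], "cve": entry["cveID"], "score": s,
            "due": entry["dueDate"], "overdue": days_to_due < 0}


def exposures(catalog, inventory, rules, today):
    """Match catalog entries against the inventory and return exposures, highest risk first."""
    found = []
    for entry in catalog:
        if entry["cveID"] not in rules:
            continue
        product, is_affected = rules[entry["cveID"]]
        for asset in inventory:
            if asset["product"] == product and is_affected(asset):
                found.append(score(entry, asset, today))
    found.sort(key=lambda e: (-e["score"], e["due"], e["host"]))
    return found


if __name__ == "__main__":
    for e in exposures(load_catalog(SAMPLE_KEV_JSON), INVENTORY, AFFECTED, TODAY):
        flag = "OVERDUE" if e["overdue"] else "due " + e["due"]
        print(f"{e['score']:4d}  {e['host']:<14} {e['cve']}  {flag}")
```

Run against the constructed data, the unpatched SimpleHelp server ranks first because the entry is ransomware-linked and its deadline passed months ago, while the patched SimpleHelp server and the Windows host updated after June 10 produce no rows at all; swapping in the real feed and a real inventory only changes the two data constants and the AFFECTED rules.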

Going forward, organizations and security teams should internalize these lessons. Resilience is the watchword: it’s not about if a cyber incident happens, but when, so preparation is paramount. That includes everything from technical measures (keeping systems hardened and backups ready) to executive-level plans (crisis management, legal implications, communications). This week’s incidents also highlight the ripple effects one attack can have across a supply chain or society, reinforcing that cybersecurity is a shared responsibility. By staying informed of weekly developments, adopting best practices from both successes and failures, and fostering a culture of security, we can better navigate the ever-changing threat landscape.
