Major Data Breaches and Leaks
Ahold Delhaize Breach (2.2 Million Affected): U.S. and European retail giant Ahold Delhaize – owner of grocery chains like Food Lion, Stop & Shop, Giant Food, and Hannaford – disclosed that a November 2024 cyberattack led to a data breach affecting 2.24 million individuals. The attack was confirmed to be a ransomware incident, with the INC Ransom gang claiming responsibility by listing the company on its leak site earlier this year. Stolen files included a wide range of sensitive information, such as personal identifiers (names, contact details, dates of birth, Social Security and driver’s license numbers), financial account numbers, health and workers’ compensation data, and employment records. While Ahold Delhaize had initially acknowledged a network intrusion in late 2024, the full scope became public through a filing with the Maine Attorney General on June 27, 2025. The company is notifying affected individuals and offering support, though it declined to confirm the attackers’ identity or whether any ransom was paid. This breach – one of the largest retail breaches of 2025 – underscores the long tail of ransomware incidents, as data from last year’s attack is only now coming to light.
Aflac Insurance Cyberattack: Supplemental insurance giant Aflac Incorporated revealed that hackers breached its U.S. network in mid-June, potentially compromising customers’ personal information including Social Security numbers and health-related data. Aflac detected suspicious activity on June 12 and says it contained the intrusion within hours. In a June 20 regulatory filing, Aflac described the incident as part of a broader cybercrime campaign targeting multiple insurance companies; press reports tied the tradecraft to the “Scattered Spider” group, which relies on social engineering of help desks and identity providers rather than software exploits and had already hit retail, hospitality, telecom and other insurers. While Aflac has not disclosed how many customers were affected, the company faced immediate fallout: by June 24, at least 11 class-action lawsuits had been filed alleging Aflac failed to protect policyholders’ data and delayed notification of the breach. Aflac is providing 24 months of free credit monitoring and identity theft protection to those impacted. This incident highlights the insurance industry’s growing exposure to cyberattacks and the expectation that breached companies respond quickly and transparently.
Significant Cyberattacks and Incidents
Food Supply Chain Disruption (UNFI): A major cyberattack struck United Natural Foods Inc. (UNFI), the largest U.S. wholesale distributor for grocery stores (including Whole Foods). In its fiscal Q3 earnings report, UNFI confirmed that a cyber incident in early June forced it to take its entire network offline, interrupting order fulfillment and deliveries across its supply chain. As of this week, UNFI reported it is shipping to customers only on a limited basis while it works to safely bring systems back online. External-facing portals (such as supplier websites and VPN access) remain offline, and some Whole Foods locations experienced delayed product launches or even empty shelves. The company has not revealed the attack vector or culprit; a full network shutdown followed by staged restoration is the pattern typical of ransomware containment, though UNFI has not confirmed that. This incident underscores the ripple effect of cyberattacks on critical infrastructure and supply chains: a single breach at a distributor can impact hundreds of stores and potentially consumers nationwide.
CoinMarketCap Website Hack: CoinMarketCap, a popular cryptocurrency price tracking platform, suffered a client-side injection attack on its website. Attackers tampered with a piece of content loaded by CoinMarketCap’s homepage (reportedly the small animated “doodle” graphic, whose backing data was altered to carry a script tag) so that visitors’ browsers fetched a wallet-drainer script from an attacker-controlled domain. Affected visitors saw a fake “Verify Wallet” pop-up on the legitimate page; those who connected a wallet and approved the prompt had funds drained, with losses reported at over $43,000 across a few dozen users. CoinMarketCap acknowledged the incident and removed the malicious content after discovering the unauthorized script. The attack highlights the dangers of web supply chain compromises: a few lines of script injected through any content or dependency a trusted site loads run with that site’s origin and can drive users into signing malicious transactions. Crypto users are urged to remain cautious of unexpected wallet interactions, even on legitimate platforms, and to use wallet or browser extensions that simulate and flag malicious web3 transactions; site operators should pin third-party assets with Subresource Integrity and a Content Security Policy so scripts from unexpected origins are refused.
Hacktivist Attacks in Southeast Asia: A wave of hacktivist cyber attacks hit Thai government websites amid regional tensions. A Cambodian hacktivist group calling itself AnonsecKh (aka Bl4ckCyb3r) claimed responsibility for at least 73 attacks on Thai organizations in June. The campaign was spurred by a border clash on May 28 and the long-running dispute over the Preah Vihear temple region. The group launched DDoS attacks and defacements against Thai government and military domains, as well as some private-sector targets (over a quarter of targets were Thai manufacturing firms). Notably, between June 4–10 they disrupted websites for Thailand’s Ministry of Defense, Ministry of Foreign Affairs, and Bangkok city administration. Thai authorities responded by issuing arrest warrants for suspected members of the group. These incidents demonstrate how geopolitical conflicts are spilling into cyberspace: nationalist or politically motivated hackers are conducting retaliatory attacks on government infrastructure, adding a cyber dimension to regional conflicts.
Iranian Bank Attack by Predatory Sparrow: In the Middle East, a major Iranian financial institution (Sepah Bank) suffered a cyberattack amid escalating Iran-Israel tensions. The Israeli-aligned hacking group “Predatory Sparrow” (Gonjeshke Darande) claimed responsibility for the attack and even boasted that it “destroyed” some of the bank’s data. Sepah Bank, one of Iran’s largest state-owned banks, saw its online services disrupted in the attack, though officials said service was restored within hours and did not confirm any permanent data loss. Predatory Sparrow is known for previous destructive hacks on Iranian infrastructure, often in retaliation to Iranian actions. The incident, occurring during a week of military strikes and counterstrikes between Iran and Israel, highlights the ongoing cyber tit-for-tat in global conflicts. Financial institutions remain prime targets, and this case shows state-affiliated hacktivists are willing to sabotage data, not just steal it. Organizations in conflict zones should be on high alert for cyber espionage or sabotage attempts.
Critical Vulnerabilities and Patches
Citrix NetScaler Critical Flaws: Citrix administrators received an urgent warning this week: critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway appliances are being actively exploited in the wild. One flaw (CVE-2025-6543) is a memory overflow that Citrix describes as leading to unintended control flow and denial of service on appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; Citrix confirmed that exploits against unmitigated appliances have been observed. A second vulnerability (CVE-2025-5777), disclosed the previous week, is an out-of-bounds memory read caused by insufficient input validation on the same Gateway/AAA configurations. Because the leaked memory can include session tokens, researchers have compared it to the 2023 “CitrixBleed” bug, and Citrix recommends terminating all active ICA and PCoIP sessions after upgrading so that tokens exposed before the patch cannot be replayed. Citrix released patches for both issues and urged customers to update immediately; the 12.1 and 13.0 branches are end of life and receive no fix. Given that NetScaler devices often sit at the network perimeter for load-balancing and remote access, an exploit could grant attackers a foothold into corporate networks. Organizations using these products should apply Citrix’s updates without delay, review authentication logs for sessions established from unexpected addresses, and watch for scanning, as attackers are already probing for unpatched systems.
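A quick way to triage a fleet is to compare the build string from `show ns version` against the first fixed build for each CVE. The script below is an added example, not Citrix tooling; the fixed-build thresholds are the ones given in Citrix’s June 2025 bulletins as recalled here and are an assumption to confirm against the current advisory before acting on the output. The version banners it runs on are constructed.

```python
"""Flag NetScaler ADC / Gateway builds still exposed to CVE-2025-5777 and
CVE-2025-6543 from the output of `show ns version`.

Added example, not Citrix code. The fixed-build thresholds are the ones
given in Citrix's June 2025 bulletins as recalled here (an assumption to
confirm against the current advisory). Branches with no fixed build in the
table (13.0 and non-FIPS 12.1, both end of life) are reported as exposed.
"""
import re
from typing import Dict, Optional, Tuple

Build = Tuple[int, int]

# branch -> first fixed build (assumed; verify against Citrix's advisory)
FIXED_BUILDS: Dict[str, Dict[str, Build]] = {
    "CVE-2025-5777": {"14.1": (43, 56), "13.1": (58, 32),
                      "13.1-FIPS": (37, 235), "12.1-FIPS": (55, 328)},
    "CVE-2025-6543": {"14.1": (47, 46), "13.1": (59, 19),
                      "13.1-FIPS": (37, 236)},
}

# `show ns version` prints e.g. "NetScaler NS14.1: Build 43.50.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_ns_version: str) -> Optional[Tuple[str, Build]]:
    """Return (branch, (major, minor)) or None if the banner is not recognised."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_exposed(show_ns_version: str, cve: str, fips: bool = False) -> bool:
    """True if the appliance runs a build older than the first fixed one.

    `fips` must be supplied by the operator: FIPS/NDcPP firmware carries its
    own build numbering but the version banner does not say so.
    """
    parsed = parse_version(show_ns_version)
    if parsed is None:
        raise ValueError("unrecognised NetScaler version string")
    branch, build = parsed
    key = f"{branch}-FIPS" if fips else branch
    fixed = FIXED_BUILDS[cve].get(key)
    if fixed is None:          # no fixed build published for this branch
        return True
    return build < fixed       # tuple comparison: (43, 50) < (43, 56)


def report(show_ns_version: str, fips: bool = False) -> Dict[str, bool]:
    """Exposure per CVE for one appliance, keyed by CVE id."""
    return {cve: is_exposed(show_ns_version, cve, fips) for cve in FIXED_BUILDS}


if __name__ == "__main__":
    # Constructed banner strings, not output from a real appliance.
    for banner in ("NetScaler NS14.1: Build 43.50.nc, Date: Jan 15 2025",
                   "NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025",
                   "NetScaler NS13.0: Build 92.21.nc, Date: Aug 1 2023"):
        print(banner.split(",")[0], report(banner))
```

Note that a build fixed for CVE-2025-5777 (14.1-43.56) is still exposed to CVE-2025-6543, which is why the check is per CVE. Patching alone is not enough for CVE-2025-5777: sessions authenticated before the upgrade must be killed (Citrix’s bulletin gives `kill icaconnection -all` and `kill pcoipConnection -all` for this), since any token already leaked stays valid until then.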
Exploited Bugs Added to CISA Alert List: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week, meaning CISA has evidence of active exploitation and federal agencies must remediate them by a set due date. The newly listed flaws are: CVE-2024-54085, an authentication bypass in AMI MegaRAC SPx baseboard management controller firmware that lets an unauthenticated remote attacker take over the BMC and, through it, the server it manages; CVE-2024-0769, a path traversal bug in the discontinued D-Link DIR-859 router that exposes configuration files containing account credentials and can lead to device takeover; and CVE-2019-6693, a hard-coded cryptographic key in FortiOS used to encrypt sensitive fields in configuration backups, which the Akira ransomware gang has abused to recover VPN credentials from stolen backup files. These additions highlight the breadth of exploited vulnerabilities, from out-of-band server management to home routers, and serve as a reminder to prioritize patching known critical flaws. Even a six-year-old CVE like the Fortinet bug is still being weaponized, emphasizing the need to retire or update unsupported devices and to treat configuration backups as secrets.
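The practical use of the KEV catalog is to rank what a scanner already found. The script below, an added example rather than CISA tooling, cross-references a reduced scanner export against the KEV JSON feed and sorts overdue and ransomware-linked items first. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of the published feed; the entries embedded here are a constructed excerpt so the script runs offline, and their dates and the inventory shape are illustrative assumptions.

```python
"""Cross-check an asset inventory against the CISA KEV catalog.

Added example, not CISA tooling. The JSON field names are those of the
published KEV feed; the entries below are a constructed excerpt for
offline use, so the dates are illustrative, not CISA's.
"""
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt in the KEV feed's shape (download the real feed from
# cisa.gov when running this for real).
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC SPx",
     "vulnerabilityName": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859 Router",
     "vulnerabilityName": "D-Link DIR-859 Router Path Traversal Vulnerability",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",
     "dateAdded": "2025-06-25", "dueDate": "2025-07-16", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index KEV entries by CVE id."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def match_inventory(kev: Dict[str, dict], inventory: List[dict], today: date) -> List[dict]:
    """Return one finding per (asset, CVE) pair that appears in KEV.

    `inventory` items look like {"asset": "bmc-01", "cves": ["CVE-..."]}, the
    shape a scanner export can be reduced to (an assumed format). Findings
    are sorted so overdue and ransomware-linked items come first.
    """
    findings = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:          # not in KEV: still a finding, just not this report's
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": item["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "overdue": today > due,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    # Constructed inventory: which hosts a scanner says carry which CVEs.
    # CVE-2099-0001 is a placeholder id to show non-KEV entries are skipped.
    inventory = [
        {"asset": "bmc-rack12", "cves": ["CVE-2024-54085"]},
        {"asset": "branch-fw-03", "cves": ["CVE-2019-6693", "CVE-2099-0001"]},
        {"asset": "homeoffice-rtr", "cves": ["CVE-2024-0769"]},
    ]
    for f in match_inventory(load_kev(SAMPLE_KEV_JSON), inventory, date(2025, 7, 20)):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f'{f["asset"]:15} {f["cve"]:15} {f["product"]:22} {flag}'
              + ("  [ransomware use]" if f["ransomware"] else ""))
```

Run against the real feed, the same logic turns a scanner’s thousands of findings into the short list that an adversary is known to be using today, with the BMC and firewall entries at the top because of what they sit in front of.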
MOVEit Transfer Under Active Scanning: Threat intelligence reports indicate that Progress MOVEit Transfer, a widely used managed file-transfer product, is being probed for known, already-patched vulnerabilities at a scale that suggests preparation for mass exploitation. Starting May 27, security firm GreyNoise observed the number of unique IP addresses scanning for MOVEit Transfer instances jump from near zero to over 300 per day, with the activity sustained since. Alongside the scanning, GreyNoise logged exploitation attempts against CVE-2023-34362, the SQL injection behind the Cl0p data-extortion wave of 2023, and CVE-2023-36934, a related injection flaw patched the same summer. Administrators are urged to confirm every MOVEit Transfer system is on a current, patched release, to isolate or disable servers that cannot be patched, to remove direct internet exposure of the web interface where the business allows, and to monitor for the 2023 indicators: unexpected .aspx files in the wwwroot directory (the LEMURLOOT web shell was dropped as human2.aspx), unusual bulk downloads, and new accounts in the MOVEit database. The heightened attention on this platform underscores how file-transfer apps holding sensitive data remain prime targets, and how previously known bugs resurface when organizations lag on updates.
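The surge GreyNoise saw from the outside is visible from the inside too, in the IIS logs of the MOVEit server itself. The script below is an added example, not Progress or GreyNoise tooling: it parses IIS W3C log lines, flags any request for the human2.aspx web shell name from the 2023 campaign, and reports days on which the number of distinct client IPs hitting MOVEit’s entry points jumps well above the other days. The log lines are constructed, and the entry-point list and surge thresholds are assumptions to tune for your own baseline.

```python
"""Spot MOVEit Transfer probing and web shell access in IIS W3C logs.

Added example, not Progress tooling. Two checks: (1) any request to
human2.aspx, the filename the 2023 LEMURLOOT web shell was dropped under
(listed in CISA advisory AA23-158A); (2) a jump in distinct client IPs per
day hitting the MOVEit entry points, the kind of surge GreyNoise measured.
Log lines, paths and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set

# MOVEit Transfer web entry points that internet scanners request (assumed list).
PROBE_PATHS = {"/human.aspx", "/guestaccess.aspx", "/moveitisapi/moveitisapi.dll"}
WEBSHELL_PATHS = {"/human2.aspx"}

# Constructed IIS log. IIS writes '+' for spaces inside a field, so a simple
# whitespace split is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2025-05-25 09:12:01 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2025-05-25 09:14:22 10.0.0.5 GET /human.aspx - 443 - 198.51.100.8 Mozilla/5.0 - 200 0 0 12
2025-05-26 08:01:09 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 14
2025-05-26 08:03:40 10.0.0.5 GET /human.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 13
2025-05-27 00:10:05 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 python-requests/2.31 - 200 0 0 9
2025-05-27 00:10:06 10.0.0.5 GET /guestaccess.aspx - 443 - 203.0.113.11 curl/8.5.0 - 200 0 0 8
2025-05-27 00:10:07 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.12 - - 200 0 0 41
2025-05-27 00:10:08 10.0.0.5 GET /human.aspx - 443 - 203.0.113.13 Go-http-client/1.1 - 200 0 0 10
2025-05-27 00:10:09 10.0.0.5 GET /human.aspx - 443 - 203.0.113.14 Go-http-client/1.1 - 200 0 0 10
2025-05-27 00:10:10 10.0.0.5 GET /human.aspx - 443 - 203.0.113.15 Go-http-client/1.1 - 200 0 0 10
2025-05-27 01:22:30 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.12 Mozilla/5.0 - 200 0 0 5
"""


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def webshell_hits(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Any request for a known web shell path is a high-confidence alert."""
    return [r for r in rows if r["cs-uri-stem"].lower() in WEBSHELL_PATHS]


def unique_probers_per_day(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct client IPs per day that touched a MOVEit entry point."""
    per_day: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["cs-uri-stem"].lower() in PROBE_PATHS:
            per_day[r["date"]].add(r["c-ip"])
    return per_day


def surge_days(per_day: Dict[str, Set[str]], factor: float = 3.0, min_ips: int = 5) -> List[str]:
    """Days whose distinct-IP count is >= factor x the median of the other days."""
    counts = {d: len(ips) for d, ips in per_day.items()}
    if len(counts) < 2:
        return []
    flagged = []
    for day, n in sorted(counts.items()):
        baseline = median(c for d, c in counts.items() if d != day)
        if n >= min_ips and n >= factor * baseline:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    rows = parse_iis(SAMPLE_LOG)
    for hit in webshell_hits(rows):
        print("WEBSHELL", hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
    per_day = unique_probers_per_day(rows)
    for day in surge_days(per_day):
        print("SURGE", day, len(per_day[day]), "distinct IPs")
```

The two signals differ in kind: a human2.aspx request is near-certain compromise and should page someone, while a scanning surge is a warning that the patch window is closing and a prompt to confirm the build number rather than to assume the worst.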
Other Notable Patches: No major Microsoft or Apple zero-day patches emerged during this week, but it’s worth noting that Microsoft’s June Patch Tuesday (released earlier in the month) included fixes for 66 vulnerabilities, among them one actively exploited zero-day and one publicly disclosed flaw, and Apple’s latest security updates for iOS/macOS in May addressed several WebKit and kernel issues. Organizations should ensure those routine updates have been applied. Additionally, SonicWall issued a security alert warning customers that a trojanized installer of its NetExtender VPN client (a modified build of version 10.3.2.27) is being distributed from look-alike download sites; the altered binaries steal the VPN configuration (server, username, password and domain) and send it to an attacker-controlled server, and they are code-signed, but by a certificate that does not belong to SonicWall. This isn’t a vulnerability in SonicWall’s code per se, but rather a malware distribution campaign: users should download VPN software only from sonicwall.com or mysonicwall.com and confirm that the Authenticode signer is SonicWall before installing, since even trusted software can be repackaged maliciously. Overall, the theme for the week is rapid patch management: from network appliances to software and third-party tools, staying current on updates is vital as attackers swiftly exploit any known weaknesses.
Government and Industry Cyber Responses
Joint Advisory on Chinese Espionage (Salt Typhoon): In a collaborative move, the U.S. FBI and the Canadian Centre for Cyber Security issued a joint cybersecurity advisory warning about the China-linked threat actor dubbed “Salt Typhoon.” The alert, widely reported on June 24, details how Salt Typhoon has been breaching telecom companies worldwide as part of a cyber-espionage campaign. Notably, in mid-February the group exploited the critical Cisco IOS XE web UI vulnerability CVE-2023-20198 (CVSS 10.0, patched by Cisco in October 2023) to compromise three network devices registered to a Canadian telecommunications firm. The attackers retrieved the running configurations and modified at least one of them to add a GRE tunnel, giving them a path to quietly siphon traffic out of the network. Officials caution that Salt Typhoon’s targeting almost certainly extends beyond Canada and beyond the telecom sector, and that edge network devices (routers, firewalls, VPN concentrators) are high-value targets for Chinese state-sponsored hackers because they see all traffic and are rarely covered by endpoint monitoring. This advisory is a clear government response to state-backed hacking: by publicizing the TTPs (tactics, techniques and procedures) and pressing operators to patch a flaw fixed nearly two years ago, disable unneeded web management interfaces, and audit configurations for tunnels and accounts they did not create, Western agencies aim to blunt China’s reach into critical networks. It also reflects increased international cooperation in attributing and countering APT threats.
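The configuration audit the advisory calls for is mechanical enough to script. The example below is added here and is not Cisco, FBI or Cyber Centre tooling: given an IOS XE running-config, it lists tunnel interfaces and privilege-15 local users that are absent from the operator’s baseline, and reports whether the HTTP/HTTPS server that CVE-2023-20198 is reached through is enabled. The config text is constructed; the baseline sets passed in are assumptions a real run would take from the site’s change records, and the `cisco_tac_admin` account name is modelled on the usernames Cisco Talos reported the 2023 exploitation creating.

```python
"""Audit an IOS XE running-config for the footholds the Salt Typhoon advisory
describes: GRE tunnel interfaces the operator did not define, privilege-15
accounts outside the baseline, and an enabled web UI.

Added example, not Cisco or FBI tooling. The config text is constructed and
the expected tunnel / user names are assumptions a real run would take from
the site's configuration baseline.
"""
import re
from typing import Dict, List, Set

# Constructed running-config excerpt. Tunnel47 and cisco_tac_admin play the
# role of attacker additions (the account name mirrors ones Talos reported
# from CVE-2023-20198 exploitation in 2023).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$aaaaaaaaaaaaaaa
username cisco_tac_admin privilege 15 secret 9 $9$bbbbbbbbbbbbbbb
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel0
 description MPLS backup to DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.1
!
interface Tunnel47
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.66
 tunnel mode gre ip
!
ip http server
ip http secure-server
!
"""

TUNNEL_DEST_RE = re.compile(r"^tunnel destination (\S+)")
TUNNEL_MODE_RE = re.compile(r"^tunnel mode (.+)$")
PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (?:secure-)?server$", re.MULTILINE)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each `interface X` block to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # "!" or a top-level command ends the block
    return blocks


def rogue_tunnels(config: str, expected: Set[str]) -> List[Dict[str, str]]:
    """Tunnel interfaces absent from the baseline, with destination and mode.

    IOS tunnels default to GRE over IPv4 when no `tunnel mode` is set, so a
    bare Tunnel block is still a GRE tunnel.
    """
    found = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel") or name in expected:
            continue
        dest, mode = "?", "gre ip (default)"
        for line in lines:
            m_dest = TUNNEL_DEST_RE.match(line)
            m_mode = TUNNEL_MODE_RE.match(line)
            if m_dest:
                dest = m_dest.group(1)
            elif m_mode:
                mode = m_mode.group(1)
        found.append({"name": name, "destination": dest, "mode": mode})
    return found


def rogue_priv15_users(config: str, expected: Set[str]) -> List[str]:
    """Local privilege-15 users not in the baseline."""
    return [u for u in PRIV15_RE.findall(config) if u not in expected]


def web_ui_enabled(config: str) -> bool:
    """True if `ip http server` or `ip http secure-server` is configured."""
    return HTTP_RE.search(config) is not None


def audit(config: str, expected_tunnels: Set[str], expected_users: Set[str]) -> dict:
    return {
        "rogue_tunnels": rogue_tunnels(config, expected_tunnels),
        "rogue_priv15_users": rogue_priv15_users(config, expected_users),
        "web_ui_enabled": web_ui_enabled(config),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, expected_tunnels={"Tunnel0"}, expected_users={"netadmin"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

A tunnel to an unexplained destination is the traffic-siphoning path the advisory describes; an extra level-15 user is the persistence. For the web UI itself, Cisco Talos’s 2023 guidance for CVE-2023-20198 adds a direct implant check: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` on the device that returns a hexadecimal string indicates the implant is present. If the management interface is not needed from the internet, `no ip http server` and `no ip http secure-server` remove the attack surface outright.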
Crackdown on Cybercrime Forums: Law enforcement scored a victory against cybercriminal infrastructure this week. French authorities arrested four suspected operators of the notorious BreachForums hacking marketplace in a coordinated operation across several regions of France. Those detained used the handles “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” and allegedly helped run BreachForums. (BreachForums has been a major underground forum for trading stolen data, malicious tools, and leaked databases.) These arrests follow the March 2023 arrest of the forum’s founder, Conor Brian Fitzpatrick (“Pompompurin”), and the February 2025 arrest in France of British national Kai West, who operated as “IntelBroker” and later administered the forum. U.S. prosecutors this week unsealed charges against West for hacking dozens of organizations and selling or leaking the stolen data. According to the indictment, West trafficked stolen information from more than 40 entities, causing an estimated $25 million in damages. The FBI identified him through an undercover purchase: agents bought a stolen API key from IntelBroker for roughly $250 in Bitcoin, then traced the payment to a cryptocurrency exchange account opened with West’s real identity and linked to an email address he had used elsewhere. The combined actions in the U.S. and Europe demonstrate a global law enforcement push to dismantle cybercrime forums and hold their operators accountable, even across borders. It also delivers a strong message: those who facilitate the sale of breached data will be pursued internationally.
European Police Bust Fraud Ring: In another example of cross-border cooperation, law enforcement dismantled an e-commerce fraud ring operating across Europe. Romanian and German authorities, with support from Europol and Eurojust, investigated a criminal group that hacked over 400 seller accounts on a major online marketplace and used them to defraud customers of more than €400,000. The scheme involved phishing legitimate sellers to steal their credentials, then posting fake listings for high-value goods and collecting payments from unsuspecting buyers – essentially an elaborate online scam at scale. Seven suspects were initially arrested in raids in late 2024, but some members continued the fraud. This week (June 24, 2025), three remaining suspects were detained in Romania under European Arrest Warrants, and additional house searches yielded further IT evidence. This case highlights not only the financial damage from cyber-fraud but also the intense effort by European agencies to collaborate and arrest cybercriminals in multiple countries. By pooling resources and legal tools like the European Arrest Warrant, investigators can overcome jurisdictional hurdles. For businesses, this bust is a reminder to secure their seller accounts with strong authentication, since account takeovers can harm consumers and platform reputation alike.
Russian Handling of Ransomware Actors: In a noteworthy (and controversial) development, Russian authorities quietly released several members of the infamous REvil ransomware gang. This week it came to light that four individuals – arrested in Russia back in January 2022 for their involvement in REvil – have been freed after a court gave them suspended sentences or credit for time served. The suspects (Russian nationals) had pleaded guilty to lesser charges such as “carding” (credit card fraud) and malware distribution, and received five-year prison terms that were effectively nullified by the time they already spent in detention. REvil (a.k.a. Sodinokibi) was behind high-profile ransomware attacks in 2020–2021 (on JBS Foods, Kaseya, etc.), and Western governments had applauded Russia’s initial arrests as a sign of possible cooperation. However, this outcome suggests a different story: Russia appears unwilling to severely punish ransomware operators, especially those targeting Western victims. The release has been criticized by cybersecurity experts as a sign of impunity – raising concerns that these hackers might return to cybercrime. It also underscores the stark contrast in how nations approach cybercriminals: while some countries extradite or jail them, others may treat them more leniently. This divide complicates international efforts to curb ransomware. Companies and security leaders should note that some threat actors may operate from safe havens, making prevention and defense all the more critical since legal deterrence is not guaranteed.
Other Official Actions: Government agencies continued issuing security guidance. For example, the UK’s National Cyber Security Centre (NCSC) published malware analysis reports on two tools found on Fortinet FortiGate firewalls, “UMBRELLA STAND” (a modular implant) and “SHOE RACK” (a post-exploitation remote-shell and tunnelling tool), noting overlaps with COATHANGER, the FortiGate backdoor that Dutch intelligence attributed to Chinese state actors. And in Australia, police arrested a former Western Sydney University student accused of hacking into university systems over several years, an insider incident that reportedly began with an attempt to obtain cheaper parking and escalated to altering academic records, stealing data, and threatening to sell student records on the dark web. Meanwhile, industry groups and regulators are increasingly discussing cybersecurity requirements: there were no major new laws this week, but ongoing initiatives (like the U.S. SEC cybersecurity disclosure rules and the EU’s NIS2 directive) remain in focus for security executives. The overall government tone this week has been proactive (advisories, arrests, and warnings) yet mixed with geopolitical complexity. Security leaders should leverage these official alerts and takedowns (e.g. apply NCSC and FBI guidance, and share threat intel) while recognizing the uneven global enforcement landscape.
Miscellaneous
Emerging Threat Campaigns: Cybersecurity researchers uncovered several sophisticated threat campaigns during the week, indicating that advanced threat actors continue to innovate. Notably, Trellix published research on an espionage operation dubbed “OneClik” targeting the global energy and oil & gas sector. Attackers in this campaign sent tailored phishing emails and abused Microsoft’s ClickOnce deployment technology, which runs applications launched from a web link, to load malware under a trusted Windows process and deploy backdoors inside enterprise networks. This shows that even lesser-known Windows features can be weaponized for stealthy infiltration. In a different vein, security analysts reported on a long-running Chinese operation named “LapDogs,” which since 2023 has compromised over 1,000 devices worldwide by hijacking vulnerable IoT and SOHO (small office/home office) routers. The LapDogs operators turn these routers into an army of “proxy” nodes (ORBs, or Operational Relay Boxes) that route their malicious traffic, helping them mask operations and avoid detection. Such campaigns, one very targeted and one extremely broad, highlight both APT tactics and the growing exploitation of insecure smart devices. Organizations in critical industries should harden less-monitored attack surfaces (such as software deployment mechanisms like ClickOnce), and all users should keep their routers and IoT gadgets updated, since nation-state attackers are now leveraging any weak link to establish persistence.
Cybercriminals Leverage AI Trends: The influence of artificial intelligence in cyber threats was evident in multiple reports this week. Researchers at Zscaler ThreatLabz warned of a malware campaign abusing the popularity of AI tools like ChatGPT and Luma AI. Threat actors created fake AI-themed websites (often using lookalike domains and SEO poisoning) that promised AI tools, but visiting these sites triggered hidden JavaScript that redirected users through a chain of sites, ultimately delivering infostealer malware such as Vidar, Lumma, or Legion Loader. These malware strains can steal credentials and sensitive data. The campaign used browser fingerprinting to serve the payload only to targeted users and padded the malicious payloads into very large files to evade antivirus scanning. In another troubling trend, cybercriminal forum users have “jailbroken” new large language models (LLMs), specifically Mistral AI’s models and xAI’s Grok, to remove their safety restrictions. According to a Cato Networks report, these uncensored AI models are being offered on underground markets as new WormGPT variants, where they are used to generate convincing phishing emails, malicious code, and even how-to guides for hacking. Essentially, criminals are wrapping commercial models in jailbreak prompts to produce illicit output that the original models would normally refuse. This development has significant implications: it lowers the skill barrier for crafting malware and social engineering lures, potentially increasing the volume and sophistication of attacks. For defenders, it’s a call to invest in AI-assisted detection and user education, since the bad actors are also arming themselves with AI. It also reinforces the need for vigilance when encountering anything that’s unusually polished or personalized in phishing, since AI can dramatically improve scammers’ effectiveness.
Key Security Takeaways from the Week’s News: A few cross-cutting themes emerged. First, third-party risk and supply chain security are as critical as ever: from CoinMarketCap’s script injection to SonicWall’s fake installer warning to breaches via IT providers, many incidents started at a partner or supplier. This means businesses must vet and monitor the security of their vendors and use defense-in-depth (so one compromised component doesn’t lead to total breach). Second, we’re seeing the continued blurring of nation-state tactics and cybercrime: state actors like Salt Typhoon use router exploits, while criminal gangs may enjoy safe haven in certain countries. Organizations should consider threat intelligence about APTs and cybercriminal groups in their risk assessments. Finally, basic cyber hygiene is still a front-line defense: the widely reported 16-billion-credential compilation (largely recycled infostealer logs rather than a single new breach) fundamentally comes down to weak or reused credentials and infostealers; timely patching could have prevented many of the exploited vulnerabilities; and user awareness might have averted some phishing-based intrusions. As one expert quipped in response to Verizon’s annual report, most breaches still boil down to stolen credentials and known flaws, problems we know how to fix. The challenge is execution at scale, something every CISO is grappling with.
Conclusion
This week’s developments reinforce several key lessons for security professionals and stakeholders:
Vigilance and Speed Matter: From massive data leaks to actively exploited zero-day vulnerabilities, the window for organizations to react is narrow. Companies that quickly detect incidents (as Aflac did within hours) and those that patch emergent threats promptly (as urged for Citrix and MOVEit flaws) will drastically reduce damage. Conversely, delays in response or disclosure can compound legal and reputational fallout, as seen with class actions following breaches. The takeaway is to invest in real-time threat monitoring, incident response drills, and agile patch management processes – assume that at any given week, new breaches or exploits will surface and readiness is everything.
Strengthen Fundamentals (While Adapting to New Trends): The recurring appearance of stolen credentials, unpatched devices, and phishing in this week’s news is a stark reminder that cybersecurity 101 is still not solved. Multi-factor authentication, least-privilege access, employee training, and asset patching are essential and should be relentlessly enforced. At the same time, emerging trends like AI-abetted attacks and IoT-based campaigns mean defenders must innovate too. Consider deploying AI-driven security tools that can detect anomalies (since attackers are using AI to create more convincing lures), and broaden your security coverage to include non-traditional IT (like network gear, smart devices, and cloud apps). Security strategies must evolve – blending tried-and-true controls with creative defenses for new threat vectors.
Collaboration and Transparency: Many stories this week highlight the value of sharing information and working together. Government advisories (like the FBI/Canadian alert on Salt Typhoon) provide crucial threat intel that private firms can act on. Law enforcement cooperation led to dismantling criminal operations spanning continents. On the industry side, companies that are transparent about breaches and engage with authorities/customers in the aftermath tend to fare better in the long run than those who stay silent. Going forward, organizations should actively participate in information-sharing communities (ISACs/CERTs), and when incidents happen, manage communications openly and honestly to maintain stakeholder trust. Cyber threats are a shared challenge, and no entity can tackle them alone.
In summary, the last week of June 2025 served as a microcosm of the cybersecurity landscape: massive data heists, aggressive hacks on critical systems, relentless exploitation of known flaws, and notable wins (and setbacks) in cyber law enforcement. For security leaders, the imperative is clear – double down on fundamentals, stay nimble against new threats, and engage with the broader security ecosystem. The threats will keep coming, but with preparation and collaboration, we can continue to mitigate risk and protect our organizations and users.
Sources
- Tom’s Guide – D. Murphy, “16 billion password data breach hits Apple, Google, Facebook and more” (June 25, 2025)
- BleepingComputer – S. Gatlan, “Retail giant Ahold Delhaize says data breach affects 2.2 million people” (June 27, 2025)
- Insurance Journal – W. Rabb, “Aflac Hit With Class Action Over Data Breach of Customer Info” (June 25, 2025)
- ID Agent (Kaseya) – “The Week in Breach News: 06/18/25 – 06/24/25” (June 24, 2025), covering Aflac, Krispy Kreme, Disney, Chain IQ, etc.
- BrightDefense – T. Ahmed, “List of Recent Data Breaches in 2025” (blog, June 25, 2025)
- CyberSecurity-Help.cz – “Cyber Security Week in Review: June 27, 2025” (June 27, 2025)
- The Hacker News – R. Lakshmanan, “China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom” (June 24, 2025)
- The Hacker News – R. Lakshmanan, “MOVEit Transfer Faces Increased Threats as Scanning Surges…” (June 27, 2025)
- TechCrunch – Z. Whittaker, “Cyberattack at US grocery distributor UNFI affecting customer orders” (June 10, 2025)