Cybersecurity Threats and Trends - 06/12/2025

From sophisticated AI data theft to novel covert channels using smartwatches, this week's threats demonstrate the continuous evolution of attack techniques targeting both emerging technologies and traditional infrastructure.

Author

J.W. Croley
June 12, 2025

In partnership with

Discover the many benefits of global hiring

Global hiring and remote work are rising. Deel’s here to help. With our Business Case for Global Hiring Guide, we’ll guide you through everything.

Learn more about:

  • Benefits of global hiring

  • Global hiring methods

  • Costs of global hiring

  • Solutions to global hiring challenges

Isn't it time you dive into a world of global hiring capabilities? Explore the ins and outs of global hiring with our free, ready-to-use guide.

While you were busy trying to remember if you actually turned on MFA for your personal email, the cyber underworld was busy innovating new ways to ruin your Monday. Let's dive into this week's digital dumpster fires, shall we?

1. 'EchoLeak' AI Attack Enables Theft of Sensitive Data via Microsoft 365 Copilot

Primary Threat: Security researchers have discovered a critical vulnerability in Microsoft 365 Copilot that allowed attackers to perform zero-click attacks to steal sensitive data from AI conversations.

Risk: HIGH

Microsoft recently patched CVE-2025-32711, dubbed "EchoLeak," a vulnerability that could have been exploited to extract sensitive information from Copilot conversations without any user interaction. The flaw allowed attackers to craft specially designed prompts that could trick the AI into revealing confidential data from previous conversations, including credentials, business strategies, and intellectual property. This vulnerability highlights the emerging security challenges in AI-assisted productivity tools that have access to vast amounts of organizational data.

Detection and Remediation Tips:

  • Apply Microsoft's latest security updates immediately to patch the EchoLeak vulnerability

  • Review your organization's Microsoft 365 Copilot usage policies and implement data boundaries

  • Train employees on safe AI interaction practices, including not sharing sensitive information with AI tools

  • Monitor Copilot logs for suspicious activity or unusual prompt patterns

  • Consider implementing additional data loss prevention controls for AI-assisted tools

2. Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management

Primary Threat: Ransomware operators are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management software to compromise utility billing systems.

Risk: HIGH

CISA has released an advisory warning that ransomware actors are leveraging unpatched SimpleHelp RMM software to compromise utility billing providers. The attackers exploit these vulnerabilities to gain initial access, move laterally through networks, and deploy ransomware payloads. This campaign specifically targets critical infrastructure organizations, with several municipal water utilities already affected. The advisory notes that attackers are exploiting CVE-2025-28764, a critical authentication bypass vulnerability with a CVSS score of 9.8.

Detection and Remediation Tips:

  • Immediately patch SimpleHelp RMM software to the latest version (5.1.2 or later)

  • Implement network segmentation to isolate critical operational technology networks from IT networks

  • Review remote access solutions and implement multi-factor authentication for all remote access

  • Monitor for indicators of compromise detailed in the CISA advisory

  • Develop and test incident response plans specifically for ransomware scenarios affecting critical systems

3. Smartwatch Attack Technique Captures Ultrasonic Covert Communication in Air-Gapped Environments

Primary Threat: Researchers have demonstrated a novel attack technique that uses smartwatches to capture ultrasonic covert communications in air-gapped environments, enabling data exfiltration.

Risk: MEDIUM

Security researchers revealed a new attack method called "UltraLeap" that leverages smartwatches' microphones to capture ultrasonic signals transmitted by compromised air-gapped computers. The attack works by first infecting an air-gapped system with malware that encodes stolen data into ultrasonic sound waves inaudible to humans. Nearby smartwatches can then capture these signals through their microphones, store the encoded data, and later transmit it when connected to the internet. This technique could potentially bypass traditional air-gap security measures that rely on physical isolation.

Detection and Remediation Tips:

  • Implement strict policies regarding wearable devices in sensitive air-gapped environments

  • Consider RF-shielded rooms for the most sensitive air-gapped systems

  • Deploy acoustic monitoring solutions capable of detecting ultrasonic transmissions

  • Ensure endpoint protection on air-gapped systems to prevent initial compromise

  • Review and update air-gap security protocols to address emerging covert channel techniques

Did you know...?

Air-gapped systems, like those targeted by the UltraLeap smartwatch attack, have a fascinating history of being compromised through increasingly creative covert channels. Traditional air-gapping involves physically isolating a computer or network from unsecured networks, including the internet. However, researchers have demonstrated numerous ways to breach these gaps using electromagnetic emissions (Van Eck phreaking), thermal manipulations, acoustic techniques, and even LED status lights. The Israeli research team that discovered the original "AirHopper" technique in 2014 demonstrated data exfiltration through FM radio signals, and subsequent research has shown that even a computer's cooling fans can be manipulated to transmit data acoustically. Perhaps most surprisingly, researchers have shown that malware can extract encryption keys by simply listening to the sound a computer makes while processing cryptographic operations…

Proving that in cybersecurity, no gap is truly unbridgeable when attackers are sufficiently motivated and creative.

4. Cyberattack on NHS Professionals Leads to Theft of Active Directory Data

Primary Threat: NHS Professionals, a staffing organization for the UK's National Health Service, has suffered a significant data breach involving the theft of Active Directory data.

Risk: HIGH

According to security reports, attackers compromised NHS Professionals' network and exfiltrated Active Directory data containing information on thousands of healthcare workers. The stolen data includes usernames, email addresses, role information, and hashed passwords. While patient data was not directly compromised, the breach creates significant risks for targeted phishing attacks against healthcare workers and potential lateral movement into connected healthcare systems. NHS Professionals has temporarily disabled remote access while investigating the incident.

Detection and Remediation Tips:

  • If you're an NHS Professional, change your password immediately and enable multi-factor authentication

  • Be vigilant for targeted phishing attempts using stolen information

  • Healthcare organizations should monitor for suspicious authentication attempts using compromised credentials

  • Review Active Directory security configurations and implement least-privilege access controls

  • Consider implementing privileged access management solutions for sensitive healthcare systems

5. Fog Ransomware Attack Uses Unusual Mix of Legitimate and Open-Source Tools

Primary Threat: A new ransomware variant called Fog is using an unusual combination of legitimate and open-source tools to evade detection and encrypt victim systems.

Risk: HIGH

Security researchers discovered that the Fog ransomware group is employing a sophisticated attack chain that leverages legitimate system administration tools and open-source security software to establish persistence and move laterally through networks. The group uses PowerShell Empire for command and control, Mimikatz for credential theft, and a modified version of the open-source Rclone tool for data exfiltration. This "living off the land" approach makes detection particularly challenging as the tools themselves appear legitimate until used maliciously.

Detection and Remediation Tips:

  • Implement application allowlisting to control which tools can run in your environment

  • Deploy advanced endpoint detection and response (EDR) solutions that can detect suspicious behavior patterns

  • Monitor for unusual PowerShell activity, especially scripts that disable security features

  • Implement network segmentation to limit lateral movement opportunities

  • Regularly audit the use of administrative tools and establish baselines for normal behavior

6. Radware Cyber Survey Uncovers Critical Weaknesses in Application Security Measures

Primary Threat: A comprehensive survey by Radware reveals widespread critical weaknesses in application security measures across industries, with 68% of organizations experiencing successful API-based attacks in the past year.

Risk: MEDIUM

According to Radware's latest cyber survey findings, organizations are struggling to secure their expanding application footprints, particularly APIs. The survey of over 1,000 cybersecurity professionals found that 68% of organizations experienced successful API attacks in the past 12 months, yet only 24% have comprehensive API security solutions in place. Additionally, 57% of respondents admitted they lack visibility into shadow or zombie APIs, creating significant blind spots in their security posture.

Detection and Remediation Tips:

  • Conduct a comprehensive inventory of all APIs in your environment, including shadow APIs

  • Implement API security solutions that provide visibility, monitoring, and protection

  • Develop and enforce secure API development practices and standards

  • Regularly test APIs for security vulnerabilities through penetration testing

  • Consider implementing API gateways to centralize management and security controls

IN SUMMARY:

The exploitation of remote management tools in critical infrastructure and the theft of Active Directory data from healthcare organizations highlight the ongoing risks to essential services, while the Fog ransomware's innovative use of legitimate tools shows how threat actors continue to adapt their methods to evade detection.

🚨 Key Takeaways:

✔️ AI-powered productivity tools introduce new attack surfaces and data security challenges that require specialized protection measures.
✔️ Critical infrastructure remains highly vulnerable to ransomware attacks, particularly through remote management software.
✔️ Air-gapped systems are increasingly at risk from sophisticated covert channels that leverage everyday devices like smartwatches.
✔️ Healthcare organizations continue to be prime targets for cyberattacks, with employee data often serving as an entry point.
✔️ Ransomware groups are increasingly using legitimate tools and "living off the land" techniques to evade traditional security controls.
✔️ API security remains a significant blind spot for many organizations despite the growing number of successful attacks targeting these interfaces.

🔎 Immediate Actions:

✔️ Apply Microsoft's latest security updates to address the EchoLeak vulnerability in Microsoft 365 Copilot.
✔️ Patch SimpleHelp RMM software immediately if used in your environment, especially for critical infrastructure.
✔️ Implement strict policies regarding wearable devices in sensitive air-gapped environments.
✔️ Review Active Directory security configurations and implement least-privilege access controls.
✔️ Deploy advanced endpoint detection solutions capable of identifying suspicious behavior patterns, even from legitimate tools.
✔️ Conduct a comprehensive inventory of all APIs in your environment and implement proper security controls.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Not conservative. Not liberal. Just Christian.

Trust in media is at an all-time low (shocking… we know), but let’s keep “walking around completely uninformed” as a backup plan.

The Pour Over provides concise, politically neutral, and entertaining summaries of the world’s biggest news paired with reminders to stay focused on eternity.