Cybersecurity Threats and Trends - 06/17/2025

Today’s threats highlight the continued evolution of both criminal and nation-state cyber operations.


As we navigate through today's digital minefield, remember that in cybersecurity, we don't just patch systems – we patch our collective paranoia to keep it at healthy levels. Let's dive into this week's top threats.

1. Anubis Ransomware Adds Wiper To Destroy Files Beyond Recovery

Primary Threat: The Anubis ransomware group has evolved their malware to include destructive wiper functionality, making file recovery impossible even if victims pay the ransom.

Risk: HIGH

According to H-ISAC's latest cyber headlines report, the Anubis ransomware group has implemented a dangerous new capability in their malware that permanently destroys files rather than just encrypting them. This represents a significant tactical shift in ransomware operations, as traditional ransomware preserves file integrity to enable decryption after payment. The new variant appears to selectively wipe critical system files and databases while encrypting others, creating a hybrid attack that maximizes damage while still attempting to extract payment. Security researchers note that this approach is particularly concerning for healthcare organizations, where data loss can directly impact patient care and safety.

Detection and Remediation Tips:

  • Implement comprehensive, air-gapped backup solutions that cannot be accessed from potentially compromised systems

  • Test restoration procedures regularly to ensure recovery capabilities are functional

  • Deploy advanced endpoint protection with behavioral analysis capabilities to detect wiper activity

  • Segment networks to limit lateral movement and contain potential damage

  • Develop incident response plans specifically for destructive malware scenarios, not just traditional ransomware
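
The first two tips above only mean something if a restore is actually exercised against a trusted record of what was backed up. The script below is an added example, not code from the newsletter or from any vendor it mentions: it assumes backups are gzip tar archives kept alongside a SHA-256 manifest (a constructed layout), restores the archive into a scratch directory, and reports exactly which paths are missing, altered or unexpected. The drill function also shows what a wiper-damaged source looks like against a manifest taken before the damage. Run it on an isolated restore host so that the check itself never touches the systems being protected.

```python
"""Restore-test a backup archive against a SHA-256 manifest.

Added example, not from the newsletter. Assumes backups are gzip tar archives
stored alongside a manifest mapping relative path -> SHA-256 (constructed
layout). Run it on an isolated restore host, never on the production system.
"""
import hashlib
import os
import tarfile
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest recorded at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Extract into a scratch directory and diff against the manifest.

    Returns (ok, problems); problems lists missing, mismatched and unexpected
    paths so a failed drill points at exactly what would not come back.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects paths escaping scratch
            except TypeError:  # Python without the extraction-filter backport
                tar.extractall(scratch)
        restored = build_manifest(scratch)
    problems = [f"missing: {p}" for p in manifest if p not in restored]
    problems += [f"hash mismatch: {p}" for p in manifest
                 if p in restored and restored[p] != manifest[p]]
    problems += [f"unexpected: {p}" for p in restored if p not in manifest]
    return (not problems, problems)


def drill():
    """Run a clean restore test, then one where the source was wiped after the
    manifest was taken, and return both outcomes."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        record = os.path.join(src, "db", "records.sqlite")
        with open(record, "wb") as f:
            f.write(b"constructed sample database contents\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample document\n")

        good = os.path.join(work, "backup-good.tar.gz")
        manifest = create_backup(src, good)
        clean_ok, _ = verify_restore(good, manifest)

        # Simulate wiper damage: overwrite the database with zeros, then back up
        # the already-damaged source and check it against the trusted manifest.
        with open(record, "wb") as f:
            f.write(b"\x00" * 64)
        bad = os.path.join(work, "backup-wiped.tar.gz")
        create_backup(src, bad)
        wiped_ok, problems = verify_restore(bad, manifest)
    return clean_ok, wiped_ok, problems


if __name__ == "__main__":
    clean, wiped, problems = drill()
    print("clean backup restores:", clean)
    print("wiped backup restores:", wiped, problems)
```

The manifest is the part that has to live somewhere the malware cannot reach: a backup taken after a wiper has already zeroed a database will restore perfectly and still be useless, and only a hash record from before the damage exposes that.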

2. Stealth Falcon APT Exploits Microsoft RCE Zero-Day

Primary Threat: Nation-state adversaries are actively exploiting a zero-day vulnerability in Microsoft's WebDAV component.

Risk: HIGH

Security researchers discovered that the Stealth Falcon APT group is leveraging CVE-2025-33053, a critical remote code execution vulnerability in Microsoft's Web Distributed Authoring and Versioning (WebDAV) component. Microsoft has released an emergency patch outside their regular update cycle.

Detection and Remediation Tips:

  • Apply Microsoft's emergency patch immediately

  • Implement network monitoring for WebDAV exploitation attempts

  • Consider temporarily disabling WebDAV if not business-critical
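
The newsletter names no indicators for the WebDAV activity, so the monitoring tip above is best read as a baseline check: WebDAV methods (PROPFIND, MKCOL and the other RFC 4918 verbs) from clients to servers outside a short approved list are rare in most environments and worth triage on their own. The script below is an added example, not from the newsletter or from Microsoft: it parses proxy log lines in a constructed format, flags WebDAV requests to unapproved destinations, and rates a request to an address outside the assumed internal range (10.0.0.0/8) higher than one to an unapproved internal host. The approved host name, the internal range and every address in the sample log are constructed.

```python
"""Audit proxy logs for WebDAV traffic to unsanctioned destinations.

Added example, not from the newsletter. The log format, the approved host,
the internal range and all addresses below are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# RFC 4918 methods; a plain GET to a share is not distinguishable from normal
# browsing, so only these verbs are treated as WebDAV activity.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumption: the only sanctioned WebDAV server and the organisation's address space.
APPROVED_WEBDAV_HOSTS = {"files.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed format: timestamp client method url status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2025-06-17T09:00:01Z 10.0.5.21 GET http://intranet.corp.example/index.html 200
2025-06-17T09:00:02Z 10.0.5.21 PROPFIND http://files.corp.example/share/ 207
2025-06-17T09:01:10Z 10.0.5.44 PROPFIND http://203.0.113.7/share/ 207
2025-06-17T09:01:11Z 10.0.5.44 GET http://203.0.113.7/share/doc.txt 200
2025-06-17T09:02:00Z 10.0.5.44 MKCOL http://10.0.9.3/dav/new/ 201
2025-06-17T09:03:30Z 10.0.7.9 OPTIONS http://198.51.100.12/dav/ 200
"""


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def destination_severity(host):
    """'high' for an IP literal outside INTERNAL_NETS, 'medium' for any other
    unapproved destination (internal address, or a hostname not resolved here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "medium"
    return "medium" if any(addr in net for net in INTERNAL_NETS) else "high"


def audit(lines):
    """Return one finding per WebDAV request to a non-approved destination."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WEBDAV_METHODS:
            continue
        host = urlsplit(rec["url"]).hostname
        if host in APPROVED_WEBDAV_HOSTS:
            continue
        findings.append({
            "ts": rec["ts"], "client": rec["client"], "method": rec["method"],
            "host": host, "severity": destination_severity(host),
        })
    return findings


def clients_by_count(findings):
    """Clients ranked by number of flagged WebDAV requests, for triage order."""
    return Counter(f["client"] for f in findings).most_common()


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["severity"]:6} {h["ts"]} {h["client"]} {h["method"]} -> {h["host"]}')
    print("triage order:", clients_by_count(hits))
```

Whatever the approved list looks like in a real environment, building it is the useful part of the exercise: it forces the question of which WebDAV servers are actually supposed to exist, which is also the input for deciding whether the third tip, disabling WebDAV, is viable.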

3. Microsoft June Windows Server Security Updates Cause DHCP Issues

Primary Threat: Microsoft's June 2025 security updates are causing DHCP service disruptions on Windows Server installations.

Risk: MEDIUM

Microsoft has acknowledged that their June 2025 security updates are causing DHCP service failures on Windows Server installations, potentially disrupting network connectivity for client systems. A workaround is available while Microsoft develops a permanent fix.

Detection and Remediation Tips:

  • Test updates in non-production environments before deployment

  • Implement the recommended workaround if affected

  • Consider delaying non-critical updates until a fix is released

Did you know...?

Wiper malware, like the new variant deployed by the Anubis ransomware group, has a long and destructive history in cyber warfare. The first major wiper attack, Shamoon, targeted Saudi Aramco in 2012, destroying data on over 30,000 workstations. Unlike traditional ransomware, wipers are designed purely for destruction rather than financial gain. Notable examples include NotPetya (2017), which caused over $10 billion in damages worldwide while masquerading as ransomware, and WhisperGate, which targeted Ukrainian organizations in 2022. What makes the Anubis group's approach particularly insidious is the combination of ransomware and wiper functionality—creating the illusion of potential recovery while ensuring destruction regardless of payment. This hybrid approach represents a concerning evolution in destructive malware tactics, as it attempts to extract payment from victims while still achieving the strategic objective of permanent data destruction.

4. Critical SAP NetWeaver Vulnerability Under Active Exploitation

Primary Threat: A critical vulnerability in SAP NetWeaver Visual Composer allows unauthenticated remote code execution.

Risk: HIGH

Darktrace reports active exploitation of CVE-2025-31324, a critical SAP NetWeaver vulnerability with a CVSS score of 9.8. The flaw allows attackers to execute arbitrary code without authentication, potentially compromising entire SAP environments.

Detection and Remediation Tips:

  • Apply SAP's security patch immediately

  • Monitor for exploitation indicators in your environment

  • Implement network-level protections while patching is in progress

5. OpenAI Bans ChatGPT Accounts Linked to Nation-State Threat Actors

Primary Threat: OpenAI has banned ChatGPT accounts operated by state-backed actors from Russia and China.

Risk: MEDIUM

OpenAI has taken action against ChatGPT accounts linked to nation-state threat actors, particularly from Russia and China. The company detected these accounts were using the AI platform for reconnaissance and attack planning activities.

Detection and Remediation Tips:

  • Review your organization's AI usage policies

  • Implement controls on what information employees can share with AI tools

  • Monitor for unusual patterns in AI platform usage within your organization

6. Episource Medical Software Provider Suffers Ransomware Attack

Primary Threat: Episource, a medical software provider, experienced a ransomware attack compromising sensitive health and insurance data.

Risk: HIGH

Cyware reports that Episource suffered a ransomware attack between January and February 2025, exposing sensitive health and insurance information. The incident highlights the continued targeting of healthcare supply chain organizations to access protected health information.

Detection and Remediation Tips:

  • Verify if your organization has any relationship with Episource

  • Monitor for potential identity theft if your data may be affected

  • Implement supply chain security assessments for all healthcare vendors

IN SUMMARY:

The Anubis ransomware group's shift to destructive wiper tactics signals a concerning trend where even paying a ransom no longer guarantees data recovery. Meanwhile, zero-day vulnerabilities in Microsoft and SAP products demonstrate that sophisticated attackers continue to find and exploit critical flaws in widely-used enterprise software, while operational issues with Microsoft's security updates remind us that even security fixes can sometimes create their own problems.

🚨 Key Takeaways:
✔️ Ransomware is evolving beyond financial motivation to include purely destructive capabilities, requiring updated defense and recovery strategies.
✔️ Nation-state actors continue to leverage zero-day vulnerabilities in common software components for targeted attacks.
✔️ Security updates themselves can introduce operational risks that must be managed through proper testing procedures.
✔️ Critical vulnerabilities in enterprise applications like SAP represent significant risk due to their access to sensitive business data.
✔️ AI platforms are increasingly being targeted by nation-state actors for reconnaissance and attack planning.
✔️ Healthcare organizations and their supply chain partners remain prime targets for cybercriminals seeking valuable personal data.

🔎 Immediate Actions:
✔️ Review and test your backup and recovery procedures to ensure they can withstand destructive malware attacks.
✔️ Apply Microsoft's emergency patch for the WebDAV vulnerability (CVE-2025-33053) immediately.
✔️ Test Windows Server updates in non-production environments before deployment to avoid DHCP service disruptions.
✔️ Patch SAP NetWeaver systems to address the critical CVE-2025-31324 vulnerability.
✔️ Implement controls on what sensitive information employees can share with AI platforms like ChatGPT.
✔️ Assess your organization's exposure to the Episource breach if you operate in the healthcare sector.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.
