Cybersecurity Threats and Trends - 06/19/2025

Today's threats highlight the continued evolution of both nation-state and criminal cyber operations...


While you were busy convincing yourself that "Password123!" is totally secure because it has a special character, threat actors were busy turning your digital life into their personal playground. Buckle up for this week's cybersecurity horror show – no popcorn required, just pure anxiety.

1. Viasat Targeted in Cyberattack by Salt Typhoon APT Group

Primary Threat: Chinese state-sponsored hackers have compromised satellite communications provider Viasat in a sophisticated espionage campaign.

Risk: HIGH

Security researchers report that Viasat Inc. has been identified as the latest victim in a sweeping cyberespionage campaign attributed to the Chinese state-sponsored group Salt Typhoon. The attackers exploited a previously unknown vulnerability in Viasat's network management systems to gain persistent access to satellite communications infrastructure. This breach is particularly concerning as Viasat provides critical communications services to government agencies, military operations, and commercial enterprises worldwide. Intelligence agencies believe the attackers were primarily focused on intercepting sensitive communications and gathering intelligence rather than causing service disruptions, though the full extent of the compromise is still being assessed.

Detection and Remediation Tips:

  • If you're a Viasat customer, implement the emergency patches released by the company immediately

  • Review all authentication logs for suspicious access patterns dating back at least six months

  • Implement additional encryption for sensitive communications that may traverse satellite networks

  • Consider implementing out-of-band verification for critical communications

  • Develop contingency plans for communications in the event of satellite service disruptions

  • Monitor for any unusual network traffic patterns that could indicate an ongoing compromise
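The second and last tips above (review six months of authentication logs, watch for unusual access patterns) are easier to act on with a concrete triage script. The following is an added example, not Viasat's code or this newsletter's: it assumes a constructed log format of "<ISO timestamp> <user> <source IP> <SUCCESS|FAILURE>", constructed sample entries, and REVIEW_DATE as the "now" anchor for the six-month window. It flags three patterns on successful logins: a burst of failures followed by a success from the same source, a login from an IP the account has never used before, and a login during quiet hours.

```python
"""Review authentication logs for suspicious access patterns.

Added example; it is not Viasat's code or the newsletter's. The log line
format "<ISO timestamp> <user> <source IP> <SUCCESS|FAILURE>", the sample
entries and REVIEW_DATE are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; a real six-month export is far longer, but the
# patterns an analyst looks for are the same.
SAMPLE_LOG = """\
2024-11-01T12:00:00Z ops-admin 10.20.0.5 SUCCESS
2025-01-10T09:02:11Z ops-admin 10.20.0.5 SUCCESS
2025-01-11T08:55:40Z ops-admin 10.20.0.5 SUCCESS
2025-02-03T10:14:02Z ops-admin 10.20.0.7 SUCCESS
2025-03-15T03:12:44Z ops-admin 203.0.113.77 FAILURE
2025-03-15T03:12:51Z ops-admin 203.0.113.77 FAILURE
2025-03-15T03:13:05Z ops-admin 203.0.113.77 FAILURE
2025-03-15T03:13:20Z ops-admin 203.0.113.77 SUCCESS
2025-04-02T14:30:00Z noc-user 10.20.0.9 SUCCESS
"""

# Date of the review (the newsletter's date), used as the "now" anchor.
REVIEW_DATE = datetime(2025, 6, 19)


def parse_auth_log(text):
    """Parse log text into sorted (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def within_window(events, review_date, days=180):
    """Keep only events from the last `days` days before review_date (six months by default)."""
    cutoff = review_date - timedelta(days=days)
    return [e for e in events if e[0] >= cutoff]


def find_suspicious(events, fail_threshold=3, fail_window=timedelta(minutes=10),
                    off_hours=range(0, 6)):
    """Return (kind, user, source_ip, timestamp) findings for an analyst to triage.

    Flagged on successful logins:
      * failures_then_success: >= fail_threshold failures from the same
        user/IP pair within fail_window before the success (credential guessing)
      * new_source_ip: the user has logged in before, but never from this IP
      * off_hours_login: success during the configured quiet hours (UTC)
    """
    seen_ips = defaultdict(set)      # user -> IPs with a prior success
    failures = defaultdict(list)     # (user, ip) -> failure timestamps
    findings = []
    for ts, user, ip, result in sorted(events):
        if result != "SUCCESS":
            failures[(user, ip)].append(ts)
            continue
        recent = [t for t in failures[(user, ip)] if ts - t <= fail_window]
        if len(recent) >= fail_threshold:
            findings.append(("failures_then_success", user, ip, ts))
        failures[(user, ip)].clear()
        if seen_ips[user] and ip not in seen_ips[user]:
            findings.append(("new_source_ip", user, ip, ts))
        if ts.hour in off_hours:
            findings.append(("off_hours_login", user, ip, ts))
        seen_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    scoped = within_window(parse_auth_log(SAMPLE_LOG), REVIEW_DATE)
    for kind, user, ip, ts in find_suspicious(scoped):
        print(f"{ts:%Y-%m-%d %H:%M}  {kind:<22} {user:<10} {ip}")
```

On the sample data the script reports the new source 10.20.0.7 in February (probably benign, but worth a glance) and, in March, a failure burst, a never-seen external IP and an off-hours login all on the same success, which is the kind of event the six-month review is meant to surface. Tune fail_window and off_hours to your own environment before relying on the output.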

2. Chain IQ, UBS Data Stolen in Ransomware Attack

Primary Threat: A ransomware group has claimed the theft of millions of files from procurement service provider Chain IQ and 19 other companies.

Risk: HIGH

SecurityWeek reports that a major ransomware attack has compromised Chain IQ, a procurement services provider with ties to UBS and other financial institutions. The attackers claim to have exfiltrated over 7TB of sensitive data before encrypting systems. This breach is particularly significant because Chain IQ manages procurement processes for multiple financial institutions, creating a supply chain vulnerability that affects numerous organizations simultaneously. The threat actors have already published sample data on their leak site to prove the validity of their claims, including confidential contracts, financial documents, and customer information. The attack appears to have exploited a vulnerability in Chain IQ's external-facing portal that lacked proper multi-factor authentication controls.

Detection and Remediation Tips:

  • If you're a Chain IQ client, monitor for potential data exposure and notify affected customers

  • Review third-party risk management procedures for all service providers with access to sensitive data

  • Implement data loss prevention controls for sensitive financial information shared with vendors

  • Consider implementing just-in-time access controls for third-party service providers

  • Audit all external-facing portals for proper authentication and authorization controls

3. Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff

Primary Threat: A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff.

Risk: HIGH

The Hacker News revealed that threat actors exploited CVE-2025-2783, a high-severity use-after-free vulnerability in Chrome's V8 JavaScript engine, to deploy a backdoor called TaxBackdoor. The vulnerability was discovered after security researchers identified a sophisticated spear-phishing campaign targeting financial professionals with tax-themed lures. When victims visited malicious websites, the exploit leveraged the Chrome vulnerability to escape the browser sandbox and install persistent malware capable of stealing authentication credentials and financial data. The TaxOff group appears to be financially motivated and has previously targeted accounting firms and financial institutions with similar tactics. Google has released an emergency patch.

Detection and Remediation Tips:

  • Update Google Chrome to the latest version immediately across all endpoints

  • Consider using browser isolation technology for high-risk browsing activities

  • Implement advanced endpoint protection with behavioral analysis capabilities

  • Train employees to recognize tax-themed phishing attempts, especially during tax season

  • Deploy network monitoring tools capable of detecting post-exploitation command and control traffic

Did you know...?

Satellite communications systems, like those targeted in the Viasat attack, represent one of the most challenging areas of cybersecurity due to their unique architecture and global reach. Unlike traditional networks, satellite systems must manage signals traveling through space, creating distinctive security challenges. The first documented cyberattack against satellite systems occurred in 1998 when hackers compromised the ROSAT X-ray satellite and redirected its solar panels toward the sun, permanently damaging its instruments. Of note, the 2022 Viasat KA-SAT attack, attributed to Russia, disrupted communications across Europe just as Russian forces invaded Ukraine. What makes these attacks particularly concerning is their potential for cascading effects across multiple sectors and countries simultaneously. A single compromised satellite can impact communications for military operations, emergency services, remote infrastructure monitoring, and even ATM networks across entire continents. This "one-to-many" attack surface makes satellite systems an increasingly attractive target for nation-state actors seeking maximum impact from a single intrusion point.

4. Active Exploitation of Critical Vulnerability in Langflow

Primary Threat: Security researchers have identified a new active campaign exploiting a critical vulnerability in the Langflow AI workflow tool.

Risk: HIGH

The Cyber Security Agency of Singapore warns that attackers are actively exploiting CVE-2025-3248, a critical vulnerability in Langflow that allows unauthenticated remote code execution. Organizations using this AI workflow tool are at significant risk. The vulnerability exists in the API component of Langflow, which fails to properly validate user input before passing it to internal functions that interact with the underlying operating system. Successful exploitation allows attackers to execute arbitrary code with the privileges of the application, potentially leading to complete system compromise. Security researchers have observed exploitation attempts originating from multiple threat actors, suggesting the vulnerability is being widely targeted after proof-of-concept code was published online last week.

Detection and Remediation Tips:

  • Apply the security patch for Langflow immediately if your organization uses this tool

  • Implement network segmentation for AI development environments to limit lateral movement

  • Review logs for indicators of compromise, focusing on unusual API calls and command executions

  • Consider temporarily disabling external access to Langflow instances until patching is complete

  • Implement web application firewalls with rules to detect and block exploitation attempts
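The log-review and WAF tips above both come down to the same question: which API requests carried code or command content, and did they succeed without authentication? The script below is an added example, not Langflow's own code or this newsletter's. It assumes a constructed JSON-lines access log with fields ts, src, method, path, status, auth and body, a placeholder path /api/v1/EXAMPLE-ENDPOINT, and an INTERNAL_NETS list standing in for your AI development segment. The execution signatures are deliberately generic, so a tool that legitimately accepts code will produce some false positives; the point is to shortlist requests for an analyst.

```python
"""Triage web-application access logs for unusual API calls.

Added example, not Langflow's own code or the newsletter's. The JSON-lines
log format, its field names, the sample entries, the path
/api/v1/EXAMPLE-ENDPOINT and the INTERNAL_NETS ranges are constructed
placeholders; map them onto your reverse proxy or application log.
"""
import ipaddress
import json
import re

# Generic defensive signatures for code or command execution in a request
# body. Broad on purpose; not tied to any specific exploit.
EXEC_INDICATORS = re.compile(
    r"(__import__|\bsubprocess\b|os\.system|os\.popen|\bexec\(|\beval\(|\bimport\s+os\b)"
)

# Constructed: the address ranges your AI development segment lives in.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample access log, one JSON object per line.
SAMPLE_ACCESS_LOG = r"""
{"ts":"2025-06-18T10:01:02Z","src":"10.0.5.14","method":"GET","path":"/api/v1/flows","status":200,"auth":true,"body":""}
{"ts":"2025-06-18T10:02:40Z","src":"10.0.5.14","method":"POST","path":"/api/v1/flows","status":201,"auth":true,"body":"{\"name\":\"summarize\"}"}
{"ts":"2025-06-18T23:47:13Z","src":"198.51.100.23","method":"POST","path":"/api/v1/EXAMPLE-ENDPOINT","status":200,"auth":false,"body":"{\"code\":\"import os; os.system('CONSTRUCTED')\"}"}
{"ts":"2025-06-18T23:47:30Z","src":"198.51.100.23","method":"POST","path":"/api/v1/EXAMPLE-ENDPOINT","status":200,"auth":false,"body":"{\"code\":\"__import__('subprocess')\"}"}
{"ts":"2025-06-19T08:15:00Z","src":"203.0.113.9","method":"POST","path":"/api/v1/flows","status":401,"auth":false,"body":"{\"name\":\"x\"}"}
"""


def parse_access_log(text):
    """Parse JSON-lines log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(src):
    """True unless the source falls inside one of the constructed internal ranges."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)


def triage(records):
    """Return API requests that carry execution indicators or that succeeded
    without authentication; external sources are tagged for priority."""
    findings = []
    for r in records:
        if not r["path"].startswith("/api/"):
            continue
        reasons = []
        if EXEC_INDICATORS.search(r.get("body", "")):
            reasons.append("exec_indicator_in_body")
        if not r.get("auth", False) and r["status"] < 400:
            reasons.append("unauthenticated_api_success")
        if reasons:
            if is_external(r["src"]):
                reasons.append("external_source")
            findings.append({"ts": r["ts"], "src": r["src"], "path": r["path"], "reasons": reasons})
    return findings


def sources_to_block(findings, min_hits=2):
    """Sources with repeated findings: candidates for a WAF or firewall deny rule."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = triage(parse_access_log(SAMPLE_ACCESS_LOG))
    for f in found:
        print(f["ts"], f["src"], f["path"], ", ".join(f["reasons"]))
    print("block candidates:", sources_to_block(found))
```

Note that a rejected request (the 401 from 203.0.113.9) is not flagged: the script is looking for what got through, not every probe. Feed the block candidates to your WAF or perimeter firewall, and keep the matching requests for the incident timeline.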

5. Alleged Ryuk Ransomware Gang Member Arrested in Ukraine and Extradited to US

Primary Threat: A 33-year-old man arrested in Ukraine will face charges in the U.S. of working for the Ryuk cybercrime operation.

Risk: MEDIUM

The Record reports that law enforcement has arrested and extradited a key member of the Ryuk ransomware operation, responsible for hundreds of attacks against healthcare organizations and local governments since 2018. The suspect, identified as Mikhail Vasiliev, allegedly served as a developer for the group, creating custom encryption tools and managing the ransomware infrastructure. Court documents reveal that investigators were able to trace cryptocurrency transactions linking the suspect to multiple high-profile attacks. This arrest represents a significant blow to the Ryuk operation, which has been responsible for an estimated $150 million in ransom payments. However, security researchers caution that the group's core leadership remains at large and may rebrand under a new name.

Detection and Remediation Tips:

  • Remain vigilant, as ransomware operations often rebrand after arrests but maintain similar tactics

  • Review your ransomware response plan and backup strategies to ensure they're current

  • Consider cyber insurance that specifically covers ransomware incidents and extortion demands

  • Implement network monitoring for indicators of compromise associated with Ryuk and related malware

  • Share threat intelligence with industry peers to quickly identify new variants or rebranded operations

6. Russia Detects First SuperCard Malware Attacks Skimming Bank Data via NFC

Primary Threat: Russia has detected the first instances of SuperCard malware that skims bank data via NFC technology.

Risk: MEDIUM

According to The Record media, a new financial malware called SuperCard is using compromised point-of-sale terminals to steal payment card data via NFC, without requiring physical card insertion. The malware can capture data from contactless payments. This represents a significant evolution in card-skimming technology, as previous skimmers typically required physical card contact. The SuperCard malware infects the terminal's firmware and creates a hidden buffer that captures the encrypted NFC transaction data. It then uses a sophisticated decryption algorithm to extract the card details, which are exfiltrated to command and control servers when the terminal connects to payment processors. What makes this attack particularly concerning is that it leaves no physical evidence and can operate undetected for months, potentially compromising thousands of transactions.

Detection and Remediation Tips:

  • Monitor financial accounts for unauthorized transactions with immediate notification alerts

  • Consider using virtual cards with transaction limits for contactless payments

  • Enable transaction notifications for immediate fraud detection on all payment cards

  • For businesses, implement integrity monitoring on point-of-sale terminals

  • Regularly update terminal firmware and conduct security scans for unauthorized modifications

  • Consider implementing tokenization for all payment transactions to limit the exposure of actual card data
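The integrity-monitoring and firmware-scanning tips above translate directly into a hash baseline that is recorded at deployment and re-checked periodically. The script below is an added example, not code from any terminal vendor or from this newsletter. It assumes a constructed file layout and contents, and a constructed MANIFEST_KEY; the one design point it insists on is that the baseline manifest is HMAC-signed with a key kept off the terminal, so malware that rewrites firmware cannot simply rewrite the baseline to match.

```python
"""Integrity monitoring for point-of-sale terminal firmware and configuration.

Added example; it is not code from any terminal vendor or from the
newsletter. The file layout, contents and the manifest signing key are
constructed placeholders.
"""
import hashlib
import hmac
import json
from pathlib import Path

# Constructed: known-good terminal image recorded at deployment time.
BASELINE_FILES = {
    "firmware/app.bin": b"\x7fELF-constructed-firmware-v1",
    "firmware/boot.bin": b"bootloader-constructed",
    "config/terminal.cfg": b"processor_host=EXAMPLE\nnfc=on\n",
}

# Constructed: the same terminal months later. app.bin has been altered and
# a hidden buffer directory has appeared, mirroring the skimming case above.
CURRENT_FILES = {
    "firmware/app.bin": b"\x7fELF-constructed-firmware-v1-TAMPERED",
    "firmware/boot.bin": b"bootloader-constructed",
    "config/terminal.cfg": b"processor_host=EXAMPLE\nnfc=on\n",
    "firmware/.cache/buf.dat": b"\x00" * 16,
}

# Constructed key. In practice it lives off the terminal (on the monitoring
# server), so malware on the device cannot re-sign a manifest.
MANIFEST_KEY = b"CONSTRUCTED-MANIFEST-KEY"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def snapshot_mapping(files):
    """Snapshot an in-memory {path: bytes} tree (used for the sample here)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def snapshot_directory(root):
    """Snapshot a real directory tree (what a terminal-side agent would run)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def sign_manifest(snapshot, key=MANIFEST_KEY):
    """HMAC-SHA256 over a canonical JSON encoding of the snapshot."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(snapshot, signature, key=MANIFEST_KEY):
    return hmac.compare_digest(sign_manifest(snapshot, key), signature)


def diff_snapshots(baseline, current):
    """Classify every path as modified, added or removed relative to baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def hidden_paths(snapshot):
    """Paths with a dot-prefixed component; unexpected on a locked-down terminal."""
    return sorted(p for p in snapshot if any(part.startswith(".") for part in p.split("/")))


def check_terminal(baseline, signature, current_files):
    """Full check: refuse a tampered baseline, then report drift."""
    if not verify_manifest(baseline, signature):
        return {"status": "baseline_untrusted"}
    current = snapshot_mapping(current_files)
    drift = diff_snapshots(baseline, current)
    drift["hidden"] = hidden_paths(current)
    changed = any(drift[k] for k in ("modified", "added", "removed", "hidden"))
    drift["status"] = "drift_detected" if changed else "clean"
    return drift


if __name__ == "__main__":
    baseline = snapshot_mapping(BASELINE_FILES)
    sig = sign_manifest(baseline)
    print(json.dumps(check_terminal(baseline, sig, CURRENT_FILES), indent=2))
```

On the constructed data the check reports app.bin as modified and the dot-prefixed buffer file as both added and hidden. Run snapshot_directory against the terminal's real filesystem image on a schedule, and treat any drift on a terminal that has not received an authorised firmware update as an incident rather than a maintenance ticket.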

IN SUMMARY:

The Chinese APT group Salt Typhoon's targeting of Viasat demonstrates the ongoing focus on satellite communications as critical infrastructure, while the Chain IQ ransomware attack shows how third-party service providers continue to be leveraged to access data from multiple organizations simultaneously.

Meanwhile, the emergence of SuperCard malware represents an evolution in financial threats targeting contactless payment systems, and the ongoing exploitation of zero-day vulnerabilities in widely-used software like Google Chrome reminds us that even the most security-conscious organizations remain vulnerable.

🚨 Key Takeaways:

✔️ Nation-state actors are increasingly targeting satellite communications infrastructure for intelligence gathering and potential disruption capabilities.
✔️ Third-party service providers continue to be prime targets for ransomware groups seeking to maximize impact and financial gain.
✔️ Zero-day vulnerabilities in widely used software like Google Chrome remain a significant threat vector for sophisticated attackers.
✔️ AI development tools like Langflow are emerging as new attack surfaces as organizations rapidly adopt these technologies.
✔️ Law enforcement continues to make progress against ransomware operations, though these groups often rebrand and continue operations.
✔️ Financial malware is evolving to target contactless payment systems, requiring new approaches to transaction security.

🔎 Immediate Actions:

✔️ If you're a Viasat customer, implement their emergency security patches immediately and review authentication logs.
✔️ Update Google Chrome to the latest version to address the actively exploited zero-day vulnerability.
✔️ Patch Langflow installations immediately if your organization uses this AI workflow tool.
✔️ Review third-party risk management procedures, especially for procurement and financial service providers.
✔️ Enable transaction notifications for payment cards to quickly detect potential fraud from new financial malware.
✔️ Consider implementing browser isolation technology to mitigate the risk of browser-based attacks.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
