Cybersecurity Threats and Trends - 06/26/2025

Today's news highlights the persistent challenges facing critical infrastructure security, from new CitrixBleed variants to nation-state targeting of telecommunications systems.

Author

J.W. Croley
June 26, 2025

In partnership with

You found global talent. Deel’s here to help you onboard them

Deel’s simplified a whole planet’s worth of information. It’s time you got your hands on our international compliance handbook where you’ll learn about:

  • Attracting global talent

  • Labor laws to consider when hiring

  • Processing international payroll on time

  • Staying compliant with employment & tax laws abroad

With 150+ countries right at your fingertips, growing your team with Deel is easier than ever.

While you were busy debating whether AI will replace your job, threat actors were busy proving that human stupidity is still the most reliable attack vector. This week's cybersecurity roundup features everything from law enforcement victories to critical infrastructure vulnerabilities – because apparently, we can't have nice things without someone trying to break them.

1. CitrixBleed 2.0 Vulnerability Allows Session Hijacking

Primary Threat: A new critical vulnerability in Citrix NetScaler ADC and Gateway devices is allowing unauthenticated attackers to hijack user sessions and bypass multi-factor authentication.

Risk: CRITICAL

Security researchers have discovered a new critical vulnerability (CVE-2025-5777) in Citrix NetScaler devices that's being dubbed "CitrixBleed 2" due to its similarity to the devastating 2023 vulnerability. The flaw allows unauthenticated attackers to access memory and steal session tokens, credentials, and sensitive data from over 56,500 publicly exposed endpoints. The vulnerability affects NetScaler devices configured as gateways or AAA virtual servers in versions before 14.1-43.56 and 13.1-58.32.

Mandiant CTO Charles Carmakal warns that many organizations failed to terminate sessions after patching the original CitrixBleed, allowing continued exploitation even after patches were applied. This led to nation-state espionage and ransomware deployments.

Detection and Remediation Tips:

  • Apply emergency patches immediately for affected NetScaler versions

  • Terminate all active ICA and PCoIP sessions after patching using kill icaconnection -all and kill pcoipconnection -all

  • Review existing sessions for suspicious activity before termination

  • Implement enhanced monitoring for unusual authentication patterns

  • Audit all external-facing NetScaler deployments for proper security configurations

2. French Police Arrest Major BreachForums Operators

Primary Threat: Law enforcement has successfully disrupted one of the world's largest cybercrime forums by arresting five key operators in France.

Risk: HIGH (Positive Development)

French police have arrested five operators of BreachForums, including notorious threat actors "ShinyHunters," "IntelBroker," "Hollow," "Noct," and "Depressed." The coordinated raids by Paris police cybercrime unit represent a major blow to the cybercrime ecosystem. ShinyHunters was linked to the massive Snowflake attacks affecting Santander, Ticketmaster, and AT&T, while IntelBroker breached Europol, AMD, HPE, and DC Health Link.

Detection and Remediation Tips:

  • Monitor for migration of BreachForums users to alternative platforms

  • Review your organization's exposure on previous BreachForums leaks

  • Implement enhanced monitoring for credential stuffing attacks

  • Strengthen third-party risk management processes

3. Salt Typhoon APT Exploits Cisco Flaw in Telecom Attacks

Primary Threat: Chinese state-sponsored hackers are exploiting a critical Cisco vulnerability to compromise global telecommunications infrastructure for espionage purposes.

Risk: HIGH

Canadian and U.S. authorities have issued warnings about Salt Typhoon APT group exploiting CVE-2023-20198 (CVSS 10.0) to target telecommunications providers. The attackers compromised a Canadian telecom company in February 2025, modifying configuration files to establish GRE tunnels for persistent data collection. The campaign extends to telecom providers in the U.S., South Africa, and Italy.

Detection and Remediation Tips:

  • Immediately patch all Cisco IOS XE devices, especially internet-facing systems

  • Monitor for unauthorized GRE tunnel creation and unusual network traffic

  • Audit edge network devices for signs of compromise

  • Implement network segmentation to limit the impact of infrastructure device compromise

Did you know...?

The original CitrixBleed vulnerability (CVE-2023-4966) was so devastating that it became a case study in how a single infrastructure flaw can cascade into global security incidents. Despite patches being available, many organizations failed to follow the critical step of terminating active sessions, allowing attackers to continue using stolen session tokens for months after the vulnerability was "fixed." This oversight led to some of the most significant nation-state espionage campaigns and ransomware deployments of 2023-2024, proving that patching alone isn't enough – proper remediation procedures are equally critical.

4. Scattered Spider Causes £440M Damage to UK Retailers

Primary Threat: The notorious Scattered Spider cybercrime group has caused up to £440 million in damages through coordinated attacks on major UK retailers.

Risk: HIGH

The UK Cyber Monitoring Centre has classified April 2025 attacks on Marks & Spencer and Co-op as a "single combined cyber event" with a financial impact between £270-440 million. Scattered Spider used sophisticated social engineering to target IT help desks, impersonating IT personnel to gain access. The group is now targeting U.S. insurance companies, following their pattern of sector-focused attacks.

Detection and Remediation Tips:

  • Implement comprehensive social engineering training for IT help desk staff

  • Establish strict verification procedures for IT support requests

  • Deploy call-back verification systems for sensitive system changes

  • If in insurance sector, implement heightened security measures immediately

5. McLaren Health Care Breach Affects 743,000 Patients

Primary Threat: A major healthcare system has disclosed a data breach affecting 743,000 patients following a ransomware attack by the INC gang.

Risk: HIGH

McLaren Health Care has disclosed that 743,000 patients were impacted by a July 2024 ransomware attack by the INC gang. The $6.6 billion healthcare system discovered the attack in August 2024, but the forensic investigation wasn't completed until May 2025. This marks McLaren's second major breach in two years, following a 2023 ALPHV/BlackCat attack affecting 2.2 million people.

Detection and Remediation Tips:

  • Healthcare organizations should implement comprehensive offline backup strategies

  • Deploy advanced endpoint detection tuned for healthcare environments

  • Establish network segmentation between medical and administrative systems

  • Develop incident response procedures accounting for healthcare operational requirements

6. Microsoft Exchange Servers Targeted in Keylogger Campaign

Primary Threat: Unidentified threat actors are conducting a long-term campaign targeting Microsoft Exchange servers with keylogger malware to harvest credentials.

Risk: MEDIUM-HIGH

Positive Technologies researchers have identified a persistent campaign targeting 65 Exchange servers across 26 countries, injecting JavaScript keyloggers into Outlook login pages. The campaign, active since 2021, exploits ProxyShell and ProxyLogon vulnerabilities to modify authentication pages. Twenty-two compromised servers belong to government organizations, with attacks spanning Vietnam, Russia, Taiwan, China, and other countries.

Detection and Remediation Tips:

  • Audit all publicly exposed Exchange servers for unauthorized page modifications

  • Implement file integrity monitoring on Exchange web directories

  • Deploy web application firewalls to detect malicious JavaScript injection

  • Review authentication logs for unusual patterns indicating credential harvesting

IN SUMMARY:

While law enforcement scored a significant victory with BreachForums arrests, the healthcare sector continues struggling with ransomware, and long-running campaigns like the Exchange keylogger attacks demonstrate how patient adversaries can operate undetected for years.

🚨 Key Takeaways:

✔️ Critical infrastructure vulnerabilities require immediate patching AND proper session management
✔️ Law enforcement successes provide temporary relief but don't eliminate underlying threats
✔️ Nation-state actors increasingly focus on telecommunications for long-term espionage
✔️ Social engineering remains highly effective against help desk personnel
✔️ Healthcare organizations need comprehensive security beyond basic compliance
✔️ Patient, low-profile campaigns can operate undetected for extended periods

🔎 Immediate Actions:

✔️ Patch Citrix NetScaler devices immediately and terminate active sessions
✔️ Strengthen social engineering training for IT help desk staff
✔️ Audit Exchange servers for unauthorized modifications
✔️ Monitor for GRE tunnels and unusual network traffic on critical infrastructure
✔️ Implement comprehensive healthcare security assessments
✔️ Establish baseline configurations for network infrastructure with change detection

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Organizations that need security choose Proton Pass

Proton Pass Business helps teams securely share passwords, manage access, and simplify onboarding.

Trusted by 50,000+ businesses and featured in The Verge and TechCrunch, Pass was built by the teams behind Proton Mail’s and SimpleLogin for startups, nonprofits, and enterprises alike. Secure your accounts, no training required.