Weekly One-Shot: June 22 - June 28, 2025

This week's threats and trends.

In partnership with

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

Discover the many benefits of global hiring

Global hiring and remote work are rising. Deel’s here to help. With our Business Case for Global Hiring Guide, we’ll guide you through everything.

Learn more about:

  • Benefits of global hiring

  • Global hiring methods

  • Costs of global hiring

  • Solutions to global hiring challenges

Isn't it time you dive into a world of global hiring capabilities? Explore the ins and outs of global hiring with our free, ready-to-use guide.

This week's cybersecurity landscape felt like watching a master class in "How to Break Everything Important." We've got Chinese hackers building router botnets like they're collecting Pokémon cards, critical infrastructure vulnerabilities that make your session tokens about as secure as a screen door, and zero-day exploits dropping faster than my patience during vendor security assessments.

But hey, at least law enforcement finally arrested some BreachForums operators, proving that occasionally the good guys do win one. Of course, this happened right after threat actors caused nearly half a billion pounds in damage to UK retailers, because apparently the universe has a twisted sense of timing.

Patch immediately. Terminate sessions religiously… And maybe consider that your IT help desk needs better social engineering training than a used car salesman. Let's dive into this week's digital chaos.

This week in Cybersecurity

  1. Chinese APT LapDogs Campaign Builds Massive Router Botnet for Espionage
    China-linked APT built an operational network of over 1,000 backdoored SOHO routers for long-term espionage operations targeting multiple countries.
    June 24 Newsletter

  2. Salt Typhoon APT Exploits Cisco Flaw in Telecom Attacks
    Chinese state-sponsored hackers are exploiting a CVSS 10.0 Cisco vulnerability to compromise global telecommunications infrastructure for espionage.
    June 26 Newsletter

  3. Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff
    TaxOff threat actors exploited a browser sandbox escape vulnerability to deploy Trinper backdoor in Operation ForumTroll targeting Russian organizations.
    June 24 Newsletter

  4. FreeType Zero-Day CVE-2025-27363 Exploited by Paragon Spyware
    Israeli surveillance firm Paragon exploited a WhatsApp vulnerability to deploy Graphite spyware through the messaging platform.
    June 24 Newsletter

  5. Scattered Spider Causes £440M Damage to UK Retailers
    The notorious cybercrime group caused massive financial damage to major UK retailers through sophisticated social engineering attacks targeting IT help desks.
    June 26 Newsletter

  6. McLaren Health Care Breach Affects 743,000 Patients
    McLaren disclosed a major data breach affecting 743,000 patients following a ransomware attack by the INC gang, marking their second breach in two years.
    June 26 Newsletter

  7. Microsoft Exchange Servers Targeted in Keylogger Campaign
    Long-running campaign since 2021 targeting 65 Exchange servers across 26 countries, injecting JavaScript keyloggers into Outlook login pages.
    June 26 Newsletter

  8. French Police Arrest Major BreachForums Operators
    Law enforcement successfully disrupted one of the world's largest cybercrime forums by arresting five key operators, including ShinyHunters and IntelBroker.
    June 26 Newsletter

  9. Zero-Day Vulnerabilities Surge in Critical Infrastructure
    Multiple zero-day discoveries in enterprise software platforms are creating significant patch management challenges for organizations.
    June 24 Newsletter

  10. Social Engineering Attacks Target IT Help Desks
    Sophisticated impersonation tactics by threat actors are specifically targeting IT personnel for initial access across multiple sectors.
    June 26 Newsletter

Biggest Threat This Week

CitrixBleed 2.0 Vulnerability Allows Session Hijacking

A new critical vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway devices is allowing unauthenticated attackers to hijack user sessions and bypass multi-factor authentication. Dubbed "CitrixBleed 2" due to its similarity to the devastating 2023 vulnerability, this flaw affects over 56,500 publicly exposed endpoints and allows attackers to access memory and steal session tokens, credentials, and sensitive data. The vulnerability affects NetScaler devices configured as gateways or AAA virtual servers in versions before 14.1-43.56 and 13.1-58.32. Mandiant's CTO warns that many organizations failed to terminate sessions after patching the original CitrixBleed, allowing continued exploitation even after patches were applied, leading to nation-state espionage and ransomware deployments. This vulnerability represents a critical threat to organizations relying on Citrix infrastructure for remote access and authentication.
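The two remediation points above, "are you below the fixed build?" and "did you terminate sessions after patching?", are easy to get wrong across a fleet, so here is a small triage script that checks both against an inventory. This is an added example, not Citrix's or the newsletter's own tooling. It assumes a constructed inventory where each appliance records its NetScaler version string (in the "14.1-43.56" form used above), whether it runs a Gateway or AAA virtual server, and the timestamps of the last patch and the last session flush; the fixed builds are the two stated in the summary.

```python
"""Fleet triage for CVE-2025-5777 (CitrixBleed 2), as summarised above.

Added example, not Citrix's or the newsletter's own code. Inventory records
and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Fixed builds per release branch, taken from the summary above:
# versions before 14.1-43.56 and 13.1-58.32 are affected.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}


def parse_version(v: str) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Split 'MAJOR.MINOR-BUILD.SUB' (e.g. '14.1-43.56') into ((14, 1), (43, 56)).

    Raises ValueError on anything that does not match that shape, so a
    malformed inventory entry is reported rather than silently treated as safe.
    """
    release, sep, build = v.strip().partition("-")
    if not sep:
        raise ValueError(f"no build number in version {v!r}")
    major, minor = (int(x) for x in release.split("."))
    b, _, s = build.partition(".")
    return (major, minor), (int(b), int(s or 0))


def is_vulnerable_version(v: str) -> Optional[bool]:
    """True if below the fixed build on its branch, False if at or above it,
    None if the branch is not one of the two with a listed fix."""
    branch, build = parse_version(v)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed


@dataclass
class Appliance:
    hostname: str
    version: str
    gateway_or_aaa: bool            # only Gateway / AAA vserver configs are affected
    patched_at: Optional[datetime]  # when the fixed build was installed, if known
    sessions_flushed_at: Optional[datetime]  # when existing sessions were terminated


def triage(a: Appliance) -> str:
    """Classify one appliance. The key case is 'patched but sessions not
    terminated': tokens stolen before the patch remain valid until flushed."""
    if not a.gateway_or_aaa:
        return "not-in-scope"
    vuln = is_vulnerable_version(a.version)
    if vuln is None:
        return "unknown-branch"
    if vuln:
        return "vulnerable-patch-now"
    flushed_after_patch = a.sessions_flushed_at is not None and (
        a.patched_at is None or a.sessions_flushed_at >= a.patched_at
    )
    if not flushed_after_patch:
        return "patched-but-sessions-not-terminated"
    return "remediated"


def triage_all(inventory: List[Appliance]) -> Dict[str, str]:
    """Return {hostname: status} for the whole fleet."""
    return {a.hostname: triage(a) for a in inventory}


# Constructed sample inventory (hostnames and dates are made up).
INVENTORY = [
    Appliance("ns-gw-01", "14.1-43.50", True, None, None),
    Appliance("ns-gw-02", "14.1-43.56", True, datetime(2025, 6, 25, 9, 0), None),
    Appliance("ns-gw-03", "13.1-58.32", True, datetime(2025, 6, 25, 10, 0),
              datetime(2025, 6, 25, 11, 0)),
    Appliance("ns-lb-04", "13.1-50.10", False, None, None),
    Appliance("ns-gw-05", "13.0-92.21", True, None, None),
]

if __name__ == "__main__":
    for host, status in triage_all(INVENTORY).items():
        print(f"{host:<10} {status}")
```

The "patched-but-sessions-not-terminated" bucket is the one the Mandiant warning is about: a device can show the fixed build and still be serving sessions whose tokens were stolen beforehand, so the inventory has to track the session flush as a separate remediation step, not infer it from the patch.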

Training Recommendation

Critical Infrastructure Vulnerability Management and Session Security

With the emergence of CitrixBleed 2.0 and multiple critical infrastructure vulnerabilities, organizations need comprehensive training on emergency patch management and proper session termination procedures. Focus areas should include understanding the criticality of session management beyond just patching, implementing proper session termination protocols, and developing rapid response procedures for critical infrastructure vulnerabilities. Additionally, with the rise of sophisticated social engineering attacks like those used by Scattered Spider, IT help desk staff need enhanced training on verification procedures and recognizing impersonation attempts. Organizations should also focus on zero-day response procedures and the importance of proper remediation steps that go beyond simple patching.

Train Now

Wrapping Up:

This week's cybersecurity landscape demonstrates the persistent and evolving nature of both nation-state and criminal cyber operations. From massive router botnets to critical infrastructure vulnerabilities, we're seeing threat actors become increasingly sophisticated in their targeting and persistence.

The arrest of BreachForums operators provides a rare bright spot, but the continued success of social engineering attacks and the emergence of new critical vulnerabilities like CitrixBleed 2.0 show that organizations must remain vigilant and proactive in their security posture.

The combination of zero-day exploits, critical infrastructure targeting, and large-scale data breaches underscores the need for comprehensive security strategies that address both technical vulnerabilities and human factors.

(P.S. Supporting our partners helps keep this newsletter running!)

Fact-based news without bias awaits. Make 1440 your choice today.

Overwhelmed by biased news? Cut through the clutter and get straight facts with your daily 1440 digest. From politics to sports, join millions who start their day informed.