This Month in Security: June 2025

June 30, 2025
-
Jordan Darrah

June has been dotted with many stories, and the most prevalent is what people are calling the “Mother of all Breaches”. Other stories this month include a significant shift in U.S. cybersecurity policy via a new executive order and a dramatic escalation of cyber warfare tied to geopolitical conflicts. While we typically try to keep political stories to a minimum, they played a major role in the cyber world this month.

Geopolitical Cyber Fronts Escalate

Open conflicts and international tensions fueled significant cyber activity this month, moving beyond espionage and into direct, disruptive attacks (Cybersecurity Drive).

  • Israel-Iran Cyber Warfare: The outbreak of open conflict between Israel and Iran on June 13 immediately spilled into cyberspace. The Israeli-linked hacking group known as Gonjeshke Darande, the Farsi name for Predatory Sparrow, claimed a destructive attack on Iran's Sepah Bank, causing widespread service outages (Wired, Radware).
  • Russia-NATO Tensions Rise Ahead of Summit: With the 2025 NATO Summit approaching, security analysts warn of increased Chinese and Russian hybrid threats against European nations. These threats include not just cyber espionage but also low-sophistication sabotage of critical infrastructure (such as submarine cables), weaponized disinformation using AI deepfakes, and disruptive cyberattacks aimed at destabilizing NATO members and exploiting internal divisions (Industrial Cyber).
  • U.S. Warns of Heightened Iranian Cyber Threats: The Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin in June warning that the ongoing conflict with Iran is creating a heightened threat environment for the U.S. The bulletin anticipates low-level attacks from pro-Iranian hacktivists and more targeted intrusions from state-affiliated operators against U.S. critical infrastructure (Industrial Cyber).

Policy Shift: A New U.S. Cybersecurity Executive Order

On June 6, a new U.S. Executive Order, "Sustaining Select Efforts to Strengthen the Nation's Cybersecurity," was issued. It aims to revise five key federal policy areas: securing third-party software supply chains, quantum cryptography, artificial intelligence (AI), Internet of Things (IoT) devices, and cybersecurity-related sanctions authorities over “foreign” actors (Woods Rogers, A&O Shearman).

  • Software Attestation Changes: The order removes some specific software attestation requirements for federal contractors but reaffirms the NIST Secure Software Development Framework (SSDF) as the government's authoritative source for secure software best practices (The Chertoff Group, NIST).
  • AI and Quantum Crypto: The order also prioritizes making federal cyber defense research data more accessible for AI development and directs agencies to incorporate AI software vulnerabilities into their standard disclosure processes (Woods Rogers).
  • Sanctions and IDs: The order refines the scope of cyber sanctions to apply specifically to "foreign malicious actors." It also removes some prior directives related to the federal acceptance of digital identity documentation and certain email encryption requirements (The Chertoff Group).

Notable Threats and Incidents

  • The "Mother of All Breaches" 2.0: A 16 Billion Credential Leak: Around June 18-19, cybersecurity researchers uncovered one of the largest data leaks in history. It was a massive compilation of 16 billion login credentials aggregated from countless personal and corporate devices that were infected with infostealer malware. The data included usernames and passwords for numerous services, including Apple ID, Google/Gmail, Facebook, PayPal, Microsoft, and various government portals (AP News, NBC DFW).
  • Malware This Month:
    • BrowserVenom Infostealer: A new malware campaign, dubbed "BrowserVenom," used malvertising to promote a phishing site impersonating the official website for a popular Chinese AI model, "DeepSeek-R1." Users interested in the AI tool were tricked into downloading the infostealer, which then harvested their sensitive information (Cyfirma).
    • Chameleon Trojan Disables Biometrics: A new version of the Chameleon Android banking trojan was discovered with a dangerous new capability: it can disable fingerprint and face unlock on targeted devices. This forces users to revert to entering their PIN, which the malware can then capture to gain access to the device and financial apps (BleepingComputer).
    • Water Curse APT: A newly identified threat group, "Water Curse," began targeting developers and security researchers by distributing malware hidden within weaponized Visual Studio projects hosted on GitHub (Acumen Cyber).
  • Major Breaches, Ransomware, and APT Activity:
    • American Express Breach via Third Party: American Express began sending data breach notifications to customers after a third-party service provider was breached. Breached information included customer names, AmEx card account numbers, and other card data like card expiration dates. The breach did not compromise American Express's own systems (BleepingComputer).
    • Healthcare Under Attack: Michigan-based McLaren Health Care began notifying over 740,000 individuals that their data, including Social Security numbers, was stolen in a ransomware attack (The Record).
    • Scattered Spider Shifts Focus: The financially motivated threat group known as Scattered Spider, or UNC3944, which was previously known for attacks on the retail sector, shifted its focus to target the U.S. insurance industry (Acumen Cyber).

June Patches and Vulnerabilities

  • Microsoft's June Patch Tuesday: On June 10, Microsoft addressed 67 new vulnerabilities, including one actively exploited zero-day in Web Distributed Authoring and Versioning (WebDAV) (CVE-2025-33053), which allows remote code execution (RCE). Nine vulnerabilities were rated Critical, including RCE flaws in Microsoft Office, Schannel, and the Remote Desktop Client (Ivanti, CrowdStrike).
  • CISA KEV Catalog: CISA added the WebDAV vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, along with an unspecified Apple vulnerability (CVE-2025-43200) and a command injection flaw in TP-Link routers (CVE-2023-33538), mandating that federal agencies patch swiftly (CISA).
  • Adobe: Adobe released a large batch of patches for its products, fixing 254 CVEs across Acrobat/Reader, Experience Manager, and more (HackerNews).

Key Takeaways for Staying Secure

  • Address the Credential Leak Immediately: The 16 billion credential leak is a critical threat to everyone. It is imperative to change passwords, especially for critical accounts (email, banking, social media) and enable strong, phishing-resistant multi-factor authentication (MFA), such as authenticator apps or security keys, on all services that support it. Avoid SMS-based 2FA when possible (Ozark FCU).
  • Patch WebDAV Zero-Day: The actively exploited WebDAV vulnerability (CVE-2025-33053) should be a top priority for patching in all Windows environments to prevent remote code execution (Qualys Blog).
  • Be Wary of AI-Themed Lures: The "BrowserVenom" campaign proves that threat actors are weaponizing interest in popular AI tools. Treat downloads from non-official sources with extreme suspicion, even if they appear high in search engine results (Cyfirma).
  • Enhance Mobile Security: The surge in sophisticated Android malware highlights the need for vigilance. Only download apps from official app stores, be wary of permissions requested by apps, and use mobile security software (The Hacker News).
  • Review Supply Chain Security for Developers: The "Water Curse" campaign targeting GitHub repos is a reminder for development teams to scrutinize the source and integrity of all third-party code and projects (Acumen Cyber).
  • Heighten Awareness for Critical Infrastructure: Organizations in critical sectors (energy, water, telecom, healthcare, government) must be on high alert due to escalating nation-state threats, implementing robust monitoring and adhering strictly to CISA advisories.
  • Reach Out: When needed, engage a trusted provider such as Cloud Security Partners to review your security posture (contact@cloudsecuritypartners.com).
