San Mateo, CA, June 16, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
SimpleHelp flaw exploited in ransomware attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that ransomware groups are exploiting unpatched versions of SimpleHelp Remote Monitoring and Management (RMM) software to target utility billing software provider users. This activity is part of a broader trend observed since January 2025, in which threat actors leverage known vulnerabilities to gain access, escalate privileges, and execute remote code. Ransomware group DragonForce is among those exploiting these flaws, using them to breach Managed Service Providers and pivot to their downstream clients in double extortion campaigns. CISA urged organizations to update to the latest SimpleHelp release, isolate exposed servers, alert downstream customers, and monitor for signs of compromise. Additional guidance includes restoring encrypted systems from clean backups, maintaining offline backups, and avoiding internet-facing remote access tools like RDP. The agency also reiterated its stance against ransom payments, saying they “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” Read more.
Spyware hits journalists’ iPhones in Europe
Researchers at Citizen Lab have uncovered the first confirmed forensic evidence of Graphite spyware infections on iPhones belonging to at least two European journalists. Graphite, developed by Israeli firm Paragon Solutions, exploited a critical iOS vulnerability (CVE-2025-43200) via zero-click attacks using malicious media shared through iCloud Links. Apple patched the flaw in iOS 18.3.1 following its April 29 spyware alert. The researchers, Bill Marczak and John Scott-Railton, found matching digital fingerprints on the devices of Italian journalist Ciro Pellegrino and an anonymous journalist, linking both to the same Graphite operator. Pellegrino’s colleague, Francesco Cancellato, also received a spyware alert but showed no signs of infection. Citizen Lab sent its findings to Paragon, which did not respond. This comes amid political fallout in Italy, where COPASIR, the country’s parliamentary committee, confirmed the government had used Graphite on two individuals and rejected Paragon’s later offer to assist in an investigation of Cancellato. Italy’s DIS denied ending its contract with Paragon, though COPASIR stated it had declined further collaboration and might declassify Paragon’s testimony. Read more.
Nearly half of mobile users face daily scams
According to Malwarebytes’ Tap, Swipe, Scam report, which surveyed 1,300 adults across the U.S., U.K., Austria, Germany, and Switzerland, nearly half of mobile users report facing scams or threats daily. U.S. and U.K. users faced the highest exposure, with 51% and 49%, respectively, encountering mobile threats. While most respondents worry about lost files and productivity, the findings underscore rising enterprise risks due to widespread BYOD policies. Two-thirds of users said distinguishing scams from legitimate messages has become harder, and 36% admitted to falling victim at some point. Threats are most frequently delivered through email (65%), followed by phone calls, SMS, social media, and messaging apps. Social engineering is the top tactic used, with 53% encountering it and 19% falling for it. Malware infections were reported by 36%. Extortion threats, including ransomware, sextortion, deepfake scams, and even virtual kidnappings, affected a significant number of users. Emotional harm is also widespread, with 75% citing mental health issues or harassment. Read more.
Secure Boot bug enables stealthy bootkits
A critical Secure Boot bypass vulnerability tagged as CVE-2025-3052 has been disclosed by Binarly researchers, affecting nearly all PCs and servers that trust Microsoft’s “UEFI CA 2011” certificate. The flaw, caused by a legitimate BIOS update utility signed with this certificate, allows attackers with admin rights to disable Secure Boot and install bootkits. Initially developed for rugged tablets, the utility can run on any Secure Boot-enabled system. The exploit manipulates a writable NVRAM variable to inject arbitrary code during the UEFI boot process, bypassing early-stage security. Binarly’s proof-of-concept overwrote the ‘gSecurity2’ variable, effectively disabling Secure Boot enforcement. The utility has circulated since at least late 2022 and was uploaded to VirusTotal in 2024, leading to Binarly’s discovery and subsequent disclosure to CERT/CC in February 2025. Microsoft patched the vulnerability during its June 2025 updates, adding 14 affected module hashes to the Secure Boot revocation list. Users are urged to install the updated dbx file immediately. Read more.
INTERPOL takes down 20K malware IPs
INTERPOL announced the dismantling of over 20,000 malicious IP addresses and domains tied to 69 different information-stealing malware strains during Operation Secure. This coordinated law enforcement effort ran from January to April 2025. Involving 26 countries, the operation led to the seizure of 41 servers, more than 100 gigabytes of data, and the arrest of 32 individuals. Vietnamese authorities accounted for 18 arrests and confiscated cash, devices, and official documents, while raids in Sri Lanka and Nauru resulted in 14 more arrests. Hong Kong police uncovered 117 command-and-control servers spread across 89 internet providers, which had been used to manage campaigns involving phishing, fraud, and social media scams. Group-IB, a Singapore-based cybersecurity firm, contributed intelligence on compromised accounts linked to malware families such as Lumma, RisePro, and Meta Stealer. Read more.
23andMe users demand data deletion
23andMe’s interim CEO, Joseph Selsavage, told Congress that roughly 1.9 million customers, around 15% of the company’s base, have requested deletion of their genetic data since its March bankruptcy filing. His remarks came during a House Oversight Committee hearing focused on the company’s recent bankruptcy auction. Lawmakers and consumers are alarmed that genetic data could fall into the wrong hands. Regeneron, a pharmaceutical firm, won the auction with a $256 million bid and plans to use the DNA data for drug development, pledging to honor 23andMe’s privacy standards. A bankruptcy court will review the sale later in June. The hearing also revisited the 2023 data breach that compromised the personal and genetic information of 6.9 million users, which the company controversially blamed on customers’ lack of multi-factor authentication. Meanwhile, over two dozen states, including Florida, New York, and Pennsylvania, have filed lawsuits to block consumer data sales, arguing that such transfers without consent are unlawful. Read more.
House votes to cut CISA funding
A House subcommittee has approved a fiscal 2026 funding bill that would reduce the Cybersecurity and Infrastructure Security Agency’s (CISA) budget by $135 million compared to 2025, a smaller cut than the $495 million proposed by the Trump administration. The measure, passed 8-4 by the Homeland Security Appropriations Subcommittee, would set CISA’s funding at $2.7 billion. While Republicans argued the cuts target redundancies and refocus the agency on protecting federal networks, Democrats criticized the move as weakening national security. Illinois Rep. Lauren Underwood, the top Democrat on the panel, said the legislation “fails to address the catastrophic cybersecurity threats facing our critical infrastructure.” Rep. Mark Amodei, who chairs the subcommittee, said the bill ends initiatives like misinformation monitoring, which he claimed overstepped CISA’s authority. Democrats, including Reps. Lauren Underwood and Rosa DeLauro, warned that the reductions leave the U.S. more vulnerable to foreign cyberattacks. The bill consolidates election and chemical security under broader infrastructure protection efforts and removes diversity-focused positions. Despite partisan disagreement, the smaller-than-requested cut suggests bipartisan hesitance to fully adopt the Trump administration’s proposed CISA overhaul. Read more.
Optima Tax data leaked by hackers
Optima Tax Relief, one of the largest tax resolution firms in the U.S., appears to have suffered a significant data breach, with the Chaos ransomware gang reportedly leaking 69 gigabytes of corporate and customer case files, according to Bleeping Computer. The company has not confirmed the incident or issued a statement, and the number of affected individuals or businesses remains unknown. Tax-related data often includes highly sensitive details, including Social Security numbers and private financial information. Security expert Erich Kron warned that the “type of information stolen could also be used by social engineers to convince victims that they are from Optima and may lead to future scams and financial losses.” This incident follows a 2023 breach in which Optima disclosed the compromise of over 5,000 Social Security numbers. Read more.
OpenAI bans state-linked hackers from ChatGPT
OpenAI has banned several ChatGPT accounts tied to Russian and Chinese threat actors exploiting the platform for cyber operations. Russian-linked hackers used the model to iteratively refine Go-based malware, dubbed ScopeCreep, designed to evade detection, escalate privileges, and exfiltrate sensitive data from infected systems via a trojanized app impersonating Crosshair X. Meanwhile, Chinese groups APT5 and APT15 used ChatGPT for open-source research, infrastructure setup, and automation of brute-force and social media influence tools. Other banned accounts included North Korean IT worker scams, China-linked propaganda campaigns like Sneer Review and Operation VAGue Focus, and influence operations from Iran, Russia, the Philippines, and Cambodia. “Some of these companies operated by charging new recruits substantial joining fees, then using a portion of those funds to pay existing ‘employees’ just enough to maintain their engagement,” OpenAI’s Ben Nimmo, Albert Zhang, Sophia Farquhar, Max Murphy, and Kimo Bumanglag said. “This structure is characteristic of task scams.” Read more.
Cyberattack disrupts UNFI operations
United Natural Foods (UNFI), the largest publicly traded wholesale distributor in North America, experienced a cyberattack on June 5 that forced the company to shut down some systems, disrupting operations and customer orders. “The Company promptly activated its incident response plan and implemented containment measures, including proactively taking certain systems offline, which has temporarily impacted the Company’s ability to fulfill and distribute customer orders,” UNFI said. With 53 distribution centers serving over 30,000 locations across the U.S. and Canada, the Rhode Island-based company has implemented containment measures and workarounds while investigating the incident with the help of external cybersecurity experts. Although the nature of the breach remains unclear and no ransomware group has claimed responsibility, UNFI has reported the attack to law enforcement and is working to restore affected systems. The company, which reported $31 billion in revenue in 2024 and employs over 28,000 people, has not disclosed if any data was compromised. Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
