Good morning security gang!
In today's packed episode of the Cyber Hub Podcast, we dive deep into the escalating cyber warfare landscape with China's Salt Typhoon continuing its devastating campaign against global telecommunications infrastructure, a massive $90 million cryptocurrency heist targeting Iran's largest exchange, and critical vulnerabilities demanding immediate attention. From supply chain attacks to ransomware breaches affecting millions of Americans, this episode covers the most pressing cybersecurity developments shaping our digital defense strategies.
Episode Summary - Thursday, June 19, 2025
China's Salt Typhoon Confirms ViaSat as Latest Victim
China's notorious Salt Typhoon cyber espionage group has claimed another major victim with the confirmation that ViaSat, a leading satellite broadband provider, has been successfully breached. This attack represents a significant escalation in what security experts are calling one of the most damaging cybersecurity breaches in American history. ViaSat provides critical satellite broadband services to aviation, military, energy, maritime, and enterprise customers worldwide, making this breach particularly concerning for national security.
The company disclosed to shareholders that 189,000 broadband subscribers in the United States alone were affected by the breach, which was discovered earlier this year. ViaSat has been working closely with federal authorities to investigate the full scope of the attack. This marks the second time ViaSat has fallen victim to state-sponsored cyber attacks, having previously been targeted by Russian hackers in February 2022, just one hour before Russia's invasion of Ukraine, which severely disrupted communications across Ukraine and Europe.
The FBI has confirmed that Salt Typhoon has successfully breached multiple major telecommunications providers including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream, as well as telecom infrastructure in over a dozen countries. This coordinated campaign demonstrates China's continued malicious activity against global telecommunications infrastructure, raising serious questions about the security of satellite backup systems and the need for robust telecommunications resilience planning.
Supply Chain Attack Hits UBS Through ChainIQ
A significant supply chain cyber attack has impacted major financial institution UBS through their procurement service provider ChainIQ. The attackers successfully exfiltrated sensitive data containing employee business contact details of several high-profile clients, including UBS and other real estate and construction services companies. ChainIQ's response time of eight hours and 45 minutes to revoke attacker access highlights concerning gaps in incident response capabilities.
The company's claim that this was a "never before seen attack on a global scale" has drawn criticism from cybersecurity experts, who note that supply chain attacks have become increasingly common. While ChainIQ stated that no customer bank data was compromised, the incident underscores the ongoing vulnerability of third-party service providers and the cascading effects these breaches can have on major financial institutions and their clients.
Healthcare Data Breach Affects 5.4 Million Americans
California-based healthcare technology firm Episource has disclosed a massive data breach affecting more than 5.4 million Americans. The attackers successfully stole an extensive range of sensitive information including Social Security numbers, health insurance ID numbers, Medicaid and Medicare ID numbers, and comprehensive medical records covering doctors, diagnoses, test results, images, and treatment information.
The company was forced to shut down its computer systems immediately upon discovery to contain the attack and prevent further data exfiltration. This defensive measure, while disruptive to operations, is standard incident response practice: isolating affected systems limits the scope of an ongoing intrusion. Law enforcement is actively involved in the investigation, and Episource is working with its customers to coordinate notification efforts for all affected individuals.
Krispy Kreme Ransomware Attack Reveals Extensive Data Loss
Krispy Kreme has confirmed that a ransomware attack that occurred on December 11, 2024, resulted in a significant data breach affecting thousands of individuals. The Play ransomware group claimed responsibility for the attack and successfully stole 184 gigabytes of sensitive data, which they subsequently published on their dark web leak site after Krispy Kreme refused to pay the ransom demand.
The compromised data includes an extensive range of personally identifiable information such as names, dates of birth, Social Security numbers, driver's license numbers, financial account information, usernames, passwords, payment card data, passport numbers, digital signatures, biometric data, U.S. military ID numbers, and medical information. The majority of impacted individuals are current or former Krispy Kreme employees and their family members. Texas authorities have been notified that nearly 7,000 Texans were affected, with breach costs exceeding $11 million and expected to increase throughout 2025.
Israel-Iran Cyber Warfare Escalates with $90 Million Crypto Heist
The cyber warfare between Israel and Iran has reached new heights with Predatory Sparrow, an Israeli-linked cyber group, claiming responsibility for stealing over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange. The sophisticated attack occurred on June 19, 2025, at 2:24 AM Eastern time, with the group subsequently burning the stolen funds in a politically motivated cyber attack.
Predatory Sparrow has promised to publish the company's source code and internal information stolen during the breach, continuing their pattern of releasing sensitive data from Iranian financial institutions. The attack follows previous successful operations against Iranian banks that caused widespread outages to account access, withdrawals, and payment systems. Additionally, Israeli cyber operations have successfully taken over Iranian television broadcasts, urging citizens to rise against the current regime.
In response to these escalating cyber attacks, Iran has implemented near-total internet blackouts and restricted international landline telephone services, effectively isolating the country's communications infrastructure. Network data from internet monitoring organizations has confirmed sharp drops in internet connectivity across Iran, representing one of the most comprehensive communication shutdowns in recent years.
Novel Russian Phishing Tactic Bypasses MFA
Russian state-sponsored hackers have developed a sophisticated new phishing tactic that successfully bypasses multi-factor authentication by exploiting app-specific passwords (ASPs). The attack targeted Keir Giles, a British expert on Russian information operations, demonstrating the advanced social engineering capabilities of Russian cyber operatives.
Google's threat intelligence team detected the attack and worked with Citizen Lab to analyze the novel technique. The attackers used well-executed social engineering messages to trick the target into generating and sharing app-specific passwords, which are typically used when applications don't support standard MFA protocols. This technique represents a significant evolution in phishing tactics and is expected to become more widely adopted by other threat actors now that the methodology has been exposed.
The attack highlights the ongoing vulnerability of app-specific password systems, particularly as Google has been phasing out support for less secure apps while still allowing personal Gmail account holders to generate these passwords. Security experts warn that this technique will likely become more common as other attackers adopt the Russian-developed methodology.
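App-specific passwords are long-lived credentials that sit outside the MFA challenge, so the defensive counterpart to the attack above is an inventory of which ASPs exist, which were created recently (possibly under social engineering) and which are no longer used. The following is an added example, not code from the podcast or from Google; it assumes a Google Workspace domain (personal Gmail accounts have no admin API), an OAuth bearer token with the Directory API's user-security scope, and the Admin SDK endpoint that lists a user's ASPs. The sample response is constructed for illustration.

```python
"""Audit Google Workspace app-specific passwords (ASPs) via the Admin SDK.

Added example. Assumes the Directory API endpoint
GET /admin/directory/v1/users/{userKey}/asps, whose items carry codeId,
name, creationTime and lastTimeUsed (epoch milliseconds as strings).
"""
import json
import urllib.request
from datetime import datetime, timezone

ASP_LIST_URL = "https://admin.googleapis.com/admin/directory/v1/users/{user}/asps"
MS_PER_DAY = 86_400_000

def fetch_asps(user_key, token):
    """Live call (not exercised by the sample run): list one user's ASPs."""
    req = urllib.request.Request(ASP_LIST_URL.format(user=user_key),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def flag_asps(asp_list, now_ms, max_idle_days=30, new_days=7):
    """Return ASPs worth a second look, each with the reasons it was flagged.

    "new": created within new_days; confirm with the user that they made it.
    "never-used"/"stale": MFA-exempt credentials nobody relies on; revoke them
    (DELETE .../users/{userKey}/asps/{codeId}).
    """
    flagged = []
    for asp in asp_list.get("items", []):
        created = int(asp.get("creationTime") or 0)
        last_used = int(asp.get("lastTimeUsed") or 0)   # "0" means never used
        age_days = (now_ms - created) // MS_PER_DAY
        idle_days = (now_ms - last_used) // MS_PER_DAY if last_used else None
        reasons = []
        if age_days <= new_days:
            reasons.append("new")
        if idle_days is None:
            reasons.append("never-used")
        elif idle_days > max_idle_days:
            reasons.append("stale")
        if reasons:
            flagged.append({"codeId": asp["codeId"], "name": asp.get("name", ""),
                            "reasons": reasons})
    return flagged

# Constructed sample response; "now" is 2025-06-19T00:00:00Z.
NOW_MS = int(datetime(2025, 6, 19, tzinfo=timezone.utc).timestamp() * 1000)
SAMPLE_RESPONSE = {"kind": "admin#directory#aspList", "items": [
    {"codeId": 1, "name": "Old mail client", "creationTime": str(NOW_MS - 400 * MS_PER_DAY),
     "lastTimeUsed": str(NOW_MS - 200 * MS_PER_DAY)},
    {"codeId": 2, "name": "Phone", "creationTime": str(NOW_MS - 40 * MS_PER_DAY),
     "lastTimeUsed": str(NOW_MS - 2 * MS_PER_DAY)},
    {"codeId": 3, "name": "Unknown app", "creationTime": str(NOW_MS - 1 * MS_PER_DAY),
     "lastTimeUsed": "0"},
    {"codeId": 4, "name": "Desktop client", "creationTime": str(NOW_MS - 3 * MS_PER_DAY),
     "lastTimeUsed": str(NOW_MS - 1 * MS_PER_DAY)}]}

if __name__ == "__main__":
    for hit in flag_asps(SAMPLE_RESPONSE, NOW_MS):
        print(f"codeId={hit['codeId']} name={hit['name']!r} reasons={hit['reasons']}")
```

Run across every user in the domain (the Directory API's users.list gives the keys) and treat any "new" hit as a prompt to verify with the user before an attacker has time to use it.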
Critical Linux Kernel Vulnerability Under Active Exploitation
CISA has issued urgent warnings about attackers actively targeting a high-severity vulnerability in the Linux kernel's OverlayFS subsystem that allows attackers to gain root privileges through local privilege escalation. The vulnerability, tracked as CVE-2023-0386, stems from improper ownership management weaknesses in the Linux kernel and was originally patched in January 2023.
Although the flaw was publicly disclosed only two months after that initial patch, proof-of-concept exploits have been circulating on GitHub since May 2025, leading to increased exploitation attempts in the wild. The vulnerability poses significant risks to organizations running affected Linux systems, particularly those that grant local user access. Federal agencies and private organizations are urged to prioritize patching efforts to prevent potential system compromises.
Major Vendor Security Updates Released
Multiple technology vendors have released critical security updates addressing high-severity vulnerabilities across their product portfolios. Cisco has issued firmware updates for Meraki devices to resolve a critical flaw (CVE-2025-20271) that allows attackers to cause AnyConnect VPN servers to restart continuously, leading to persistent denial-of-service conditions.
Atlassian has announced patches for five different vulnerabilities affecting third-party dependencies in Bamboo, Bitbucket, Confluence, Crowd, and JIRA products. These updates address various security weaknesses that could potentially be exploited by attackers to compromise enterprise collaboration and development environments.
Cloud Software Group has released security bulletins warning customers about two newly identified vulnerabilities in Citrix NetScaler ADC and Gateway products. CVE-2025-5349 affects both NetScaler ADC and Gateway through improper access control issues in the management interface, while CVE-2025-5777 results from insufficient input validation leading to memory over-read conditions when configured as a gateway.
International Law Enforcement Success Against Ransomware
International law enforcement cooperation has achieved a significant victory with the extradition of a 33-year-old Ukrainian national who operated multiple ransomware families including REvil, LockerGoga, MegaCortex, Hive, and Dharma. The suspect was arrested in Kiev at the FBI's request and extradited to the United States to face charges related to ransomware attacks against companies in France, Norway, Germany, the Netherlands, Canada, and the United States.
The investigation involved Ukrainian cyber police, national police, and international law enforcement partners, leading to the identification and seizure of devices and the arrest of multiple cybercriminals operating from Ukraine. This case demonstrates the growing effectiveness of international cooperation in combating ransomware operations and holding cybercriminals accountable across borders.
Key Action Items for Security Teams:
Immediate Patching Required: Update Linux systems affected by CVE-2023-0386, Cisco Meraki devices, Atlassian products, and Citrix NetScaler systems
MFA Assessment: Review and disable app-specific password functionality where possible, implement stronger authentication methods
Supply Chain Security: Audit third-party service providers and implement enhanced monitoring for supply chain attacks
Telecommunications Backup: Evaluate satellite communication backup strategies and implement redundant communication systems
Incident Response: Review and update incident response procedures, ensure rapid containment capabilities
Employee Training: Conduct advanced phishing awareness training focusing on social engineering tactics targeting MFA bypass
Vulnerability Management: Prioritize patching of internet-facing systems and critical infrastructure components
Threat Intelligence: Monitor for indicators of compromise related to Salt Typhoon, Play ransomware, and Russian phishing campaigns
✅ Story Links:
https://www.securityweek.com/chain-iq-ubs-data-stolen-in-ransomware-attack/
https://therecord.media/5-million-affected-episource-data-breach
https://www.securityweek.com/krispy-kreme-confirms-data-breach-after-ransomware-attack/
https://therecord.media/iran-internet-outages-israel-conflict
https://therecord.media/keir-giles-russia-expert-email-attack-gtig-citizen-lab-reports
https://www.securityweek.com/high-severity-vulnerabilities-patched-by-cisco-atlassian/
https://thecyberexpress.com/netscaler-adc-gateway-flaw-cve-2025-5349/
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.