Good Morning Security Gang!
Welcome to your comprehensive daily cybersecurity briefing from the CyberHub Podcast. This final show of the week packed a tremendous amount of critical security news, from major ransomware developments to international cyber warfare escalations that demand immediate attention from security professionals worldwide.
CyberHub Podcast Episode 923 - June 5, 2025
Introduction
Episode 923 delivered an intensive overview of the current cybersecurity landscape, highlighting significant threats ranging from domestic ransomware operations affecting nearly 40,000 Americans to sophisticated nation-state attacks spanning from Ukraine's breach of Russian defense contractors to Iran's continued targeting of Iraqi officials. The episode also addressed concerning budget cuts at CISA, new regulatory developments in children's online privacy, and several major law enforcement victories against cybercriminal organizations.
Major Stories Breakdown
Lee Enterprises Ransomware Attack Aftermath
Lee Enterprises, the prominent newspaper publisher, completed its forensic investigation following a ransomware attack earlier this year, revealing the compromise of personal information belonging to 39,779 individuals, including Social Security numbers. The Qilin ransomware gang claimed responsibility for the attack, allegedly stealing 350 gigabytes of data and threatening to leak it unless ransom demands were met. The company has offered affected individuals twelve months of free credit monitoring and identity protection services, while investigators continue to monitor whether the stolen data has appeared on dark web marketplaces.
Play Ransomware Gang's Massive Campaign
Federal authorities issued a critical advisory revealing that the Play ransomware gang has victimized approximately 900 organizations over the past three years, making it the most active ransomware group in 2024 and continuing its destructive campaign through May 2025. The FBI and the Australian Cyber Security Centre updated their advisory to include new tactics, techniques, and procedures observed in recent attacks. Initial access brokers linked to Play have been exploiting three specific vulnerabilities in SimpleHelp remote monitoring and management software (CVE-2024-5772, 5773, and 5726), which, when chained together, allow privilege escalation and arbitrary code execution. The group has developed sophisticated evasion techniques, including recompiling its ransomware for each attack and communicating with victims through unique email addresses on the GMX.de and web.de domains, with some victims even receiving extortion phone calls.
CISA Budget Crisis and Workforce Reduction
In a concerning development, the Cybersecurity and Infrastructure Security Agency (CISA) has lost approximately 1,000 employees through buyouts, early retirements, and layoffs, reducing its workforce to around 2,200. More than 600 employees departed in the most recent round as part of the Department of Homeland Security's workforce transition program, with the actual number approaching 700 according to insider sources. This reduction doesn't include private contractors who stopped working for CISA following abrupt contract cancellations. The podcast host expressed serious concerns about the lack of strategic direction from the current administration regarding CISA's future, emphasizing that cybersecurity requires specialized personnel and that the agency cannot operate as a lean organization given the escalating threat landscape.
Ukraine's Strategic Cyber Operation Against Russia
Ukrainian military intelligence (GUR) successfully breached Tupolev, a Russian aerospace and defense company developing supersonic strategic bombers, stealing 4.4 gigabytes of classified information. The compromised data includes personnel information, internal management communications, procurement documents, engineer resumes, and minutes from closed meetings.
While weapons systems information wasn't specifically mentioned in the breach disclosure, Ukrainian sources indicated their hackers maintained persistent access to Tupolev's network for an extended period, gathering intelligence for future operations against other Russian defense sector organizations. This cyber operation represents a significant strategic move in the ongoing conflict, potentially influencing future peace negotiations.
Iran's Continued Cyber Aggression in Iraq
ESET researchers attributed new cyber attacks targeting Kurdish and Iraqi government officials to BladedFeline, assessed as a subcluster of the Iranian nation-state group OilRig. This campaign demonstrates Iran's ongoing cyber warfare strategy in Iraq, exploiting the power vacuum that has existed since Saddam Hussein's regime was overthrown in 2003.
The attacks target both the Iraqi government, which has been distancing itself from Iranian influence, and Kurdish officials who have historically maintained alliance with American forces. This cyber activity occurs amid Iran's weakened regional position following losses in Lebanon, Gaza, and Syria.
China's Escalating Cyber Accusations Against Taiwan
Chinese authorities issued warrants for twenty Taiwanese individuals, alleging they conducted hacking operations against mainland systems on behalf of Taiwan's ruling Democratic Progressive Party. Police in Guangzhou claimed the group was led by someone named Ning Naoi, though specific crimes weren't detailed.
Simultaneously, China banned all commercial dealings with Sicuens International Company, labeling its owners as "hardcore Taiwan independence supporters." This represents an escalation in China's economic and cyber warfare tactics against Taiwan, combining legal persecution with commercial restrictions.
Google Warns of Salesforce-Targeting Criminal Campaign
Google's Threat Analysis Group identified a sophisticated criminal operation called "Comm" that tricks companies into granting widespread access to their Salesforce applications. The criminals abuse Salesforce's legitimate Data Loader tool: impersonating IT support personnel, they convince employees to install modified Salesforce connected apps disguised as versions of Data Loader. Google tracks the campaign as UNC6040; it has targeted approximately twenty organizations and remains ongoing. The access obtained allows the criminals to exfiltrate sensitive data directly from Salesforce environments and move laterally into victims' cloud services and internal networks.
ClickFix Malware Evolution
Researchers analyzed the evolution of ClickFix attacks, which combine malware distribution with sophisticated social engineering techniques. These attacks exploit MFA verification fatigue and use fake CAPTCHA pages to silently install malware, specifically leveraging fake Cloudflare "humanness checks" that mimic the legitimate Turnstile system. This represents a concerning trend where attackers weaponize familiar security mechanisms against users, turning trusted security tools into attack vectors.
UAE Banking Security Enhancement
The UAE Central Bank issued a directive requiring financial institutions to eliminate weak authentication methods, specifically SMS and email-based one-time passwords, from all banking operations by March 26, 2026. This progressive move demonstrates the UAE's commitment to cybersecurity leadership, requiring banks to transition from legacy systems to more secure authentication mechanisms.
Congressional Action on Children's Online Privacy
FTC Chair Andrew Ferguson announced aggressive enforcement of newly formalized rules protecting children's online privacy and called on Congress to strengthen federal laws. An effort to update the Children's Online Privacy Protection Act (COPPA) died in the previous congressional session but was reintroduced in March.
The podcast emphasized the critical need for bipartisan action to protect children from online exploitation, human trafficking, and other digital threats.
BidenCash Marketplace Takedown
The Department of Justice successfully seized the BidenCash cybercrime marketplace, taking offline approximately 145 dark web and clear web domains. The marketplace, operational for less than a year, became one of the top carding platforms after publishing 3.3 million stolen credit cards for free in February 2023 as a promotional strategy.
BidenCash served over 117,000 customers, facilitating trade of more than 15 million payment card numbers and generating $17 million in revenue before its takedown.
Vile Cybercriminal Group Sentencing
Two members of the "Vile" cybercriminal group received prison sentences for hacking the DEA web portal in an extortion scheme. The group specialized in obtaining personal information for harassment, threats, and extortion through doxing.
Twenty-one-year-old Sagar Steven Singh (aka "Weep") received 27 months, while twenty-six-year-old Nicholas Ceraolo (aka "The Convict" or "Anon Ominous") received 25 months for aggravated identity theft and conspiracy to commit computer intrusion.
Summary
This episode highlighted the accelerating pace of cyber threats across multiple fronts, from ransomware operations affecting tens of thousands of Americans to sophisticated nation-state campaigns reshaping international relations.
The concerning reduction in CISA's workforce amid escalating threats raises questions about America's cybersecurity preparedness, while positive developments in law enforcement actions and regulatory improvements in children's online privacy provide some optimism for the cybersecurity community.
Action Items for Security Professionals
Immediate Risk Assessment: Conduct tabletop exercises based on Play ransomware TTPs and assess Simple Help RMM vulnerabilities in your environment
Supply Chain Review: Evaluate third-party risk management protocols, especially for RMM tools and Salesforce integrations
Authentication Modernization: Begin planning migration away from SMS and email-based OTP systems following UAE banking directive example
Employee Training: Implement enhanced social engineering awareness training focusing on IT impersonation and ClickFix attack vectors
Incident Response Planning: Update IR procedures to address sophisticated lateral movement through cloud services and SaaS applications
Threat Intelligence Integration: Monitor for Play ransomware indicators and Comm campaign TTPs in security tooling
Regulatory Compliance: Review children's privacy protection measures if handling youth data, anticipating strengthened COPPA requirements
Budget Planning: Assess cybersecurity staffing levels and budget allocations in light of CISA workforce reduction trends
✅ Story Links:
https://www.securityweek.com/lee-enterprises-says-40000-hit-by-ransomware-caused-data-breach/
https://www.securityweek.com/fbi-aware-of-900-organizations-hit-by-play-ransomware/
https://www.cybersecuritydive.com/news/cisa-departures-trump-workforce-purge/749796/
https://thehackernews.com/2025/06/iran-linked-bladedfeline-hits-iraqi-and.html
https://therecord.media/google-warns-cybercriminals-targeting-salesforce-apps
https://www.securityweek.com/clickfix-attack-exploits-fake-cloudflare-turnstile-to-deliver-malware/
https://www.bankinfosecurity.com/uae-central-bank-tells-fis-to-drop-sms-otp-authentication-a-28589
https://therecord.media/ftc-chair-implores-congress-to-strengthen-childrens-privacy-law
https://www.securityweek.com/carding-marketplace-bidencash-shut-down-by-authorities/
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.