Good Morning Security Gang!
Broadcasting from the Team8 CISO Village in South Florida, today's packed cybersecurity news cycle brings critical updates on supply chain disruptions, blood shortage crises, Chinese espionage campaigns, and significant FBI leadership changes.
From wholesale food distributors under siege to cybersecurity vendors becoming prime targets, the threat landscape continues to evolve with far-reaching consequences across multiple sectors.
Major Stories
United Natural Foods Hit by Devastating Cyber Attack
United Natural Foods, North America's largest publicly traded wholesale distributor, has been forced to shut down critical systems following a cyber attack discovered on Thursday, June 5th. The Rhode Island-based company, which operates 53 distribution centers and delivers fresh and frozen products to over 30,000 locations across the United States and Canada—including major supermarket chains like Whole Foods—disclosed the incident in both an SEC filing and press release.
The attack has already resulted in widespread employee shift cancellations, raising concerns about potential supply chain disruptions reminiscent of the UK's Co-op incident that led to empty shelves across the country. While the company has not disclosed the nature of the attack or the threat actors involved, the incident highlights the critical vulnerability of supply chain infrastructure and the importance of proper crisis communication with employees during such events.
UK Blood Crisis: Cyber Attack Creates Million-Donor Emergency
The UK's National Health Service (NHS) is desperately seeking one million blood donors as stocks remain critically low following last year's significant cyber attack that disrupted pathology services across several London healthcare organizations. The attack's downstream impact has created a severe shortage of O-negative blood, which comprises only 8% of the population but accounts for 15% of all blood used by hospitals and first responders.
Unable to quickly match patients' blood types during the crisis, hospitals were forced to rely heavily on universal O-type blood as the safest transfusion option. This case study demonstrates the long-term, life-threatening consequences of cyber attacks on healthcare infrastructure, with effects still being felt a full year after the initial incident.
Ticketmaster Data Resurfaces in Cybercrime Underground
The Arkana Security extortion gang has briefly relisted stolen Ticketmaster data from the 2024 Snowflake-related breaches, marking a troubling trend in data resale activity. The original breach affected multiple companies including Santander, AT&T, Advance Auto Parts, Neiman Marcus, Los Angeles Unified School District, Pure Storage, and Cylance—all victims of compromised Snowflake instances lacking multi-factor authentication.
Security experts suggest this reselling pattern indicates either extremely cheap data acquisition costs or unpaid cybercrime affiliates attempting to recoup losses by remarketing previously stolen information. This trend mirrors similar incidents with Change Healthcare and other high-profile breaches, highlighting internal disputes within cybercrime organizations and the ongoing monetization of stolen data.
FBI Appoints New Cyber Operations Leader
The FBI has announced Brett Leatherman as its new Deputy Chief of Cyber Operations, marking a significant leadership change in the Bureau's cybersecurity efforts. Leatherman, a career FBI official with over two decades of experience, was personally selected by new FBI Director Kash Patel to replace the recently retired Bryan Vorndran.
Having previously served as Deputy Assistant FBI Director for Security Operations and Section Chief of National Security Cyber Operations, Leatherman brings extensive experience in state-affiliated cyber threats and multi-agency intelligence coordination from his time at the Cleveland and Detroit field offices. This appointment comes amid increased federal focus on cybersecurity, following Director Patel's recent appearance on Joe Rogan's podcast discussing cyber warfare and the administration's new executive orders addressing cybersecurity strategy.
Chinese Espionage Campaign Targets Cybersecurity Vendors
SentinelOne has revealed a sophisticated 12-month campaign by China-nexus threat actors targeting cybersecurity vendors through espionage and reconnaissance operations. While the attackers never successfully penetrated SentinelOne's network, they did briefly compromise a third-party contractor handling employee laptop logistics, demonstrating the persistent supply chain risks facing security companies.
The campaign targeted over 70 organizations between July 2024 and March 2025, including a South Asian government IT agency and a major European media group, utilizing well-known Chinese espionage tools like the ShadowPad backdoor and exploiting zero-day vulnerabilities in Check Point, Fortinet, SonicWall, and Ivanti systems. This disclosure underscores a critical blind spot in the industry's threat model, as cybersecurity vendors represent high-value targets due to their visibility into thousands of downstream customers.
Scattered Spider Launches New MSP Campaign
The notorious Scattered Spider threat group has shifted focus to targeting Managed Service Providers (MSPs) and IT vendors as part of a strategic campaign to infiltrate their customers' networks. According to ReliaQuest research, the group has deployed sophisticated social engineering techniques to trick workers into providing access credentials and bypass multi-factor authentication systems.
Analysis of over 600 domains linked to Scattered Spider reveals that 81% impersonate technology vendors, with 70% of targets concentrated in technology, finance, and retail sectors. This evolution in tactics demonstrates the group's adaptation to increasingly hardened direct targets, instead pursuing supply chain compromise as a more effective attack vector.
React Native Supply Chain Attack Compromises Popular Packages
Over the weekend, GlueStack's React Native Aria packages were backdoored in a significant supply chain attack targeting application development infrastructure. The compromised packages, some of which hadn't been updated in years, collectively receive over one million weekly downloads, making this a particularly impactful breach.
While React Native Aria operates as a front-end-only library without CLI or script execution capabilities, the incident highlights the growing danger of open-source package compromise and the critical need for secure software development practices. This attack aligns with recent executive orders requiring government contractors to follow secure code development processes, signaling a shift toward mandatory security standards for software procurement.
Wazuh Security Platform Exploited by Mirai Botnet
A critical remote code execution vulnerability in Wazuh servers has been actively exploited by the Mirai botnet, according to Akamai security researchers. Wazuh, a popular free and open-source security platform designed for threat detection and response, has patched the unsafe deserialization vulnerability that allows remote code execution on servers.
The flaw can be triggered by anyone with API access or, in certain configurations, even compromised agents. With proof-of-concept exploits enabling denial-of-service attacks already circulating, organizations running Wazuh installations face immediate risk and should prioritize patching efforts.
Google Play Store Crypto Phishing Campaign Uncovered
Cybersecurity researchers have identified over 20 malicious applications on the Google Play Store designed to target cryptocurrency wallet users through sophisticated phishing schemes.
The deceptive applications impersonated well-known wallet platforms including SushiSwap, PancakeSwap, HyperLiquid, and Raydium, using identical names and similar logos to trick users into revealing sensitive mnemonic phrases.
This effectively hands over complete control of victims' digital assets to attackers. The campaign exploits Google Play's less stringent security measures compared to Apple's App Store, allowing fraudulent applications from different developers to masquerade as legitimate cryptocurrency platforms.
Nigeria Convicts Chinese Cyber Fraud Syndicate
A Federal High Court in Nigeria has convicted nine Chinese nationals for operating an international cyber fraud syndicate, sentencing each to one year in prison for training and recruiting young Nigerians to commit online fraud. Operation Eagle Flush, as described by Nigerian investigators, specifically targeted victims in the United States and Europe through dating, romance, and investment scams orchestrated primarily by Chinese nationals.
The defendants, who reached plea deals and will be deported after completing their prison terms, were each fined $640. This case exemplifies the global reach of Chinese-backed cybercrime operations, with similar activities documented across Myanmar, the Philippines, and other regions worldwide.
James’ Take
Today's cybersecurity landscape reveals an increasingly sophisticated and interconnected threat environment where supply chain attacks, nation-state espionage, and cybercrime syndicates converge to create multifaceted risks for organizations worldwide. The downstream impacts of cyber attacks—from blood shortages in the UK to food distribution disruptions in North America—demonstrate that cybersecurity incidents extend far beyond immediate technical concerns to affect public health, safety, and essential services.
Action Items
Immediate Patching: Organizations using Wazuh security platforms must immediately apply available patches for the critical RCE vulnerability being exploited by Mirai botnet
Supply Chain Assessment: Companies should conduct comprehensive reviews of third-party vendors, contractors, and open-source dependencies, particularly focusing on security practices and access controls
MFA Implementation: All organizations must enforce multi-factor authentication across all systems, especially cloud platforms like Snowflake, to prevent credential-based attacks
Employee Communication Planning: Develop crisis communication strategies for cyber incidents that include sensitive employee management to prevent information leaks and maintain workforce stability
MSP Security Review: Managed Service Providers and IT vendors should implement enhanced security monitoring and social engineering awareness training given increased targeting by Scattered Spider
Mobile App Verification: Cryptocurrency users must verify application authenticity through official channels and avoid downloading wallet applications from app stores without thorough verification
Blood Donation Response: UK residents should consider participating in the NHS blood donation drive to address the ongoing shortage caused by cyber attack disruptions
Chinese Threat Awareness: Organizations should implement enhanced monitoring for Chinese-linked threat actors, particularly focusing on reconnaissance activities and supply chain compromise attempts
Secure Development Practices: Development teams must implement secure coding practices and regular dependency audits, especially for React Native applications and open-source packages
Executive Order Compliance: Government contractors should begin preparing for new secure software development requirements mandated by recent executive orders
✅ Story Links:
https://therecord.media/uk-nhs-calls-for-blood-donations-after-cyberattack
https://therecord.media/brett-leatherman-fbi-cyber-replacing-bryan-vorndran
https://www.cybersecuritydive.com/news/scattered-spider-msps-it-vendors-social-engineering/750172/
https://www.securityweek.com/react-native-aria-packages-backdoored-in-supply-chain-attack/
https://www.securityweek.com/mirai-botnets-exploiting-wazuh-security-platform-vulnerability/
https://thecyberexpress.com/new-crypto-phishing-campaign/
https://therecord.media/nigeria-jails-9-chinese-nationals-cyber-fraud
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.