
Weekly Cybersecurity Breach Report: June 19–25, 2025

This week’s landscape was dominated by espionage and ransomware campaigns spanning telecommunications, insurance, finance, food distribution, critical infrastructure, and the software supply chain. State-sponsored and criminal actors alike leveraged vulnerability exploitation (including a Cisco IOS XE flaw patched back in 2023), social engineering, code-signing abuse, and destructive malware to breach high-value targets. Key incidents include Salt Typhoon’s compromise of Cisco IOS XE devices at a Canadian telecom provider, Scattered Spider’s DragonForce ransomware attacks on U.S. insurers, Fog ransomware’s combined espionage and extortion operation against an Asian financial institution, a crippling cyberattack on UNFI’s food-distribution systems, Authenticode stuffing of ConnectWise installers, the PurpleHaze espionage campaign that targeted SentinelOne’s supply chain, and the deployment of the destructive PathWiper against Ukrainian infrastructure.

>>Outpace Attackers With AI-Based Automated Penetration Testing

Chinese Salt Typhoon Campaign Exploits Critical Cisco Infrastructure

Incident Date: Mid-February 2025
Discovery Date: June 24, 2025

Overview:

A Chinese state-sponsored actor tracked under the Salt Typhoon umbrella exploited CVE-2023-20198, a critical flaw in the Cisco IOS XE web UI for which fixes have been available since October 2023, to retrieve and modify the running configuration of three network devices belonging to a Canadian telecommunications provider. The access gave the actor a persistent, network-level vantage point for covert traffic collection.

Explanation:

CVE-2023-20198 (CVSS 10.0) lets an unauthenticated remote attacker use the IOS XE web UI to create a local account with privilege level 15, which is full administrative control of the device. From that position the actor edited the running configuration to bring up a GRE tunnel to attacker-controlled infrastructure, giving them a standing channel for traffic collection and pivoting into adjacent networks. Note that GRE itself provides no confidentiality; unless it is wrapped in IPsec the tunnelled traffic is in the clear, which is one reason unexpected GRE sessions stand out in NetFlow and firewall logs.

Impact:

Sensitive subscriber and routing metadata were exposed, giving threat actors visibility into global telecommunications traffic flows. The compromise also created a foothold for future supply-chain or espionage operations against connected networks.

Details:

  • MITRE ATT&CK Mapping:
    – Initial Access: T1190 (Exploit Public-Facing Application)
    – Persistence: T1133 (External Remote Services)
    – Collection: T1557 (Adversary-in-the-Middle)
    – Command & Control: T1090 (Proxy)
  • IOCs: Exploitation traffic to the web UI on TCP/443 of affected devices, running-config changes and backups not tied to a change ticket, and GRE tunnel endpoints. The addresses 192.0.2.45 and 203.0.113.12 quoted in the original write-up fall in the RFC 5737 documentation ranges and are placeholders, not observed indicators.
  • Payload Analysis: Scripts injected via the IOS TCL shell (tclsh) to automate GRE tunnel creation.
  • Log Artifacts: %SEC_LOGIN-5-LOGIN_SUCCESS records for accounts nobody provisioned and %SEC_LOGIN-4-LOGIN_FAILED bursts from external addresses. %SEC-6-IPACCESSLOGP entries come from ACL logging rather than authentication, so they are useful for spotting management-plane access from unexpected source IPs, not for attributing a login.

CISO Takeaway:

Patch every Cisco IOS XE instance to a fixed release, then check each device for privilege-15 accounts and Tunnel interfaces that nobody provisioned. Disable the web UI (no ip http server / no ip http secure-server) where it is not needed, or restrict it to a management ACL; it should never be reachable from the internet. Monitor for configuration changes outside change windows and for GRE traffic to destinations that are not in your tunnel inventory.
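As an added example (not code from the Canadian Cyber Centre, Cisco, or this report), the following Python audit reads a running-config and reports the three artefacts this intrusion leaves behind: a privilege-15 account outside the known-admin list, a GRE tunnel interface, and a web UI that is enabled without an access-class ACL. The sample configuration and the KNOWN_ADMINS set are constructed assumptions; feed it the output of show running-config from your own devices.

```python
"""Audit a Cisco IOS XE running-config for the post-exploitation artefacts
described above.  Added example; the config below is constructed and does
not come from the incident."""
import re
from typing import Dict, List

# Constructed sample config (not a real device).  Tunnel0 and the
# 'cisco_support' user are the kind of artefacts a Salt Typhoon-style
# intrusion leaves behind; the rest is ordinary baseline config.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netops privilege 15 secret 9 $9$abc
username cisco_support privilege 15 secret 9 $9$def
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.12
 tunnel mode gre ip
!
"""

# Assumption: the admin accounts your CMDB says should exist on this device.
KNOWN_ADMINS = {"netops"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [body lines]} for each 'interface' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a top-level command ends the stanza
    return interfaces


def audit_config(config: str, known_admins=KNOWN_ADMINS) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. privilege-15 accounts that are not in the known-admin list
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    # 2. GRE tunnel interfaces ('tunnel mode gre ip' is the default and is
    #    omitted from running-config, so a Tunnel with no mode line is GRE)
    for name, body in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode = next((l for l in body if l.startswith("tunnel mode")),
                    "tunnel mode gre ip (default)")
        dest = next((l.split()[-1] for l in body
                     if l.startswith("tunnel destination")), "?")
        if "gre" in mode:
            findings.append(f"GRE tunnel {name} to {dest}")
    # 3. web UI reachable without an access-class ACL
    if re.search(r"^ip http (secure-)?server", config, re.M) and \
            not re.search(r"^ip http access-class", config, re.M):
        findings.append("HTTP(S) server enabled without an access-class ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a golden copy of each device's configuration and diff the findings over time; a new Tunnel interface or a new level-15 user between two runs is the signal. This complements, rather than replaces, Cisco's published check for the web UI implant, which sends a POST to /webui/logoutconfirm.html?logout_action= on the device and treats a hexadecimal string in the response as evidence of compromise.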

Scattered Spider Targets U.S. Insurance Sector with DragonForce Ransomware

Incident Date: June 7–12, 2025
Discovery Date: June 9–20, 2025

Overview:

The cybercrime group Scattered Spider used voice-based social engineering against Erie Insurance, Philadelphia Insurance Companies (PHLY), and Aflac to obtain credentials and MFA resets. Erie and PHLY suffered multi-day outages consistent with DragonForce ransomware deployment; Aflac reported stopping the intrusion within hours. All three face potential data exposure.

Explanation:

Attackers used vishing (T1566.004, Phishing: Spearphishing Voice) in both directions: calling help desks while posing as employees to obtain password and MFA resets, and calling employees while posing as IT staff to extract one-time codes. Both routes defeat MFA without touching its cryptography, because a human approves the enrolment or reads out the code. With working credentials they used PsExec and RDP for lateral movement before deploying the DragonForce encryptor.

Impact:

Erie Insurance experienced customer portal downtime and claims delays. Aflac contained its incident swiftly but reported possible exposure of sensitive policyholder data. PHLY remains under investigation for data exfiltration scope.

Details:

  • MITRE ATT&CK Mapping:
    – Initial Access: T1566.004 (Phishing: Spearphishing Voice)
    – Credential Access: T1110 (Brute Force), T1003 (OS Credential Dumping)
    – Lateral Movement: T1021 (Remote Services)
    – Impact: T1486 (Data Encrypted for Impact)
  • IOCs (not corroborated here against a vendor report; validate against a trusted feed before blocking or hunting on them):
    – Ransom note “README.txt” dropped in C:\ProgramData\DragonForce
    – Hash: 3d2f1b4c7e8a9d0f1234567890abcdef (32 hex characters, i.e. MD5-length, not SHA-256)
    – C2 Domains: dragonforce[.]net, dfc2[.]info
  • Payload Breakdown:
    – Encryptor binary XOR-obfuscated header, custom AES key negotiation over HTTP POST.
    – Registry edits to disable Windows Recovery Environment.

CISO Takeaway:

Enforce callback verification to a number of record for every help-desk credential or MFA reset, and treat MFA re-enrolment as a high-risk change that needs stronger identity proofing than a phone call. Train help-desk staff on vishing specifically. Deploy behavioural analytics to flag the tell-tale sequence: a reset followed by logon from a new device, PsExec service installation, then RDP fan-out to other hosts.
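As an added example (not from the report or any vendor), this Python snippet correlates constructed Windows event records to surface the lateral-movement chain described above: a network logon (4624, type 3), a PSEXESVC service installation (7045) on the same host by the same account, then an RDP logon (4624, type 10) to a different host from the same source address within a short window. The hosts, addresses, timings and the JUMP_HOSTS allow-list are assumptions.

```python
"""Detect the PsExec-then-RDP lateral-movement pattern in Windows events.
Added example; the event records are constructed, not from the incident."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events with the fields this check needs from Security 4624
# (logon) and System 7045 (service installed) records.
EVENTS = [
    {"ts": "2025-06-08T01:02:10", "id": 4624, "host": "FS01", "user": "jdoe",
     "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-06-08T01:02:14", "id": 7045, "host": "FS01", "user": "jdoe",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2025-06-08T01:05:41", "id": 4624, "host": "DC01", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.0.5.23"},
    # Benign: an admin RDPs in from the jump host with no PsExec beforehand.
    {"ts": "2025-06-08T09:15:00", "id": 4624, "host": "APP02",
     "user": "ops.admin", "logon_type": 10, "src_ip": "10.0.1.10"},
]

WINDOW = timedelta(minutes=30)
JUMP_HOSTS = {"10.0.1.10"}   # assumption: sanctioned admin source addresses


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def find_lateral_chains(events: List[dict], window: timedelta = WINDOW,
                        jump_hosts=JUMP_HOSTS) -> List[Dict]:
    """Return one finding per PSEXESVC install that is preceded by a network
    logon on that host and followed by an RDP logon elsewhere, all by the same
    user from the same source address inside `window`."""
    events = sorted(events, key=_ts)
    # Step 1: network logon -> PSEXESVC service install on the same host/user
    psexec_hits = []                       # (user, src_ip, host, install time)
    for i, ev in enumerate(events):
        if ev["id"] != 7045 or ev.get("service", "").upper() != "PSEXESVC":
            continue
        for prior in events[:i]:
            if (prior["id"] == 4624 and prior["logon_type"] == 3
                    and prior["host"] == ev["host"]
                    and prior["user"] == ev["user"]
                    and _ts(ev) - _ts(prior) <= window):
                psexec_hits.append((ev["user"], prior["src_ip"],
                                    ev["host"], _ts(ev)))
                break
    # Step 2: later RDP logon (type 10) by that user from that source to
    # a different host
    findings = []
    for user, src, host, installed_at in psexec_hits:
        for ev in events:
            if (ev["id"] == 4624 and ev["logon_type"] == 10
                    and ev["user"] == user and ev["src_ip"] == src
                    and ev["host"] != host
                    and timedelta(0) <= _ts(ev) - installed_at <= window):
                findings.append({"user": user, "src_ip": src,
                                 "psexec_host": host, "rdp_host": ev["host"],
                                 "from_jump_host": src in jump_hosts})
    return findings


if __name__ == "__main__":
    for f in find_lateral_chains(EVENTS):
        print("LATERAL MOVEMENT:", f)
```

The from_jump_host flag is there so that an analyst can down-rank chains that start from a sanctioned admin workstation; a chain from an ordinary user subnet, as in the constructed data, is the one that should page someone. In production the same logic runs over your SIEM's 4624/7045 tables rather than an in-memory list.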

 

FireCompass detects the risky ports and services most targeted by ransomware threats.

Access your Ransomware Susceptibility Risk: Get the free trial for the FireCompass Platform 

Fog Ransomware Deploys Advanced Espionage Tools in Asian Financial Sector

Incident Date: May 2025
Discovery Date: June 13, 2025

Overview:

Symantec researchers uncovered a Fog ransomware attack against an unnamed Asian bank that combined espionage tools—GC2, Syteca, Stowaway, Adaptix—with a final encryption stage, indicating a dual extortion/espionage mission.

Explanation:

Initial intrusion occurred via spear-phishing, followed by scheduled-task persistence (T1053) and process injection (T1055). GC2 leveraged Google Sheets/SharePoint for C2, while Syteca captured screen and keystrokes. Stowaway proxies facilitated lateral movement; Adaptix agent orchestrated the final ransomware payload.

Impact:

Prolonged dwell time enabled massive data exfiltration of financial records and customer PII. The final encryption disrupted core banking operations, forcing emergency incident response and system rebuilds.

Details:

  • MITRE ATT&CK Mapping (techniques named in this write-up): T1566 (Phishing), T1053 (Scheduled Task/Job), T1055 (Process Injection), T1102.002 (Web Service: Bidirectional Communication, the Google Sheets/SharePoint channel used by GC2), T1090 (Proxy, for Stowaway), T1041 (Exfiltration Over C2 Channel), T1486 (Data Encrypted for Impact).
  • IOCs:
    – GC2 beacon URLs in Google Sheets
    – DLL sideloading of SytecaMonitoring.dll
    – Stowaway proxy config in C:\Windows\Temp\stow.cfg
    – Adaptix agent hash 5f4dcc3b5aa765d61d8327deb882cf99 (this value is the MD5 of the string “password”, a placeholder; it is not a usable sample hash)
  • Log Traces: Scheduled task “SysUpdCheck” executing uaclaunch.exe.

CISO Takeaway:

Monitor legitimate SaaS and admin tooling (Google Sheets and SharePoint as C2 channels, employee-monitoring agents such as Syteca) for use by processes and accounts that have no business reason to touch them. Implement application allowlisting and continuous threat hunting to catch living-off-the-land behaviour, since none of the tools in this intrusion chain are malware by signature.
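As an added example (not Symantec's detection logic), this Python snippet runs over constructed proxy-log lines and flags non-browser processes that repeatedly hit the Google Sheets API or SharePoint, the footprint GC2 leaves when it polls a spreadsheet for tasking and writes results back. The log format, the process allow-list, and the uaclaunch.exe activity are constructed; only the hostnames are the real endpoints those services use.

```python
"""Flag Google Sheets / SharePoint traffic from processes that are not
browsers or sanctioned sync clients.  Added example; the proxy log lines and
the allow-list are constructed."""
import re
from collections import Counter
from typing import Dict, List

# Endpoints GC2 uses; a human reaches them through a browser.
C2_HOSTS = ("sheets.googleapis.com", "docs.google.com",
            "www.googleapis.com", ".sharepoint.com")
# Assumption: the only processes allowed to talk to those hosts here.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                     "onedrive.exe", "googledrivefs.exe"}

# Constructed proxy log: ts client process host method path status bytes
LOG = """\
2025-06-12T08:01:11Z 10.20.3.14 chrome.exe docs.google.com GET /spreadsheets/d/abc 200 18233
2025-06-12T08:01:12Z 10.20.3.14 chrome.exe sheets.googleapis.com GET /v4/spreadsheets/abc 200 2041
2025-06-12T08:03:30Z 10.20.3.14 uaclaunch.exe sheets.googleapis.com GET /v4/spreadsheets/xyz/values/A1 200 311
2025-06-12T08:04:30Z 10.20.3.14 uaclaunch.exe sheets.googleapis.com PUT /v4/spreadsheets/xyz/values/B1 200 128
2025-06-12T08:05:30Z 10.20.3.14 uaclaunch.exe sheets.googleapis.com GET /v4/spreadsheets/xyz/values/A1 200 305
2025-06-12T08:05:31Z 10.20.3.14 uaclaunch.exe sheets.googleapis.com PUT /v4/spreadsheets/xyz/values/B1 200 130
2025-06-12T08:06:30Z 10.20.3.14 uaclaunch.exe sheets.googleapis.com GET /v4/spreadsheets/xyz/values/A1 200 309
2025-06-12T08:10:00Z 10.20.3.14 OneDrive.exe corp.sharepoint.com GET /sites/hr 200 4400
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(log: str) -> List[Dict]:
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than crash
        ts, client, proc, host, method, path, status, nbytes = m.groups()
        rows.append({"ts": ts, "client": client, "proc": proc, "host": host,
                     "method": method, "path": path, "status": int(status)})
    return rows


def is_c2_host(host: str) -> bool:
    return any(host == h or host.endswith(h) for h in C2_HOSTS)


def find_gc2_candidates(log: str, min_requests: int = 3) -> List[Dict]:
    """Group requests to the C2-capable hosts by (client, process, host),
    drop allow-listed processes, and report groups with enough requests to
    look like a polling loop rather than a one-off."""
    hits: Counter = Counter()
    methods: Dict[tuple, set] = {}
    for r in parse_log(log):
        if not is_c2_host(r["host"]) or r["proc"].lower() in ALLOWED_PROCESSES:
            continue
        key = (r["client"], r["proc"], r["host"])
        hits[key] += 1
        methods.setdefault(key, set()).add(r["method"])
    return [{"client": c, "process": p, "host": h, "requests": n,
             "methods": sorted(methods[(c, p, h)])}
            for (c, p, h), n in hits.items() if n >= min_requests]


if __name__ == "__main__":
    for finding in find_gc2_candidates(LOG):
        print("GC2 CANDIDATE:", finding)
```

The alternating GET and PUT to the same spreadsheet, from a binary that is not a browser, is the pattern to look for: the implant reads a cell for its next task and writes output back. Tune min_requests to your environment and treat the process name as a weak signal on its own, since an attacker can rename the binary but cannot easily avoid the service endpoint.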

UNFI Cyberattack Disrupts North American Food Supply Chain

Incident Date: June 5, 2025
Discovery Date: June 9, 2025

Overview:

United Natural Foods Inc. detected unauthorized access on June 5 and shut down critical systems, including ordering and warehouse logistics, to contain the incident. Supply chain disruptions ensued across major retailers.

Explanation:

UNFI’s public disclosure described only “unauthorized activity” on its IT systems and did not name an initial access vector or a threat actor, so what follows is inference rather than confirmed fact. Taking ordering and warehouse systems offline is consistent either with containing an intrusion in progress or with halting data tampering. No ransomware note had surfaced publicly at the time of writing, so encryption-based or destructive intent is possible but unconfirmed.

Impact:

Empty shelves at Whole Foods and regional grocers. Manual order processing delayed deliveries across 30,000 retail locations, leading to revenue loss and reputational damage.

Details:

  • MITRE ATT&CK (speculative, since no public technical report exists): T1566 (Phishing), T1499 (Endpoint Denial of Service), T1070 (Indicator Removal).
  • IOCs (unverified): NTFS Event ID 55 (“The file system structure on the disk is corrupt and unusable”) on hosts with no hardware fault, and abnormal PowerShell script execution such as C:\scripts\unfi_recon.ps1. Event ID 55 records file-system corruption, not SMB write failures, so on its own it indicates damage rather than the network activity that caused it.

CISO Takeaway:

Maintain offline backups for all OT/IT systems. Enforce strict network segmentation to ensure operational continuity when core systems are compromised.

 

FireCompass finds exposed OT/IT assets and emulates real attacks on supply chain infrastructure before threat actors can.

Secure your Supply Chain with FireCompass: Get a free trial

 

ConnectWise Infrastructure Exploited Through Authenticode Stuffing

Incident Date: March–June 2025
Discovery Date: June 24, 2025

Overview:

Researchers exposed “EvilConwi,” a campaign abusing ConnectWise’s Authenticode signing to deliver malware-laden installers that pass signature validation while carrying malicious XML payloads.

Explanation:

ConnectWise’s ScreenConnect installers carry per-instance configuration inside the unauthenticated attributes of their Authenticode signature, a field the signed hash does not cover. Attackers rewrote that field with their own configuration (server address and the like), so the installer still validated against ConnectWise’s certificate while connecting to attacker infrastructure; G DATA named the technique “Authenticode stuffing”. Initial distribution was spear-phishing email that led victims through OneDrive and Canva links to the weaponized installers.

Impact:

Legitimate remote-access tools were weaponized at scale, evading most endpoint protections. Organizations relying on ConnectWise ScreenConnect face elevated risk of undetected compromise.

Details:

  • MITRE ATT&CK Mapping: T1566.002 (Phishing: Spearphishing Link, the OneDrive/Canva lures), T1553.002 (Subvert Trust Controls: Code Signing), T1219 (Remote Access Software), T1547 (Boot or Logon Autostart Execution).
  • IOCs: the installer hash quoted in the original write-up, 0e5751c026e543b2e8ab2eb06099dda6, is 32 hex characters and so cannot be a SHA-256 (64 characters); treat it as unverified. Embedded configuration reported under an XML-style <ConnectWiseConfig> element.
  • Detection: parse the Authenticode signature itself and alert on unauthenticated (unsigned) attributes that are unusually large, numerous, or carry unfamiliar OIDs; a signature that verifies as valid says nothing about this field.
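To make the detection point concrete, here is an added Python example (not G DATA's tooling or ConnectWise's code) that walks the DER of a PKCS#7 SignerInfo and reports the encoded size of each attribute in its unsignedAttrs ([1]) field, exactly the part of an Authenticode signature the hash does not cover. It builds two constructed SignerInfo structures rather than parsing a real PE: one carrying only a countersignature, and one "stuffed" with a large blob under a hypothetical vendor OID (1.3.6.1.4.1.99999.1). Extracting the SignerInfo from a real installer's security directory is left to a PE/PKCS#7 parser.

```python
"""Measure the unsignedAttrs ([1]) field of a PKCS#7 SignerInfo, the part of an
Authenticode signature not covered by the signed hash.  Added example; the
SignerInfo structures are constructed and the 'vendor config' OID is hypothetical."""
from typing import List, Tuple


# ---- tiny DER encoder, used only to build the constructed inputs ----
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit = continue
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(chunk)
    return der(0x06, bytes(out))


def attribute(oid_dotted: str, value: bytes) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }"""
    return der(0x30, oid(oid_dotted) + der(0x31, value))


def signer_info(unsigned_attrs: List[bytes]) -> bytes:
    """Trimmed SignerInfo: version, signature, then [1] IMPLICIT UnsignedAttributes."""
    body = der(0x02, b"\x01") + der(0x04, b"\x00" * 64)
    if unsigned_attrs:
        body += der(0xA1, b"".join(unsigned_attrs))
    return der(0x30, body)


# ---- tiny DER reader used by the audit ----
def read_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, off, off + length


def children(buf: bytes, start: int, end: int):
    off = start
    while off < end:
        tag, vs, ve = read_tlv(buf, off)
        yield tag, vs, ve
        off = ve


def decode_oid(b: bytes) -> str:
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def audit_unsigned_attrs(si: bytes, max_attr_bytes: int = 1024) -> dict:
    """Return every unsigned attribute as (oid, encoded size) and flag large ones.
    A countersignature or RFC 3161 timestamp is a few hundred bytes; kilobytes of
    opaque data under an unfamiliar OID is the stuffing signal."""
    _, start, end = read_tlv(si, 0)                 # outer SignerInfo SEQUENCE
    attrs = []
    for tag, vs, ve in children(si, start, end):
        if tag != 0xA1:                             # only [1] unsignedAttrs
            continue
        for _, a_s, a_e in children(si, vs, ve):    # each Attribute SEQUENCE
            _, o_s, o_e = read_tlv(si, a_s)         # its type OID
            attrs.append((decode_oid(si[o_s:o_e]), a_e - a_s))
    flagged = [(o, n) for o, n in attrs if n > max_attr_bytes]
    return {"attributes": attrs, "flagged": flagged, "suspicious": bool(flagged)}


# Constructed inputs
COUNTERSIG_OID = "1.2.840.113549.1.9.6"   # pkcs-9 counterSignature (real OID)
PAYLOAD_OID = "1.3.6.1.4.1.99999.1"        # hypothetical vendor-config OID
CLEAN = signer_info([attribute(COUNTERSIG_OID, der(0x30, b"\x00" * 200))])
STUFFED = signer_info([attribute(COUNTERSIG_OID, der(0x30, b"\x00" * 200)),
                       attribute(PAYLOAD_OID, der(0x04, b"<config/>" * 600))])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("stuffed", STUFFED)):
        print(name, audit_unsigned_attrs(blob))
```

The size threshold is deliberately crude; in practice pair it with an allow-list of OIDs you expect in that field (countersignature, RFC 3161 timestamp) and alert on anything else, since the signature verifier will happily report "valid" regardless of what sits there.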

CISO Takeaway:

Implement deep certificate-structure validation beyond signature checks. Restrict use of remote access software and monitor installer certificate metadata for anomalies.

SentinelOne Reveals PurpleHaze Chinese Espionage Campaign

Incident Date: July 2024–March 2025
Discovery Date: June 9, 2025

Overview:

SentinelOne investigators detailed PurpleHaze and ShadowPad operations targeting over 75 global organizations, including an attempted compromise of SentinelOne’s own supply chain via a managed-services provider.

Explanation:

Attackers gained their foothold through a third-party IT services provider (mapped in the original as T1195.002, Supply Chain Compromise; T1199, Trusted Relationship, is the closer fit where the vector is a provider’s access rather than a tampered software artefact) and deployed the ShadowPad backdoor from there. Reconnaissance (T1590), system-process creation for persistence (T1543), local data collection (T1005), and application-layer C2 (T1071) followed.

Impact:

By targeting a security vendor, PurpleHaze aimed to subvert defender visibility and facilitate subsequent campaigns against downstream customers in government, telecom, energy, and technology sectors.

Details:

  • MITRE ATT&CK Mapping spans T1590 through T1071.
  • IOCs (unverified here; confirm against SentinelOne’s published report before use): ShadowPad DLL named NvidiaDriver64.dll masquerading in C:\Windows\System32, unusual TLS SNI “sg-analytics.”
  • Log Artifacts: Process creation events for “UpdaterService.exe” with anomalous parent process svchost.exe.

CISO Takeaway:

Strengthen supply-chain security by validating vendor update integrity. Employ anomaly detection on update delivery channels and isolate vendor-managed assets.

PathWiper Malware Targets Ukrainian Critical Infrastructure

Incident Date: June 2025
Discovery Date: June 6, 2025

Overview:

Cisco Talos documented PathWiper, a destructive NTFS wiper deployed against Ukrainian organizations, building on HermeticWiper’s design to overwrite MBR, $MFT, $LogFile, and $Boot structures concurrently.

Explanation:

A batch script invoked a VBScript (uacinstall.vbs) that dropped sha256sum.exe, which spawned multiple threads to irreversibly corrupt NTFS metadata across all mounted and network volumes.

Impact:

Talos reported the wiper’s use against a Ukrainian critical-infrastructure entity. Because it corrupts boot structures and NTFS metadata on every volume it can reach, affected hosts cannot be repaired in place and must be rebuilt; network shares and any backup storage mounted at execution time are in scope too.

Details:

  • MITRE ATT&CK: T1078 (Valid Accounts), T1059.003 (Command Shell), T1036 (Masquerading), T1485 (Data Destruction).
  • IOCs (unverified here; confirm against the Cisco Talos write-up before use): Batch file “init_wipe.bat,” VBScript hash adf5c3e9ba1234df5678b9c0d1e2f3a4 (32 hex characters, MD5-length), and behavioural logs for sha256sum.exe, the wiper’s on-disk name, chosen to imitate the coreutils tool.

CISO Takeaway:

Deploy immutable, offline air-gapped backups and robust file-integrity monitoring. Enforce strict network segmentation to contain destructive malware propagation.


See Why FireCompass Is The Most Comprehensive PTaaS Platform Combining AI, Automated Pen Testing & Red Teaming

If you’d like to see FireCompass in action, don’t hesitate to Schedule a Demo.


Priyanka Aash

Priyanka has 10+ years of experience in Strategy, Community Building & Inbound Marketing and through CISO Platform has earlier worked with marketing teams of IBM, VMware, F5 Networks, Barracuda Network, Checkpoint, and more. Priyanka is passionate about Entrepreneurship and Enterprise Marketing Strategy. Earlier she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives.