
Unknown Host
From the CISO series, it's Cybersecurity Headlines.
Sarah Lane
These are the cybersecurity headlines for Wednesday, June 25, 2025. I'm Sarah Lane.

Hackers target over 70 Microsoft Exchange servers to steal credentials via keyloggers. Unidentified attackers are targeting over 70 publicly exposed Microsoft Exchange servers by injecting JavaScript-based keyloggers into login pages to steal credentials. According to Positive Technologies, the campaign spans 26 countries and exploits known Exchange vulnerabilities like ProxyShell and ProxyLogon, with some attacks dating back to 2021. Exfiltration methods include local file storage, Telegram bots and DNS tunnels, making detection difficult while capturing credentials and user data in plain text.

Apple, Netflix, Microsoft sites hacked for tech support scams. Tech support scammers are exploiting Google Ads and search parameter injection to display fake support phone numbers on legitimate sites like Apple, Microsoft and Netflix. Instead of spoofing websites, the attackers link to real support pages with manipulated URLs that show scammer numbers in search results, tricking users into calling them. Once engaged, the scammers aim to steal personal data, payment info or gain remote access to victims' devices.

The 2022 initiative by Cloudflare, CrowdStrike and Ping Identity provided cybersecurity support to critical infrastructure sectors seen as potential targets of Russia-linked attacks. Cloudflare, CrowdStrike and Ping Identity have ended their free critical infrastructure defense project, originally launched in 2022 to protect sectors like health care and utilities from Russia-linked cyber threats. The shutdown comes as DHS warns Iranian hackers may retaliate against U.S. networks following recent U.S. strikes on Iran's nuclear sites. The NTAS bulletin also cites growing risks of cyber and physical attacks from Iranian-aligned actors and extremist groups.

New FileFix attack weaponizes Windows File Explorer for stealthy commands. A researcher has developed FileFix, a new variant of the ClickFix attack that tricks users into pasting malicious PowerShell commands into the Windows File Explorer address bar, enabling stealthy command execution. Unlike prior ClickFix attacks that relied on the Run dialog, FileFix uses a familiar UI and disguises the command behind a fake file path, and is likely to be adopted by threat actors due to its simplicity and ability to evade detection.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's threatlocker.com/CISO.

Aflac, one of the US's largest insurers, is the latest to fall under siege to hackers. Aflac, one of the largest US insurers, is investigating a data breach that may have exposed Social Security numbers, health data and other sensitive customer information. The attack is suspected to be linked to Scattered Spider, a group known for low-tech social engineering tactics like impersonating employees to bypass security. Despite being labeled highly sophisticated, the methods reportedly involved phishing, SIM swapping and MFA fatigue, not advanced exploits.

A Russian court sentenced four REvil ransomware members for trafficking stolen U.S. payment card data, but released them immediately, citing time served in pretrial detention. The case wasn't tied to REvil's major ransomware attacks and is one of the rare instances of Russia prosecuting its own hackers, likely prompted by US pressure back in 2021.

Threat actor trojanizes copy of SonicWall NetExtender VPN app. A threat actor distributed a trojanized version of SonicWall's NetExtender VPN app designed to steal user credentials and VPN configuration data. The malicious installer, signed by a suspicious entity, was hosted on attacker-controlled sites to trick users searching for the legitimate app. SonicWall and Microsoft have since mitigated the threat, revoked the fake certificate and warned users to only download software from official sources.

Don't panic, but it's only a matter of time before critical Citrix Bleed 2 is under attack. Citrix has patched a critical vulnerability dubbed Citrix Bleed 2, affecting NetScaler ADC and Gateway products, which could allow unauthenticated attackers to access sensitive memory data like session tokens. The flaw is similar to the original Citrix Bleed, which was heavily exploited by ransomware groups, and experts warn it's a matter of time before the new bug is also targeted. Citrix urges immediate patching and session-killing commands to mitigate the threat, especially as updated CVE descriptions suggest the risk is more severe than initially disclosed.

Be sure you're registered for this week's Super Cyber Friday event, all about hacking the internal politics of cybersecurity. If you've ever been challenged by navigating the tricky waters of an organization to get the security mission done, you need to join us. We've got two seasoned CISOs joining us this Friday, 1pm Eastern Time, talking for an hour about why just being right isn't enough when it comes to security decisions.

To register to join us, head on over to the Events page at CISOseries.com, and if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Sarah Lane reporting for the CISO Series, and we'll talk to you next time.
Unknown Host
Cybersecurity Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Release Date: June 25, 2025
Host: Sarah Lane
At the outset of the episode, Sarah Lane highlights a concerning trend where over 70 publicly exposed Microsoft Exchange servers have been compromised by unidentified attackers. These adversaries have been injecting JavaScript-based keyloggers into the login pages of these servers to illicitly capture user credentials. Lane reports:
"Unidentified attackers are targeting over 70 publicly exposed Microsoft Exchange servers by injecting JavaScript based keyloggers into login pages to steal credentials." [00:07]
The campaign, as detailed by Positive Technologies, spans 26 countries and exploits known vulnerabilities like ProxyShell and ProxyLogon, with some of the attacks dating back to 2021. The sophistication of this operation is underscored by the diverse exfiltration methods employed, including local file storage, Telegram bots, and DNS tunnels, which collectively make the detection of such breaches notably challenging. Credentials and user data are captured in plain text, exacerbating the security risks associated with these breaches.
Sarah Lane shifts focus to a prevalent scam strategy targeting major tech companies. Tech support scammers have been exploiting Google Ads and search parameter injection to display fake support phone numbers on legitimate websites belonging to Apple, Microsoft, and Netflix. Instead of creating spoofed websites, these attackers cleverly manipulate URLs on real support pages to present fraudulent contact information within search results. Lane explains:
"Instead of spoofing websites, the attackers link to real support pages with manipulated URLs that show scammer numbers in search results, tricking users into calling them." [00:07]
Once users engage with these fraudulent contacts, the scammers' objectives include stealing personal data, payment information, or even gaining remote access to victims' devices, thereby posing significant threats to individual and organizational cybersecurity.
The episode touches on the cessation of a pivotal cybersecurity initiative. Cloudflare, CrowdStrike, and Ping Identity have terminated their free critical infrastructure defense project, which was launched in 2022. This project aimed to safeguard sectors deemed potential targets of Russia-linked cyber threats, such as healthcare and utilities. Lane notes:
"Cloudflare, CrowdStrike and Ping Identity have ended their free critical infrastructure defense project, originally launched in 2022 to protect sectors like health care and utilities from Russia linked cyber threats." [00:07]
This shutdown coincides with warnings from the Department of Homeland Security (DHS) about potential retaliation from Iranian hackers against U.S. networks, especially following recent U.S. strikes on Iran's nuclear sites. The associated NTAS bulletin further emphasizes the escalating risks of cyber and physical attacks from Iranian-aligned actors and extremist groups, highlighting the dynamic and evolving nature of cyber threats.
A novel threat named FileFix has emerged, as detailed by Lane. This attack variant manipulates the Windows File Explorer to execute stealthy commands by tricking users into pasting malicious PowerShell commands into the address bar. Unlike previous ClickFix attacks that relied on the Run dialog, FileFix leverages a familiar user interface, disguising the malicious commands behind fake file paths. Lane elaborates:
"FileFix uses a familiar UI and disguises the command behind a fake file path, and is likely to be adopted by threat actors due to its simplicity and ability to evade detection." [00:07]
This method's simplicity and effectiveness in evading detection make it an attractive tactic for threat actors seeking to execute commands without raising immediate alarms.
One of the significant breaches discussed is the data compromise faced by Aflac, a leading U.S. insurer. The breach potentially exposed Social Security numbers, health data, and other sensitive customer information. Lane reports:
"Aflac, one of the largest US insurers, is investigating a data breach that may have exposed Social Security numbers, health data and other sensitive customer information." [00:07]
The attack is believed to be orchestrated by the group Scattered Spider, known for employing low-tech social engineering tactics such as impersonating employees to circumvent security measures. Despite being labeled as highly sophisticated, the breach primarily involved phishing, SIM swapping, and Multi-Factor Authentication (MFA) fatigue, rather than advanced technical exploits.
In a notable development, a Russian court sentenced four members of the REvil ransomware group for trafficking stolen U.S. payment card data. However, these individuals were released immediately, having served time in pretrial detention. Lane provides context:
"A Russian court sentenced four REvil ransomware members for trafficking stolen U.S. payment card data, but released them immediately, citing time served in pretrial detention." [00:07]
This case is particularly significant as it is one of the rare instances where Russia has prosecuted its own hackers. The likely impetus for this action stems from U.S. pressure dating back to 2021. Notably, the case was not linked to REvil's major ransomware attacks, distinguishing it from the group's more infamous cybercriminal activities.
The episode warns of a new threat involving the trojanization of the SonicWall NetExtender VPN application. Attackers have been distributing malicious versions of this VPN client designed to steal user credentials and VPN configuration data. Lane explains:
"A threat actor distributed a trojanized version of SonicWall's NetExtender VPN app designed to steal user credentials and VPN configuration data." [00:07]
The malicious installer was signed by a suspicious entity and hosted on attacker-controlled sites, deceiving users seeking the legitimate application. In response, SonicWall and Microsoft have mitigated the threat by revoking the fake certificate and urging users to only download software from official sources, thereby minimizing the risk of further compromises.
Concluding the episode, Lane discusses the newly patched Citrix Bleed 2 vulnerability, which affects NetScaler ADC and Gateway products. This critical flaw allows unauthenticated attackers to access sensitive memory data, including session tokens. She states:
"Citrix has patched a critical vulnerability dubbed Citrix Bleed 2, affecting NetScaler ADC and Gateway products, which could allow unauthenticated attackers to access sensitive memory data like session tokens." [00:07]
The Citrix Bleed 2 vulnerability mirrors the original Citrix Bleed, which was heavily exploited by ransomware groups. Experts warn that it is only a matter of time before the new flaw becomes a target for similar malicious activity. Citrix has urged immediate patching and the execution of session-killing commands to mitigate the associated threats, especially in light of the updated CVE descriptions that suggest the risk is more severe than initially disclosed.
This comprehensive summary encapsulates the critical discussions and insights presented in Episode 70 of the Cyber Security Headlines by the CISO Series. For detailed explorations of each headline and ongoing cybersecurity trends, listeners are encouraged to visit CISOseries.com.