
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, June 19, 2025. I'm Rich Stroffelino.

Over 5 million impacted by Episource breach
In a notice on its website, the healthcare technology services provider Episource disclosed that threat actors accessed its systems from January 27 through February 6, 2025. In disclosure filings with the U.S. Department of Health and Human Services, it disclosed this impacted over 5.4 million people, with information stolen including Social Security numbers, insurance, Medicaid and Medicare numbers, and medical records. The company is working with partner doctors and health plan providers to provide notice to all impacted victims. Episource urges victims to review benefit statements for fraud. Episource experienced a similar loss of data from a cyberattack back in 2023.

Predatory Sparrow strikes Iran again
The pro-Israeli hacktivist group took another swipe at Iran's financial sector, stealing over $90 million in assets from Nobitex, the country's largest crypto exchange. Predatory Sparrow took credit for the attack on social media and threatened to release Nobitex source code and other internal information. Researchers at Elliptic confirmed it saw a $90 million asset transfer with vanity addresses used, supporting Predatory Sparrow's claims. The attack comes a day after the group also took credit for an attack on a state-owned bank.

Data leak at Swiss banks
Both UBS and Pictet confirmed they had internal data leaked through a breach at an external supplier, identified by the Swiss newspaper Le Temps as the business services company Chain IQ. Leaked data includes employee data on tens of millions of UBS staff and direct internal phone lines to UBS executives, and Pictet invoice information. Both banks said the attack did not compromise any client information. Attackers published data from the attack on illicit forums on June 12. Chain IQ said it would not disclose information on any negotiations or potential ransom demands.

Microsoft 365 to block legacy auth protocols
Starting in mid-July, Microsoft will begin changing security defaults on Microsoft 365 tenants to block legacy authentication protocols across SharePoint, OneDrive and Office files. It estimates this transition will be completed by August. This will include blocking browser authentication for SharePoint and OneDrive using Relying Party Suite, or RPS, as well as blocking opening Office files with FrontPage Remote Procedure Call. Microsoft said these protocols are vulnerable to brute force and phishing attacks. The company will also update app consent policies to prevent users from granting third-party apps file access by default without admin approval.

And now, thanks to our sponsor for today, Adaptive Security, OpenAI's first cybersecurity investment. As deepfake scams and GenAI phishing evolve, Adaptive equips security teams with AI-powered phishing simulations featuring realistic personalized deepfakes and engaging security awareness training. Their new AI content creator turns threat intel and policy updates into interactive multilingual training instantly. Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats. Learn more at adaptivesecurity.com. That's A-D-A-P-T-I-V-E-S-E-C-U-R-I-T-Y dot com.

State healthcare exchanges share data with Big Tech
An investigation by The Markup and CalMatters found that four state-run insurance marketplace sites share sensitive information through embedded advertising trackers on their sites. The investigation looked at exchanges operated by 20 states overall. Nevada's exchange shared prescription and dosage information with LinkedIn and Snapchat. Maine's and Rhode Island's exchanges shared the same information, as well as doctors visited, with Google. Massachusetts shared some disability and pregnancy information with Google. Part of the issue is that some exchanges used separate sites to connect users with insurance plans, and those services use embedded trackers. All exchanges removed the trackers when alerted by investigators, maintaining that they did not store any personally identifiable information.

Linux distros vulnerable to LPE vulnerabilities
Researchers at the Qualys Threat Research Unit discovered two new local privilege escalation, or LPE, vulnerabilities impacting many prominent Linux distributions. One flaw in the Pluggable Authentication Modules framework on SUSE Linux 15 allows attackers to obtain allow_active user privileges. The other impacts the udisks daemon, a default storage management service on most distributions, and allows the same privilege escalation through a flaw in libblockdev. While these can be chained easily to attack SUSE systems, the researchers also created POCs to obtain root privileges on Ubuntu, Debian and Fedora. Patches for both are now available.

Feds seize crypto funds linked to investment scams
The U.S. Department of Justice announced it filed a civil forfeiture action to obtain over $224 million in cryptocurrency tied back to scams fooling victims who believed they were investing in legitimate crypto ventures, or through romance scams. A network of scammers worked at least 400 victims globally, including dozens in the U.S. The U.S. Secret Service and FBI worked with Tether to trace back the stolen assets. The Department of Justice hopes the successful forfeiture will eventually allow it to return funds to victims.

More details on Keir Giles hack
Citizen Lab and Google Threat Intelligence Group separately released reports detailing a recent hacking campaign that successfully accessed the email of Russian military expert Keir Giles. Attributed to the Russian-linked threat group UNC6293, the campaign stood out for its particularly slow roll and focus on one individual rather than an organization. To that point, Citizen Lab senior researcher John Scott-Railton said, "It's as if they knew everything we'd been taught to expect from Russian hackers and then did the opposite." The whole report is worth a read, and we have a link in the show notes. But the final step saw the attackers getting Giles to share a screenshot of an app-specific password, which allowed them to compromise his Google accounts.

It's almost time for this week's Super Cyber Friday discussion about "Hacking What It Takes to Become a CISO." It should be a fascinating hour digging into what it takes to move from the technical world of cybersecurity into security leadership. You need to register to join us, so head on over to our events page at cisoseries.com or look for the event on LinkedIn. If you have some thoughts about the news from today, or just about the show in general, remember you can reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories. Behind the headlines sat.
Cyber Security Headlines - Episode Summary Hosted by CISO Series | Release Date: June 19, 2025
The latest episode of "Cyber Security Headlines" by CISO Series, hosted by Rich Stroffelino, delves into significant cybersecurity incidents and developments impacting various sectors. This comprehensive summary captures the key discussions, insights, and conclusions from the episode, providing valuable information for those who haven't tuned in.
Incident Overview: Episource, a healthcare technology services provider, disclosed a substantial data breach impacting over 5.4 million individuals. The breach involved unauthorized access to Episource’s systems from January 27 to February 6, 2025.
Details:
Notable Quote: Rich Stroffelino highlighted the severity of the breach: “Episource is urging all impacted victims to review their benefit statements closely for any signs of fraud” [02:30].
Incident Overview: The pro-Israeli hacktivist group, Predatory Sparrow, has once again targeted Iran’s financial sector, successfully siphoning over $90 million from Nobitex, Iran’s largest cryptocurrency exchange.
Details:
Notable Quote: Rich Stroffelino emphasized the impact: “Predatory Sparrow’s latest move not only steals substantial assets but also threatens to expose critical internal information” [04:15].
Incident Overview: Both UBS and Pictet, prominent Swiss banks, confirmed internal data leaks stemming from breaches at their external supplier, Chain IQ.
Details:
Notable Quote: Rich Stroffelino noted the strategic nature of the leak: “While employee and internal data was exposed, the assurance that client information remained secure is a critical aspect of this breach” [05:00].
Update Overview: Starting mid-July, Microsoft will implement changes to enhance security across Microsoft 365 tenants by blocking legacy authentication protocols in SharePoint, OneDrive, and Office files.
Details:
Notable Quote: Rich Stroffelino explained Microsoft's stance: “Blocking these legacy protocols is a necessary step to mitigate the increasing threats of brute force and phishing attacks” [06:00].
Investigation Findings: An investigation by The Markup and CalMatters revealed that four state-run insurance marketplace websites inadvertently shared sensitive information with major technology companies through embedded advertising trackers.
Details:
Notable Quote: Rich Stroffelino highlighted the privacy concerns: “The inadvertent sharing of sensitive healthcare data through embedded trackers underscores the need for stringent data handling practices” [03:45].
Vulnerability Report: Researchers at the Qualys Threat Research Unit identified two new LPE vulnerabilities affecting several prominent Linux distributions.
Details:
Notable Quote: Rich Stroffelino stressed the urgency: “With patches available, it's critical for administrators to apply updates promptly to safeguard against potential escalations” [04:45].
Seizure Details: The U.S. Department of Justice announced the filing of a civil forfeiture action to seize over $224 million in cryptocurrency associated with investment and romance scams.
Details:
Notable Quote: Rich Stroffelino highlighted the significance of the action: “This substantial forfeiture not only disrupts the scammers’ operations but also provides a pathway to restitution for the victims” [05:30].
Incident Overview: Reports from Citizen Lab and Google Threat Intelligence Group revealed a sophisticated hacking campaign targeting Keir Giles, a Russian military expert, attributed to the Russian-linked threat group UNC6293.
Details:
Notable Quote: Rich Stroffelino emphasized the uniqueness of the attack: “Targeting an individual with such precision showcases the evolving tactics of threat groups like UNC6293” [06:45].
Conclusion: This episode of "Cyber Security Headlines" underscores the ever-evolving landscape of cybersecurity threats, ranging from large-scale data breaches and sophisticated hacking campaigns to governmental actions against cryptocurrency scams. The discussions highlight the critical need for robust security measures, timely patching of vulnerabilities, and vigilant monitoring of data-sharing practices to safeguard sensitive information across various sectors.
For more detailed stories and daily updates, visit CISOseries.com.