Nine hundred breaches this week

CybersecurityHQ weekly analysis

Welcome reader to your CybersecurityHQ report


This Week in Cybersecurity: 900 Ransomware Victims, Zero-Day Chaos, and Industrial Systems Left Wide Open

This week marked a decisive inflection in the cyber threat landscape, defined not by isolated anomalies but by a synchronized acceleration of risk. Play ransomware added over 900 new victims to its portfolio, underscoring the efficiency and scale of automated exploitation. Meanwhile, multiple zero-day vulnerabilities were actively weaponized, with critical infrastructure left precariously exposed in public-facing environments.

At the same time, a sweeping reversal of Biden-era cybersecurity mandates via executive order stripped away foundational safeguards, including AI governance protocols and secure software development requirements. This policy whiplash introduces systemic ambiguity at a time when clarity and coordination are paramount.

Concurrently, the global software supply chain faced renewed destabilization. Open source ecosystems, long the bedrock of digital innovation, became fertile ground for sophisticated subversion. Compounding this, we observed state-backed actors leveraging AI to execute precision-targeted financial fraud at scale, collapsing human-led defenses under the weight of automated deception.

This is not just a convergence of incidents; it is the materialization of a new paradigm. Defenders now operate at human speed while adversaries operate at algorithmic velocity. With the rollback of regulatory guardrails and the weaponization of AI, organizations face an asymmetric cyberwar in which resilience must be redefined.

The message is clear: governance gaps and technological advancements are intersecting with unprecedented force. We must recalibrate our posture from reactive containment to proactive, policy-anchored, AI-augmented defense.

Quick Stats Dashboard

  • 900 Organizations hit by Play Ransomware

  • 86M AT&T records with decrypted SSNs

  • 84,000 Vulnerable Roundcube servers

  • 40,000+ Exposed security cameras

  • 300,000 Texas DOT crash reports stolen

  • 46 Days - M&S cyberattack outage

  • 20,000 Malicious IPs taken down

  • 500+ EU AI Act violations

  • $540M Cyera Series E funding

Critical Threats Requiring Immediate Response

1. Internet-Exposed Water System HMIs [CRITICAL]

  • Browser-accessible control systems found online

  • Risk: Sabotage or chemical mix alterations

  • Action: Emergency OT audit within 24 hours

2. Active Zero-Day Exploits [CRITICAL]

  • Microsoft WebDAV (CVE-2025-33053) - Turkish defense org attacked

  • Chrome browser - Second Q2 zero-day, patch immediately

  • Microsoft 365 Copilot - Zero-click AI data leak flaw

  • Action: Apply all patches within 48 hours

3. Supply Chain Compromise [HIGH]

  • NPM/PyPI packages with system wipe capabilities

  • ConnectWise vulnerability questions

  • Action: Audit all dependencies and third-party tools

Major Policy Shift: Trump Cybersecurity Executive Order

Key Reversals:

  • Eliminated Software Bill of Materials (SBOM) requirements

  • Rolled back AI governance frameworks

  • Removed post-quantum encryption mandates

  • Shifted focus to digital identity and sanctions policies

Implication: Organizations must self-impose security standards as federal mandates disappear. Private sector leadership becomes critical.

Action: Maintain security practices despite regulatory rollbacks. Document your security baseline independent of federal requirements.

Five Defining Threat Vectors

→ Ransomware at Industrial Scale

Play ransomware's 900 victims represent just one group. This week's additional victims:

  • Lee Enterprises: 40,000 individuals affected

  • Sensata Technologies: Operations impacted

  • Erie Insurance: Business disruptions confirmed

  • Kettering Health: Hit by Interlock ransomware

Pattern: Healthcare, media, education, municipalities, and insurance sectors heavily targeted. Average downtime extending to weeks, not days.

Action: Implement 24-hour offline immutable backups, quarterly recovery drills, and sub-30-second automated isolation.

→ Critical Infrastructure Exposure

Water system HMIs found accessible via standard browsers represent broader OT security failures. Combined with new attack methods like SmartAttack (using smartwatches against air-gapped systems), the "air gap" security model is obsolete.

Action: Deploy ICS-specific monitoring (Nozomi, Dragos), enforce IT/OT segmentation, deny all inbound internet traffic by default.

→ Supply Chain Weaponization

This week's supply chain incidents:

  • Malicious NPM packages disguised as Express utilities

  • Global malware operation targeting npm and PyPI

  • Backdoored repositories targeting novice cybercriminals

  • ConnectWise vulnerability under active exploitation

Action: Private registries, dependency scanning in CI/CD, vendor security assessments.

→ Zero-Day Exploitation Surge

Active exploits beyond those listed under Critical Threats above:

  • Salesforce Industry Cloud: 5 CVEs + 15 misconfigurations

  • Cisco Secure Firewall: Persistent backdoor installations

  • Fortinet FortiGate: Qilin ransomware exploitation

  • Roundcube: PoC code available for 84,000 vulnerable instances

  • New Secure Boot flaw: Bootkit malware installation

Reality: Patch Tuesday's 66 fixes can't match exploitation velocity.

→ AI-Powered Attack Evolution

North Korean Grey Nickel group's ChatGPT-based banking fraud represents a new threat class:

  • AI-generated deepfake audio in vishing campaigns

  • 5,000+ accounts compromised in early June

  • Young Western hackers collaborating with Russians

  • UNC6040 using fake Salesforce apps in sophisticated campaigns

Action: Deploy behavioral biometrics, AI anomaly detection, and deepfake awareness training.

Geopolitical Risk Brief

Active Threat Campaigns

→ North Korea: Financial Warfare

  • ChatGPT fraud schemes (per OpenAI)

  • RedLine malware ($10M US reward offered)

  • $7.74M cryptocurrency forfeiture sought

→ Ukraine: Under Destructive Attack

  • PathWiper malware targeting critical infrastructure

  • Additional data wipers discovered

  • Russia-linked campaigns escalating

→ Middle East: State-Sponsored Operations

  • Stealth Falcon APT exploiting Microsoft RCE

  • Iran's BladedFeline targeting Iraqi officials

  • Regional cyber conflicts intensifying

→ China: Long-Game Espionage

  • 70+ organizations targeted in sustained campaign

  • Year-long SentinelOne reconnaissance

  • Cash bounties for Taiwanese "military hackers"

Real-World Impact Analysis

Retail Disruption

  • M&S: 46-day outage finally resolved

  • United Natural Foods: Whole Foods supplier operations hit

  • Customer Impact: Empty shelves, blocked orders, trust erosion

Healthcare Under Siege

  • Ransomware causing multi-week outages

  • Patient care systems increasingly targeted

  • Insurance and health systems equally vulnerable

Government Data Exposure

  • Texas DOT loses 300,000 crash reports

  • Turkish defense organization breached

  • Police portals compromised by ViLE gang

Emerging Attack Techniques

Advanced Social Engineering:

  • FIN6 poses as job seekers with weaponized resumes

  • IT support impersonation in voice phishing

  • Fake Salesforce apps in vishing campaigns

IoT Exploitation:

  • Mirai variants exploiting Wazuh platform

  • TBK DVR devices targeted via command injection

  • Apache Tomcat panels under brute-force from 295 IPs

Novel Vectors:

  • SmartAttack exfiltrates from air-gapped systems via smartwatches

  • iMessage zero-click suspected against high-value targets

Market & Regulatory Landscape

Investment Surge in AI Security

  • Cyera: $540M at $6B valuation

  • Maze: $25M for AI cloud security agents

  • Swimlane: $45M for automation

  • Guardz: $56M for SMB security

  • Securonix: Acquires ThreatQuotient

Regulatory Shifts

US Federal:

  • Trump order eliminates key security mandates

  • Bipartisan $50M energy sector cyber bill proposed

  • FTC scrutinizing retail cyber failures

EU Enforcement:

  • 500+ AI Act violations already flagged

  • GDPR fines increasing for cyber incidents

  • WhatsApp fined (NSO Group disputes)

Strategic Guidance for Leaders

Next 48 Hours

  1. Patch all critical zero-days (especially WebDAV, Chrome, Copilot)

  2. Audit internet-facing OT/ICS systems

  3. Review npm/PyPI dependencies

  4. Verify backup restoration capabilities

Next 30 Days

  1. Assume Federal Void: Implement security standards regardless of rollbacks

  2. AI Defense Posture: Counter AI attacks with AI defenses

  3. Supply Chain Fortress: Every dependency needs vetting

  4. Speed Over Perfection: Sub-minute containment is the new standard

Key Leadership Takeaways

  1. Policy vacuum creates opportunity - Lead where government retreats

  2. AI changes both offense and defense - Invest in both capabilities

  3. Ransomware industrialization complete - 900 victims proves mass production

  4. Infrastructure myths shattered - Air gaps and isolation are illusions

  5. Recovery speed determines survival - Prevention alone guarantees failure

Areas Needing Intelligence

  • ConnectWise vulnerability specifics

  • Western-Russian hacker collaboration details

  • PathWiper and Mirai variant IoCs

  • Full Trump executive order impact assessment

Final Signal: Velocity Wins

With attacks automated at cloud scale and policies in flux, traditional security models collapse. Success requires detection and containment in minutes, recovery in hours. Every system must be disposable and restorable.

This week's 900 victims are next month's 9,000 without fundamental change. Act accordingly.

Cyber Threats & Attack Trends

CybersecurityHQ: This Week’s Reports Based on Technical Research and Academic Papers

→ Free

  1. Enterprise AI gets helpful—then hacked

→ Pro subscriber-only

  1. Rethinking cyber incident SLAs in multi-vendor AI environments

  2. Key strategies for aligning IT risk management with enterprise-wide risk management in large corporations

  3. Identifying the most effective machine learning techniques for detecting anomalous AI behavior in real-time production environments


Cyber Intel Brief: Key Insights from Leading Security Podcasts

Highlights from this week's Cyber Intel Report, sourced from top cybersecurity podcasts and webinars:

⤷ Chaos RAT spreads cross-platform via spoofed IT tools, infecting Windows and Linux environments
⤷ Shadow AI tools like unsanctioned note-takers leak sensitive enterprise data outside IT control
⤷ MDR and XDR platforms suffer outages, leaving gaps in core detection and response capabilities
⤷ Russia’s GRU Unit 29155 blends sabotage, criminal outsourcing, and psyops into a unified campaign
⤷ EU Vulnerability Database (EUVD) challenges CVE dominance with faster exploit visibility


Interesting Read

Anthropic Launches Claude Gov for U.S. Defense & Intelligence

On June 5, 2025, Anthropic rolled out Claude Gov, an AI model designed for U.S. defense and intelligence agencies, featuring relaxed guardrails to support threat analysis and classified document understanding.

This represents a direct convergence of security, AI, and geopolitics: commercial AI firms are now actively supplying state actors with models tailored for national security needs. This raises new accountability questions around bias, data usage, and dual-use risk. CISOs should ask: Could these defense-grade models adapt for offensive cyber or surveillance tools?

→ Read more at theverge.com

Fresh From the Field: Security Resources You Can Use

| Title | Publisher | Focus |
|---|---|---|
| The AI Arms Race | Foreign Policy | AI infrastructure, global power competition, digital sovereignty, national security |
| FTSG Threat Report 2025 | FTSG (Future Threat Studies Group) | AI-powered cybercrime, state-aligned threat actors, tactical forecasting |
| AI Now 2025 Landscape Report | AI Now Institute | Big Tech concentration, AI governance, U.S.–China AI tensions, algorithmic accountability |
| AI Surge and Geopolitical Cyberwarfare | Armis Labs | China’s AI expansion, global cyberwarfare escalation, critical infrastructure risk |


Stay safe, stay secure.

The CybersecurityHQ Team
