Threat Matrix: June 2025
The latest news from the digital underbelly and how to protect your business
Welcome to the hot June edition of Upfort’s Threat Matrix! We cover unpatchable printer vulnerabilities, ransomware targeting manufacturing, photo-stealing malware spreading via official app stores, and, as always, breaches galore! But we aren’t mere harbingers of cyber doom! We also offer simple steps to protect yourself in a chaotic digital world.
Want to help keep your company safe? It only takes two minutes to complete our interactive cybersecurity checklist to tell how prepared you are. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.
A critical vulnerability (CVE‑2024‑51978) has been found in Brother printers, scanners, and label-makers—impacting over 689 models and potentially millions of devices globally. The flaw allows attackers to generate default admin passwords based on easily discovered serial numbers, enabling them to hijack devices remotely. Though Brother released firmware updates for seven related bugs, this authentication bypass can’t be fully patched on existing devices and requires a manufacturing process change.
How to protect your business: Change all default administrator passwords on Brother printers, scanners, and label-makers to strong, unique values and enforce this every time a device is factory-reset. Apply firmware updates promptly for the other seven vulnerabilities. Segment printer devices on isolated network segments and restrict access via firewall rules or VLANs. Monitor logs and network traffic for unusual printer activity as attackers may use compromised devices to pivot within your environment.
A ransomware attack targeting McLaren Health Care and its Karmanos Cancer Institute between July 17 and August 3, 2024, resulted in unauthorized access to sensitive patient data. The breach, detected on August 5, 2024, led to a forensic investigation that concluded on May 5, 2025, with notifications sent to approximately 743,000 affected individuals. Exposed data likely included names, Social Security numbers, driver’s license details, medical records, health insurance information, and possibly additional personal details. This marks McLaren’s second major ransomware incident in under two years, following a 2023 breach impacting 2.2 million individuals.
How to protect your business: Prioritize continuous monitoring and timely response—invest in systems capable of detecting intrusions early and triggering rapid incident investigation. Ensure critical infrastructure, such as EHR platforms and network systems, undergoes regular vulnerability assessments and patching. Encrypt sensitive data both in transit and at rest, and maintain robust backups to minimize downtime from ransomware attacks. Finally, develop crisis communication plans and offer identity monitoring services promptly to affected stakeholders to preserve trust and meet regulatory requirements.
A 19‑year‑old Massachusetts college student, Matthew Lane, has pleaded guilty to hacking PowerSchool, a widely used student information system, along with another U.S. telecom provider. In late 2024, Lane used stolen contractor credentials to access PowerSchool’s support portal, exfiltrating sensitive data for over 60 million students and 10 million teachers—such as names, Social Security numbers, birth dates, medical info, email addresses, and more. He demanded a ransom of $2.85 million in Bitcoin and later targeted district-level victims with additional extortion attempts.
How to protect your business: Educate staff about credential misuse and the risks of third-party access. Employ multi-factor authentication and timely credential rotation for all vendor accounts. Monitor account activity for unauthorized access and ensure least-privilege access controls are enforced on support portals. Develop an incident-response plan that includes legal, communication, backup, and forensic readiness in the event of extortion.
A newly emerged ransomware group known as Dire Wolf has struck 16 organizations across 11 countries—with a focus on manufacturing and technology—since May 2025. Using a double-extortion strategy, the attackers exfiltrate sensitive data and demand ransom, granting victims about 30 days to pay before releasing stolen information. Trustwave researchers found the malware is UPX-packed, written in Go, disables Windows event logging, and uses mutex checks to avoid encrypting the same system more than once.
How to protect your business: Conduct regular backups and test disaster recovery plans to prepare for potential encryption events. Implement endpoint detection and response (EDR) tools that can identify behaviors like event logging deletion or service termination. Segment critical systems—especially in manufacturing and OT environments—to limit ransomware propagation. Apply network controls that detect anomalies, such as unexpected UPX Go binaries or unusual process commands. Establish a ransomware playbook that defines stakeholder roles and escalation procedures across IT, legal, and communications teams.
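The "unexpected UPX Go binaries" control above can be turned into a simple static triage step. The following is an added example, not Trustwave's or Upfort's code: it walks a Windows PE header to read the section table (UPX-packed files carry UPX0/UPX1 section names) and looks for the build-ID and buildinfo strings an unpacked Go binary contains. The PE images it runs on are constructed header-only blobs, not real executables.

```python
"""Static triage for two Dire Wolf traits named above: UPX packing (UPX0/UPX1 section
names) and Go build markers. Added example; not Trustwave's or Upfort's code.
The PE images below are constructed header-only blobs, not real executables."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Strings present in unpacked Go binaries (build-ID line and the buildinfo magic).
GO_MARKERS = (b"Go build ID:", b"Go buildinf:")


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table, return names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]  # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Return the indicators an analyst or EDR rule would act on."""
    names = pe_section_names(data)
    upx = any(n in UPX_SECTION_NAMES for n in names)
    go = any(m in data for m in GO_MARKERS)
    flags = []
    if upx:
        # Packing hides strings: Go markers only become visible after unpacking.
        flags.append("upx-packed")
    if go:
        flags.append("go-binary")
    return {"sections": names, "upx_packed": upx, "go_binary": go, "flags": flags}


def build_sample_pe(section_names, trailing: bytes = b"") -> bytes:
    """Construct a minimal PE-shaped blob (headers + section table only) for tests."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + trailing


# Constructed samples: a UPX-packed layout, an unpacked Go-looking layout, a plain one.
PACKED_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
UNPACKED_GO_SAMPLE = build_sample_pe([".text", ".data"], b"\xff Go buildinf:" + b"\0" * 16)
PLAIN_SAMPLE = build_sample_pe([".text", ".rdata", ".data"])

if __name__ == "__main__":
    for label, blob in [("packed", PACKED_SAMPLE), ("go", UNPACKED_GO_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(label, triage(blob))
```

Note the caveat built into the code: a packed sample will show only the UPX flag, because the Go strings sit inside the compressed payload. Treat an unexplained UPX-packed executable on a manufacturing or OT host as worth pulling for unpacking and deeper analysis rather than waiting for both flags to appear.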
North Korean threat actors have launched a new phase of their “Contagious Interview” campaign, distributing 35 malicious npm (Node Package Manager) packages masquerading as coding challenge dependencies. Developers are duped via LinkedIn messages and Google Docs interviews to install these during “fake job interviews.” Once executed, the packages deploy a multi-stage payload: a HexEval loader fingerprints the host, BeaverTail steals browser and crypto data, and InvisibleFerret establishes backdoor access. The packages often use typosquatting to appear legitimate, and over 4,000 downloads have been recorded, with six still available at the time of reporting.
How to protect your business: Adopt strict best practices for dependencies—vet any third-party code thoroughly before installation, especially during hiring exercises. Encourage developers to use isolated environments like VMs or containers when evaluating untrusted code. Monitor registry metadata for suspicious or typosquatted package names, and deploy software composition analysis tools to flag anomalous or malicious packages in CI/CD pipelines. Maintain awareness training to help staff spot social engineering via recruiters or unexpected assignments.
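"Monitor registry metadata for suspicious or typosquatted package names" can be a pre-install check in the pipeline. Below is an added example, not code from the newsletter or from the researchers who reported the campaign: it reads a package.json, compares each dependency name against a list of packages the organisation has already vetted, and flags near misses (one edit or an adjacent-character swap away) and separator or case variants. The vetted list and the manifest are constructed for the example.

```python
"""Flag dependency names that are near misses of packages your organisation has vetted.
Added example; not from the newsletter or the Contagious Interview research. The
allowlist and package.json below are constructed."""
import json

# Constructed allowlist; in practice derive it from your lockfiles or internal registry.
VETTED = sorted({"react", "lodash", "express", "axios", "chalk", "moment", "@types/node"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions count 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(name: str) -> str:
    """Lower-case and drop separators so 'lo_dash' compares equal to 'lodash'."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def typosquat_candidates(dep_names, vetted=VETTED, max_distance=1):
    """Return (dependency, lookalike, distance, reason) for names that are close
    to, but not exactly, a vetted package. Exact matches are trusted."""
    findings = []
    for dep in dep_names:
        if dep in vetted:
            continue
        nd = normalise(dep)
        for known in vetted:
            nk = normalise(known)
            if len(nk) < 4:           # too short to judge; avoid noise on tiny names
                continue
            if nd == nk:
                findings.append((dep, known, 0, "separator/case variant"))
                break
            dist = osa_distance(nd, nk)
            if dist <= max_distance:
                findings.append((dep, known, dist, "edit-distance near miss"))
                break
    return findings


def scan_package_json(text: str):
    """Collect dependencies from a package.json string and check them."""
    manifest = json.loads(text)
    deps = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.extend(manifest.get(section, {}).keys())
    return typosquat_candidates(deps)


# Constructed manifest of the kind a "coding challenge" repository might ship.
PACKAGE_JSON = """{
  "name": "interview-task",
  "dependencies": {
    "react": "^18.2.0",
    "lodahs": "4.17.21",
    "axois": "1.6.0",
    "lo_dash": "4.17.21",
    "left-pad": "1.3.0"
  },
  "devDependencies": {
    "@types/node": "^20.0.0",
    "chalk": "^5.3.0"
  }
}"""

if __name__ == "__main__":
    for dep, known, dist, reason in scan_package_json(PACKAGE_JSON):
        print(f"{dep!r} looks like {known!r} (distance {dist}, {reason})")
```

Run this before `npm install` on any repository handed to a developer as part of an interview or external assignment, ideally inside the VM or container the guidance above recommends. A distance threshold of 1 keeps false positives low; raise it only for long package names, and treat every hit as a reason to stop and look at the package's registry metadata rather than as proof of malice.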
SonicWall recently issued a warning after researchers from SonicWall and Microsoft Threat Intelligence (MSTIC) discovered a trojanized version of its NetExtender SSL VPN client. The malicious installer, impersonating version 10.3.2.27, was distributed via spoofed websites and digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED” to appear legitimate. Once installed, it patches validation logic and captures VPN configuration details—including usernames, passwords, domains—then sends them to a remote server at 132.196.198.163 over port 8080.
This variant targets SMBs and remote workers who depend on NetExtender to access corporate networks. The threat actors used SEO poisoning, malvertising, forum posts, and social media to distribute the malware. The sample has been reported to SonicWall, and AV tools like Microsoft Defender now detect this threat—but other defenses could miss it.
How to protect your business: Always download remote access clients like NetExtender directly from the vendor’s official site (e.g., sonicwall.com or mysonicwall.com) and avoid promoted search results. Verify digital signatures on installer files and run new downloads through up-to-date antivirus tools. Train staff to recognize spoofed links and malicious ads, and consider network-level protections—such as MFA for VPN access and monitoring for unusual exfiltration activity.
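For the "monitoring for unusual exfiltration activity" step, here is an added example (not SonicWall's or Upfort's code) that reads outbound firewall connection records, matches the destination reported above (132.196.198.163 on port 8080, the only indicator taken from the write-up), and separately flags hosts pushing a large volume of data to a destination on a port that normal egress does not use. The log format and every address other than the reported one are constructed for the example.

```python
"""Flag outbound connections matching the destination reported above and large
uploads to unexpected ports. Added example; not SonicWall's or Upfort's code.
The log lines are constructed in a generic key=value firewall format."""
import re
from collections import defaultdict

# Destination named in the NetExtender write-up; the only indicator taken from the page.
KNOWN_BAD = {("132.196.198.163", 8080)}
EXPECTED_PORTS = {80, 443, 53, 123}          # ports normal egress is allowed on (assumption)
UPLOAD_THRESHOLD = 1 * 1024 * 1024           # bytes_out per destination per log window

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+) "
    r"bytes_out=(?P<bytes_out>\d+)"
)


def parse_line(line: str):
    """Return a dict of fields for a connection record, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def detect_exfil(lines):
    """Apply two rules: exact indicator match, and large upload to an odd port."""
    alerts = []
    totals = defaultdict(int)      # (dst, dport) -> bytes sent outbound
    sources = defaultdict(set)     # (dst, dport) -> internal hosts involved
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dst"], rec["dport"])
        if key in KNOWN_BAD:
            alerts.append({"rule": "known-ioc", "src": rec["src"],
                           "dst": rec["dst"], "dport": rec["dport"]})
        totals[key] += rec["bytes_out"]
        sources[key].add(rec["src"])
    for (dst, dport), total in totals.items():
        if dport not in EXPECTED_PORTS and total >= UPLOAD_THRESHOLD:
            alerts.append({"rule": "large-upload-odd-port", "dst": dst, "dport": dport,
                           "bytes_out": total, "hosts": sorted(sources[(dst, dport)])})
    return alerts


# Constructed sample: one indicator hit, one volume anomaly, normal HTTPS traffic, noise.
SAMPLE_LOG = """\
Jun 24 09:12:01 fw1 conn: src=10.0.5.21 dst=198.51.100.20 dport=443 proto=tcp bytes_out=18234
Jun 24 09:12:07 fw1 conn: src=10.0.5.21 dst=132.196.198.163 dport=8080 proto=tcp bytes_out=2310
Jun 24 09:13:40 fw1 conn: src=10.0.5.33 dst=203.0.113.7 dport=2222 proto=tcp bytes_out=734003
Jun 24 09:14:02 fw1 conn: src=10.0.5.33 dst=203.0.113.7 dport=2222 proto=tcp bytes_out=611111
Jun 24 09:15:00 fw1 conn: src=10.0.5.40 dst=198.51.100.20 dport=443 proto=tcp bytes_out=2048000
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

The indicator rule is the cheap, brittle one: the address can change with the next build, so the volume-by-port rule carries more weight over time. Tune EXPECTED_PORTS and the threshold to your own egress baseline, and feed the "hosts" list straight into the VPN credential-rotation step, since a hit on a NetExtender user's workstation means the captured username and password should be assumed compromised.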
Steel giant Nucor—the largest steel producer and recycler in North America—has confirmed that hackers exfiltrated data during a recent cybersecurity breach. The incident led the company to shut down certain IT systems and halt production at multiple facilities as a precaution. While the investigation is ongoing, Nucor reported that attackers accessed and stole data from its network; review and notifications to affected parties and regulatory bodies are underway. The firm believes the threat actors have been evicted and that impacted systems are back online.
How to protect your business: Ensure your organization has a robust incident response plan ready to activate during a cyberattack. Regularly update and patch IT infrastructure, and implement network segmentation to limit the impact of breaches. Invest in continuous monitoring and detection tools to swiftly identify intrusions. Maintain offline backups and a clear communication strategy to minimize downtime and reputational harm.
A new strain of mobile malware called SparkKitty has been discovered in apps on both Google Play and the Apple App Store, with the apparent goal of harvesting photos—including screenshots of cryptocurrency wallet recovery phrases. Once installed on Android or iOS devices, SparkKitty systematically exfiltrates all images from the user’s gallery. The attackers then use optical character recognition (OCR) to mine these images for seed phrases, enabling full access to victims’ crypto wallets. Originally active since February 2024 and likely a development of the earlier SparkCat malware, SparkKitty has been distributed through malicious apps like SOEX and “币coin,” each downloaded tens of thousands of times before being removed.
How to protect your business: Companies should enforce strict mobile app policies: only allow installations from official app stores, and even then, carefully vet each app before permitting access to device galleries. Prohibit storing sensitive data—like wallet recovery phrases—in screenshots or digital photos. Employ mobile threat detection tools and conduct regular audits to identify and remove suspicious apps from corporate devices. Finally, educate employees on best practices for securing private information, and implement remote wiping capabilities to remove malware from compromised devices.
Russian state-sponsored hackers (UNC6293/APT29) have orchestrated a sophisticated phishing campaign to bypass Gmail’s multi-factor authentication by tricking targets into generating app-specific passwords. Between April and early June, attackers impersonated U.S. State Department officials and engaged targets—such as academics critical of Russia—in prolonged email exchanges. They persuaded victims to create app passwords, which allowed full access to Gmail accounts despite MFA protections.
This tactic exploited the trust in app-specific passwords—originally meant for older apps—by posing as a secure method for accessing a “State Department guest platform.” Only after creating and handing over the app password did the victim realize they had given the threat actor working access credentials. Google researchers confirm the use of residential proxies and elaborate impersonation techniques, indicating a well-resourced, patient operation.
How to protect your business: Avoid using app-specific passwords except when absolutely necessary—favor modern authentication methods like security keys or authenticator apps. Educate staff on the latest phishing TTPs, including social engineering that mimics trusted institutions. Enable Google’s Advanced Protection Program for high-risk accounts—this disables app passwords entirely. Monitor for unusual login behavior and restrict account creation of app-specific passwords where possible.