NHS Links Patient Death to Ransomware Attack | #ransomware | #cybercrime


The NHS in England said earlier this year that it was still dealing with blood supply issues a year after the attack.

Some industry and government studies have suggested that delays in care delivery caused by ransomware attacks contribute to poorer patient outcomes, potentially including deaths, but hard figures have been elusive.

Canadian Telecoms Firms Targeted by Chinese Hackers

Add Canadian telecoms to the ever-growing list of major Western network providers targeted by the Chinese hacking group widely tracked as Salt Typhoon. The Canadian Centre for Cyber Security warned last Thursday that the Beijing threat actor “almost certainly” compromised network devices belonging to an unnamed Canadian telecom. Salt Typhoon leaped into public awareness after penetrating U.S. telecommunications infrastructure in 2024 to eavesdrop on senior government officials, including then-presidential candidate Donald Trump. The group has kept up the hacking tempo, apparently breaching data management firm Commvault’s cloud environment earlier this year (see: Salt Typhoon Believed to Be Behind Commvault Data Breach).

Along with the FBI, the Canadian center said Salt Typhoon exploited the Cisco IOS XE vulnerabilities CVE-2023-20198 and CVE-2023-20273. In at least one case, the intruders configured a generic routing encapsulation (GRE) tunnel on a compromised device to collect traffic passing through the network. Chinese hacker targeting of Cisco equipment has become a sore point for the company, whose threat intelligence unit, Cisco Talos, said in February that the attackers have relied on known vulnerabilities rather than developing zero-day exploits.
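The practical follow-up to this item is a configuration review of IOS XE devices for the exposure and persistence patterns the two CVEs are abused for: a reachable web UI (the attack surface for CVE-2023-20198), privilege-15 local users nobody provisioned, and GRE tunnel interfaces nobody built. The audit below is an added example written for this page, not tooling from Cisco, the FBI or the Canadian Centre for Cyber Security; the running-config it parses is constructed, and the allowlists of expected admins and tunnels are hypothetical placeholders an operator would replace with their own inventory.

```python
"""Audit a Cisco IOS XE running-config for the patterns associated with
CVE-2023-20198/-20273 abuse: web UI enabled, unexpected privilege-15
local users, and unexpected (GRE) tunnel interfaces.
Added example; the config and allowlists below are constructed."""
import re

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$abc
username cisco_support privilege 15 secret 9 $9$xyz
username readonly privilege 1 secret 9 $9$def
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
"""

# Hypothetical allowlists: what the operator believes should be on the box.
EXPECTED_ADMINS = {"netops"}
EXPECTED_TUNNELS = set()  # an edge router with no sanctioned tunnels


def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for each 'interface' block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def audit_ios_xe_config(config, expected_admins=EXPECTED_ADMINS,
                        expected_tunnels=EXPECTED_TUNNELS):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    # 1. Web UI exposure: both plain and TLS listeners count.
    for line in config.splitlines():
        if re.match(r"^ip http (secure-)?server$", line.strip()):
            findings.append(f"web UI enabled: '{line.strip()}' "
                            "(attack surface for CVE-2023-20198)")
    # 2. Privilege-15 local accounts not on the allowlist.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 user: {m.group(1)}")
    # 3. Tunnel interfaces not on the allowlist. On IOS XE a Tunnel
    #    interface without an explicit 'tunnel mode' line defaults to GRE/IP.
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("tunnel") and name not in expected_tunnels:
            mode = next((l for l in lines if l.startswith("tunnel mode")),
                        "tunnel mode gre ip (default)")
            dest = next((l for l in lines if l.startswith("tunnel destination")),
                        "no tunnel destination")
            findings.append(f"unexpected tunnel {name}: {mode}; {dest}")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_xe_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output collected out of band; the script reads text only, so it can be pointed at archived configs to find when an account or tunnel first appeared.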

Russia Intelligence Hackers Spread Novel Backdoors

Russian military intelligence hackers are sending malware-laced Microsoft Word documents through the Signal messaging app, Ukrainian cyber defenders warned Kyiv government and military officials on Saturday. Ukraine’s Computer Emergency Response Team, CERT-UA, attributes the campaign to the threat group it tracks as UAC-0001, also known as APT28 and Fancy Bear. The group operates from Unit 26165 of the Russian General Staff’s Main Intelligence Directorate, the GRU.

The documents carry macros that lead to infection with two previously unseen backdoors CERT-UA dubbed Beardshell and Slimagent. Beardshell runs PowerShell scripts and exfiltrates data through the API of the cloud storage service IceDrive. Slimagent takes screenshots of infected computers and saves them locally in an obfuscated format.

Ukrainian defenders traced the infections back to spring 2024 after receiving telemetry in May from cybersecurity company Eset showing unauthorized access to a gov.ua email account. Russian hackers have repeatedly targeted email servers in a bid to spy on Kyiv. They’ve also sought to pierce Signal’s end-to-end encryption protections through social engineering (see: Ukrainian Signal Users Fall to Russian Social Engineering).

CERT-UA urged defenders to monitor for traffic to api.icedrive.net and app.koofr.net.
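Turning those two hostnames into a detection is simple but has one trap worth showing: substring matching on URLs will also fire on look-alike hosts such as `api.icedrive.net.example`, so the match has to be on the parsed hostname, exact or as a proper subdomain. The script below is an added example written for this page, not CERT-UA's own detection logic; the proxy log lines are constructed, and the four-column log format (timestamp, client IP, method, target) is an assumption to be adapted to whatever the local proxy emits.

```python
"""Flag proxy log lines whose destination host is one of the domains
CERT-UA asked defenders to watch for Beardshell-related traffic.
Added example; the log lines and log format below are constructed."""
from urllib.parse import urlsplit

WATCHED_DOMAINS = ("api.icedrive.net", "app.koofr.net")

# Constructed sample proxy log: "<timestamp> <client> <method> <target>".
# Line 4 is a deliberate look-alike host that must NOT match.
SAMPLE_LOG = """\
2025-06-20T08:01:12Z 10.0.5.23 GET https://api.icedrive.net/v1/files/list
2025-06-20T08:01:13Z 10.0.5.23 POST https://app.koofr.net/content/api/v2/upload
2025-06-20T08:02:40Z 10.0.5.41 GET https://www.example.org/index.html
2025-06-20T08:03:05Z 10.0.5.41 GET https://api.icedrive.net.evil.example/collect
2025-06-20T08:03:51Z 10.0.5.23 CONNECT api.icedrive.net:443
"""


def host_matches(host, watched=WATCHED_DOMAINS):
    """True for an exact match or a subdomain of a watched domain only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def extract_host(target):
    """Handle absolute URLs (GET/POST) and CONNECT 'host:port' targets."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    # CONNECT targets are host:port; IPv6 literals are not handled here.
    return target.rsplit(":", 1)[0] if ":" in target else target


def find_indicator_hits(log_text):
    """Return one dict per matching line: time, client IP and matched host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line; skip rather than crash
        ts, client, _method, target = parts[:4]
        host = extract_host(target)
        if host_matches(host):
            hits.append({"time": ts, "client": client, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']}")
```

IceDrive and Koofr are legitimate consumer cloud storage services, so in an environment that has no business use for them every hit is worth triage, while in one that does, the hit should be correlated with the originating process (PowerShell or Office spawning the connection is the pattern this campaign would produce) before being escalated.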

SAP and Citrix Patch Critical Flaws Exposing Sensitive Data

Researchers detailed two now-patched vulnerabilities in SAP Graphical User Interface for Windows and Java, CVE-2025-0055 and CVE-2025-0056, that exposed user input history – including usernames and bank details – due to weak or no encryption. Stored locally, these files were easily accessible to anyone with access to the victim’s machine, increasing risks from phishing and USB-based attacks. A third related flaw in SAP NetWeaver, CVE-2025-0059, remains unpatched. Users are urged to disable input history and delete existing data files.

Citrix also fixed a critical vulnerability in NetScaler ADC and NetScaler Gateway, CVE-2025-5777, dubbed “Citrix Bleed 2.” The flaw, similar to the 2023 Citrix Bleed vulnerability, lets attackers harvest session tokens by sending malformed requests, bypassing authentication when the appliance is configured as a Gateway or AAA virtual server.

Suspected Chinese Hacks Targeting Oil and Energy Sector

Hackers possibly based in China are targeting the energy, oil and gas sector with phishing attacks that plant a backdoor by abusing a Microsoft feature that lets self-updating applications install and run in the background.

Researchers from Trellix dubbed the campaign “OneClik,” after Microsoft ClickOnce deployment technology.

Trellix said Tuesday it observed three distinct malware variants, each using a .NET ClickOnce loader to deploy a backdoor christened “RunnerBeacon.”

The campaign has likely run since at least September 2023. Based on overlap in evasion tactics such as in-memory decryption, Trellix said the campaign could be linked to APT41. Also known as Barium and Brass Typhoon, the threat actor focuses on critical national infrastructure.

Security firm Symantec in 2023 attributed a hacking campaign that targeted an unnamed power grid network in an Asian country to APT41 (see: Chinese APT41 Implicated in Asian National Power Grid Hack).

Oh Brother

Security researchers uncovered an authentication bypass vulnerability in Brother printers and scanners allowing hackers to obtain the device’s default administrator password.

Researchers from Rapid7 said Wednesday the flaw comes down to Brother setting a default password for each printer during manufacturing based on each device’s serial number. “Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models,” researchers said. 689 models across Brother’s range of printer, scanner and label maker devices are affected.

The authentication bypass flaw, tracked as CVE-2024-51978, carries a CVSS score of 9.8 out of 10. In combination with a slew of other vulnerabilities disclosed by Rapid7, hackers could use it to penetrate deeper into a victim network or crash the printer.

Rapid7 identified eight vulnerabilities in all, not all of them limited to Brother printers. Also affected are devices from Fujifilm Business Innovation, Ricoh, Toshiba and Konica Minolta. “In total, 748 models across five vendors are affected.”

Ransomware Hits US Dairy Giant

Dairy Farmers of America, the largest dairy cooperative in the United States, confirmed that multiple manufacturing plants across its network were hit by a ransomware attack. The incident temporarily disrupted milk processing and plant operations.

In a June 18 statement to Dairy Herd Management, DFA said it “immediately contained the threat” and quickly resumed operations at affected facilities. The cooperative did not disclose the number of impacted sites, whether data was stolen, or if a ransom was paid.

Iran-Linked Hackers Disrupt Public Services in Albania

An Iranian hacker group calling itself “Homeland Justice” claimed responsibility for a cyberattack that disrupted multiple public services in Tirana, Albania, late last week, reported online newspaper The Albanian on Friday.

The group, tied to Iran’s Islamic Revolutionary Guard Corps, said it breached the capital’s municipal systems, exfiltrated data, wiped servers and took down the city’s official website.

Iranian hackers have targeted Albania repeatedly since 2022 over the European country’s sheltering of Mujahedin-e-Khalq, a group dedicated to the overthrow of the Islamic Republic of Iran. Members of MEK left Iraq to settle in Albania at the behest of the United States, with the last group of Iranian exiles arriving in 2016 (see: Iranian Group Likely Behind Albanian Government Attack).

The attack crippled services including public transportation, passport and license issuance and kindergarten enrollment. Municipal staff also lost access to emails and internal systems.

Oxford City Council Breached

The English city of Oxford confirmed a data breach involving unauthorized access to legacy systems containing personally identifiable information. The breach affected records of former and current municipal staff, including election workers, from 2001 to 2022.

Most systems have been restored following the ICT disruption, but some service delays continue. The council stated there is no evidence that citizen data was compromised or that the stolen data has been disseminated.

The exposed information likely includes personal details of polling station workers and ballot counters.

Experts Urge EU to Counter China, North Korea Cyberthreats

Security experts urged the European Union to adopt stronger countermeasures against hybrid threats from China and North Korea, including by disrupting malware infrastructure. At a hearing of the European Parliament’s Special Committee on the European Democracy Shield, Antonia Hmaidi of the Mercator Institute recommended that Europe adopt U.S.-style malware takedowns and rapid alert systems to counter Chinese targeting of European diplomatic and critical infrastructure. North Korean threats, including fake job scams, are also rising, the committee heard. The European Union recently imposed cyber sanctions on a suspected North Korean operative linked to hacks against Ukraine.

With reporting from Information Security Media Group’s Akshaya Asokan in Southern England, Marianne Kolbasuk McGee in the Boston exurbs and David Perera in Northern Virginia.


