On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”
Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.
What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.
A cartel affiliate notified an FBI agent about a hacker who infiltrated cameras and phones to track an FBI official’s meetings, the DOJ inspector general said.
A hacker working on behalf of the Sinaloa drug cartel infiltrated cameras and phones to track an FBI official in Mexico investigating the drug lord El Chapo, then used data from that surveillance to kill and intimidate potential sources and witnesses the agent was meeting with, a Justice Department watchdog report revealed.
An FBI case agent learned about the hacker from someone affiliated with the cartel in 2018, according to the inspector general report released Friday.
“That individual said the cartel had hired a ‘hacker’ who offered a menu of services related to exploiting mobile phones and other electronic devices,” the report states. “According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified ‘people of interest’ for the cartel, including the FBI Assistant Legal Attache (ALA T), and then was able to use the ALA T’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone.
Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password.
In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.
According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.
The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.
Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.
An intern at Société Générale is believed to have facilitated the theft of more than EUR1mn (USD1.15mn) from the bank's customers.
A business student who was interning at Société Générale, a leading multinational bank headquartered in France, is believed to have fed information to SIM swappers who stole from 50 customers of the bank, reports Le Parisien. The intern’s arrest prompted officers from France’s fraud police (La Brigade des Fraudes aux Moyens de Paiement, BFMP) to identify a series of alleged accomplices, including one person who specialized in taking control of the phone service of victims.
Using information provided by the intern, the SIM swapper would call the comms providers that provided service to customers of Société Générale. He would pretend to be the legitimate phone user, and that his phone had been lost so a replacement SIM would be issued to him. Having taken control of the victim’s phone service, the SIM swapper would then receive the one-time passwords sent to those numbers by Société Générale. With these codes, the gang were able to withdraw money from the bank accounts of victims. In total, it is believed that more than EUR1mn (USD1.15mn) was stolen this way.
Germany's data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere.
FRANKFURT, June 27 (Reuters) - Germany's data protection commissioner has asked Apple (AAPL.O), opens new tab and Google (GOOGL.O), opens new tab to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere.
Commissioner Meike Kamp said in a statement on Friday that she had made the request because DeepSeek illegally transfers users' personal data to China.
The two U.S. tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe.
Google said it had received the notice and was reviewing it.
DeepSeek did not respond to a request for comment. Apple was not immediately available for comment.
According to its own privacy policy, opens new tab, DeepSeek stores numerous pieces of personal data, such as requests to its AI programme or uploaded files, on computers in China.
"DeepSeek has not been able to provide my agency with convincing evidence that German users' data is protected in China to a level equivalent to that in the European Union," Kamp said.
"Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies," she added.
The Danish government is to clamp down on the creation and dissemination of AI-generated deepfakes by changing copyright law to ensure that everybody has the right to their own body, facial features and voice.
The Danish government said on Thursday it would strengthen protection against digital imitations of people’s identities with what it believes to be the first law of its kind in Europe.
Having secured broad cross-party agreement, the department of culture plans to submit a proposal to amend the current law for consultation before the summer recess and then submit the amendment in the autumn.
It defines a deepfake as a very realistic digital representation of a person, including their appearance and voice.
The Danish culture minister, Jakob Engel-Schmidt, said he hoped the bill before parliament would send an “unequivocal message” that everybody had the right to the way they looked and sounded.
He told the Guardian: “In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.”
He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.”
The move, which is believed to have the backing of nine in 10 MPs, comes amid rapidly developing AI technology that has made it easier than ever to create a convincing fake image, video or sound to mimic the features of another person.
The changes to Danish copyright law will, once approved, theoretically give people in Denmark the right to demand that online platforms remove such content if it is shared without consent.
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems.
With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific.
The airline stated in a statement issued on Thursday morning that the incident didn't affect flight safety and has already contacted relevant authorities to assist in investigating the attack.
Hawaiian Airlines also hired external cybersecurity experts to asses the attack's impact and help restore affected systems.
"Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said.
"Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available."
A banner on the airline's website notes that the incident hasn't impacted flights in any way and that travel hasn't been affected.
The same alert is also displayed on the Alaska Airlines website, which is owned by Alaska Air Group, a company that acquired Hawaiian Airlines last year.
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication.
The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.
This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).
Vulnerability Analysis
Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism.
The server fails to properly validate date values in JSON input, leading to:
Complete server crashes without authentication in v7.0 and v8.0 deployments
Post-authentication DoS in v6.0 environments
Critical disruption of database operations through invariant failures
The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact.
MongoDB has classified this as CWE-20 (Improper Input Validation).
Mitigation and Updates
Administrators should immediately upgrade to patched versions:
MongoDB v6.0 → 6.0.21 or later
MongoDB v7.0 → 7.0.17 or later
MongoDB v8.0 → 8.0.5 or later
For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
This joint guide highlights important considerations for organizations seeking to transition toward more secure software development practices
Today, CISA, in partnership with the National Security Agency (NSA), released a joint guide on reducing memory-related vulnerabilities in modern software development.
Memory safety vulnerabilities pose serious risks to national security and critical infrastructure. Adopting memory safe languages (MSLs) offers the most comprehensive mitigation against this class of vulnerabilities and provides built-in safeguards that enhance security by design.
CISA’s Secure by Design program advocates for integrating proactive security measures throughout the software development lifecycle, with MSLs as a central component. Consistent support for MSLs underscores their benefits for national security and resilience by reducing exploitable flaws before products reach users.
This joint guide outlines key challenges to adopting MSLs, offers practical approaches for overcoming them, and highlights important considerations for organizations seeking to transition toward more secure software development practices. Organizations in academia, U.S. government, and private industry are encouraged to review this guidance and support adoption of MSLs.
In addition to the product published today, CISA and the NSA previously released the joint guide, The Case for Memory Safe Roadmaps. To learn more about memory safety, visit Secure by Design on CISA.gov.
Please share your thoughts with us via our anonymous product survey; we welcome your feedback.
As Scale AI seeks to reassure customers that their data is secure following Meta's $14.3 billion investment, leaked files and the startup's own contractors indicate it has some serious security holes.
Scale AI routinely uses public Google Docs to track work for high-profile customers like Google, Meta, and xAI, leaving multiple AI training documents labeled "confidential" accessible to anyone with the link, Business Insider found.
Contractors told BI the company relies on public Google Docs to share internal files, a method that's efficient for its vast army of at least 240,000 contractors and presents clear cybersecurity and confidentiality risks.
Scale AI also left public Google Docs with sensitive details about thousands of its contractors, including their private email addresses and whether they were suspected of "cheating." Some of those documents can be viewed and also edited by anyone with the right URL.
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected.
Around 170 patients have suffered harm as a result of a cyber attack on blood services at London hospitals and GP surgeries, reports suggest.
Pathology services provider Synnovis was the victim of a ransomware attack by a Russian cyber gang in June last year.
As a result more than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected.
And a significant number of GP practices in London were unable to order blood tests for their patients.
Now the Health Service Journal (HSJ) has reported that there were nearly 600 “incidents” linked to the attack, with patient care suffering in 170 of these.
An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.
Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.
However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.
Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down..
"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.
"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."
The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.
CISA says a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software, which enables attackers to hijack and brick servers, is currently under active exploitation.
CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks.
The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers.
This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.
Developing a rigorous scoring system for Agentic AI Top 10 vulnerabilities, leading to a comprehensive AIVSS framework for all AI systems.
Key Deliverables
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Details
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.
Details about the vulnerabilities are as follows:
CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwo99449
CVE ID: CVE-2025-20281
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.
This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCwp02821
CVE ID: CVE-2025-20282
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWorkarounds
There are no workarounds that address these vulnerabilities.
If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.
Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.
This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach.
Key findings:
Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.
Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
NetScaler ADC 12.1-FIPS is not affected by this vulnerability.
Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.
Details
NetScaler ADC and NetScaler Gateway contain the vulnerability mentioned below:
CVE-ID
Description Pre-conditions CWE CVSSv4
CVE-2025-6543
Memory overflow vulnerability leading to unintended control flow and Denial of Service
NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS v4.0 Base Score: 9.2
(CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
What Customers Should Do
Exploits of CVE-2025-6543 on unmitigated appliances have been observed.
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support - https://support.citrix.com/support-home/home to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue.
Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day.
Roughly 16% of Swiss federal politicians had their official government email leaked on the dark web. This puts them at risk of phishing attacks or blackmail.
In the latest installment of our investigation into politicians’ cybersecurity practices, we found the official government email addresses of 44 Swiss politicians for sale on the dark web, roughly 16% of the 277 emails we searched. Constella Intelligence(new window) helped us compile this information.
Sharp-eyed readers might wonder why we searched for 277 email addresses if there are only 253 politicians between the Council of States, Federal Council, and National Council. The explanation is some politicians publicly share another email address along with their official government one. In these cases, we searched for both.
Since these email addresses are all publicly available, it’s not an issue that they’re on the dark web. However, it is an issue that they appear in data breaches, meaning Swiss politicians violated cybersecurity best practices and used their official emails to create accounts with services like Dropbox, LinkedIn, and Adobe, although there is evidence some Swiss politicians used their government email address to sign up for adult and dating platforms.
We’re not sharing identifying information for obvious reasons, and we notified every affected politician before we published this article.
Swiss politicians performed roughly as well as their European colleagues, having few fewer elected officials with exposed information than the UK (68%), the European Parliament (41%), and France (18%), and only slightly more than Italy (15%).
It should be noted that even a single compromised account could have significant ramifications on national security. And this isn’t a hypothetical. The Swiss government is actively being targeted on a regular basis. In 2025, hackers used DDoS attacks(new window) to knock the Swiss Federal Administration’s telephones, websites, and services offline. In 2024, Switzerland’s National Cyber Security Center published a report stating the Play ransomware group stole 65,000 government documents(new window) containing classified information from a government provider.