By the CyberWire staff
At a glance.
- Scattered Spider shifts targeting to the US insurance sector.
- Pro-Israel hackers hit Iranian financial entities.
- Billions of previously stolen credentials were exposed in unsecured databases.
- Viasat identified as a victim of Salt Typhoon hacks.
- Veeam patches critical flaw affecting backup servers.
- Google attributes last week's outage to API management bug.
Scattered Spider shifts targeting to the US insurance sector.
Researchers at Google warn that the Scattered Spider cybercriminal group is now launching ransomware and extortion against entities in the US insurance industry, following a wave of attacks against the UK's retail sector, CyberScoop reports. John Hultquist, chief analyst at Google Threat Intelligence Group, said the threat actor has "a habit of working their way through a sector." Hultquist added, "Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers."
US-based insurance provider Aflac has disclosed that a cybercriminal group breached its network via social engineering and may have stolen sensitive customer information, the Record reports. A source close to the incident told the Record that the attack bears the hallmarks of Scattered Spider. Aflac hasn't publicly attributed the attack to a particular actor, but stated, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry." The company is still determining the number of affected individuals, but says the "potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in our U.S. business."
CyberScoop notes that Pennsylvania-based Erie Insurance also disclosed a disruptive cyber incident last week, though the firm hasn't shared details on the incident.
Pro-Israel hackers hit Iranian financial entities.
The pro-Israel hacking group Predatory Sparrow has claimed responsibility for a cyberattack against Iran's Bank Sepah, causing issues with account access, withdrawals, and card payments, the Record reports. The incident also reportedly disrupted payments at gas stations that rely on the bank.
Predatory Sparrow also took credit for stealing more than $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, according to researchers at Elliptic. The hackers sent the money to vanity addresses whose text encodes anti-Iranian messages; since no one holds the private keys for such addresses, the funds are now essentially impossible for anyone to access. Elliptic explains, "The hack does not appear to be financially motivated. The vanity addresses used by the hackers are generated through 'brute force' methods - involving the creation of large numbers of cryptographic key pairs until one contains the desired text. But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible." Nobitex's website is still down, and Predatory Sparrow has published what it claims is the company's full source code, PBS reports.
Predatory Sparrow presents itself as a hacktivist group, but is widely believed to be linked to Israeli intelligence. Axios predicts that cyberattacks will continue alongside the ongoing kinetic conflict between Israel and Iran. The Iranian government has shut down most of the country's Internet to thwart alleged Israeli cyberattacks, the Wall Street Journal reports. Tehran's communications ministry said the shutdown was due to "the aggressor’s abuse of the country’s communication network for military purposes."
Billions of previously stolen credentials were exposed in unsecured databases.
Researchers at Cybernews discovered thirty exposed datasets containing sixteen billion login credentials for a variety of online services. Most of the datasets were stored in unsecured Elasticsearch instances, which have since been taken offline. It's unclear who owns the data, but the researchers note that most of the credentials are "a mix of details from stealer malware, credential stuffing sets, and repackaged leaks."
BleepingComputer notes that the credentials are not from a new breach, despite some misleading reports to the contrary. Rather, the stolen credentials were likely already circulating in various criminal souks until they were "collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet." Still, the discovery serves as a reminder of just how many stolen credentials are out there.
Viasat identified as a victim of Salt Typhoon hacks.
Bloomberg reports that Viasat is the latest US telecom to be identified as a victim of the Chinese cyberespionage campaign Salt Typhoon. The telecom said in a statement, "Viasat and its independent third-party cybersecurity partner investigated a report of unauthorized access through a compromised device. Upon completing a thorough investigation, no evidence was found to suggest any impact to customers."
The company added that it could not share information on the government's investigation into the incident, stating, "Viasat believes that the incident has been remediated and has not detected any recent activity related to this event."
The surveillance campaign, which surfaced last year, also hit Verizon, AT&T, and Lumen, gathering tens of millions of phone records.
Veeam patches critical flaw affecting backup servers.
Veeam has issued a patch for a critical vulnerability affecting the Backup Server that could allow an authenticated user to perform remote code execution. The vulnerability (CVE-2025-23121) was assigned a CVSS score of 9.9.
BleepingComputer notes, "While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations. Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam's best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication."
Google attributes last week's outage to API management bug.
Google has attributed last week's major Google Cloud outage to an API management bug. The company explained in an incident report, "On May 29, 2025, a new feature was added to Service Control for additional quota policy checks. This code change and binary release went through our region-by-region rollout, but the code path that failed was never exercised during this rollout due to needing a policy change that would trigger the code. As a safety precaution, this code change came with a red-button to turn off that particular policy serving path. The issue with this change was that it did not have appropriate error handling nor was it feature flag protected. Without the appropriate error handling, the null pointer caused the binary to crash."
Google continued, "On June 12, 2025 at ~10:45am PDT, a policy change was inserted into the regional Spanner tables that Service Control uses for policies. Given the global nature of quota management, this metadata was replicated globally within seconds. This policy data contained unintended blank fields. Service Control, then regionally exercised quota checks on policies in each regional datastore. This pulled in blank fields for this respective policy change and exercised the code path that hit the null pointer causing the binaries to go into a crash loop. This occurred globally given each regional deployment."
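The failure mode in Google's report (a new policy-check path that dereferences a blank field with no error handling and no feature flag) next to the two mitigations the report points at, as an added Go example written for this digest; it is constructed here, not Service Control code, and the QuotaPolicy, Checker and function names are assumptions.

```go
package main

import "errors"

// QuotaPolicy models a policy row whose optional fields arrive as nil when
// blank, as in the incident report. Constructed example, not Google's code.
type QuotaPolicy struct {
	Name  string
	Limit *int64 // nil when the row has a blank limit field
}
var ErrMalformedPolicy = errors.New("quota policy missing required field")

// checkQuotaUnsafe models the failing path: no nil check, so a blank row panics.
func checkQuotaUnsafe(p QuotaPolicy, usage int64) bool {
	return usage <= *p.Limit
}

// checkQuotaSafe validates before use and returns an error instead of panicking.
func checkQuotaSafe(p QuotaPolicy, usage int64) (bool, error) {
	if p.Limit == nil {
		return false, ErrMalformedPolicy
	}
	return usage <= *p.Limit, nil
}

// Checker gates the new check behind a feature flag so the binary can ship
// with the path off and be enabled per region once it has been exercised.
type Checker struct{ NewQuotaChecksEnabled bool }

// Allow: flag off keeps legacy behaviour (allow); flag on reports a malformed
// policy but still serves the request, so bad data logs instead of crash-looping.
func (c Checker) Allow(p QuotaPolicy, usage int64) (bool, error) {
	if !c.NewQuotaChecksEnabled {
		return true, nil
	}
	ok, err := checkQuotaSafe(p, usage)
	if err != nil {
		return true, err // fail open for availability; surface err to monitoring
	}
	return ok, nil
}

// crashes reports whether the unsafe path panics on p (test aid, not a fix).
func crashes(p QuotaPolicy, usage int64) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	checkQuotaUnsafe(p, usage)
	return false
}

func main() { println(crashes(QuotaPolicy{Name: "svc-b"}, 1)) } // stand-alone demo
```

Failing open is a deliberate availability choice here; a service whose quota check is a security boundary would fail closed on a malformed policy and alert instead.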