
Typhoon on the line.
Viasat confirms it was breached by Salt Typhoon. Microsoft’s June 2025 security update giveth, and Microsoft’s June 2025 security update taketh away. Local privilege escalation flaws grant root access on major Linux distributions. BeyondTrust patches a critical remote code execution flaw. SMS low cost routing exposes users to serious risks. Erie Insurance says their ongoing outage isn’t ransomware. Backups are no good if you can’t find them. Veeam patches a critical vulnerability in its Backup software. SuperCard malware steals payment card data for ATM fraud and direct bank transfers. We preview our Juneteenth special edition. Backing up humanity.
Today is Wednesday June 18th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Viasat confirms it was breached by Salt Typhoon.
Viasat has confirmed it was breached by Salt Typhoon, the Chinese state-sponsored espionage group, in a cyberattack linked to intrusions into U.S. telecom infrastructure ahead of the 2024 presidential election. The group had previously targeted firms like Verizon, AT&T, and T-Mobile, and reportedly accessed phone records of political figures, including Donald Trump and JD Vance. Viasat, which provides secure communications to both commercial and government sectors, stated the breach stemmed from a compromised device but found no customer data was affected. The company worked with federal authorities and believes the threat has been neutralized. Salt Typhoon, active since 2020, is known for its stealth and long-term access strategies, raising concerns that the group may still be embedded in some networks. U.S. officials have linked the group to broader cyber espionage efforts, including a 2024 Treasury Department breach, while China denies all allegations.
Microsoft’s June 2025 security update giveth, and Microsoft’s June 2025 security update taketh away.
Microsoft’s June 2025 security update has created a critical dilemma for IT admins: install a patch that breaks DHCP services or leave servers vulnerable to serious exploits. The update, released June 10, disrupts DHCP failover configurations on Windows Server 2016 through 2025, causing network outages. Microsoft confirms the bug but has yet to issue a fix—forcing some to uninstall the update, exposing systems to 66 vulnerabilities, including two zero-days. One is an actively exploited WebDAV flaw used by the Stealth Falcon group. The same update has also caused issues with Surface Hub devices and L2TP VPN connections. Experts warn this reflects a growing problem: rushed patches causing major system failures. Admins are effectively left testing mission-critical updates in production environments.
Local privilege escalation flaws grant root access on major Linux distributions.
Researchers at Qualys have uncovered two local privilege escalation flaws that can grant root access on major Linux distributions. The first, CVE-2025-6018, affects the PAM configuration on openSUSE and SUSE Linux Enterprise, while the second, CVE-2025-6019, targets libblockdev and the udisks daemon—installed by default on most Linux systems. Together, these bugs can be chained for an easy local-to-root exploit. Even on their own, especially the udisks flaw, they pose a critical risk. Proof-of-concept exploits have already worked on Ubuntu, Debian, Fedora, and openSUSE. Admins are urged to patch both immediately, as root access can lead to persistence, lateral movement, and full system compromise.
BeyondTrust patches a critical remote code execution flaw.
BeyondTrust has patched a critical remote code execution flaw (CVE-2025-5309) in its Remote Support and Privileged Remote Access tools. The bug, found in the chat feature, stems from improper input handling in the template engine, enabling unauthenticated attackers to run arbitrary code on affected servers. Cloud systems were patched by June 16, but on-prem customers must update manually. Mitigations include enabling SAML for the Public Portal and disabling certain features. No active exploitation has been reported, but past flaws have been targeted.
SMS low cost routing exposes users to serious risks.
Tech giants like Google, Meta, and Amazon rely on a global web of contractors to deliver one-time login codes via SMS, aiming for speed and low cost. But this “lowest cost routing” strategy exposes users to serious risks. Middlemen—some with links to surveillance and cybercrime—can access and potentially misuse these codes. A recent investigation from Lighthouse Reports and Bloomberg revealed that over 1,000 companies sent sensitive login messages through Fink Telecom Services, a Swiss firm with a controversial track record. Millions of messages, including account names and phone numbers, were found traveling through this insecure network. Fink has been previously linked to surveillance efforts and cyber incidents worldwide. Despite bans on such practices in places like the UK, the opaque SMS routing industry remains largely unregulated. Critics argue that tech companies are failing to vet these providers adequately, leaving customer data vulnerable in a system designed more for cost savings than security.
Erie Insurance says their ongoing outage isn’t ransomware.
Erie Insurance denies any evidence of ransomware or ongoing cyber threats following a 10-day network outage that began June 7. This contradicts two class action lawsuits alleging a ransomware attack and data breach. Erie says it detected “unauthorized activity” and took immediate steps to contain it, adding that no data breach has been confirmed. The lawsuits, filed by a customer and a former employee, each seek $5 million, claiming negligence over exposed personal data. One plaintiff says Erie notified him of a data leak. Meanwhile, Google Threat Intelligence has linked the timing to Scattered Spider, a known cybercrime group targeting insurers. Erie continues to work with cybersecurity experts and has strengthened its defenses but declined to comment on litigation. The company urges customers to monitor their financial activity and practice good security hygiene. Communication services, including phones and emails, remain impacted by the incident.
Backups are no good if you can’t find them.
Half of organizations struggle to locate backup data when needed, according to Eon’s 2025 State of Cloud Backup report. Despite rising ransomware threats, many still rely on outdated, manual backup strategies. A survey of 154 IT leaders found 18% experienced data loss and 22% were unsure if they had. Human error caused 64% of losses, while 25% were ransomware-related. Only 49% used fully automated backups, and just 29% had layered ransomware defenses. Alarmingly, 13% had no protection at all. Fragmented approaches, such as using individual cloud providers’ disaster recovery tools, leave gaps in visibility and consistency. Compliance is the top driver for backup investments, but mismanaged data raises risks of violations and business disruption. Eon urges companies to modernize with AI-driven, cross-cloud solutions. They say effective backups not only guard against loss, but can also fuel analytics and AI if properly managed.
Veeam patches a critical vulnerability in its Backup software.
Veeam has patched a critical remote code execution vulnerability (CVE-2025-23121) in its Backup & Replication (VBR) software. Discovered by watchTowr and CodeWhite, the flaw affects domain-joined VBR installations and allows any authenticated domain user to execute code remotely on the backup server. It impacts VBR version 12 and later and is fixed in version 12.3.2.3617, released today. Despite Veeam’s best practices advising against domain-joining backup servers, many companies still do, increasing their exposure to this threat.
SuperCard malware steals payment card data for ATM fraud and direct bank transfers.
Russian cybersecurity firm F6 has reported the first domestic attacks using SuperCard, a modified version of NFCGate, a legitimate tool for relaying NFC data. SuperCard, now part of a malware-as-a-service scheme, targets Android users and has previously been used in Europe to steal payment card data for ATM fraud and direct bank transfers. First detected in Italy in April and Russia in May, the malware disguises itself as a legitimate app and uses social engineering to infect victims. It identifies the user’s payment system (Visa, Mastercard, etc.) to facilitate theft. Unique to SuperCard is its open commercial distribution via Telegram, including Chinese-language channels, with subscription models and support. F6 notes that this malware has infected over 175,000 devices in Russia, causing $5.5 million in losses in Q1 2025 alone. It is marketed as capable of targeting users in the U.S., Europe, and Australia.
Up next, we are sharing an excerpt of our Juneteenth Special Edition conversation between T-Minus Space Daily’s Maria Varmazis, CISO Perspectives podcast’s Kim Jones, and myself. We’ll be right back.
Welcome back. We hope you enjoyed this discussion on the eve of Juneteenth. Tune into your CyberWire Daily feed tomorrow on your favorite podcast app to hear the full conversation.
Backing up humanity.
And finally, former Cloudflare exec John Graham-Cumming has launched a website with a distinctly postmodern mission: preserving the web’s “low-background” cultural heritage—that is, media created by humans before AI turned content into a buffet of statistically probable sentences. His site, lowbackgroundsteel.ai, pays homage to the Cold War-era concept of “low-background steel,” metal forged before nuclear testing filled the air (and everything else) with radiation. Think of it as a digital time capsule, where archives like pre-2022 Wikipedia dumps, Project Gutenberg books, and GitHub’s Arctic Code Vault bask in their human-authored glory.
The site quietly launched in 2023 but stayed low-key until now, perhaps wisely so. Since ChatGPT’s debut, AI-generated sludge has oozed across the web, sinking projects like wordfreq, a beloved language tool that gave up in 2024 citing overwhelming synthetic noise. Graham-Cumming isn’t launching an anti-AI crusade—just tagging the “before” in case the “after” ever needs context. Think of it as civilization’s backup.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Programming note:
Note that we will not be publishing tomorrow in observance and celebration of the Juneteenth holiday in the US. We invite you to check out our Special Edition episode on Juneteenth tomorrow in your CyberWire Daily podcast feed.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.