Top news stories this week
- CitrixBleed 2. Return of Cit-risks. New Citrix vulnerability echoes infamous CitrixBleed vulnerability.
- Busted breachers. Law enforcement charge cyber criminals involved in high-profile data breaches.
- Patient failure. NHS confirms first patient death linked to Synnovis cyberattack in 2024.
- Press 1 to be scammed. Apple, Netflix and other 24/7 help desk numbers hijacked by scammers.
- Remote access abused. SonicWall and ScreenConnect suffer stealthy cyberattacks.
- Aflac attack. Major US insurer the latest victim in suspected Scattered Spider insurance pivot.
1. New Citrix vulnerability echoes infamous CitrixBleed vulnerability
The new Citrix vulnerability, dubbed ‘CitrixBleed 2’, is reminiscent of CitrixBleed, which was extensively exploited by threat actors in 2024. Although this new flaw is not actively exploitable yet, it could potentially allow attackers to access session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers.
So what?
Citrix have advised organisations to immediately patch their NetScaler software and terminate all active ICA and PCoIP sessions after upgrading.
[Researcher: Tlhalefo Dikolomela]
2. Law enforcement charge cyber criminals involved in high-profile data breaches
A British national known online as ‘IntelBroker’ has been charged in the US for stealing and selling sensitive data from victims worldwide, causing an estimated USD 25 million in damages. The criminal was also an administrator for the popular cybercrime discussion board BreachForums. Four other administrators of BreachForums have been arrested in Paris, including ‘ShinyHunters’, which was associated with the high-profile attacks on Snowflake, Ticketmaster, and AT&T.
So what?
Following takedowns, forums can easily return under a different domain; however, law enforcement arrests do disrupt these criminal sites.
[Researcher: Milda Petraityte]
3. First patient fatality linked to Qilin attack on NHS blood supplier Synnovis in 2024
The NHS has confirmed that the cyberattack on its supplier Synnovis last year contributed to the death of a King’s College Hospital patient in the same year. The attack caused delay and disruption to critical pathology services, with more than 10,000 appointments having to be cancelled during the fallout of the incident.
So what?
Healthcare organisations and suppliers should develop stringent disaster recovery plans to ensure patients are protected during cyberattacks.
[Researcher: Lawrence Copson]
4. Apple, Netflix and other 24/7 help desk numbers hijacked by scammers
Cybercriminals have been observed manipulating search engine algorithms to promote malicious websites masquerading as the real thing. In this variation of search engine poisoning, scammers are leveraging paid search services to embed fake IT help desk phone numbers into search results of people looking for 24/7 support from the likes of Apple, Bank of America, Facebook, Netflix, Microsoft, and more.
So what?
Organisations should carry out due diligence by monitoring search engine results, and seek to engage dark web and typosquatting domain monitoring services. Users should exercise additional vigilance when clicking on search results and remember that legitimate help desks will not ask for personal information.
[Researcher: Lester Lim]
5. SonicWall and ScreenConnect targeted in cyberattacks
Cybercriminals have distributed a trojanised version of SonicWall’s NetExtender VPN client via spoofed websites, capturing VPN credentials and sending them to a malicious server. In a parallel campaign, attackers used a technique called Authenticode Stuffing to tamper with signed ScreenConnect executables, allowing for attacker-controlled configurations like fake update messages and malicious server URLs which appear legitimate while granting unauthorised access.
So what?
Even signed, trusted remote-access software can be weaponised in ways that are difficult to detect. It is essential to regularly verify the integrity of IT tools, whether developed internally or provided by MSPs.
[Researcher: Katarina Zotovic]
6. US insurance giant Aflac latest to disclose likely Scattered Spider cyber incident
Major US insurance company Aflac is the latest to disclose that a cyberattack occurring on 12 June 2025 has resulted in a potential breach of customer data. While Aflac avoided major service disruptions, they have already been subject to a class action lawsuit. This attack was believed to have been carried out by Scattered Spider, a financially motivated threat actor group that has been behind many recent high-profile attacks.
So what?
Scattered Spider and other threat actors have repeatedly used social engineering as an entry vector. It is crucial that IT help desks utilise strong identity verification techniques to defend against such attacks.
[Researcher: Stephen Ross]