
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Cyber Breaches, Malware and Industry Updates
From a record-breaking DDoS attack to a surveillance exploit targeting mobile users, last week’s cybersecurity stories highlight the evolving nature of digital threats. Notably, cyberattacks against major UK retailers have now been traced back to Scattered Spider, while new ransomware tactics, Android banking malware, and a staggering 16 billion exposed credentials round out a tense week in cybersecurity.
Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
The coordinated cyberattacks on UK retail giants Marks & Spencer and Co-op have been attributed to the Scattered Spider threat group. According to the Cyber Monitoring Centre (CMC), these incidents are now categorized as a "Category 2 systemic event" due to their widespread impact. The financial cost is projected to reach between $363 million and $592 million, making this one of the most expensive retail-focused cyber events in recent history.
Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
The Qilin ransomware group is ramping up pressure tactics by offering legal aid to affiliates via a new "Call Lawyer" feature. This legal threat tactic appears to be part of a broader strategy to fill the vacuum left by now-defunct ransomware groups such as LockBit and BlackCat. Qilin, also known as Gold Feather or Water Galura, has been active since 2022 and is showing signs of a comeback as it adopts more strategic, manipulative methods.
FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks
Meta has confirmed that a FreeType vulnerability disclosed earlier this year was actively exploited by Israeli surveillance firm Paragon. The flaw (CVE-2025-27363), which enabled arbitrary code execution, was reported in March and patched in early May. It has since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underlining its severity and real-world use.
GodFather Banking Trojan Debuts Virtualization Tactic
The GodFather Android banking trojan has adopted a sophisticated virtualization approach to compromise mobile banking and crypto apps, particularly in Turkey. It installs a malicious host app containing a virtualization framework, which then runs real versions of targeted apps inside an isolated sandbox. This gives attackers an edge in evading detection and allows full control over transactions within the fake environment.
Record-Breaking 7.3 Tbps DDoS Attack Targets Hosting Provider
Cloudflare has intercepted a DDoS attack peaking at an astonishing 7.3 terabits per second—the most powerful on record. This brief but intense attack, which lasted only 45 seconds, delivered the data equivalent of 9,000 HD videos to a targeted hosting provider. It surpasses previous peaks of 5.6 and 6.5 Tbps, reflecting a dramatic escalation in volumetric attack capacity.
161,000 People Impacted by Krispy Kreme Data Breach
Krispy Kreme disclosed that its late-2024 ransomware incident impacted over 161,000 individuals, mostly employees and their families. The Play ransomware group claimed responsibility and posted 184 GB of stolen data online after the company allegedly declined to pay a ransom. Victims are now receiving notification letters as the company begins its remediation and response efforts.
Internet users advised to change passwords after 16bn logins exposed
A massive cache of 16 billion credentials has surfaced, prompting widespread calls for users to reset their passwords. Researchers from Cybernews uncovered the data in 30 separate dumps collected from infostealers and leaks. While there's no single data breach involved, the collection potentially exposes access to services like Google, Meta, and Apple. Experts urge the use of password managers and multi-factor authentication.