SonicWall Malware Warning, Crypto Phishing Scheme, Medical Data Exposed – Cybersecurity News [June 23, 2025]

If you’re online, you’re a target, and this week proves it once again. Attackers have cloned a popular VPN app, used crypto support tools for phishing, and exposed data from hospitals, city councils, and even an international sports event. Here’s a deeper look into cybersecurity’s latest threats and how to stay protected!

SonicWall Flags Malware-Infected NetExtender Targeting VPN Credentials

Cybersecurity researchers at SonicWall and Microsoft uncovered a fake version of SonicWall’s NetExtender VPN client this week, which is being distributed to steal user credentials.

The tampered software closely resembles NetExtender v10.3.2.27, the latest official release, and is hosted on a lookalike website designed to appear legitimate. Obviously, the installer isn’t signed by SonicWall, but it does carry a digital signature from “CITYLIGHT MEDIA PRIVATE LIMITED,” helping it evade basic security checks. The threat actors behind it have modified two core binaries. The first one alters validation logic to bypass certificate checks, and the other captures sensitive VPN data.

When users enter their login details and click “Connect,” the malware sends usernames, passwords, domains, and other configuration information to a remote server (IP: 132.196.198.163) via port 8080. The real NetExtender is a widely used remote VPN tool meant for secure business access, and this attack specifically targets small to medium-sized organizations and IT professionals. Distribution of the malware is being carried out through spoofed search results, malvertising, and social media platforms like YouTube and TikTok, bypassing traditional malware protection.

SonicWall and Microsoft now block these installers, but the risks still remain, which is why you should only download VPN clients from official sources and avoid clicking on unsolicited links.

Trezor Support Tool Exploited in Ongoing Crypto Phishing Scheme

Trezor has issued a warning about a phishing scam that exploits its automated support system to send fake but convincing emails directly from its official help address.

The issue stems from how Trezor’s support platform works, where anyone can submit a ticket using any email and subject line. Once a ticket is submitted, the system replies automatically from help@trezor.io, using the subject line provided. Attackers are using this to their advantage by inserting phishing links and alarming messages into the subject, such as “[URGENT]: vault.trezor.guide – Create a Trezor Vault now in order to secure assets that may potentially be at risk.” Because the email appears to come from Trezor’s real support address, many users trusted it. Clicking the link led victims to a fake website that asked for their wallet seed phrase–the 24-word key that can unlock all crypto funds stored in the wallet. Anyone who enters this phrase can have their entire wallet stolen.

Trezor, which produces offline cold wallets that require physical confirmation for transactions, has urged users never to share their seed phrase and is working on preventing similar abuse.Trezor has also shared a guide on defending against phishing actors and scammers.

McLaren Health Care Reports Breach Affecting 743,000 Patient Records

McLaren Health Care also sent notifications to 743,000 patients of a data breach as a result of a ransomware attack that occurred in July 2024.

The incident is old but it took a long time for forensic experts to determine the full scope of affected individuals, and the details were shared recently. McLaren is a nonprofit network that operates 14 hospitals across Michigan. It experienced a significant IT and phone outage that led to the discovery. At the time, patients were asked to carry essential medical and appointment information manually. McLaren’s public notice does not name the attacker, but ransom notes linked to the INC ransomware group were reportedly printed across one of its hospitals, which could mean they’re behind the attack or are at least involved.

Though full names were confirmed as compromised, the complete list of exposed data types hasn’t been disclosed. This is McLaren’s second breach in two years, following a July 2023 incident linked to ALPHV/BlackCat, where sensitive information of over two million individuals was stolen and leaked.

McLaren is now reaching out to impacted patients. As an added safeguard, you should monitor accounts, enable alerts, and place fraud watches if you receive a breach notice.

Oxford City Council Breach Exposes 20 Years of Stored Data

In other news, the Oxford City Council disclosed a cyberattack that exposed personal information from old systems.

The breach involved unauthorized access to legacy databases holding data from 2001 to 2022, where the threat actors were able to access former and current officers, as well as temporary data of the staff that worked on election duties. The Council has released an official statement, sharing that the attackers accessed historic records but there was no evidence that citizen data was included or that the compromised information has been shared further.

In addition to the data breach, the incident disrupted ICT services across various departments. Most of their systems have since been restored, but there are residual delays that will remain until backlogs are cleared. The Council is now working with law enforcement and cybersecurity experts and will contact all affected individuals directly.

They’re also rolling out new security features. Until then, it’s best to remain cautious of suspicious emails and review any official communication carefully.

Hacktivist Group Leaks Personal Data from 2024 Saudi Games

Thousands of sensitive records linked to athletes and attendees of the Saudi Games have reportedly been leaked online by a threat actor identified as Cyber Fattah.

According to cybersecurity firm Resecurity, the data breach was revealed on Telegram on June 22 through SQL database dumps. The attackers are believed to have accessed the phpMyAdmin backend of the Saudi Games 2024 website, exfiltrating a wide range of information later posted to the DarkForums cybercrime site. The leak includes government and IT staff email credentials, passport scans, ID cards, bank statements, and medical forms.

The dump was shared by a profile named ZeroDayX, likely created just to publicize this breach. They also shared that such incidents reflect a growing trend of ideologically motivated cyberattacks, where various groups target public institutions and events to push political agendas. Such activities have been observed by several other actors in the region, including collaborations with lesser-known threat groups.

The broader pattern involves information operations meant to disrupt trust and destabilize institutions through digital means, often coordinated via Telegram. and cybercrime forums.