HTG Threat Report

Threat Report 6/30/25

Written by Evan Kennedy | Jun 30, 2025 3:07:29 PM

Billions of Previously Stolen Credentials Exposed in Unsecured Databases


Researchers at Cybernews discovered thirty exposed datasets containing sixteen billion login credentials for a variety of online services. Most of the datasets were stored in unsecured Elasticsearch instances, which have since been taken offline. It's unclear who owns the data, but the researchers note that most of the credentials are "a mix of details from stealer malware, credential stuffing sets, and repackaged leaks." 

BleepingComputer notes that the credentials are not from a new breach, despite some misleading reports to the contrary. Rather, the stolen credentials were likely already circulating in various criminal souks until they were "collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet." Still, the discovery serves as a reminder of just how many stolen credentials are out there.

Veeam Patches Critical Flaw Affecting Backup Servers 

Veeam issued a patch on June 17th for a critical vulnerability affecting the Backup Server that could allow an authenticated user to perform remote code execution. The vulnerability (CVE-2025-23121) was assigned a CVSS score of 9.9. 

BleepingComputer notes, "While CVE-2025-23121 only impacts VBR installations joined to a domain, any domain user can exploit it, making it easy to abuse in those configurations. Unfortunately, many companies have joined their backup servers to a Windows domain, ignoring Veeam's best practices, which advise admins to use a separate Active Directory Forest and protect the administrative accounts with two-factor authentication." 

Phishing Campaign Abuses Microsoft 365’s Direct Send to Spoof Internal Users 

Varonis warns that attackers are abusing Microsoft 365's Direct Send feature to send phishing emails that impersonate internal users. Direct Send is designed to allow devices such as printers to send emails within a Microsoft 365 tenant without authentication. Varonis explains, "This setup is intended for internal use only. But here’s the catch: no authentication is required. That means attackers don’t need credentials, tokens, or access to the tenant — just a few publicly available details. Identifying vulnerable organizations is trivial. Smart host addresses follow a predictable format...and internal email formats (like first.last@company[.]com) are often easy to guess or scrape from public sources, social media, or previous breaches. Once a threat actor has the domain and a valid recipient, they can send spoofed emails that appear to originate from inside the organization, without ever logging in or touching the tenant."
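One defender-side triage check for the behaviour Varonis describes, added here as example code that is not from Varonis or Microsoft: it flags mail whose From address belongs to one of the tenant's own domains but which carried no passing SPF or DKIM result and did not arrive from a device IP that is allowed to use Direct Send. The tenant domain, the allowlisted printer IP and the sample headers are all constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed assumptions: the tenant's accepted domain and the egress IP of the
# one printer that is allowed to relay through Direct Send without authenticating.
TENANT_DOMAINS = {"company.example"}
DIRECT_SEND_ALLOWLIST = {"203.0.113.10"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
IPV4_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_auth_results(value):
    """Map each mechanism in an Authentication-Results header to its result."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(str(value or ""))}

def classify(raw):
    """Flag mail that claims an internal sender but arrived with no passing authentication."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    received = msg.get_all("Received") or [""]
    match = IPV4_RE.search(str(received[0]))      # connecting IP from the first hop recorded
    source_ip = match.group(1) if match else None
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    if from_domain not in TENANT_DOMAINS:
        verdict = "external-sender"
    elif authenticated:
        verdict = "authenticated-internal"
    elif source_ip in DIRECT_SEND_ALLOWLIST:
        verdict = "allowlisted-device"
    else:
        verdict = "suspected-direct-send-spoof"   # internal From, no SPF/DKIM pass, unknown IP
    return {"from_domain": from_domain, "source_ip": source_ip, "verdict": verdict}

# Constructed sample headers in Authentication-Results format (RFC 8601), not real traffic.
SPOOFED = """\
Received: from mail.sender.invalid (198.51.100.25) by company-example.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.25) smtp.mailfrom=company.example;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=company.example
From: Jane Doe <jane.doe@company.example>
"""
PRINTER = """\
Received: from printer01 (203.0.113.10) by company-example.mail.protection.outlook.com
Authentication-Results: spf=none smtp.mailfrom=company.example; dkim=none header.d=none
From: Scanner <scanner@company.example>
"""
```

If no devices depend on the feature, the stronger fix is to turn it off at the tenant level with Exchange Online's Reject Direct Send setting (`Set-OrganizationConfig -RejectDirectSend $true`) rather than to triage individual messages.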

US Warns of Heightened Risk of Iranian Cyberattacks 

The US Department of Homeland Security has warned of a heightened risk of Iranian cyberattacks following American military strikes against Iran's nuclear facilities, Infosecurity Magazine reports. The DHS said in a National Terrorism Advisory System Bulletin issued yesterday, "Low-level cyber-attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks." The advisory added, "Both hacktivists and Iranian government-affiliated actors routinely target poorly secured US networks and Internet-connected devices for disruptive cyber attacks." 

John Hultquist, Chief Analyst at Google Threat Intelligence Group, noted, "Iran has had mixed results with disruptive cyber-attacks and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact. We should be careful not to overestimate these incidents and inadvertently assist the actors. The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware." 

Citrix Patches Critical Zero-Day Vulnerability

Citrix has issued a patch for a critical flaw (CVE-2025-6543) affecting NetScaler ADC and NetScaler Gateway appliances that are configured as gateway virtual servers or authentication, authorization, and accounting (AAA) virtual servers, the Register reports. The flaw is a "[m]emory overflow vulnerability leading to unintended control flow and Denial of Service." Citrix has observed exploitation of the vulnerability, though the company didn't share specifics. 

Benjamin Harris, CEO of watchTowr, told the Register that the flaw's 9.2 CVSS score suggests attackers are using the vulnerability to carry out more than just denial-of-service (DoS) attacks. Harris stated, "The CVSS metrics reflect code execution or similar, not DoS as the most impactful outcome. Vulnerable appliances being observed to enter a 'denial of service condition' likely reflects failed exploitation, given the class of vulnerability being discussed here." 

The vulnerability is separate from another critical Citrix flaw (CVE-2025-5777) that made headlines last week. Users are urged to update their Citrix products as soon as possible.