Infosec bits for 2025 week 25

Kgwadi Matenche | June 20, 2025, 3:57 p.m.

Cybersecurity News:

Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign [Ravie Lakshmanan, The Hacker News]

Asana warns MCP AI feature exposed customer data to other orgs [Bill Toulas, Bleeping Computer]

Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider [Ravie Lakshmanan, The Hacker News]

Iran curbs internet access to ward off Israel’s cyberattacks [Daryna Antoniuk, Recorded Future News]

Breaches & Leaks:

Krispy Kreme says November data breach impacts over 160,000 people [Sergiu Gatlan, Bleeping Computer]

Vulnerabilities & Patches:

Chrome 137 Update Patches High-Severity Vulnerabilities [Ionut Arghire, SecurityWeek]

BeyondTrust warns of pre-auth RCE in Remote Support software [Sergiu Gatlan, Bleeping Computer]

Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication [Ravie Lakshmanan, The Hacker News]

High-Severity Vulnerabilities Patched in Tenable Nessus Agent [Ionut Arghire, SecurityWeek]

Critical Linux Flaws Discovered Allowing Root Access Exploits [Alessandro Mascellino, Infosecurity Magazine]

Others:

Gerrit Misconfiguration Exposed Google Projects to Malicious Code Injection [Ionut Arghire, SecurityWeek]

Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories [Deeba Ahmed, HackRead]

Over 46,000 Grafana instances exposed to account takeover bug [Bill Toulas, Bleeping Computer]