Cyberattack empties Whole Foods shelves. Cybercrime as a Service. Elder Abuse Awareness Day. HR under attack. What's AI-Privilege?
Cybersecurity News of the Week & Patch Report, June 15, 2025
This week's essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Sections
Section 1: National and International News
SecureTheVillage: Events. Programs. Guides. Newsletters.
Section 2: Families and Individuals: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Section 3: Smaller Businesses and Nonprofits: A Discipline of Cybersecurity.
Cybersecurity Nonprofit of the Week
Section 4: Patch and Update Report
Section 1: National and International News
Cyberattack leads to Whole Foods shortages: A cyberattack on a primary organic food distributor has led to empty shelves at Whole Foods stores across the country. … The company, Rhode Island-based United Natural Foods Inc. (UNFI), is one of the country’s largest organic food distributors and a major partner with Whole Foods. It became aware of a cyberattack on June 5, according to a filing with the Securities and Exchange Commission, and took some of its systems offline, hampering its ability to distribute orders to customers.
Hundreds of Russian devices hit by Rare Werewolf cryptomining attacks: A hacker group known as Rare Werewolf has been hijacking computers across Russia and neighboring countries to secretly mine cryptocurrency, according to new research. … The campaign has affected hundreds of Russian users, particularly targeting industrial enterprises and engineering schools, with additional victims reported in Belarus and Kazakhstan.
Pentagon’s $11B IT modernization struggles with cost overruns, delays, and cybersecurity gaps: GAO report exposes performance failures, weak oversight, and schedule slips, up to four years, across major defense systems. … The GAO’s sixth annual review of the DoD’s IT business programs found significant gaps in performance reporting and cybersecurity planning across the Pentagon’s 24 major IT investments, which support critical functions including healthcare, human resources, financial management, logistics, and contracting. … The assessment uncovered troubling cybersecurity gaps as the Pentagon faces mounting digital threats. Two programs lack approved cybersecurity strategies entirely, while four programs have yet to develop implementation plans for zero trust architecture despite a 2027 departmental deadline.
How Crime-As-A-Service Turned Hacking Into A Subscription Business: Not too long ago, at least a small amount of technical know-how was needed by anyone who wanted to launch a cyberattack and disrupt the operations of a business. … Today, though, an underground economy exists where anyone with the funds can access tools and expertise that can bring businesses to the ground. … Referred to by security experts as crime-as-a-service, this involves the developers of hacker tools and apps charging via a subscription model, like any other software developer. … Effectively, this means that just about anyone sitting behind a VPN can carry out a crime anonymously anywhere in the world. It’s a “democratization” of cybercrime. … Another factor is a change in strategy. Increasingly, rather than targeting technology, criminals are striking directly at the weakest link in the cybersecurity chain, which is usually us humans.
Inside a Dark Adtech Empire Fed by Fake CAPTCHAs: Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.
What is 'AI privilege'? OpenAI CEO says talking to ChatGPT should be as private as a doctor’s visit: As millions rely on ChatGPT for personal and emotional support, a legal battle with The New York Times threatens to erase current privacy protections. The demand to permanently store user chats has sparked backlash from CEO Sam Altman, who is now pushing for a new confidentiality standard—“AI privilege”—to safeguard sensitive user data in the AI age.
States take legal action as 23andMe attempts to sell customer genetic information amid bankruptcy: Attorneys general contend bankruptcy proceedings shouldn't allow genetic testing company to sell sensitive customer data without consent. … Bankrupt 23andMe is facing a lawsuit over its plans to sell customer genetic information. … Twenty-seven states and the District of Columbia took legal action this week against 23andMe in the U.S. Bankruptcy Court for the Eastern District of Missouri, the court overseeing the Chapter 11 bankruptcy proceedings that the genetic testing company entered earlier in the year. … The states contend 23andMe has "no right to sell their customers’ genetic identities to the highest bidder" unless the company "first obtain[s] express informed consent to the proposed transaction/transfer by each consumer impacted."
Scientists Are ‘Playing with God’s Dice’ by Using Quantum Entanglement for this Game-Changing Random Number Generator: National Institute of Standards and Technology (NIST) scientists have created the first random number generator that uses quantum entanglement, providing traceable and certifiable confirmation that the numbers generated are truly random. … As random numbers are critical to encryption, certifiable systems that generate a truly random outcome could play a critical role in digital security.
Top 5 Skills Entry-Level Cybersecurity Professionals Need: Cybersecurity professional organization ISC2 found hiring managers prize teamwork, problem-solving, and analytical thinking in early-career employees. … Despite global economic pressures, the industry is strong: 75% of hiring managers planned to hire more cybersecurity professionals during 2025, ISC2 found. Nearly 90% of the people surveyed had open positions at their organizations. The report found early-career roles are relatively quick to fill.
Government offices in North Carolina, Georgia disrupted by cyberattacks: A city in North Carolina and a district attorney’s office covering four counties in Georgia are both dealing with operational issues related to recent cyberattacks. … Thomasville, North Carolina, home to about 30,000 residents, said essential services will still be available but many city systems will be offline due to a cyberattack. … About three hours south in Georgia, the Ogeechee Judicial Circuit District Attorney’s Office warned the counties it governs about phone and internet outages impacting its work.
Lewiston-area patients left waiting for care after hospital cyber incidents: Two health care systems were breached in subsequent weeks, leaving many patients scrambling. … The first breach affected St. Mary’s Health System, whose owner, Massachusetts-based Covenant Health, disconnected the facility from all its data systems on May 26. … A week later, Central Maine Healthcare, which owns CMMC and smaller hospitals in Bridgton and Rumford, shut down its network servers and phone systems after identifying “unusual activity” within its computer systems.
Virginia mortgage firm hack exposes thousands of customers: An attacker breached the McLean Mortgage Corporation, stealing sensitive customer data, including financial account information. … According to information the company submitted to the Maine Attorney General’s Office, over 30,000 individuals were impacted in the cyberattack.
SecureTheVillage
Events
June 17: SecureTheVillage's Cybersecurity Connect Discussion Group. Recent developments in cybersecurity and privacy laws and regulations. Discussion led by Robert Braun, Partner, Jeffer Mangels Butler & Mitchell LLP, Chair of the JMBM Cybersecurity and Privacy Group. Cybersecurity Connect is where cybersecurity professionals, IT leaders, attorneys, risk managers, executive leaders, educators, investors, and law enforcement come together to discuss challenges, exchange ideas, and strengthen our collective defenses. June 17, 3:45 - 5:00 PDT.
Programs
Guides for families and individuals
How Hackable Are You? Strengthen your cybersecurity and privacy defenses with our free updated 13-step guide.
Guide to Password Managers. What you need to know to get a password manager that's right for you.
After a Disaster: A Guide to Keep Your Phone Secure, Safeguard Your Information, and Avoid Being Scammed. This is a concise guide on how to protect yourself from scams in the aftermath of a local disaster, whether it's an earthquake, major fire, hurricane, or other crisis.
Keeping Kids Safe Online: A Guide for Parents. … Coming Soon.
SecureTheVillage FREE Newsletters. Sign up or share with a friend!
Cybersecurity News of the Week & Weekend Patch Report. Our award winning newsletter, now on Substack. Essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned.
Family Protection Newsletter: Our monthly newsletter for non-cyber experts. For your parents, friends, and those who need to protect themselves in a digital world.
Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Always be suspicious. Don’t trust. Verify.
FBI warns Americans of elderly abuse ahead of Elder Abuse Awareness Day: The state of Virginia ranked 11th in overall losses for elderly Americans that are victims in fraud, and the Federal Bureau of Investigation (FBI) is warning people against those who seek to take advantage of the vulnerable and growing population. … This warning comes ahead of World Elder Abuse Awareness Day, which is on June 15. … In 2024 there was a total of $4.885 billion in reported losses from 147,127 complaints, a 46 percent increase in complaints and 43 percent of revenue losses. … “Elder abuse isn’t just a betrayal of trust—it’s a serious crime that shatters the safety and dignity of those who helped build our communities,” said Dominique Evans, Special Agent in Charge, FBI Norfolk. … The FBI says the elderly are frequently targeted by criminals, as they are perceived to be more trusting. Here are some tips to help protect your information:
Coming soon … Improved child protection tools. … SecureTheVillage Parent's Guide. Coming Soon.
Apple to expand tools to help parents protect kids and teens online: Including new ways to manage Child Accounts, the ability to share a child’s age range to receive age-appropriate experiences within an app, updated age ratings on the App Store, and more. … With the release of iOS 26, iPadOS 26, macOS Tahoe 26, watchOS 26, visionOS 26, and tvOS 26 this fall, parents have more ways to ensure kids have age-appropriate experiences from the moment they set up their device.
Section 3: Smaller Businesses and Nonprofits: A Discipline of Cybersecurity.
Alert your HR about this hiring scam.
FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters: Cybercriminals from the long-running FIN6 group are posing as job seekers on platforms like LinkedIn to infect recruiters with malware delivered through fake resumes, according to a new report. … In their latest campaign, the hackers — also tracked as Skeleton Spider — initiate interactions with recruiters on platforms such as LinkedIn and Indeed and, after gaining their trust, send malicious phishing emails that deliver a backdoor known as MoreEggs. … The phishing emails are professionally written and contain no clickable links — forcing recipients to manually type a URL, which helps the messages bypass security filters. The links direct recruiters to landing pages that mimic personal resume portfolios. … These sites are hosted on trusted cloud infrastructure, including Amazon Web Services (AWS), to evade detection. The landing pages use traffic filtering and CAPTCHA to ensure that only human recruiters — rather than automated analysis tools — are targeted with the malware.
Preparing for the next cloud outage.
The cloud broke Thursday and it'll happen again - how to protect your business before then: Simply using a multi-cloud or hybrid cloud isn't enough. … After a rocky Thursday afternoon on the internet, both Google and Cloudflare services appear to be operating normally as of Friday morning. When trouble started, the question wasn't what's wrong with what cloud service; it was, what service isn't down?
Using Android phones? Check out Google’s new security management tool.
Your Android phone is getting a huge security upgrade for free - what's new: Google has added new enterprise-scale security protections for your organization's Android devices. … Mobile devices are always a tempting target for cybercriminals. That's true not just for consumers but for companies. According to Google, more than half of organizations have pointed to smartphones as their most exposed endpoint, and data breaches often occur from improper use of these devices. … In a blog post released on Tuesday, Google describes the latest protections available with its Android Enterprise platform.
Cybersecurity Nonprofit of the Week … Cyber Readiness Institute
Our kudos this week to the Cyber Readiness Institute (CRI) and the great work they do helping our smaller organizations manage their information security challenges. CRI’s Cyber Readiness Program helps organizations protect their data, employees, vendors, and customers. This free, online program is designed to help small and medium-sized enterprises become more secure against today’s most common cyber vulnerabilities. Their free Cyber Leader Certification Program is a personal professional credential for those who have completed the Cyber Readiness Program. Both are highly recommended. The Cyber Readiness Institute plays a major role in SoCal Cybersecure™, SecureTheVillage's learn-by-doing Cohort program for smaller businesses and nonprofits. Like SecureTheVillage, the Cyber Readiness Institute is a fellow-member of Nonprofit Cyber. Dr. Stahl is a proud member of CRI’s Small Business Advisory Council.
Section 4: Weekend Patch Report
Keeping your computers, smartphones, notepads and other devices patched and updated is #4 on SecureTheVillage's How Hackable Are You Guide.
The following lists current versions of common software programs. Items in Bold have been updated.
Updates are usually available from within the program. If not, updates can be downloaded from the company's website. Even as patching is increasingly automated, it's important to double-check that it's being done.
7-Zip 24.09.
Adobe Acrobat Reader updated to 25.001.20531
AVG 25.5.3382.
Apple iOS 18.5
Apple iPadOS 18.5
Apple macOS Sequoia 15.5
Apple macOS Sonoma 14.7.6
Apple macOS Ventura 13.7.6
Apple watchOS 11.5
Apple tvOS 18.5
Apple visionOS 2.5
Apple Safari 18.5
Brave updated to 1.79.123.
CCleaner 6.36.11508.
Chrome updated to 137.0.7151.104.
Discord updated to 1.0.9195.
Dropbox updated to 226.4.5094.
Edge 137.0.3296.68.
Evernote updated to 10.141.5.
ExpressVPN 12.102.0.40
Firefox updated to 139.0.4.
Foxit Reader 2025.1.0.27937.
Google Drive for Desktop 109.0.3.0.
iTunes 12.13.7.1.
KeePass 2.57.1.
Malwarebytes updated to 5.3.2.195.
Microsoft 365 & Office updated
Microsoft Windows updated
Notepad++ 8.8.1.
OneDrive updated to 25.095.0518.0002.
Opera Chromium updated to 119.0.5497.88.
Spotify updated to 1.2.66.444.
Teams updated to 25122.1415.3698.6812.
TeamViewer 15 updated to 15.66.5.
Thunderbird updated to 139.0.2.
Zoom updated to 6.4.7