Espionage, Exploits, and AI Anxiety Amongst CISOs

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of June 2025 as well as predictions / recommendations for the coming months.

Note that this month’s report focuses primarily on industry events and breaches along with some additional content. As July is the start of a new fiscal quarter, we would normal present some data along with the usual report contents. Our quarterly data comparison will be presented next month with a new and improved format and more extensive data.

Executive Summary

• New Hornetsecurity CISO poll reveals growing concern over shadow AI, low user awareness, and fragmented governance as AI adoption accelerates.
• Citrix Bleed 2 (CVE‑2025‑5777) – Critical session hijack bug under active exploitation; CISA issued a 24-hour patch mandate.
• Salt Typhoon APT – Chinese state-backed breaches hit Viasat and multiple North American telecoms.
• Snowflake Data Resurgence – Old Ticketmaster data from 2024 reappears; the breach is still biting.
• Zoomcar API Breach – Leaky endpoint exposed 8.4M users, data ripe for phishing/scam campaigns.
• Myth Stealer Malware – Rust-based browser and crypto stealer marks an emerging trend in lightweight malware design.

CISO Perspectives on AI in Cybersecurity

This month, Hornetsecurity released a new research blog based on candid interviews and polling with CISOs from across Europe and North America. Rather than focusing on AI hype or product pitches, we went straight to the source to understand how real-world security leaders are grappling with the rise of AI in their environments.

The results? Mixed, but insightful.

While some organizations are starting to integrate AI into security workflows, including use cases like false positive triage, SOC efficiency, and ticket enrichment, most CISOs report a cautious, measured approach. Governance varies widely, with some companies rolling out internal policies and even self-hosted LLMs, while others are still in lockdown mode due to compliance and privacy concerns.

One common thread across all conversations: concern over shadow AI usage and the risk of sensitive data leaks via unsanctioned tools. End-user awareness remains low in many environments, and even leadership understanding of AI risks is uneven at best. As one vCISO noted, “Management sees the productivity gains related to AI but doesn’t necessarily see the associated risks.”

Looking ahead, the CISOs we spoke with flagged synthetic identity fraud, voice cloning, and model poisoning as top concerns for 2025, especially for orgs managing internal models or developing software in-house.

If you’re looking for a grounded, boots-on-the-ground view of how CISOs are approaching AI, not just the upside, but the risks and roadblocks too, check out the full post below:

Read the full article here!

Threat Overview

Citrix Bleed 2 (CVE‑2025‑5777) – Actively Exploited

Citrix NetScaler ADC and Gateway devices were hit mid-June by a nasty out-of-bounds memory-read bug dubbed “Citrix Bleed 2,” allowing unauthenticated attackers to steal session tokens and hijack active user connections. The flaw was patched on June 17, but scans and proof-of-concept exploits started circulating almost immediately.

By July, CISA escalated the alert, telling federal agencies to patch within 24 hours, an unprecedented turnaround. Researchers at Imperva noted over 11.5 million attack attempts across thousands of exposed systems, which really shows how trivial it is to weaponize.

Why it Matters

• No authentication needed to strip session tokens, making it a potent MFA bypass.
• Thousands of vulnerable appliances are exposed on the internet, over 1,200 confirmed as unpatched in late June.
• Fast-moving PoCs and exploit conversation among threat actors ensure this remains a top-tier risk.

Salt Typhoon Chinese APT Targets Viasat & Canadian Telecoms

In mid-June, BleepingComputer reported that China-linked APT Salt Typhoon breached satellite provider Viasat, exploiting Cisco flaws to infiltrate its network. Canadian telecom agencies independently confirmed intrusions dating back to February, indicating a widespread espionage campaign.

This isn’t a casual nuisance. Salt Typhoon is a highly sophisticated unit focused on telecom infrastructure, wiretapping platforms, and sensitive metadata. The fact that the industry doesn’t seem to know the full extent of the group’s intrusion is both sobering, and worrying all at the same time.

Why it Matters

• Breaches of core infrastructure like Viasat and telecom providers pose massive risks to national communications and surveillance data.
• The campaign’s persistence across North America displays an intent for long-term espionage and data capture.
• Treatment of these intrusions helps sharpen nation-state counterintelligence protocols, and likely inspired policy shifts pending further government action.

Snowflake APT Breach Resurfaces — Ticketmaster Data Popped Up

An extortion gang linked to the 2024 Snowflake breach rattled the scene in June by resurging and briefly re-listing stolen Ticketmaster data (~569 GB) for sale. While initial panic suggested a new leak, BleepingComputer confirmed it was not a fresh breach, but residual data from 2024.

Still, the reemergence of stale Snowflake data shines a spotlight on several worrying trends across businesses: credential reuse, persistent underground interest, and the long tail of cloud-provider data exposure. This cloud-side breach continues to echo over a year later. Organizations would do well to be reminded that Snowflake misconfigurations and insufficient token hygiene can haunt infrastructure for a long time.

Zoomcar API Breach – 8.4 Million Users Exposed

On June 16, reports emerged that Zoomcar, a major Indian car-sharing platform, had an unpatched API flaw that leaked 8.4 million user records: names, emails, vehicle registration numbers and profiles. While no ransomware or extortion was detected, the exposed dataset offers a tempting goldmine for identity theft, spear-phishing campaigns, and vehicle-related scams.

Although not as headline-grabbing as ransomware, it’s clear that APIs offer an avenue to threat actors that many organizations aren’t thinking about. The mounting threat of unsecured APIs in SaaS ecosystems, especially those crossing international boundaries should be a growing concern for CISOs and industry leaders. Data remains live, user endpoints are exposed, and regulatory scrutiny can be increasingly intense.

Mobile Rust Malware (“Myth Stealer”)

In early June, a new Rust-based info-stealer dubbed Myth Stealer appeared, dropping itself via fake gaming portals. It focused on extracting browser credentials (Chrome, Firefox) and crypto wallets marking a fresh iteration in malware evolution.

Rust’s memory safety and ease of cross-compilation make it a rising favorite for malware authors who want speed and stealth. Myth Stealer is a textbook example of a small / efficient footprint, and difficult for traditional endpoint protection to detect. The shift toward lightweight, multi-platform stealer campaigns that target both browsers and wallet-specific artifacts continues, and the industry must continue to evolve around these evolving threats.

Predictions for the Coming Months

• More Citrix-style pre-auth exploits targeting hypervisors and network devices will likely surface, pushing patch deadlines past “urgent” into “life or death.”
• Cloud data remnants will continue to resurface - expect stale but sensitive data from Snowflake, AWS, Azure, GCP…etc to keep popping up in dark auctions.
• API misconfigurations will be a persistent SaaS problem; expect regulators to treat these breaches as more than just operational issues.
• Shadow AI will outpace official governance unless orgs move quickly to define usage policies and internal tooling. Expect more leaks of sensitive data via unsanctioned AI services.
• CISO-driven AI adoption will remain cautious, with experimentation continuing in triage, enrichment, and ticket automation workflows, but full automation will lag due to compliance friction and lack of trust.
• Synthetic identity fraud and deepfake-driven impersonation attacks will rise in frequency, especially targeting finance and compliance-heavy sectors.
• Internal model poisoning risks will grow as more orgs self-host LLMs for proprietary workflows, particularly in dev environments and data-heavy industries.

Monthly Recommendations

1. Patch critical network appliances NOW - prioritize Citrix, Cisco, and other perimeter devices with aggressive patch cycles and WAF signatures.
2. Harden telco-grade infra - deploy EDR/XDR on routers, enforce zero trust, and run threat hunts for state-extortion groups like Salt Typhoon.
3. Re-assess cloud config hygiene - audit Snowflake & API/microservice configurations, rotate tokens/keys, and set up storage access logging and alarm-ing.
4. Inventory browser-based malware exposure - deploy credential vaults, enforce MFA, and update endpoint protection to detect Rust-style stealers like Myth.
5. Automate API security testing - integrate API scanning during CI pipelines; use WAFs for real-time anomaly detection on traffic to internal APIs.
6. Invest in intelligence feeds - subscribe to telemetry that surfaces PoCs and threat chatter (e.g., Citrix exploits, APT chatter) so you’re not always reacting late.
7. Create or update your internal AI use policy - define sanctioned tools, data handling standards, and approval flows for business units experimenting with AI.
8. Launch end-user awareness training - focused specifically on AI risks: model hallucination, sensitive data handling, and phishing via AI-generated content.
9. Partner with legal and compliance teams - to establish acceptable use guidelines and vendor reviews for third-party AI tools.