Chinese State Hackers Exploit Unpatched Cisco Flaw to Breach Canadian Telecom Network
Chinese state-sponsored hacking group Salt Typhoon compromised a Canadian telecommunications provider in February 2025 by exploiting CVE-2023-20198—a maximum-severity Cisco IOS XE vulnerability with a CVSS score of 10.0. Although Cisco released a patch in October 2023, shortly after security firm VulnCheck publicly disclosed the issue, the targeted devices remained exposed 16 months later. The Canadian Centre for Cyber Security and the FBI attributed the breach to Salt Typhoon, a group previously linked to attacks on U.S. telecom firms including Verizon and AT&T. According to the Wall Street Journal, the hackers likely used prolonged access to monitor lawful wiretap systems operated on behalf of U.S. agencies. In the Canadian case, three network devices were compromised; attackers extracted running configuration files and modified at least one to establish a GRE tunnel, enabling covert traffic collection from the connected network.
Cisco later disclosed that Salt Typhoon also exploited CVE-2018-0171, CVE-2023-20273, and CVE-2024-20399 in the same 2024 campaign. The Cyber Centre found overlaps between observed activity and indicators reported by partners and industry, suggesting the campaign extended beyond telecommunications. While some of the intrusion may have been limited to network reconnaissance, Canadian officials emphasized the failure to patch a well-known vulnerability as a critical security lapse. They warned that PRC-backed espionage operations will almost certainly continue targeting Canadian telecoms and their clients through at least 2027. Despite the scope and severity of the attack, neither the affected telecom provider nor any specific vendor was publicly named.
Read: https://arstechnica.com/security/2025/06/suspected-china-state-hackers-exploited-patched-flaw-to-breach-canadian-telecom/
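The Canadian report describes the attackers modifying a running configuration to add a GRE tunnel. Auditing exported configs for tunnels that point at peers nobody approved is one of the cheaper ways to spot this. The script below is an added example, not code from the Cyber Centre, Cisco, or the article: it parses a constructed IOS XE running-config, lists every `interface Tunnel` block, flags GRE tunnels whose destination is not in an assumed allowlist (`APPROVED_TUNNEL_PEERS`, which a real operator would replace with their own inventory), and also reports whether the HTTP server feature that exposes the IOS XE web UI is still enabled.

```python
"""Audit a Cisco IOS XE running-config for unexpected GRE tunnels.

Added example. SAMPLE_CONFIG is constructed, not taken from any real
device; APPROVED_TUNNEL_PEERS is an assumed allowlist to be replaced
with the operator's own inventory of legitimate tunnel endpoints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample running-config (not a real device's config).
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 description Backup link to DC2
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
!
interface Tunnel7
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.77
!
end
"""

# Assumed allowlist of legitimate tunnel peers (replace with real inventory).
APPROVED_TUNNEL_PEERS = {"198.51.100.20"}


@dataclass
class Tunnel:
    name: str
    mode: str = "gre ip"  # IOS tunnels default to GRE/IP when no mode is configured
    source: str = ""
    destination: str = ""
    description: str = ""


def parse_tunnels(config: str) -> List[Tunnel]:
    """Return every 'interface TunnelN' block with its tunnel parameters."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = Tunnel(name) if name.startswith("Tunnel") else None
            if current:
                tunnels.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a top-level command ends the interface block
            continue
        cmd = line.strip()
        if cmd.startswith("tunnel mode "):
            current.mode = cmd[len("tunnel mode "):]
        elif cmd.startswith("tunnel source "):
            current.source = cmd[len("tunnel source "):]
        elif cmd.startswith("tunnel destination "):
            current.destination = cmd[len("tunnel destination "):]
        elif cmd.startswith("description "):
            current.description = cmd[len("description "):]
    return tunnels


def find_suspicious_tunnels(config: str, approved: set) -> List[str]:
    """Flag GRE tunnels whose destination is not an approved peer."""
    findings = []
    for t in parse_tunnels(config):
        if not t.mode.startswith("gre"):
            continue  # IPsec/other tunnel modes are outside this check
        if t.destination not in approved:
            findings.append(
                f"{t.name}: GRE to {t.destination or '<unset>'} "
                f"via {t.source or '<unset>'} not in approved peers"
            )
    return findings


def web_ui_enabled(config: str) -> bool:
    """True if 'ip http server' or 'ip http secure-server' is configured.

    CVE-2023-20198 is in the IOS XE web UI served by this feature; Cisco's
    advisory recommended disabling it where the web UI is not required.
    """
    return bool(re.search(r"^ip http (secure-)?server$", config, re.M))


if __name__ == "__main__":
    for finding in find_suspicious_tunnels(SAMPLE_CONFIG, APPROVED_TUNNEL_PEERS):
        print("FINDING:", finding)
    if web_ui_enabled(SAMPLE_CONFIG):
        print("FINDING: HTTP server enabled; web UI reachable on this device")
```

Run it against a `show running-config` export saved to a file by passing the file contents to `find_suspicious_tunnels` and `web_ui_enabled`. Tunnel blocks with no `tunnel mode` line are treated as GRE, which matches the IOS default and is exactly the case an attacker adding a minimal tunnel would leave behind.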
Senate Bill Expands Youth Privacy Rules and Raises Concerns Over Online Surveillance
The Children and Teens’ Online Privacy Protection Act (S.836), or COPPA 2.0, currently under review by the Senate Commerce Committee, aims to update existing digital privacy laws by expanding protections from children under 13 to all users under 17. It also allows teens aged 13 to 16 to independently consent to data collection. The bill has received bipartisan support and backing from major tech companies. A key change is the replacement of the current “actual knowledge” standard with the broader phrase “knowledge fairly implied on the basis of objective circumstances.” This shift would compel platforms to infer users’ ages through behavioral cues and contextual data, effectively introducing a negligence standard that increases platforms’ legal exposure and pushes them to act preemptively to avoid penalties.
To comply, many websites may adopt universal age verification systems, potentially requiring sensitive data like facial scans, biometric information, or government-issued IDs. These systems are prone to errors and raise serious privacy concerns, as they create new repositories of personal information vulnerable to misuse, breaches, or commercial exploitation. Without comprehensive federal privacy legislation to regulate data retention, third-party access, and user recourse, these practices risk undermining the very protections the bill seeks to establish. Furthermore, requiring age checks to access online spaces—such as public forums, creative platforms, and educational tools—could discourage user participation, particularly in communities where anonymity is essential for safety or free expression. In attempting to safeguard minors, COPPA 2.0 may unintentionally extend surveillance and restrict access for all internet users.
Read: https://reclaimthenet.org/coppa-2-0-the-age-check-trap
Aflac Reports Data Breach Affecting Customers and Employees
Aflac, one of the largest insurance companies in the U.S. with around 50 million customers, confirmed in a legally required SEC filing that hackers accessed its network on June 12 and stole an unknown amount of personal data. The breach, which was detected and contained the same day, involved sensitive information such as Social Security numbers, health data, and customer claims. It also affected data belonging to Aflac’s beneficiaries, employees, and agents. The company stated that ransomware was not involved and attributed the incident to a cybercrime group known to be targeting the U.S. insurance sector. The attackers used social engineering tactics—methods of deception aimed at manipulating individuals—to gain access to Aflac’s systems. Aflac declined to answer further questions when contacted by TechCrunch.
This incident comes amid a wave of cyberattacks affecting the insurance industry. John Hultquist, chief analyst at Google’s Mandiant threat intelligence unit, linked the breach to Scattered Spider, a financially motivated and loosely organized hacker collective known for using social engineering and even threats of violence to compromise corporate help desks and call centers. The group is also suspected in recent attacks on Erie Insurance and Philadelphia Insurance Companies, where disruptions are ongoing. Scattered Spider has previously been associated with intrusions at major tech firms, casinos, hotels, and retail companies across the U.S. and U.K., highlighting the growing cybersecurity risks facing insurers and other high-value targets.
Read: https://techcrunch.com/2025/06/23/us-insurance-giant-aflac-says-customers-personal-data-stolen-during-cyberattack/
Trojanized SonicWall VPN App Exploits Certificate Loophole to Steal Enterprise Credentials
An unidentified threat actor distributed a Trojanized SonicWall NetExtender VPN installer (v10.3.2.27), digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED,” likely spoofing an Indian firm. Hosted on malicious sites, the installer carried a tampered `NeService.exe` that bypasses certificate checks and a modified `NetExtender.exe` that exfiltrates VPN credentials (username, password, domain) to 132.196.198.163:8080. Victims were lured to the download through search results; no SonicWall subdomain was compromised. SonicWall and Microsoft revoked the certificate, dismantled the infrastructure, and deployed detections via Defender, Capture ATP, and RTDMI. Rapid7’s Lonnie Best contextualized the tactic as common among recent SEO-poisoning campaigns. SonicWall’s Soumyadipta Das noted that other enterprise packages may also have been similarly altered.
Read: https://www.darkreading.com/identity-access-management-security/threat-actor-trojanizes-sonicwall-netextender-vpn
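The report gives defenders two concrete handles: the signer name on the rogue installer and the credential-exfiltration endpoint. The script below is an added example, not SonicWall's, Microsoft's, or Rapid7's code: it runs over constructed endpoint telemetry (JSON, one event per line, with field names that follow no particular EDR product) and flags any connection to the published endpoint, any NetExtender binary whose signer is not the expected publisher, and any NetExtender connection to a host outside an assumed allowlist of VPN concentrators. `EXPECTED_SIGNER` and `APPROVED_VPN_PEERS` are assumptions; take the real values from a known-good installer and your own VPN inventory.

```python
"""Hunt for trojanized NetExtender activity in endpoint telemetry.

Added example. SAMPLE_EVENTS is constructed. The C2 endpoint and the rogue
signer string come from the report above; EXPECTED_SIGNER and
APPROVED_VPN_PEERS are assumptions to be replaced with verified values.
"""
import json
from typing import Dict, List

KNOWN_C2 = {("132.196.198.163", 8080)}                # from the report
ROGUE_SIGNERS = {"CITYLIGHT MEDIA PRIVATE LIMITED"}   # from the report
EXPECTED_SIGNER = "SonicWall Inc."                    # assumption: verify on a clean installer
APPROVED_VPN_PEERS = {("vpn.example-corp.test", 443)}  # assumption: your VPN concentrators
NETEXTENDER_BINARIES = {"netextender.exe", "neservice.exe"}

# Constructed telemetry: one JSON event per line. Windows paths use "\\" as JSON requires.
SAMPLE_EVENTS = r"""
{"ts":"2025-06-20T09:01:02Z","host":"WS-114","event":"net_connect","image":"C:\\Program Files\\SonicWall\\NetExtender.exe","signer":"SonicWall Inc.","dst":"vpn.example-corp.test","dport":443}
{"ts":"2025-06-20T09:02:15Z","host":"WS-207","event":"process_start","image":"C:\\Users\\jdoe\\Downloads\\NetExtender.exe","signer":"CITYLIGHT MEDIA PRIVATE LIMITED"}
{"ts":"2025-06-20T09:02:40Z","host":"WS-207","event":"net_connect","image":"C:\\Users\\jdoe\\Downloads\\NetExtender.exe","signer":"CITYLIGHT MEDIA PRIVATE LIMITED","dst":"132.196.198.163","dport":8080}
{"ts":"2025-06-20T09:03:00Z","host":"WS-301","event":"net_connect","image":"C:\\Windows\\System32\\svchost.exe","signer":"Microsoft Windows","dst":"203.0.113.5","dport":443}
"""


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _finding(ev: dict, rule: str, detail: str) -> Dict[str, str]:
    return {"host": ev["host"], "ts": ev["ts"], "rule": rule, "detail": detail}


def analyze_events(raw_lines: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious condition, in event order."""
    findings: List[Dict[str, str]] = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = _basename(ev.get("image", ""))
        signer = ev.get("signer", "")
        dst = (ev.get("dst"), ev.get("dport"))
        is_connect = ev.get("event") == "net_connect"

        # Rule 1: any process at all talking to the published exfiltration endpoint.
        if is_connect and dst in KNOWN_C2:
            findings.append(_finding(ev, "known_c2", f"{image} -> {dst[0]}:{dst[1]}"))

        if image not in NETEXTENDER_BINARIES:
            continue

        # Rule 2: a NetExtender component not signed by the expected publisher.
        if signer != EXPECTED_SIGNER:
            rule = "known_rogue_signer" if signer in ROGUE_SIGNERS else "unexpected_signer"
            findings.append(_finding(ev, rule, f"{image} signed by {signer!r}"))

        # Rule 3: NetExtender connecting somewhere other than an approved VPN peer.
        if is_connect and dst not in APPROVED_VPN_PEERS:
            findings.append(_finding(ev, "unapproved_vpn_peer", f"{image} -> {dst[0]}:{dst[1]}"))
    return findings


def hosts_with_findings(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted list of hosts that produced at least one finding."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = analyze_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
    print("hosts to triage:", ", ".join(hosts_with_findings(results)))
```

Rule 2 fires on the process-start event alone, before any network activity, so a signer check on NetExtender binaries catches the rogue installer even on a host that never reached the exfiltration endpoint. Rule 3 is the one that survives once the attacker changes infrastructure: the published address will rotate, but a VPN client talking to anything other than the company's own concentrators stays anomalous.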
Anthropic Wins Fair Use Ruling but Faces Trial Over Pirated Book Library
Anthropic, the AI firm behind Claude, secured a partial win in Bartz v. Anthropic (N.D. Cal., filed Aug. 2024), where Judge William Alsup ruled that training large language models on copyrighted works constitutes “fair use.” Citing the transformative nature of LLMs, Alsup rejected claims that computer learning differs meaningfully from human reading. Legal experts like Chris Mammen and Adam Eisgrau praised the ruling, which contrasts with the earlier Thomson Reuters v. Ross decision and is expected to influence other AI copyright cases, especially where piracy is not involved.
However, Alsup also found that Anthropic’s compilation of over seven million pirated books—including downloads from Books3, LibGen, and PiLiMi by cofounder Ben Mann—was not fair use. Despite later switching to licensed data, the company retained the pirated materials. The court will proceed to trial to assess damages, with potential statutory penalties reaching billions. Anthropic sought summary judgment on fair use in Feb. 2025; plaintiffs’ attorneys remain silent. Judge Alsup’s history with Google v. Oracle adds weight to the ruling. Anthropic spokesperson Jennifer Martinez framed the outcome as supportive of innovation.
Read: https://www.wired.com/story/anthropic-ai-copyright-fair-use-piracy-ruling/
George Carlin
That is who it sounds like to me, too. lol
Emma Goldman, paraphrasing Mark Twain.
Frank Zappa
You beat me to it – I think it was Zappa too. That dude was smart. I couldn’t stand his music though.
It’s Emma Goldman! This quote was mentioned a few times on the Corbett Report. But it looks like Rick Bonsteel beat me to the answer.
>This shift would compel platforms to infer users’ ages through behavioral cues
“Behavioral cues”… Well, this is going to be very problematic for a lot of us…
https://thedevilspanties.com/archives/9468
https://thedevilspanties.com/archives/14910
^_-
Though I already have a problem convincing YouTube I’m human…never mind a human of a particular age…so I’m already locked out of age-restricted videos that you have to log in to see.
The length of my domain name registration is about the only way to prove my age online. (Not that anyone will actually use _that_.)