Vercara’s Open-Source Intelligence (OSINT) Report – June 20 – June 26, 2025

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

McLaren Health Care says Data Breach Impacts 743,000 patients

(TLP: CLEAR) McLaren Health Care is notifying 743,000 patients of a data breach stemming from a ransomware attack in July 2024, believed to be carried out by the INC gang. Although the attack caused an immediate IT and phone system outage in early August 2024, investigations to identify impacted individuals concluded only in May 2025. Official notifications began shortly after. McLaren, a nonprofit health system operating 14 hospitals and employing over 28,000 staff across Michigan and Indiana, disclosed that attackers had unauthorized access from July 17 to August 3, 2024. Although the notice didn’t name the INC group, a hospital employee had shared ransom notes bearing their name during the incident. The breach exposed patient information, including full names, though the extent of compromised data remains unclear due to reductions in reports sent to U.S. authorities. This marks McLaren’s second ransomware attack in recent years, following a July 2023 incident by the ALPHV/BlackCat group, which compromised sensitive data of 2.2 million individuals and led to a public data leak. McLaren’s delayed disclosure underscores challenges in breach response and recovery timelines, especially in the healthcare sector, which remains a high-value target for cybercriminals due to the sensitive nature of its data.

(TLP: CLEAR) Comments: McLaren Health Care has now encountered multiple ransomware attacks, raising ongoing concerns about the security of personal health information. As cybercriminal groups like INC continue to target the healthcare sector, it is imperative that providers move beyond reactive responses. A proactive cybersecurity posture, centered on zero trust and robust incident response planning, is no longer optional; it is essential to safeguarding PHI. Proactive security measures against ransomware can include threat hunting, Endpoint Detection and Response, user awareness training, and security solutions that detect malware at an early stage.

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Insurance Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks.
  • Implementing procedures to guard against and detect malicious software.
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.

Source: https://www.bleepingcomputer.com/news/security/mclaren-health-care-says-data-breach-impacts-743-000-patients/

Iran Confirmed It Shut Down Internet to Protect the Country Against Cyberattacks

(TLP: CLEAR) Amid escalating tensions with Israel, Iran confirmed it imposed a near-total internet blackout to defend against cyberattacks targeting its critical infrastructure. The shutdown, which began on June 17, 2025, followed a series of missile exchanges and cyber incidents, including attacks on Bank Sepah and the cryptocurrency exchange Nobitex. The pro-Israel hacktivist group Predatory Sparrow claimed responsibility for these breaches, alleging ties between the institutions and Iran’s Islamic Revolutionary Guard Corps (IRGC). Iranian government spokesperson Fatemeh Mohajerani stated that the internet restrictions were necessary to prevent enemy drones—allegedly controlled via the internet—and to mitigate further cyber intrusions. She emphasized that the decision was a national security measure, not a technical failure. The government warned it would shift to a national internet if needed, limiting access to the global web. The blackout severely disrupted communication within Iran and with the outside world, affecting citizens’ ability to access information and stay connected during the conflict. Reports indicated that even basic services like banking and GPS navigation were impacted. Cloudflare and other monitoring firms confirmed the dramatic drop in Iranian internet traffic. This move highlights the growing intersection of kinetic warfare and cyber operations, where digital infrastructure becomes both a target and a tool. While Iran framed the shutdown as a defensive necessity, critics argue it also silences dissent and restricts civil liberties during a volatile period.

(TLP: CLEAR) Comments: Iran’s near-total blackout of inbound and outbound traffic to the country is a significant event amid the growing conflicts globally. To fully disrupt cyberattacks, the government controlled the flow of information by limiting Internet accessibility into and out of the country. The two mechanisms the country must have utilized to manipulate traffic flows against adversarial threats are DNS and BGP.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is an incredibly fast response against DDoS trouble when you need it most.

Source: https://securityaffairs.com/179199/cyber-warfare-2/iran-confirmed-it-shut-down-internet-to-protect-the-country-against-cyberattacks.html

Weaponized DMV-Themed Phishing Attacking U.S. Citizens to Harvest Personal and Financial Data

(TLP: CLEAR) A phishing campaign that began in May 2025 has aggressively targeted U.S. citizens by impersonating state Departments of Motor Vehicles (DMVs). The operation leveraged spoofed SMS messages warning of unpaid toll violations and imminent legal consequences, pushing recipients to click malicious links. These links led to convincingly cloned DMV websites where victims were prompted to submit personal and financial information, including credit card details, for supposed identity verification. The messages, often spoofed from phone numbers traced to the Philippines, cited fake legal codes (e.g., “Administrative Code 15C-16.003”) to increase urgency. Technical investigation by Check Point revealed that these phishing websites shared identical static assets, including JavaScript, CSS, and imagery, indicating the use of a centralized phishing kit known as “Lighthouse.” Chinese-language code comments and repeated infrastructure patterns suggest attribution to a China-based threat group. The campaign’s scale is significant: the FBI’s Internet Crime Complaint Center received over 2,000 related complaints in just one month. States such as New York, Florida, California, and Texas issued public alerts, while national media raised awareness. Analysis further exposed a unified DNS infrastructure and a consistent domain pattern—formatted as https://[state]dmv.gov-xxxx.cfd/pay—with most domains hosted on the same IP address. Each phishing site was tailored to mimic specific state DMVs yet reused identical assets, enhancing operational efficiency and obfuscation. This campaign exemplifies a mature phishing operation that blends technical precision, social engineering, and infrastructure reuse. It underscores the importance of public vigilance and proactive state-level cybersecurity alerts to mitigate emerging threats.
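The domain pattern described above (a `gov-xxxx` label placed under a non-government TLD so the name reads like a state `.gov` site) is something a resolver log can be checked for directly. The following is an added illustration, not code from the report, from Check Point, or from Vercara. It assumes a hypothetical resolver query-log format (`<epoch> <client-ip> <qtype> <qname>`) and every hostname and address in the sample is constructed. It generalizes the `[state]dmv.gov-xxxx.cfd` pattern to any hostname that carries a `gov` or `gov-` label while its real top-level domain is not `.gov`, and marks the DMV-themed subset separately.

```python
"""Flag DNS queries for '.gov' lookalike hostnames in a resolver log.

Added example; the log format, hostnames and client addresses below are
constructed for illustration and are not from the report.
"""
import re
from dataclasses import dataclass

# Constructed resolver query log. Hypothetical format:
# "<epoch> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
1750450001 10.0.4.21 A nydmv.gov-a1b2.cfd
1750450002 10.0.4.21 A dmv.ny.gov
1750450003 10.0.7.8 A txdmv.gov-zz19.cfd
1750450004 10.0.7.9 AAAA www.flhsmv.gov
1750450005 10.0.2.2 A cdn.example.com
1750450006 10.0.2.3 A irs.gov-refund.cfd
1750450007 10.0.2.4 A caldmv.gov.example-pay.top
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    reason: str


def is_gov_lookalike(qname: str) -> bool:
    """True when a hostname imitates a .gov name without being one.

    The last label is the real top-level domain. If it is not 'gov', any
    earlier label that is exactly 'gov' or starts with 'gov-' exists only
    to make the name read like a government domain.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] == "gov":
        return False  # genuine .gov name (or a bare label): not a lookalike
    return any(lbl == "gov" or lbl.startswith("gov-") for lbl in labels[:-1])


def scan_dns_log(text: str) -> list[Finding]:
    """Parse log lines and return one Finding per lookalike query."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        qname = m.group("qname")
        if not is_gov_lookalike(qname):
            continue
        reason = "gov-lookalike"
        if "dmv" in qname.lower():
            reason += "+dmv-theme"  # matches the campaign's DMV lure
        findings.append(Finding(m.group("client"), qname, reason))
    return findings


def clients_by_qname(findings: list[Finding]) -> dict[str, set[str]]:
    """Group affected clients per hostname, the view an analyst triages from."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.qname, set()).add(f.client)
    return out


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f.client:12} {f.qname:32} {f.reason}")
```

The check deliberately keys on the structural trick (a `gov` token that is not the TLD) rather than on a list of known bad domains, so it keeps firing when the campaign rotates registrations under the same kit; pairing it with a protective DNS block list and the `clients_by_qname` view gives both the detection and the list of hosts that need follow-up.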

(TLP: CLEAR) Comments: This event underscores the importance of zero trust and the danger of social engineering that impersonates trusted programs. Despite the plethora of information available to educate users and raise awareness of tactics like phishing, it is important that users contact these organizations through the organizations’ own communication channels when they receive messages of this type. Impersonating a trusted organization like USPS or the DMV is not a new tactic and is a common problem that these organizations deal with. Organizations should consider telling end users and customers which notification channels they use, so customers can recognize which communication channels are legitimate.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://cybersecuritynews.com/weaponized-dmv-themed-phishing-attacking-u-s-citizens/

Iranian Cyber Threats Loom Over US Networks Amid Nuclear Tensions

(TLP: CLEAR) As geopolitical tensions surrounding Iran’s nuclear program intensify, cybersecurity experts are warning of elevated threats to U.S. digital infrastructure. Historically active in cyber operations, Iranian threat actors are seen as likely to increase targeting of U.S. networks, including critical infrastructure, financial institutions, and government agencies. The article highlights Iran’s cyber capabilities, citing past incidents such as the 2012 Shamoon attack on Saudi Aramco and DDoS campaigns against U.S. banks. These events illustrate Iran’s motivation and capacity to retaliate against sanctions or perceived provocations through cyber means.

Tactically, Iranian cyber operators deploy a variety of methods, including phishing, ransomware, malware, and advanced persistent threats (APTs) to gain access, disrupt services, and exfiltrate data. Experts note that these actors often combine social engineering with technical expertise to bypass defenses. The potential consequences of successful cyberattacks range from economic disruption and compromised infrastructure to national security risks. The interconnected nature of modern networks heightens the risk of cascading impacts from a single incident.

To mitigate these threats, the article calls for a combination of proactive cybersecurity measures and robust response planning. Recommended strategies include enhanced cyber hygiene, real-time threat intelligence, incident response protocols, and cross-sector collaboration. Strengthening defenses through public-private partnerships and advanced technologies is seen as essential to protecting U.S. networks amid this evolving threat landscape.

(TLP: CLEAR) Comments: This pattern underscores the importance of recognizing cyber threats as a matter of national and organizational security rather than isolated IT concerns. The article highlights how Iranian actors, like many state-backed groups, combine social engineering with technical exploits to maximize impact—often targeting sectors with widespread societal consequences. Given the geopolitical dimensions, incidents like these also serve as reminders of how cyber operations increasingly intersect with international policy and diplomacy. Preparing for this kind of hybrid threat landscape requires a collaborative effort across public and private sectors, grounded in adaptive risk management and situational awareness.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.

Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://www.msn.com/en-us/money/other/iranian-cyber-threats-loom-over-us-networks-amid-nuclear-tensions/ar-AA1HiSyO?ocid=BingNewsSerp

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
