Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, June 2, 2025. I'm Steve Prentiss.
Exploit for maximum severity Cisco IOS XE flaw now public. Following up on a story we covered at the start of May, details are now becoming available regarding the upload flaw, which suggests a working exploit may be soon. As quoted in BleepingComputer, a write-up by Horizon3 researchers does not contain a ready-to-run proof of concept RCE exploit script, but does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces. Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users act now to protect their endpoints. This flaw impacts software for wireless LAN controllers.
Senators ask for a reinstatement of Cyber Review Board to work on Salt Typhoon investigation. Four Senate Democrats have sent a letter to Homeland Security Secretary Kristi Noem asking her to re-establish the Cyber Safety Review Board, whose 20 members were dismissed days after the President's inauguration in January. The senators' letter describes the dismissal as depriving the public of a fuller accounting of the origin, scope, scale and severity of the Salt Typhoon compromises. They add that the dismissals are particularly confounding in the light of the administration's repeated insistence on the need to leverage private sector and external expertise in government.
Australian ransomware victims now must report their payments. Australia has made good on parts of a cybersecurity bill introduced to its Parliament in October of last year and has become the first country in the world to require victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cybercriminals. The law applies to organizations with an annual turnover greater than 3 million Australian dollars, about US$1.9 million, as well as some critical infrastructure sector organizations. Reports must be made to the Australian Signals Directorate within 72 hours or the company faces a penalty of up to 60 penalty units within the Australian civil penalty system.
US intelligence employee arrested for alleged sale of classified information. This arrest was made by the FBI last Thursday. Nathan Latch, 28, of Alexandria, Virginia, worked in the Insider Threat Division unit and had top secret security clearance. He is now accused of attempting to provide classified information to a foreign government. According to the Justice Department, operating on a tip, an FBI agent masquerading as a foreign government official, quote, arranged a drop at a public park in Northern Virginia around May 1, where surveillance observed Latch leave a thumb drive at the specified location, end quote. This drive contained a decent sample size of classified data and was meant to demonstrate the range of the types of products he could obtain and share with his level of access.
Huge thanks to our sponsor, Conveyor. Conveyor launched the first AI agent for customer trust. So WTF does that mean? It means the AI agent goes beyond just sharing NDA-gated documents like a SOC 2 with customers or answering security questionnaires. Conveyor's AI agent, Sue, handles the entire security review process from start to finish. She answers every customer request from sales, completes every questionnaire, and executes every communications and coordination task in between. It's perfect for B2B InfoSec teams sick of manual security review work. Check it out at conveyor.com, that is Triple W C O N V E Y O R.
Hackers exploiting critical flaw in vBulletin forum software. There are actually two flaws, both with CVE numbers and CVSS v3 scores of 10 and 9 respectively, and they affect open source forum software vBulletin. One of these flaws has been confirmed as actively exploited in the wild. The flaws are an API method invocation and a remote code execution via template engine abuse. They affect vBulletin versions 5.0.0 through 5.7.5 and 6.00 through 6.0.3 when the platform runs on PHP 8.1 or later. Patches were released last year, meaning the danger lies with sites that have not been upgraded.
Microsoft reminds users Authenticator cutoff is July 1st. Following up on our coverage of Microsoft's ousting of its Authenticator app in favor of Edge, the company is now issuing warnings that the password autofill feature is being deprecated in July, suggesting users move to Microsoft Edge instead. The warning clearly states that users should export saved passwords before July 1 or switch to Microsoft Edge, a transition which the company says is basically a one-click app action.
ConnectWise warns of nation-state attack on its ScreenConnect customers. The company says it, quote, recently learned of suspicious activity that it believes was tied to a sophisticated nation-state actor. However, they continue, this activity affected a very small number of ScreenConnect customers. ScreenConnect is IT remote management and monitoring software used by governments and large businesses. According to The Record, hackers have frequently targeted vulnerabilities in the software, using it as a jumping-off point for ransomware attacks and data thefts. End quote. ConnectWise says it has launched an investigation with forensic experts from Mandiant.
Good guy leaker outs Conti kingpins in ransomware data dump. According to The Register, an individual with the handle GangExposed, that is one word, has exposed key figures behind the Conti and TrickBot ransomware crews, publishing a trove of internal files and naming names. The data exposed includes chat logs, personal videos and ransom negotiations connected to a couple of the most notorious cyber extortion gangs. Speaking with The Register via Signal, the individual claims he is not interested in the $10 million bounty that is being offered for information about one key Conti leader, but that he takes pleasure in thinking he can rid society of at least some of these gang leaders and members. He calls himself an independent, anonymous investigator without any formal IT background. My toolkit, he says, includes classical intelligence analysis, logic, factual research, OSINT methodology, human psychology, and the ability to piece together puzzles that others don't even notice. End quote.
If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
