Cyber Security Headlines – June 2, 2025
Hosted by Steve Prentiss, CISO Series
1. Critical Cisco IOS XE Exploit Becomes Public
In the opening segment, Steve Prentiss highlights the escalating threat posed by a recently disclosed vulnerability in Cisco's IOS XE software. This flaw, initially reported in early May, pertains to an upload vulnerability affecting wireless LAN controllers.
“Details are now becoming available regarding the upload flaw, which suggests a working exploit may be soon,” Prentiss states [00:00].
The Horizon3 researchers' analysis, as cited by BleepingComputer, indicates that while a ready-to-run remote code execution (RCE) exploit script is not yet available, the published details are sufficient for skilled attackers, or even large language models (LLMs), to develop one. The vulnerability affects multiple versions of Cisco's software, which makes it urgent for organizations to apply the available fixes and protective measures now, before a working exploit circulates and affected controllers face widespread attacks.
2. Senators Advocate for Reinstatement of Cyber Review Board
Prentiss reports on a significant political development involving cybersecurity oversight. Four Senate Democrats have formally requested Homeland Security Secretary Kristi Noem to reestablish the Cyber Safety Review Board (CSRB), which was disbanded shortly after the previous administration's inauguration in January.
“The senators' letter describes the dismissal as depriving the public of a fuller accounting of the origin, scope, scale, and severity of the Salt Typhoon compromises,” Prentiss explains [00:00].
The senators argue that the termination of the CSRB hampers a comprehensive investigation into the Salt Typhoon compromises. They also point to a contradiction: the administration calls for leveraging private sector expertise while dismissing a board that was designed to bring exactly that outside expertise into government incident reviews.
3. Australia Enacts Pioneering Ransomware Reporting Law
Australia has taken a landmark step in cybersecurity legislation by passing a law that mandates organizations to report any ransom payments made to cybercriminals. This makes Australia the first country globally to enforce such a requirement.
“Victims of ransomware attacks must declare to the government any extortion payments made on their behalf,” Prentiss reports [00:00].
The regulation applies to organizations with an annual turnover exceeding 3 million Australian dollars (approximately US$1.9 million) and to certain entities within critical infrastructure sectors. Affected organizations must report to the Australian Signals Directorate within 72 hours of making a payment; failure to comply could result in penalties of up to 60 penalty units under the Australian civil penalty system.
4. US Intelligence Employee Arrested for Alleged Classified Information Sale
In a notable law enforcement action, the FBI arrested Nathan Latch, a 28-year-old employee from Alexandria, Virginia, who worked in the Insider Threat Division with top-secret security clearance. Latch is accused of attempting to sell classified information to a foreign government.
“Operating on a tip, an FBI agent masquerading as a foreign government official... arranged a drop at a public park,” Prentiss details [00:00].
The Justice Department revealed that surveillance captured Latch leaving a thumb drive containing a substantial amount of classified data at a predetermined location. This appears to have been part of a sting operation initiated around May 1. Latch's attempt to showcase the breadth of information accessible through his position underscores a weakness in insider threat programs: the people who staff them hold exactly the broad access those programs are meant to monitor.
5. Exploitation of VBulletin Forum Software Flaws
Prentiss brings attention to two critical vulnerabilities identified in the open-source vBulletin forum software, both assigned CVE numbers with CVSS v3 scores of 10 and 9, respectively. These flaws affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when running on PHP 8.1 or later.
“One of these flaws has been confirmed as actively exploited in the wild,” he notes [00:00].
The vulnerabilities include an API method invocation flaw and a remote code execution (RCE) vulnerability via template engine abuse. Although patches were released the previous year, many sites remain unpatched and therefore exposed. The situation illustrates the ongoing challenge of timely patch management: a fix that exists but is not applied provides no protection, and attackers routinely revisit old, public flaws for exactly that reason.
6. Microsoft Announces Authenticator App and Password Autofill Changes
Microsoft is phasing out its Authenticator app in favor of integration with the Edge browser. Additionally, the company is deprecating the Password Autofill feature, urging users to transition to Microsoft Edge for password management.
“Users should export saved passwords before July 1 or switch to Microsoft Edge,” Prentiss relays [00:00].
This move is part of Microsoft's broader strategy to streamline security and user experience across its platforms. Users are advised to take proactive steps to migrate their saved credentials to avoid service interruptions.
7. ConnectWise Warns of Nation-State Attacks on ScreenConnect Users
ConnectWise has issued a warning regarding suspicious activity linked to a sophisticated nation-state actor targeting its ScreenConnect remote monitoring and management software. While the impact appears limited to a small number of clients, the nature of these attacks is concerning given ScreenConnect's use by governments and large enterprises.
“Hackers have frequently targeted vulnerabilities in the software, using it as a jumping-off point for ransomware attacks and data thefts,” Prentiss explains [00:00].
In response, ConnectWise has initiated a comprehensive investigation in collaboration with forensic experts from Mandiant to determine the scope of the activity and mitigate the threat posed by this advanced persistent threat (APT) actor.
8. Anonymous Leaker Exposes Leaders of Conti and TrickBot Ransomware Gangs
An individual operating under the moniker Gangexposed has publicly released sensitive information about key figures within the Conti and TrickBot ransomware groups. This data dump includes internal chat logs, personal videos, and records of ransom negotiations, significantly impacting the operations and anonymity of these cyber extortionists.
“I take pleasure in thinking I can rid society of at least some of these gang leaders and members,” the leaker states [00:00].
Despite a $10 million bounty for information leading to the apprehension of a prominent Conti leader, Gangexposed says he is indifferent to monetary rewards. Identifying himself as an independent investigator with no formal IT background, he attributes his results to classical intelligence analysis, open-source intelligence (OSINT) methods, and a knack for piecing together details that others overlook.
For more in-depth analysis and daily updates on cybersecurity developments, visit CISOseries.com.