Transcript
Host (0:00)
From the CISO series. It's Cybersecurity Headlines.
Rich Stroffelino (0:06)
These are the cybersecurity headlines for Thursday, July 3, 2025. I'm Rich Stroffelino.

Student data lost in Columbia University hack
Bloomberg sources say a cyberattack against the prominent university in June was able to exfiltrate student application data from at least as far back as 2019. A source reviewing a subset of the data found over 2.5 million applications that included names, student ID numbers, citizenship information and application decisions. The alleged threat actor contacted Bloomberg, claiming they obtained roughly 460 gigabytes of data, including financial aid packages and 1.8 million Social Security numbers. They claimed the attack was politically motivated, seeking to find evidence that Columbia maintained admission practices barred by the Supreme Court in 2023.

German hunger relief charity hit by ransomware
In a search for the answer to the age-old question "how low can you go?", the Rhysida ransomware group has targeted Welthungerhilfe, one of Germany's largest hunger relief charities. They're demanding over $2 million, stealing food literally from the mouths of the hungry. WHH has refused to pay, shut down impacted systems and brought in cybersecurity experts to help with recovery. Aid operations continue uninterrupted, and there is no current evidence donor data was compromised. The same group has previously attacked hospitals and disability nonprofits, continuing a deliberate pattern of exploiting those who serve the most vulnerable.

Qantas contact center breached
The Australian airline disclosed it first detected unusual network activity on June 30. An initial investigation found that the threat actors gained access through a third-party customer service platform, obtaining customer names, email addresses and frequent flyer numbers. Qantas didn't specify the number of impacted customers, but local media reports that the figure could be as high as 6 million people. The airline has said the attack did not impact operations and that no financial or passport information was accessed.

WordPress plugin flaw opens the door to site takeover
The Forminator Forms plugin is active on over 600,000 WordPress sites, offering a drag-and-drop visual builder for form-based content, but security researcher Phat RiO - BlueRock (that's the name, folks) discovered a flaw in how the plugin handles input validation, which didn't check whether those fields are supposed to handle files. This could be exploited to insert an uploaded file with a custom path that points to a system file, something like wp-config.php. Forminator is often configured to auto-delete old submissions, which could then delete that core file, defaulting the site back to a setup stage where an attacker could start a takeover attempt. After contacting the developers, a patch was released on June 30, but since its release only about a third of installs have downloaded it.

And now a huge thanks to our sponsor, Palo Alto Networks. You're moving fast in the cloud, and so are attackers. But while SecOps and cloud security teams are working in silos, attackers are exploiting the gaps between them. Cortex Cloud by Palo Alto Networks bridges this divide, unifying teams and stopping attacks with real-time cloud security that includes AI-powered protection, detection and automated response capabilities. Threats are stopped in minutes instead of days, and teams can finally protect cloud environments at the speed and scale of modern attacks. To learn more about how Cortex Cloud stops cloud attacks before they become breaches, visit paloaltonetworks.com.

Arrests reign in Spain over data leak pain
Spanish police arrested two individuals in Las Palmas for alleged cybercriminal activity that obtained data on high-ranking state officials and journalists. Police described it as a serious threat to national security, with the two leaking samples of the data online as they attempted to sell it. One suspect is reported to be specialized around data exfiltration, while the other managed the sale of the data and obscured cryptocurrency transactions. Police raids also obtained electronic devices, and authorities hope this will lead to more co-conspirators or buyers of the data being arrested.

Android SMS stealer hits Uzbekistan
Researchers at Group-IB identified a novel SMS stealer dubbed Qwizzserial that infected almost 100,000 devices in the country. Qwizzserial spreads through Telegram channels, with threat actors posing as government agents trying to spread malicious apps like "presidential support" or "financial assistance". Once installed, Qwizzserial harvests phone numbers, bank card numbers, SMS-based authentication and SIM card information. Initially, researchers saw this data exfiltrated through Telegram bots, but newer variants use a gate server with HTTP POST requests. The researchers note that Uzbekistan's payment system overwhelmingly depends on SMS for its primary authentication factor.

French government impacted by Ivanti hacks
Ah, the Ivanti Cloud Service Appliance vulnerabilities, the flaw that just keeps on giving. France's cybersecurity agency ANSSI issued a report finding that a campaign used these vulnerabilities to target organizations from the governmental, telecommunications, media, finance and transport sectors. ANSSI said the attacks were linked to the threat actor Houken, described by Mandiant as UNC5174, believed to be a contractor for China's Ministry of State Security. The agency acknowledged the attacks were designed to exfiltrate data that the group could sell to state intelligence agencies.

Begun, the cloned crypto wallet wars have
Hackers uploaded over 40 cloned crypto wallet extensions to the Firefox Add-ons store, mimicking trusted tools like MetaMask and Coinbase. The extensions appear legitimate but contained hidden code that captured users' recovery phrases, allowing attackers to drain funds. One victim reported losing over $4,000. The listings used faked five-star reviews to boost credibility. Mozilla has since implemented a system to flag and manually review suspicious crypto add-ons, but many of the malicious clones remained live for weeks.

Organizations don't have time to do in-depth vetting on every third party. This leaves them turning to better-than-nothing security rating vendors. These might be fine for liability, but do these vendors actually help improve your understanding of third-party risk? That's what we try to figure out on this week's episode of Defense in Depth. Look for the episode "What's the most efficient way to rate third-party vendors?" wherever you get your podcasts, or head on over to cisoseries.com. And if you have some thoughts on the news from today or just about the show in general, reach out to us at feedback@cisoseries.com. We would love to hear from you. Reporting from the CISO Series, I'm Rich Stroffelino, reminding you to have a super sparkly day.
