Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Tuesday, June 10, 2025. I'm Rich Stroffolino.

Brute forcing phone numbers linked to Google Accounts. The security researcher known as brutecat published details about how they were able to obtain the recovery phone number attached to Google Accounts due to an error in the account recovery process. Brutecat first noticed this when they found the account recovery page still worked even with JavaScript disabled in the browser. The researcher paired two HTTP requests to verify whether a recovery email or phone number was linked to a display name, and then used IPv6 address rotation to avoid rate limiting and pasted in a BotGuard token with JavaScript disabled to be able to create an attack chain for a brute force attack. The process to hit a specific number for an account varied from about 20 minutes in the US to about 5 seconds in Singapore. After disclosing the flaw, Google deprecated the username recovery form used in the attack.

The Guardian launches Secure Messaging service. The UK publication partnered with the University of Cambridge to launch this new Secure Messaging service, offering encrypted messaging directly to journalists from within its app. Journalists have long used end-to-end encrypted messaging apps like Signal to communicate with sources. But Secure Messaging is designed to provide strong, plausible deniability by making every instance of the news organization's public mobile app behave the same way, whether it's used for secure communication or for normal news consumption. Using a backend called CoverDrop, the Guardian published the source code on GitHub so other organizations can adopt it as well.

United Natural Foods hit by cyberattack. The company confirmed it discovered a cyberattack on June 5, 2025, according to an 8-K filing with the US SEC. United Natural Foods is North America's largest publicly traded wholesale food distributor, with 53 distribution centers. The company proactively took some systems offline due to the attack, disrupting customer orders. At the same time, anecdotal posts on social media mentioned that some worker shifts have been canceled as well. No ransomware group took credit for the attack, and the company has not released further details about any data loss or what systems the attacker accessed.

PathWiper hits Ukrainian critical infrastructure. Researchers at Cisco Talos identified a new wiper malware hitting Ukraine tied to Russian APTs. Dubbed PathWiper, the malware was initially deployed using an endpoint administration framework executing a Visual Basic script file. Once running, PathWiper maps all attached storage using system APIs. From there, it creates threads for each volume to overwrite file system components, including master boot records. Talos researchers say PathWiper resembles a 2022 wiper linked to the Russian Sandworm group called HermeticWiper, although PathWiper shows more sophisticated targeting.

And now, thanks to today's episode sponsor, Vanta. Is your manual GRC program slowing you down? There's something more efficient than spreadsheets, screenshots and manual processes. With Vanta, GRC can be so much easier while also strengthening your security posture and driving revenue for your business. Vanta automates key areas of your GRC program, including compliance, risk and customer trust, and streamlines the way you manage information. The impact is real. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business. Get started at vanta.com/headlines. That's V A N T A dot com slash headlines.

Russian companies hit with LockBit. You don't tug on Superman's cape. You don't spit into the wind. You don't pull the mask off an old Lone Ranger. And you don't have your ransomware affiliates attack Russia. Those used to be the rules. However, the Russian cybersecurity firm Positive Technologies identified a financially motivated group called DarkGaboon, which has been doing just that, deploying LockBit 3.0 ransomware. Unlike typical LockBit affiliates, DarkGaboon appears to operate entirely independently, using Russian-language phishing emails with malicious attachments claiming to be legitimate financial documents. Researchers say the group appears to have operated since at least 2023, but its use of open source tools in other parts of its attack chain has made attribution difficult.

FBI keeps Leatherman in its back pocket. FBI Director Kash Patel named agency veteran Brett Leatherman as assistant director and head of the cyber division. During his 22-year career, Leatherman served as section chief for cyber investigations and deputy assistant director for the last three years, and he's been the FBI's public face for communications on major cyber incidents going back to the Colonial Pipeline attack. He takes over for Bryan Vorndran, who left the FBI to work as Microsoft's deputy CISO. Given the number of personnel shakeups across government cybersecurity posts since January, this is a notable bit of continuity.

NHS out for blood after cyberattack. On June 9, the UK's National Health Service called for people to donate blood, with supplies still disrupted from a ransomware attack against the pathology services provider Synnovis last year. That attack disrupted the ability of healthcare organizations to quickly match blood types, resulting in increased usage of O type stocks. Because the blood supply is maintained by a relatively small number of consistent donors, stocks have remained in a very fragile position ever since, especially for the universal donor O type. Recorded Future News reported that impacted patients were still not notified of what data was exposed in the attack as of May.

Cloudflare creates OAuth library with Claude. Last week, Cloudflare published an open source OAuth 2.1 library, which was written almost entirely by Anthropic's Claude LLM. Notably, the company also published comprehensive documentation of the process, including a full prompt history. Due to the sensitive nature of the library, this wasn't an exercise in vibe coding, and human review was involved in all parts of the process. Software developer Max Mitchell reviewed the process, finding the LLM excelled when given a substantial code block to work off of with clear context and explanation of what needed to be changed. In all instances, the LLM excelled at generating documentation. However, the code needed human intervention for styling and other housekeeping tasks. Mitchell suggested looking at this the same as collaborating with another human developer, expecting a back and forth rather than one-off prompting success. Cloudflare tech lead Kenton Varda, who oversaw the project, came into it with a healthy dose of skepticism, but ended up saying, "I was trying to validate my skepticism. I ended up proving myself wrong."

The capabilities of generative AI systems are impressive, but we need to be realistic about their constraints. This applies to the limits of the systems themselves, but also to our ability as humans to spot them. So how do we take advantage of these new capabilities without getting taken for a ride along the way? That's one of the questions we'll be trying to answer on this week's episode of the CISO Series Podcast. Look for "Aside from text, images and videos, GenAI can't fool me" wherever you get your podcasts. And if you have some thoughts about the news from today, or just about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you.
Reporting from the CISO series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
