Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Friday, April 4, 2025. I'm Steve Prentice.

Google Patches Quick Share Vulnerability. This app, formerly known as Nearby Share, is a peer-to-peer file sharing utility similar to Apple AirDrop that allows users to transfer files, photos, videos and other documents between Android devices, Chromebooks and Windows desktops and laptops in close physical proximity. Researchers at SafeBreach Labs disclosed details of this new vulnerability, which could be exploited to achieve a denial of service or send arbitrary files to a target's device without their approval. In other words, a zero-click. This vulnerability was one of 10 that researchers discovered last August.

ChatGPT Suffered a Brief Outage on Wednesday. The AI-powered chatbot suffered some issues mid-morning Eastern time on Wednesday, with users worldwide experiencing failures when asking follow-up questions to answers already delivered. Instead they encountered the message "something went wrong while generating the response." The issue was quickly resolved by OpenAI's team. When asked about the outage 24 hours later, ChatGPT itself did not offer a clear cause, but quoted Sam Altman, who attributed the disruptions to, quote, capacity challenges due to a surge in demand for the AI chatbot.

UK's Royal Mail Investigates Data Leak Claims. The Royal Mail, the UK's national postal service, is looking into a potential security breach after a threat actor leaked over 144 gigabytes of data allegedly stolen from Spectos, which is a third-party company involved in data collection, analytics and logistics services. Spectos has confirmed in a statement shared with BleepingComputer that its systems were breached on March 29 and the attackers gained access to customer data. This is the second breach incident in the Royal Mail's 500-year history.

CISA Adds Apache Tomcat Flaw to Its KEV Catalog. This is in relation to an Apache Tomcat path equivalence vulnerability which became actively exploited just 30 hours after a public proof of concept was released. As we reported in mid-March, the issue, confirmed by researchers at API security company Wallarm, is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met. End quote. As with all additions to the Known Exploited Vulnerabilities catalog, federal agencies must fix this vulnerability promptly, specifically by April 22nd.

Huge thanks to our sponsor, Qualys. Overwhelmed by noise in your cybersecurity processes? Cut through the clutter with Qualys Enterprise True Risk Management. Quantify your cyber risk in clear financial terms and focus on what matters most. Actionable insights help you prioritize critical threats, streamline remediation and accelerate risk reduction while effectively communicating impact to stakeholders. Empower your cybersecurity strategy with tools that drive faster, smarter and more efficient risk management. Your secure future starts today with Qualys Enterprise True Risk Management. Visit qualys.com/ETM for more information. That's Q-U-A-L-Y-S dot com slash ETM.

Juniper Networks and Palo Alto Networks Devices in Mystery Scanning Event. The Register is reporting that scanning of login portals for devices made by both companies has increased substantially in recent weeks. On Wednesday, the SANS Institute's Johannes Ullrich said he noticed a surge in scans for the username t128, which, when accompanied by the password 128Troots, is a well-known default account for Juniper's Session Smart networking products. Internet scanning security firm GreyNoise has also spotted mass probing, in this case directed at the login portals of Palo Alto Networks' PAN-OS GlobalProtect remote access products. They believe anonymous scanners are searching for exposed or vulnerable products and noted almost 24,000 unique IP addresses attempting to log in over the past 30 days. End quote.

Security Companies Clash Over CrushFTP CVE Number. This story starts with a critical vulnerability in the CrushFTP enterprise file transfer solution. In short, its own developers alerted customers to the vulnerability, which could have exposed systems to remote hacking. Five days later, with no CVE number announced, the vulnerability intelligence firm VulnCheck assigned one. However, CrushFTP itself rejected this number, arguing that the real CVE had been pending. And 10 days after disclosure, a new CVE was released, this one assigned by Outpost24. This company is a security firm that had been credited with responsibly disclosing the flaw to the vendor. The crux of this issue was around a suitable delay period intended to keep the vulnerability under wraps to avoid malicious exploitation, something that did not happen. And in fact, according to the Shadowserver Foundation, this exploitation is still continuing. A link to this intriguing story from SecurityWeek, which contains more details and background, is available in the show notes to this episode.

France and UK Governments Meet to Discuss Commercial Hacking Tools. Representatives from the two governments are meeting in Paris this month to tackle the proliferation and irresponsible use of commercial hacking tools, known as commercial cyber intrusion capabilities, or CCICs. This summit, the Pall Mall Process, faces the joint challenge of establishing categories and a regulatory process alongside convincing the other member countries and individual companies to amend their own practices.

Russian State Railway Suffers Cyber Disruption. The state-owned railway has reported a cyber attack that temporarily disrupted its website and mobile application. This is the second incident this week for Russia's transit systems, following a Monday attack and disruption on the app and website for Moscow's subway system. This RZD attack is being confirmed by RZD officials as a DDoS attack, which meant that ticket sales remained operational at physical offices across stations and terminals. No group has yet claimed responsibility for this attack.

As you know, in the cloud, problems can crop up quickly, often out of your control. If your cloud environment has been compromised, you need to move fast. Reducing mean time to remediate, respond or recover (MTTR) isn't just about speed. It is about business resiliency, which includes smarter automation, streamlined processes and reducing inefficiencies. At CISO Series, we asked 30 of your professional colleagues for their best and swiftest options, and their insights reveal the story of what truly works for reducing MTTR. This advice is now available in our new strategy article entitled "22 Tips to Speed Up Mean Time to Remediate in the Cloud." Check it out and leave your comments. You can find it at cisoseries.com as well as the CISO Series LinkedIn newsletter.

And finally, make sure to join us later today at 3:30pm Eastern for our Week in Review show. Howard Holton, COO and industry analyst at GigaOm, will be our guest, providing his expert commentary on the news of the week. And of course, we encourage participation and comments through our YouTube live channel. Just go to the events page at cisoseries.com to register. I'm Steve Prentice reporting for the CISO Series.
