Hackers exploit Langflow flaw, TP-Link routers still vulnerable, Russia detects SuperCard malware attacks - Cybersecurity Headlines

Summary

Cyber Security Headlines Summary
Episode: Hackers exploit Langflow flaw, TP-Link routers still vulnerable, Russia detects SuperCard malware attacks
Host: CISO Series
Release Date: June 18, 2025

1. Exploitation of Langflow Vulnerability and the Rise of Flawedrix Botnet

Sarah Lane opened the episode by highlighting a critical security threat:
"Attackers are actively exploiting a critical vulnerability in Langflow, a Python-based AI workflow tool to deploy the flawedrix botnet, enabling full system compromise and DDoS attacks." (00:07)

The vulnerability exists in Langflow versions prior to 1.3.0, allowing unauthenticated code execution due to insufficient input validation. This flaw has been leveraged to deploy the Flawedrix botnet, which conducts Distributed Denial of Service (DDoS) attacks and facilitates complete system compromises. Both Trend Micro and the Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent advisories, urging organizations to apply patches immediately and restrict access to mitigate the threat. The malware's stealth techniques enable it to evade detection, leading to widespread deployment in the wild.

2. Ongoing Vulnerabilities in Discontinued TP-Link Routers

Continuing the discussion on vulnerabilities, Sarah reported that CISA has identified ongoing exploitation of a critical command injection flaw affecting multiple discontinued TP-Link router models.
"Agencies must remove affected devices by July 7." (00:32)

This vulnerability poses significant risks as attackers can inject malicious commands, potentially granting them control over the network. CISA's warning underscores the importance of decommissioning outdated hardware to prevent exploitation.

3. Russia Detects SuperCard Malware Attacks Targeting Financial Data

In an alarming development, Sarah Lane detailed Russia's detection of SuperCard malware attacks:
"Russian cybersecurity firm F6 has identified the first local attacks using SuperCard, a malicious variant of the NFC Gate app designed to steal payment card data via NFC." (01:25)

Initially observed in Italy, SuperCard is now available as Malware-as-a-Service (MaaS) on platforms like Telegram, where Chinese-speaking actors facilitate its distribution. The malware harvests card data through NFC interactions, enabling fraudulent transactions. F6 reported approximately 175,000 devices infected in Russia, resulting in an estimated $5.5 million in damages during the first quarter of the year.

4. Silver Fox APT Targets Taiwan with Sophisticated RAT Malware

Sarah Lane further reported on advanced persistent threats:
"Researchers at Fortinet warn of a phishing campaign by China-linked group Silver Fox APT targeting Taiwan with two Ghost RAT variants, Ghost Cringe and Holding Hands." (02:17)

The Silver Fox APT employs deceptive phishing emails masquerading as government or business communications, utilizing PDF and ZIP attachments to deploy shellcode through DLL sideloading. This method grants remote access, facilitates data theft, and allows for additional payload downloads. The malware incorporates advanced anti-VM and privilege escalation techniques, reflecting the group's evolving sophistication across recent campaigns, including the prior WN 4.0 attacks.

5. Microsoft Addresses Surface Hub Boot Issues with Emergency Updates

Addressing software stability, Sarah highlighted Microsoft's response to boot issues:
"Microsoft released an out-of-band update to fix a secure boot violation error that was preventing Surface Hub version 1 devices running Windows 10 22H2 from starting after installing the June security update." (03:50)

The problematic update, initially intended to resolve Hyper-V issues, inadvertently caused broader compatibility problems. Microsoft has clarified that this issue does not affect Surface Hub 2S or 3 models and has paused the faulty update as of June 11, recommending users apply the emergency fix to prevent further disruptions.

6. UK ICO Fines 23andMe for Data Protection Failings

In regulatory news, Sarah Lane reported a significant fine imposed on 23andMe:
"The UK's Information Commissioner's Office has fined 23andMe 2.3 million British pounds for failing to protect sensitive genetic data during a 2023 credential stuffing attack." (04:37)

The breach compromised data from 7 million individuals, including over 155,000 UK residents and 320,000 Canadians. Cybersecurity Expert added:
"Via reused passwords exploiting weaknesses in 23andMe's Authentication, Monitoring, and incident response." (05:07)

23andMe, currently undergoing U.S. bankruptcy proceedings, had previously attributed the breach to user error. The fine follows the company's pending sale to a nonprofit associated with co-founder Ann Wachicki, which has committed to maintaining existing privacy standards.

7. Cock Lee Suffers Data Breach Exposing Over 1 Million User Records

Sarah Lane continued with a report on Cock Lee’s data breach:
"Privacy-focused email provider Cock Lee confirmed a data breach affecting more than 1 million user accounts after attacks exploited an old SQL injection flaw in its now-retired Round Cube webmail platform." (05:54)

The exposed data includes email addresses, login timestamps, failed login attempts, and some user contact information. However, passwords, IP addresses, and email contents remained secure. Cock Lee has since permanently removed Roundcube, acknowledging that poor security practices contributed to the breach and advising users to reset their passwords and transition to more secure email clients like IMAP or SMTP.

8. Google Alerts on Scattered Spider's Targeted Attacks Against US Insurance IT Teams

In cybersecurity threats targeting specific industries, Sarah reported:
"Google's Threat Intelligence Group says the cybercrime gang Scattered Spider is now actively targeting IT support teams at major US insurance firms known for social engineering tactics." (06:25)

Scattered Spider employs sophisticated social engineering methods, impersonating employees to bypass multi-factor authentication (MFA) and exploit help desks. This approach often facilitates broad access through Managed Service Providers (MSPs) and contractors. Cybersecurity Expert emphasized the severity:
"Google and Mandiant warn the group is likely seeking high-value enterprise targets." (07:30)

To counteract these attacks, experts recommend tightening identity controls, restricting access privileges, and training support staff to rigorously verify user identities before making account changes.

Conclusion

The episode of CISO Series' Cyber Security Headlines delved into a myriad of pressing cybersecurity issues, from vulnerabilities in widely-used tools like Langflow and TP-Link routers to sophisticated malware attacks in Russia and targeted phishing campaigns against Taiwan. Regulatory actions against companies like 23andMe and data breaches at providers like Cock Lee underscore the ongoing challenges in data protection. Additionally, the strategic maneuvers of cybercrime groups like Silver Fox APT and Scattered Spider highlight the evolving landscape of cyber threats, necessitating robust defensive measures and continuous vigilance.

For listeners seeking more in-depth analyses and daily updates on the cybersecurity realm, visiting CISOseries.com is recommended.

Note: This summary excludes advertisements, intros, outros, and non-content sections as per the instructions.

Transcript

CISO Series Host (0:00)

From the CISO series. It's Cybersecurity Headlines.

Sarah Lane (0:07)

These are the cybersecurity headlines for Wednesday, June 18, 2025. I'm Sarah Lane. Hackers exploit critical lang flow flaw to unleash flawedrix botnet Attackers are actively exploiting a critical vulnerability in Langflow, a python based AI workflow tool to deploy the floodric Spotnet and enabling full System compromise and DDoS attacks. The flaw is present in versions before 1.3.0 and allows unauthenticated code execution due to missing input validation. Trend Micro and CISA both urge immediate patching and restricted access since the malware uses stealth techniques to evade detection and is being deployed widely in the wild. Organizations warned Vulnerability exploited against discontinued TP link routers CISA has warned that attackers are exploiting a critical command injection flaw affecting multiple discontinued TP Link router models. Agencies must remove affected devices by July 7. CISA also flagged active exploitation of Apple products, a media processing flaw used in targeted attacks patched in February with iOS, 3-1-18 andMacOS 15. Russia detects its first Supercard malware attacks skimming bank data via NFC Russian cybersecurity firm F6 has identified the first local attacks using Supercard, a malicious variant of the NFC Gate app designed to steal payment card data via nfc. It was first seen in Italy, but Supercard is now being marketed as a malware as a service by Chinese speaking actors and sold on Telegram and then harvests card data to enable fraudulent transactions. F6 reports 175,000 devices infected in Russia with 5.5 million in damages in Q1 of this year. Silver Fox Apt targets Taiwan with complex Ghost cringe and holding hands rat malware Researchers at Fortinet warn of a phishing campaign by China linked group Silver Fox Apt targeting Taiwan with two Ghost RAT variants, Ghost Cringe and Holding Hands delivered via fake emails posted as government or business communications. The malware uses PDF and zip attachments to deploy shellcode through DLL sideloading, enabling remote access, data theft and additional payload downloads. The attackers use sophisticated anti VM and privilege escalation techniques, continuously refining their tools and methods across recent campaigns, including the earlier WN 4.0 attacks. Huge thanks to our sponsor Adaptive Security, OpenAI's first cybersecurity investments as deepfake scams and gen AI phishing evolve Adaptive equips security teams with AI powered phishing simulations featuring realistic personalized deepfakes and engaging security awareness training. Their new AI content creator turns threat intel and policy updates into interactive multilingual training instantly trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI Adaptive helps you stay ahead of AI driven threats. Learn more at adaptive security.com pro Israel hackers claim breach of Iranian bank amid military escalation Predatory Sparrow, a group linked to Israeli military intelligence, claimed responsibility for a cyber attack on Iran's bank sepa, allegedly in retaliation for the bank's role in funding Iran's military and nuclear programs. The attack disrupted banking services and may have also impacted gas stations and salary distributions. Iranian officials haven't confirmed the breach, but the bank was previously sanctioned by the US back in 2007 for missile development support. Microsoft fixes Surface Hub boot issues with emergency updates Microsoft released an out of ban update to fix a secure boot violation error that was preventing surface hub version 1 devices running Windows 10 22H2 from starting after installing the June security update. The issue doesn't affect Surface Hub 2S or 3. Microsoft had paused the problematic update on June 11 and advised users that the emergency fix would prevent further failures.