
CISO Series Host
From the CISO series. It's Cybersecurity Headlines.
Sarah Lane
These are the cybersecurity headlines for Wednesday, June 18, 2025. I'm Sarah Lane.
Hackers exploit critical Langflow flaw to unleash Flodrix botnet. Attackers are actively exploiting a critical vulnerability in Langflow, a Python-based AI workflow tool, to deploy the Flodrix botnet, enabling full system compromise and DDoS attacks. The flaw is present in versions before 1.3.0 and allows unauthenticated code execution due to missing input validation. Trend Micro and CISA both urge immediate patching and restricted access, since the malware uses stealth techniques to evade detection and is being deployed widely in the wild.
Organizations warned of vulnerability exploited against discontinued TP-Link routers. CISA has warned that attackers are exploiting a critical command injection flaw affecting multiple discontinued TP-Link router models. Agencies must remove affected devices by July 7. CISA also flagged active exploitation of Apple products: a media processing flaw used in targeted attacks, patched in February with iOS 18.3.1 and macOS 15.
Russia detects its first SuperCard malware attacks skimming bank data via NFC. Russian cybersecurity firm F6 has identified the first local attacks using SuperCard, a malicious variant of the NFCGate app designed to steal payment card data via NFC. It was first seen in Italy, but SuperCard is now being marketed as malware-as-a-service by Chinese-speaking actors and sold on Telegram, and then harvests card data to enable fraudulent transactions. F6 reports 175,000 devices infected in Russia with 5.5 million in damages in Q1 of this year.
Silver Fox APT targets Taiwan with complex Gh0stCringe and HoldingHands RAT malware. Researchers at Fortinet warn of a phishing campaign by China-linked group Silver Fox APT targeting Taiwan with two Gh0st RAT variants, Gh0stCringe and HoldingHands, delivered via fake emails posing as government or business communications. The malware uses PDF and ZIP attachments to deploy shellcode through DLL sideloading, enabling remote access, data theft and additional payload downloads. The attackers use sophisticated anti-VM and privilege escalation techniques, continuously refining their tools and methods across recent campaigns, including the earlier Winos 4.0 attacks.
Huge thanks to our sponsor Adaptive Security, OpenAI's first cybersecurity investment. As deepfake scams and gen AI phishing evolve, Adaptive equips security teams with AI-powered phishing simulations featuring realistic, personalized deepfakes and engaging security awareness training. Their new AI content creator turns threat intel and policy updates into interactive multilingual training instantly. Trusted by Fortune 500s and backed by Andreessen Horowitz and OpenAI, Adaptive helps you stay ahead of AI-driven threats. Learn more at adaptivesecurity.com.
Pro-Israel hackers claim breach of Iranian bank amid military escalation. Predatory Sparrow, a group linked to Israeli military intelligence, claimed responsibility for a cyber attack on Iran's Bank Sepah, allegedly in retaliation for the bank's role in funding Iran's military and nuclear programs. The attack disrupted banking services and may have also impacted gas stations and salary distributions. Iranian officials haven't confirmed the breach, but the bank was previously sanctioned by the US back in 2007 for missile development support.
Microsoft fixes Surface Hub boot issues with emergency updates. Microsoft released an out-of-band update to fix a secure boot violation error that was preventing Surface Hub version 1 devices running Windows 10 22H2 from starting after installing the June security update. The issue doesn't affect Surface Hub 2S or 3. Microsoft had paused the problematic update on June 11 and advised users that the emergency fix would prevent further failures.
Cybersecurity Expert
The original update was meant to fix Hyper V issues but triggered broader compatibility problems.
Sarah Lane
UK ICO fines 23andMe for data protection failings. The UK's Information Commissioner's Office has fined 23andMe 2.3 million British pounds for failing to protect sensitive genetic data during a 2023 credential stuffing attack. Attackers accessed data on 7 million people, including 155,592 UK and 320,000 Canadian residents.
Cybersecurity Expert
Via reused passwords, exploiting weaknesses in 23andMe's authentication, monitoring and incident response.
Sarah Lane
The company, which is in U.S. bankruptcy proceedings, previously blamed user error. The fine follows 23andMe's pending sale to a nonprofit tied to its co-founder, Anne Wojcicki, which has pledged to uphold existing privacy commitments.
Hacker steals 1 million Cock.li user records in webmail data breach. Privacy-focused email provider Cock.li confirmed a data breach affecting more than 1 million user accounts after attackers exploited an old SQL injection flaw in its now-retired Roundcube webmail platform. Exposed data includes email addresses, login timestamps, failed login attempts, and some users' contact info, but no passwords, IPs or email contents. Cock.li has permanently removed Roundcube, acknowledging that poor security practices contributed to the breach. Users are advised to reset passwords and switch to IMAP or SMTP clients.
Google warns of Scattered Spider attacks targeting IT support teams at US insurance firms. Google's Threat Intelligence Group says the cybercrime gang Scattered Spider is now actively targeting IT support teams at major US insurance firms. Known for its social engineering tactics, the group impersonates employees, bypasses MFA and exploits help desks, while often gaining broad access via MSPs and contractors.
Cybersecurity Expert
Google and Mandiant warn the group is likely seeking high-value enterprise targets. Experts recommend tightening identity controls, restricting access and training support staff to verify identities before account changes.
Remember to join us this Friday for Super Cyber Friday. We're tackling a big one this week, spending an hour talking about hacking what it takes to become a CISO. If you're in security leadership and want to know how people have gotten to the top, then you need to join us at 1:00pm Eastern Time. Be sure to head on over to our events page over at cisoseries.com and register.
Sarah Lane
And if you have some thoughts on the news from today or the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Sarah Lane reporting for the CISO Series. Thanks for listening and we'll talk to you next time.
CISO Series Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines Summary
Episode: Hackers exploit Langflow flaw, TP-Link routers still vulnerable, Russia detects SuperCard malware attacks
Host: CISO Series
Release Date: June 18, 2025
Sarah Lane opened the episode by highlighting a critical security threat:
"Attackers are actively exploiting a critical vulnerability in Langflow, a Python-based AI workflow tool, to deploy the Flodrix botnet, enabling full system compromise and DDoS attacks." (00:07)
The vulnerability exists in Langflow versions prior to 1.3.0, allowing unauthenticated code execution due to insufficient input validation. This flaw has been leveraged to deploy the Flodrix botnet, which conducts Distributed Denial of Service (DDoS) attacks and facilitates complete system compromises. Both Trend Micro and the Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent advisories, urging organizations to apply patches immediately and restrict access to mitigate the threat. The malware's stealth techniques enable it to evade detection, leading to widespread deployment in the wild.
Continuing the discussion on vulnerabilities, Sarah reported that CISA has identified ongoing exploitation of a critical command injection flaw affecting multiple discontinued TP-Link router models.
"Agencies must remove affected devices by July 7." (00:32)
This vulnerability poses significant risks as attackers can inject malicious commands, potentially granting them control over the network. CISA's warning underscores the importance of decommissioning outdated hardware to prevent exploitation.
In an alarming development, Sarah Lane detailed Russia's detection of SuperCard malware attacks:
"Russian cybersecurity firm F6 has identified the first local attacks using SuperCard, a malicious variant of the NFCGate app designed to steal payment card data via NFC." (01:25)
Initially observed in Italy, SuperCard is now available as Malware-as-a-Service (MaaS) on platforms like Telegram, where Chinese-speaking actors facilitate its distribution. The malware harvests card data through NFC interactions, enabling fraudulent transactions. F6 reported approximately 175,000 devices infected in Russia, resulting in an estimated $5.5 million in damages during the first quarter of the year.
Sarah Lane further reported on advanced persistent threats:
"Researchers at Fortinet warn of a phishing campaign by China-linked group Silver Fox APT targeting Taiwan with two Gh0st RAT variants, Gh0stCringe and HoldingHands." (02:17)
The Silver Fox APT employs deceptive phishing emails masquerading as government or business communications, utilizing PDF and ZIP attachments to deploy shellcode through DLL sideloading. This method grants remote access, facilitates data theft, and allows for additional payload downloads. The malware incorporates advanced anti-VM and privilege escalation techniques, reflecting the group's evolving sophistication across recent campaigns, including the prior Winos 4.0 attacks.
Addressing software stability, Sarah highlighted Microsoft's response to boot issues:
"Microsoft released an out-of-band update to fix a secure boot violation error that was preventing Surface Hub version 1 devices running Windows 10 22H2 from starting after installing the June security update." (03:50)
The problematic update, initially intended to resolve Hyper-V issues, inadvertently caused broader compatibility problems. Microsoft has clarified that this issue does not affect Surface Hub 2S or 3 models and has paused the faulty update as of June 11, recommending users apply the emergency fix to prevent further disruptions.
In regulatory news, Sarah Lane reported a significant fine imposed on 23andMe:
"The UK's Information Commissioner's Office has fined 23andMe 2.3 million British pounds for failing to protect sensitive genetic data during a 2023 credential stuffing attack." (04:37)
The breach compromised data from 7 million individuals, including over 155,000 UK residents and 320,000 Canadians. Cybersecurity Expert added:
"Via reused passwords exploiting weaknesses in 23andMe's Authentication, Monitoring, and incident response." (05:07)
23andMe, currently undergoing U.S. bankruptcy proceedings, had previously attributed the breach to user error. The fine follows the company's pending sale to a nonprofit associated with co-founder Anne Wojcicki, which has committed to maintaining existing privacy standards.
Sarah Lane continued with a report on Cock.li's data breach:
"Privacy-focused email provider Cock.li confirmed a data breach affecting more than 1 million user accounts after attackers exploited an old SQL injection flaw in its now-retired Roundcube webmail platform." (05:54)
The exposed data includes email addresses, login timestamps, failed login attempts, and some user contact information. However, passwords, IP addresses, and email contents were not exposed. Cock.li has since permanently removed Roundcube, acknowledging that poor security practices contributed to the breach, and is advising users to reset their passwords and switch to IMAP or SMTP clients.
In cybersecurity threats targeting specific industries, Sarah reported:
"Google's Threat Intelligence Group says the cybercrime gang Scattered Spider is now actively targeting IT support teams at major US insurance firms known for social engineering tactics." (06:25)
Scattered Spider employs sophisticated social engineering methods, impersonating employees to bypass multi-factor authentication (MFA) and exploit help desks. This approach often facilitates broad access through Managed Service Providers (MSPs) and contractors. Cybersecurity Expert emphasized the severity:
"Google and Mandiant warn the group is likely seeking high-value enterprise targets." (07:30)
To counteract these attacks, experts recommend tightening identity controls, restricting access privileges, and training support staff to rigorously verify user identities before making account changes.
This episode of CISO Series' Cyber Security Headlines covered a range of pressing cybersecurity issues, from vulnerabilities in widely used tools like Langflow and TP-Link routers to NFC-skimming malware in Russia and targeted phishing campaigns against Taiwan. Regulatory action against 23andMe and the data breach at Cock.li underscore the ongoing challenges in data protection. The activity of groups like Silver Fox APT and Scattered Spider highlights the evolving threat landscape, calling for robust defensive measures and continuous vigilance.
For listeners seeking more in-depth analyses and daily updates on the cybersecurity realm, visiting CISOseries.com is recommended.