
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, August 8, 2025. I'm Steve Prentiss.
Microsoft warns of high severity flaw in hybrid Exchange deployments. This is a vulnerability that could allow attackers to go undetected as they escalate privileges in the Exchange Online cloud environments that connect on-prem Exchange servers to Exchange Online to allow for seamless integration of email and calendar features. By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premise server. This vulnerability affects Exchange Server 2016 and Exchange Server 2019 as well as Microsoft Exchange Server Subscription Edition. That is the latest version, which replaces the traditional perpetual license model with a subscription-based one. End quote. No exploitation has yet been seen in the wild, but Microsoft has tagged this as "exploitation more likely."
France's third largest mobile operator suffers breach. Bouygues Telecom, that is spelled B-O-U-Y-G-U-E-S, one of France's largest telecom companies and its third largest mobile operator, announced on Wednesday that it had been hit by a cyber attack that compromised the data of millions of customers. The attack has been resolved, but a statement released by the company describes unauthorized access to certain personal data from 6.4 million customer accounts, although it does not distinguish between mobile customer accounts and fiber-to-home accounts in that tally. This attack follows another one last week affecting Orange, which is the largest telecoms provider in France, although Orange did not disclose any breach of customer data. Just as an update, there have been no subsequent reported impacts on Orange customers either in the retail or enterprise spaces.
Dialysis company's April attack affects 900,000 people. Following up on a story we covered in April, DaVita, that is D-A-capital-V-I-T-A, a Denver-based healthcare provider of kidney-related care such as dialysis, says that the ransomware attack that occurred in April did result in access to PII along with health insurance information and medical information of more than 900,000 people. This was accessed as part of a 1.5 terabyte haul claimed by the Interlock ransomware gang. As quoted in The Record, the attack caused alarm because of the pivotal role that DaVita plays for dialysis patients in treating end-stage renal disease, which necessitates kidney dialysis three times per week until patients receive a new kidney.
Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO, i.e. T-H-R-E-A-T-L-O-C-K-E-R.com/CISO.
Another video surveillance company is facing problems. Researchers from security firm Claroty have identified a number of security flaws in video surveillance products from Axis Communications. These could be vulnerable to RCE takeover attacks, specifically through the company's Axis Device Manager, which manages fleets of cameras, as well as the Axis Camera Station, which is client software used to view camera feeds. Claroty said it found more than 6,500 servers that expose the proprietary Axis remoting protocol and its services over the Internet, out of which nearly 4,000 are located in the U.S. The four CVE numbers associated with these flaws range from 4.8 to 9.0 on the CVSS scale and are listed in the show notes to this episode.
Air France and KLM announce data breaches. The two airlines announced on Wednesday that attackers had breached a customer service platform and stolen the data of an undisclosed number of customers. The airlines are part of a French-Dutch multinational airline holding company group called Air France-KLM Group, whose systems were compromised. Spokespeople for the group emphasized that their networks were not affected by the attack and that customers' financial and personal information was not affected. BleepingComputer suggests that this incident is part of a wave of data breaches linked to the ShinyHunters extortion group, which targets Salesforce instances in vishing and social engineering attacks.
Ghost Calls exploits video chat connectivity to break in. Speaking at Black Hat USA, security researcher Adam Crosser of Praetorian described a post-exploitation command and control evasion method called Ghost Calls. This process abuses TURN servers. These are Traversal Using Relays around NAT, a networking protocol used by video call, VoIP and WebRTC services that helps devices behind NAT firewalls communicate with each other when a direct connection is not possible. End quote. For example, a Zoom or Teams meeting uses temporary TURN credentials, and now these can be hijacked to set up a WebRTC tunnel between the attacker and the victim. Ghost Calls uses legitimate credentials, WebRTC and custom tooling to bypass most existing defenses and anti-abuse measures without relying on an exploit, allowing operators to blend interactive command and control sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting. End quote.
As usual, we've got a busy Friday of live streams today. It starts at 1pm with Super Cyber Friday, where the topic will be Hacking Toxic Culture, an hour of critical thinking about how and why we poison the well in cybersecurity. Then at 3:30pm Eastern, we have our Week in Review show.
Montes Fitzpatrick, CISO at Navis, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com. Also, if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines: August 8, 2025
Hosted by CISO Series
On August 8, 2025, the CISO Series delivered a comprehensive episode of "Cyber Security Headlines," hosted by Steve Prentiss. This episode delved into critical cybersecurity incidents and vulnerabilities affecting major organizations worldwide. Below is a detailed summary of the key topics discussed, enriched with notable quotes and structured to provide a clear understanding for those who haven't listened to the episode.
Steve Prentiss opened the discussion by highlighting a significant vulnerability reported by Microsoft:
Steve Prentiss (00:06): "Microsoft warns of high severity flaw in hybrid Exchange deployments... By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate as they implicitly trust the on-premise server."
Next, Prentiss addressed a major breach affecting France's telecommunications sector:
Steve Prentiss (02:15): "France's third largest mobile operator, Bouygues Telecom, announced on Wednesday that it had been hit by a cyber attack that compromised the data of millions of customers."
Prentiss revisited a significant healthcare-related cybersecurity incident:
Steve Prentiss (04:50): "Dialysis company's April attack affects 900,000 people... DaVita, a Denver-based healthcare provider, revealed that a ransomware attack in April led to unauthorized access to personal and medical information of over 900,000 individuals."
The episode also covered vulnerabilities in video surveillance systems:
Steve Prentiss (06:10): "Researchers from security firm Claroty have identified a number of security flaws in video surveillance products from Axis Communications... These could be vulnerable to RCE takeover attacks."
Prentiss reported on cybersecurity incidents within the aviation industry:
Steve Prentiss (07:00): "Air France and KLM announced data breaches where attackers accessed a customer service platform, stealing data of an undisclosed number of customers."
Concluding the episode, Prentiss discussed an innovative cyberattack method introduced at Black Hat USA:
Steve Prentiss (08:45): "Security researcher Adam Crosser described Ghost Calls, a post-exploitation C2 evasion method that abuses TURN servers... allowing operators to blend command and control sessions into normal enterprise traffic patterns."
Beyond the primary topics, the episode briefly mentioned upcoming live events hosted by CISO Series:
Listeners were encouraged to participate and provide feedback via the CISO Series website.
Conclusion
The August 8, 2025, episode of "Cyber Security Headlines" provided an in-depth overview of current cybersecurity threats and vulnerabilities impacting various sectors, from technology and telecommunications to healthcare and aviation. With insights into emerging attack techniques like Ghost Calls and the ongoing challenges faced by major organizations, the episode underscored the evolving landscape of cybersecurity and the critical need for robust defense mechanisms.
For more detailed stories and updates, listeners are directed to visit CISOseries.com.