
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, October 16, 2025. I'm Sarah Lane.

Mango Discloses Data Breach
Spanish fashion retailer Mango disclosed a data breach after one of its external marketing vendors was compromised, exposing customer data including first names, countries, postal codes, emails and phone numbers. Financial and identity data were not affected and Mango's internal systems reportedly remain secure. The company has notified Spain's Data Protection Authority and set up a support hotline for affected customers. No ransomware group has claimed responsibility.

Threat Group Jewelbug Infiltrates Russian IT Network
Chinese-linked threat group Jewelbug conducted a five-month intrusion targeting a Russian IT service provider, gaining access to code repositories and software build systems. Symantec links Jewelbug to previous activity clusters and notes the group uses stealthy techniques including cloud services, renamed Microsoft debugging tools, DLL sideloading and credential dumping.

F5 Discloses Breach Tied to Nation-State Threat Actor
CISA issued an emergency directive after F5 disclosed that a nation-state actor had long-term access to its systems, stealing BIG-IP source code and details on undisclosed vulnerabilities. Agencies now have to patch affected F5 products by October 22nd and report deployments by October 29th. The breach was discovered back in August and exposed configuration data for some customers, but didn't show supply chain tampering. F5 says it's expelled the attackers while working with CrowdStrike and Mandiant. CISA warned the stolen data poses a significant threat to federal networks.

Windows Server Updates Cause Active Directory Issues
Microsoft confirmed that September's Windows Server 2025 updates are breaking Active Directory synchronization, affecting services like Microsoft Entra Connect Sync. The bug prevents full sync of large AD security groups exceeding 10,000 members. Microsoft issued a registry workaround but warned it could cause system issues if done incorrectly. A permanent fix is in development. The company is also addressing a separate update failure affecting Windows 11 24H2 and Windows Server 2025 when installing from network shares.

Huge thanks to our sponsor, Vanta. What is your 2 a.m. security worry? Is it "Do I have the right controls in place?" or "Are my vendors secure?" Or the really scary one: "How do I get out from under these old tools and manual processes?" Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your system, centralizes your data and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster and scale confidently and get back to sleep. Get started at Vanta.com/headlines.

PowerSchool Hacker Sentenced to Four Years in Prison
A Massachusetts man, 19-year-old Matthew Lane, was sentenced to four years in prison for hacking educational software company PowerSchool and demanding a $2.9 million ransom to avoid leaking data on more than 70 million people. Lane was also ordered to pay about $14 million in restitution and a $25,000 fine. The breach, disclosed back in January, exposed Social Security numbers, medical data and special education information for 60 million students and 9 million teachers. Prosecutors sought a seven-year sentence, citing Lane's history of hacking.

Devs Are Writing Secret VS Code Extensions
Researchers from Wiz Security, working with Microsoft, found that over 500 VS Code and OpenVSX extensions from hundreds of publishers exposed API keys, credentials and tokens. More than 100 of these could have let attackers push malicious updates to users with auto-updates, amplifying the risk of supply chain attacks. High-risk targets include AI platforms, cloud services and databases. Microsoft has implemented secret scanning and blocked leaky extensions, working with developers to replace them with sanitized versions.

200,000 Linux Systems Vulnerable to Secure Boot Bypass
Researchers at Eclypsium found that around 200,000 Linux systems from Framework shipped with signed UEFI components vulnerable to Secure Boot bypass. Legitimate diagnostic tools included in the UEFI shells, specifically the mm command, can overwrite the gSecurity2 pointer, disabling signature verification and allowing attackers to load unsigned bootkits or rootkits, achieving persistent pre-OS control. Framework is issuing DBX updates to block vulnerable shells, with fixes varying by model. Experts recommend updating UEFI revocation lists, using BIOS passwords, and scanning firmware for vulnerable components.

Whisper 2FA Behind 1 Million Phishing Attempts Since July
Barracuda researchers say that the phishing platform Whisper 2FA has driven nearly 1 million phishing attempts since July, making it one of the most active phishing-as-a-service tools after Tycoon and EvilProxy. The kit uses AJAX to repeatedly harvest credentials and MFA codes in real time, bypassing two-factor authentication. Newer versions include heavy obfuscation, Base64/XOR encoding and anti-debugging features. Attackers impersonate brands like DocuSign, Adobe and Microsoft 365 using invoices or voicemail lures. Barracuda calls it evidence of increasingly sophisticated full-service phishing platforms.

In cybersecurity, we often focus on technical skills. These are easy to demonstrate and are part of the foundation of getting the job done. But everyone needs soft skills. It's core to communication. Which soft skills are necessary for each role in cybersecurity? That is what we're trying to figure out on this week's episode of Defense in Depth. Look for the episode "What Soft Skills Do You Need in Cyber?" wherever you get your podcasts.

If you get value out of Cyber Security Headlines every day, remember to tell a friend to check out the show. And if you share the show with colleagues or your team, please let us know at feedback@cisoseries.com. I am Sarah Lane, reporting for the CISO Series. Please enjoy a pie tonight or tomorrow or wherever you get your desserts.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane, CISO Series
This episode delivers concise, up-to-the-minute reporting on major security events and vulnerabilities shaping the global IT and cybersecurity landscape. Key stories cover new data breaches, nation-state activity, critical product vulnerabilities, and law enforcement actions. The tone remains fact-driven and urgent, emphasizing actionable intelligence for security professionals.
Consistent with the title, the tone is businesslike, urgent, and focused on rapid, useful information exchange for busy security professionals. The host provides succinct, factual reporting with little editorializing, aiming to equip listeners with actionable insights.
For deeper dives on each story, listeners are directed to the full articles at CISOseries.com.