Cyber Security Headlines Summary
Hosted by CISO Series | Release Date: June 4, 2025
In the latest episode of Cyber Security Headlines by the CISO Series, host Sarah Lane delves into a spectrum of pressing issues shaping the information security landscape. This comprehensive summary captures the key discussions, insights, and conclusions presented during the episode, providing valuable information for cybersecurity professionals and enthusiasts alike.
1. Meta and Yandex De-anonymizing Android Users
At the outset ([00:07]), Sarah highlights a significant privacy violation involving tech giants Meta and Yandex. A web browsing identifiers research group published a detailed report, "Local Mess", on its GitHub page, exposing how both companies exploit Android's browser-to-app communication to de-anonymize users. By leveraging the Meta Pixel and Yandex Metrica trackers, Meta and Yandex link web activity to app identities, effectively bypassing Android and browser privacy protections. The method abuses localhost ports on the device, enabling the Facebook, Instagram, and Yandex applications to harvest unique web identifiers without authorization.
Google has responded by stating that these practices violate Play Store rules and is actively working on implementing fixes. In response, Meta and Yandex have announced that they are pausing or ending these behaviors amid ongoing discussions, as Sarah notes, “[...] Meta and Yandex claim they're pausing or ending the behavior amid ongoing discussion” ([00:07]).
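The channel described above is a native app listening on the device's loopback interface, which a page's tracking script can reach as localhost. One defender-side audit is simply to enumerate which apps hold loopback-only listening sockets. The script below is an added example, not code from the episode or from the Local Mess report; it parses netstat-style output (on a real device this would come from something like `adb shell netstat -tuln`), and the sample output and port numbers in it are constructed.

```ruby
# Added example: list sockets bound only to the loopback interface, i.e. the
# endpoints a web page can reach via http://localhost. The sample netstat
# output below is constructed; port numbers are placeholders.

LOOPBACK = /\A(127\.\d+\.\d+\.\d+|::1|::ffff:127\.\d+\.\d+\.\d+)\z/

SAMPLE_NETSTAT = <<~OUT
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 127.0.0.1:40001         0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
  tcp6       0      0 ::1:40002               :::*                    LISTEN
  udp        0      0 127.0.0.1:40003         0.0.0.0:*
  udp        0      0 0.0.0.0:68              0.0.0.0:*
OUT

# Split "addr:port" on the last colon, because an IPv6 address contains colons.
def split_endpoint(endpoint)
  idx = endpoint.rindex(':')
  [endpoint[0...idx], endpoint[(idx + 1)..].to_i]
end

# Returns an array of {proto:, addr:, port:} for sockets that only accept
# connections from the device itself.
def loopback_listeners(netstat_text)
  netstat_text.each_line.filter_map do |line|
    fields = line.split
    next unless fields[0]&.start_with?('tcp', 'udp')
    addr, port = split_endpoint(fields[3])
    next unless LOOPBACK.match?(addr)
    # A TCP socket must actually be in LISTEN state; UDP rows have no state column.
    next if fields[0].start_with?('tcp') && fields[5] != 'LISTEN'
    { proto: fields[0], addr: addr, port: port }
  end
end

if __FILE__ == $PROGRAM_NAME
  loopback_listeners(SAMPLE_NETSTAT).each do |s|
    puts format('%-4s %s:%d', s[:proto], s[:addr], s[:port])
  end
end
```

Sockets bound to 0.0.0.0 (such as the adb port in the sample) are deliberately excluded: the concern here is the loopback-only listeners that are invisible from the network but reachable from any page rendered in a browser on the same device. Mapping a flagged port back to its owning app requires per-process socket information that netstat alone does not provide.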
2. Shift in Malware Dominance: Lumma C2 to Acreed
The episode transitions to the evolving malware landscape, focusing on the decline of Lumma C2. First identified in 2022, Lumma C2 was a prominent malware-as-a-service (MaaS) infostealer used by various threat groups. However, a coordinated law enforcement operation in May, as reported by Check Point Research, has significantly undermined its dominance. Lumma's developers are attempting to recover, but the damage to its reputation appears irreversible.
In its stead, a new stealer named Acreed has surged in popularity. Webz researchers observed Acreed's emergence on February 10, and ReliaQuest reports that Acreed is now leading credential theft activity on the Russian dark web platform Accred. Within its first week, Acreed facilitated the upload of over 4,000 logs, marking it as a formidable successor in credential theft operations.
3. Hewlett Packard Enterprise Patches Critical Authentication Bypass
Security vulnerabilities continue to pose significant threats. Hewlett Packard Enterprise (HPE) has recently addressed eight vulnerabilities in its StoreOnce backup software, including a critical authentication bypass flaw with a CVSS score of 9.8 ([03:45]). The bug arises from a flawed authentication method and could allow a remote attacker to reach the other flaws in the set, which include remote code execution (RCE), directory traversal, and a server-side request forgery (SSRF) vulnerability. All versions prior to v4.3.11 are affected, and no mitigation is available other than upgrading. Although these flaws were reported in October 2024, they were only fixed seven months later; no public exploitation has been detected to date.
4. Vodafone Fined Record Amounts in Germany for Data Protection Failures
A significant development in data protection enforcement involves Vodafone, which has been fined a total of 45 million euros by Germany's federal commissioner for data protection for GDPR violations ([04:30]). The fines stem from fraudulent activities conducted by third-party sales agents acting on Vodafone's behalf. Specifically, agents engaged in fraud through the use of fake or altered contracts. Vodafone was fined 15 million euros for its failure to adequately monitor these partners, and an additional 30 million euros for weak customer authentication measures that allowed unauthorized access to eSIM profiles.
Vodafone attributes the issues to insufficient data protection checks and asserts that it has since overhauled its systems under new leadership to prevent future breaches.
5. Expansion of Crocodilus Android Banking Malware
The Crocodilus Android banking malware continues to expand its reach beyond its origins in Turkey. Sarah reports that Crocodilus has now been observed in multiple new regions, including Spain, Poland, parts of South America, and Asia ([05:15]). The malware propagates through fake applications, deceptive advertisements, and compromised browser updates. It has also gained new capabilities: adding fake contacts to the victim's address book, stealing cryptocurrency wallet seed phrases, and employing more sophisticated obfuscation techniques to evade detection.
ThreatFabric, the researchers who first identified Crocodilus in March during test campaigns, cautions that the malware is rapidly evolving into a serious global threat, necessitating heightened vigilance among Android users and cybersecurity professionals.
6. Significant Turnover in US Cyber Workforce at CISA
A concerning trend in the US cybersecurity infrastructure involves significant workforce reductions at the Cybersecurity and Infrastructure Security Agency (CISA). According to Axios, nearly 1,000 cybersecurity professionals have departed since President Trump's administration took office, including 600 voluntary buyouts and 174 deferred resignations ([05:50]). Additional cuts have impacted contract teams such as Election Integrity and Diversity, Equity, and Inclusion (DEI) units.
Critics argue that this exodus of key personnel and the resulting depletion of resources could severely undermine the United States' cyber defenses, especially amid escalating cyber threats. However, CISA leadership maintains that the agency remains mission-ready, despite the staffing challenges.
7. Coinbase Data Breach Linked to Bribed Indian Support Agents
The episode sheds light on the Coinbase data breach disclosed in May, which has been traced back to bribed customer support agents at the Indian outsourcing firm TaskUs ([06:30]). Reuters reports that two TaskUs employees were apprehended for stealing sensitive customer information, including names, emails, Social Security numbers, and ID scans, which they sold to attackers in exchange for bribes. The breach was initially detected in January, months before Coinbase made it public.
Coinbase rejected a $20 million ransom demand and instead offered a bounty for information identifying the attackers. Nearly 70,000 customers were affected, with potential losses reaching $400 million. In response, TaskUs has ceased its Coinbase operations in India.
8. UK's Strategic Defence Review Embraces Cyber Warfare
In a landmark move, the United Kingdom has formalized its commitment to cyber warfare as a component of its integrated military operations, as detailed in its 2025 Strategic Defence Review released on June 2 ([06:55]). For the first time, the UK explicitly acknowledges cyber warfare's role alongside the traditional military domains.
The review proposes the establishment of a centralized Cyber Electromagnetic Command to coordinate cyber, artificial intelligence (AI), and electromagnetic capabilities across land, sea, air, and digital fronts. Citing 9,000 gray zone cyber attacks targeting UK military networks over the past two years, the UK aims to enhance its defensive and offensive cyber capabilities. Additionally, the review introduces the Targeting Web, an AI-driven system designed for rapid cross-domain decision-making and attack execution, drawing lessons from the ongoing conflict in Ukraine.
9. Malicious Ruby Gems Target Telegram API Data
Cybersecurity threats also extend into the software development realm. Researchers from Socket have uncovered two malicious Ruby gems masquerading as legitimate Fastlane CI/CD plugins ([07:10]). The packages redirect Telegram API traffic to attacker-controlled servers, enabling the theft of sensitive data such as bot tokens, message contents, files, and proxy credentials. The attack relies on typosquatting: the gems closely mimic real plugins in name, functionality, and appearance, including similar documentation.
Socket warns that these malicious gems remain active, urging developers to immediately uninstall them, revoke any affected bot tokens, rebuild binaries, and block the compromised traffic to mitigate potential damage.
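Two of the checks a development team can run in its own pipeline follow from the description above: flag lockfile entries whose names are a near-miss spelling of an approved plugin, and flag any Bot API call whose base URL points somewhere other than Telegram's own host. The script below is an added example, not Socket's tooling or code from the gems in question. The approved-plugin list, the Gemfile.lock excerpt, the gem names in it, and the source snippet are all constructed for the example; the only fact assumed from outside the episode is that the legitimate Telegram Bot API lives at api.telegram.org under a `/bot<token>/` path.

```ruby
# Added example: two defender-side checks for typosquatted gems and
# redirected Telegram Bot API traffic. All inputs are constructed.

# Illustrative allowlist; in practice populate it from your own approved plugins.
APPROVED_PLUGINS = %w[
  fastlane-plugin-telegram
  fastlane-plugin-versioning
].freeze

# Constructed Gemfile.lock excerpt; "telegrem" is a made-up near-miss name.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (2.0.0)
      fastlane-plugin-telegram (0.2.0)
      fastlane-plugin-telegrem (0.2.0)
      fastlane-plugin-versioning (0.5.1)
LOCK

# Constructed plugin source: a legitimate call next to one whose base URL
# has been swapped for an unknown host (example.invalid is reserved and never resolves).
SAMPLE_SOURCE = <<~'RUBY'
  uri = URI("https://api.telegram.org/bot#{token}/sendMessage")
  uri = URI("https://updates.example.invalid/bot#{token}/sendDocument")
RUBY

TELEGRAM_API_HOST = 'api.telegram.org'

# Standard edit distance; small distances between a dependency name and an
# approved name are the signature of a typosquat.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev[b.length]
end

# Gem names are the 4-space-indented "name (version)" lines under "specs:".
def lockfile_gem_names(text)
  text.scan(/^ {4}([A-Za-z0-9_.\-]+) \(/).flatten
end

# Returns [name, approved_name] pairs for names that are close to, but not
# equal to, an approved plugin name.
def suspicious_names(names, approved, max_distance: 2)
  names.reject { |n| approved.include?(n) }.filter_map do |n|
    near = approved.find { |a| levenshtein(n, a) <= max_distance }
    [n, near] if near
  end
end

# Hosts that receive Bot API-shaped requests (https://host/bot...) but are
# not Telegram's API endpoint.
def foreign_bot_api_hosts(source)
  source.scan(%r{https?://([A-Za-z0-9.\-]+)(?::\d+)?/bot}).flatten.uniq
        .reject { |h| h == TELEGRAM_API_HOST }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_names(lockfile_gem_names(SAMPLE_LOCKFILE), APPROVED_PLUGINS).each do |name, near|
    puts "near-miss gem name: #{name} (resembles #{near})"
  end
  foreign_bot_api_hosts(SAMPLE_SOURCE).each do |host|
    puts "Bot API traffic directed to unexpected host: #{host}"
  end
end
```

The lockfile check catches the name-level deception the episode describes; the source check catches the behaviour, which matters because a malicious gem can also arrive under a name nobody would confuse with anything. Both are cheap enough to run on every dependency update, and a hit on either should trigger the response Socket recommends: remove the gem, rotate the bot token, and rebuild.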
Conclusion
Sarah Lane concludes the episode by encouraging listeners to engage with the CISO Series community, inviting feedback and discussions via their designated email. She wraps up by reminding the audience that comprehensive cybersecurity headlines are available every weekday on cisoseries.com, where listeners can access the full stories behind the summarized headlines.
Note: This summary condenses the key points from the June 4, 2025, episode of Cyber Security Headlines. For an in-depth understanding, listeners are encouraged to tune into the full podcast available on CISO Series.
