
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, June 4, 2025. I'm Sarah Lane.

Meta and Yandex are de-anonymizing Android users' web browsing identifiers
Research group Local Mess posted on its GitHub page a lengthy explanation of how Meta and Yandex are both exploiting Android's browser-to-app communication to de-anonymize users by linking web activity to app identities through Meta Pixel and Yandex Metrica trackers. This method bypasses both Android and browser privacy protections by abusing localhost ports, letting the Facebook, Instagram and Yandex apps harvest unique web identifiers. Google says the practice violates the Play Store rules and is working on fixes. Meta and Yandex claim they're pausing or ending the behavior amid ongoing discussion.

Lumma C2 fractures as Acreed malware becomes top dog
Lumma C2, a malware-as-a-service info stealer first seen back in 2022 and used by various threat groups, lost its dominance after a coordinated law enforcement operation back in May, Check Point Research says. Lumma's developers are trying to recover, but the reputation may be permanently damaged. A new stealer called Acreed, first observed by Webz researchers on February 10, has surged in popularity as a result. According to ReliaQuest, Acreed is now leading credential theft activity on Russian Market, a top dark web platform, with more than 4,000 uploaded logs in its first week.

Hewlett Packard Enterprise warns of critical StoreOnce auth bypass
Hewlett Packard Enterprise has patched eight vulnerabilities in its StoreOnce backup software, including a critical auth bypass flaw with a CVSS score of 9.8. The bug stems from a faulty authentication method and can enable remote exploitation of the other linked flaws: three RCEs, two directory traversal issues and one SSRF bug. All versions before v4.3.11 are affected, with no mitigations offered beyond upgrading. The flaws were reported back in October 2024 and fixed after seven months. No exploitation has been publicly found.

Vodafone hit by record German data fine over rogue agents
Germany's federal commissioner for data protection fined Vodafone 45 million euros for GDPR violations. The regulator said that third party sales agents acting on Vodafone's behalf committed fraud via fake or altered contracts. Vodafone was fined 15 million euros for failing to monitor these partners, and then another 30 million euros for weak customer authentication that let unauthorized parties access eSIM profiles. Vodafone says the issue stemmed from insufficient data protection checks, but claims it has since overhauled systems under new leadership.

Huge thanks to our sponsor Conveyor. Tired of herding cats to complete customer security questionnaires? Your team probably spends hours daily juggling the back and forth of completing these security requests. That's why Conveyor created Sue, the first AI agent for customer trust. Sue doesn't just handle completing security questionnaires and sending SOC 2 to prospects. She manages all the communication and follow up as well. You simply get notified when everything's done so you can do a quick review. Stop wrangling cats and see what Sue can do for you at www.conveyor.com

Crocodilus sharpens its teeth on Android users
The Android banking malware Crocodilus has expanded from Turkey to multiple new regions, including Spain, Poland, parts of South America and also Asia. It spreads via fake apps, ads and browser updates, and now adds fake contacts, steals crypto wallet seed phrases and uses obfuscation to evade detection. ThreatFabric, which first spotted Crocodilus in test campaigns back in March, warns it's rapidly evolving into a serious global threat.

Exclusive: one third of top US cyber force has left since Trump took office
Axios reports that nearly 1,000 people in the U.S. Cybersecurity and Infrastructure Security Agency, also known as CISA, workforce have left under the latest US administration. This includes 600 recent voluntary buyouts and 174 deferred resignations, with additional cuts hitting contract teams like Election Integrity and DEI units. Critics warn the loss of key figures and shrinking resources could undermine US cyber defenses amid rising threats. CISA leadership says it's still mission ready.

Coinbase breach tied to bribed TaskUs support agents in India
A Coinbase data breach disclosed back in May has been linked to bribed customer support agents at Indian outsourcing firm TaskUs. Reuters reports that two TaskUs employees were caught stealing names, emails, Social Security numbers and ID scans and passing them along to attackers in exchange for bribes. The breach was first detected in January. That was months before Coinbase made it public. Coinbase also refused a $20 million ransom, offering a bounty to identify the attackers instead. Nearly 70,000 customers were affected and losses could reach $400 million. TaskUs has since shut down its Coinbase operations in India.

The UK brings cyber warfare out of the closet
The UK published its 2025 Strategic Defense Review on June 2, openly committing for the first time to cyber warfare as part of an integrated military operation. The review proposes a centralized CyberEM Command to coordinate cyber, AI and electromagnetic capabilities across land, sea, air and digital domains, citing 9,000 gray zone cyber attacks on UK military networks over the past two years. It also introduces the Targeting Web, a new AI driven system for rapid cross domain decision making and attacks, inspired by lessons from the war in Ukraine.

Malicious Ruby gems pose as Fastlane to steal Telegram API data
Socket researchers discovered two malicious Ruby gems masquerading as legitimate Fastlane CI/CD plugins. The packages reroute Telegram API traffic to attacker controlled servers, harvesting sensitive data like bot tokens, message content, files and proxy credentials. The attack exploits typosquatting and mimics real plugins' functionality and documentation. Socket warns that the gems are still live and developers should uninstall them, revoke affected bot tokens, rebuild binaries and block affected traffic.

If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Sarah Lane reporting for the CISO Series. We'll talk to you next time.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Hosted by CISO Series | Release Date: June 4, 2025
In the latest episode of Cyber Security Headlines by the CISO Series, host Sarah Lane delves into a spectrum of pressing issues shaping the information security landscape. This comprehensive summary captures the key discussions, insights, and conclusions presented during the episode, providing valuable information for cybersecurity professionals and enthusiasts alike.
At the outset ([00:07]), Sarah highlights a significant privacy breach involving tech giants Meta and Yandex. The research group Local Mess unveiled a detailed report on its GitHub page exposing how both companies exploit Android's browser-to-app communication to de-anonymize users' web browsing identifiers. By leveraging Meta Pixel and Yandex Metrica trackers, Meta and Yandex link web activity to app identities, effectively bypassing Android and browser privacy protections. This method abuses localhost ports, enabling unauthorized harvesting of unique web identifiers by the Facebook, Instagram, and Yandex applications.
Google has responded by stating that these practices violate Play Store rules and is actively working on implementing fixes. In response, Meta and Yandex have announced that they are pausing or ending these behaviors amid ongoing discussions, as Sarah notes, “[...] Meta and Yandex claim they're pausing or ending the behavior amid ongoing discussion” ([00:07]).
The episode transitions to the evolving malware landscape, focusing on the decline of Lumma C2. First identified in 2022, Lumma C2 was a prominent malware-as-a-service (MaaS) tool used for information stealing by various threat groups. However, a coordinated law enforcement operation in May, as reported by Check Point Research, has significantly undermined its dominance. Developers of Lumma C2 are attempting to recover, but the damage to its reputation appears irreversible.
In its stead, a new stealer named Acreed has surged in popularity. Webz researchers observed Acreed's emergence on February 10, and ReliaQuest reports that Acreed is now leading credential theft activity on Russian Market, a top dark web platform. Within its first week, Acreed accounted for over 4,000 uploaded logs, marking it as a formidable successor in credential theft operations.
Security vulnerabilities continue to pose significant threats. Hewlett Packard Enterprise (HPE) has recently addressed eight vulnerabilities in its StoreOnce backup software, including a critical authentication bypass flaw with a CVSS score of 9.8 ([03:45]). This particular bug arises from a flawed authentication method, potentially allowing remote exploitation of the other linked flaws: three remote code execution (RCE) bugs, two directory traversal issues, and a Server-Side Request Forgery (SSRF) vulnerability. All versions prior to v4.3.11 are affected, with no mitigation options available aside from upgrading the software. Although these flaws were reported in October 2024, they were only fixed after seven months, and no public exploitation has been detected to date.
A significant development in data protection enforcement involves Vodafone, which has been fined a total of 45 million euros by Germany's federal commissioner for data protection for GDPR violations ([04:30]). The fines stem from fraudulent activities conducted by third-party sales agents acting on Vodafone's behalf. Specifically, agents engaged in fraud through the use of fake or altered contracts. Vodafone was fined 15 million euros for its failure to adequately monitor these partners, and an additional 30 million euros for weak customer authentication measures that allowed unauthorized access to eSIM profiles.
Vodafone attributes the issues to insufficient data protection checks and asserts that it has since overhauled its systems under new leadership to prevent future breaches.
The Crocodilus Android banking malware continues to expand its reach beyond its origins in Turkey. Sarah reports that Crocodilus has now infiltrated multiple new regions, including Spain, Poland, parts of South America, and Asia ([05:15]). The malware propagates through fake applications, deceptive advertisements, and fake browser updates. Additionally, it has enhanced its capabilities by adding fake contacts, stealing cryptocurrency wallet seed phrases, and employing obfuscation techniques to evade detection.
ThreatFabric, the researchers who first identified Crocodilus in test campaigns in March, cautions that the malware is rapidly evolving into a serious global threat, necessitating heightened vigilance among Android users and cybersecurity professionals.
A concerning trend in the US cybersecurity infrastructure involves significant workforce reductions at the Cybersecurity and Infrastructure Security Agency (CISA). According to Axios, nearly 1,000 cybersecurity professionals have departed since President Trump's administration took office, including 600 voluntary buyouts and 174 deferred resignations ([05:50]). Additional cuts have impacted contract teams such as Election Integrity and Diversity, Equity, and Inclusion (DEI) units.
Critics argue that this exodus of key personnel and the resulting depletion of resources could severely undermine the United States' cyber defenses, especially amid escalating cyber threats. However, CISA leadership maintains that the agency remains mission-ready, despite the staffing challenges.
The episode sheds light on the Coinbase data breach disclosed in May, which has been traced back to bribed customer support agents at the Indian outsourcing firm TaskUs ([06:30]). Reuters reports that two TaskUs employees were caught stealing sensitive customer information, including names, emails, Social Security numbers, and ID scans, which they passed to attackers in exchange for bribes. The breach was initially detected in January, months before Coinbase made it public.
In response to the breach, Coinbase rejected a $20 million ransom demand and instead offered a bounty to identify the attackers. Nearly 70,000 customers were affected, with potential losses reaching $400 million. TaskUs has since ceased its Coinbase operations in India.
In a landmark move, the United Kingdom has formalized its commitment to cyber warfare as a component of its integrated military operations, as detailed in its 2025 Strategic Defense Review released on June 2 ([06:55]). For the first time, the UK explicitly acknowledges cyber warfare's role alongside traditional military domains.
The review proposes the establishment of a centralized CyberEM Command to coordinate cyber, artificial intelligence (AI), and electromagnetic capabilities across land, sea, air, and digital domains. Citing 9,000 gray zone cyber attacks targeting UK military networks over the past two years, the UK aims to enhance its defensive and offensive cyber capabilities. Additionally, the review introduces the Targeting Web, an AI-driven system designed for rapid cross-domain decision-making and attack execution, drawing lessons from the ongoing war in Ukraine.
Cybersecurity threats also extend into the software development realm. Researchers from Socket have uncovered two malicious Ruby gems masquerading as legitimate Fastlane CI/CD plugins ([07:10]). These packages redirect Telegram API traffic to attacker-controlled servers, enabling the theft of sensitive data such as bot tokens, message contents, files, and proxy credentials. The attack relies on typosquatting, presenting gems that closely mimic the real plugins' functionality and appearance, including similar documentation.
Socket warns that these malicious gems remain active, urging developers to immediately uninstall them, revoke any affected bot tokens, rebuild binaries, and block the compromised traffic to mitigate potential damage.
Sarah Lane concludes the episode by encouraging listeners to engage with the CISO Series community, inviting feedback and discussions via their designated email. She wraps up by reminding the audience that comprehensive cybersecurity headlines are available every weekday on cisoseries.com, where listeners can access the full stories behind the summarized headlines.
Note: This summary condenses the key points from the June 4, 2025, episode of Cyber Security Headlines. For an in-depth understanding, listeners are encouraged to tune into the full podcast available on CISO Series.