Microsoft Entra attack, Thursday's Cloud outages, Mark Green retires - Cybersecurity Headlines

Summary

Cyber Security Headlines: Microsoft Entra Attack, Cloud Outages, Mark Green Retires

Hosted by CISO Series | Release Date: June 13, 2025

The latest episode of Cyber Security Headlines, presented by the CISO Series, delves into a range of pressing issues in the information security landscape. From sophisticated hacking campaigns targeting Microsoft Entra ID accounts to significant cloud service outages and notable shifts in governmental cybersecurity leadership, this episode provides a comprehensive overview for professionals and enthusiasts alike.

1. Microsoft Entra ID Accounts Under Siege

Timestamp: [00:07]

The episode opens with an alarming report on a widespread cyberattack targeting Microsoft Entra ID accounts. Steve Prentiss, the host, discusses findings from researchers at Proofpoint, who have identified a campaign leveraging the Team Filtration pen testing framework.

Attack Details:
- Threat Actor: UnksneakyStrike
- Duration: December 2024 - March 2025
- Scope: Targeted over 80 Microsoft Entra ID accounts across hundreds of organizations globally.
- Methodology: Utilized AWS servers across multiple regions and exploited a sacrificial Office 365 account with a Business Basic license to abuse the Microsoft Teams API for account enumeration.
Notable Quote:

"Team Filtration is a legitimate pen testing tool first published in 2022 by trusted SEC Red Team researcher Melvin Langvick." – Steve Prentiss [00:14]

The use of legitimate tools like Team Filtration underscores the sophisticated tactics employed by threat actors to bypass security measures and maintain a low profile during their operations.

2. Significant Cloud Outages Impacting Major Services

Timestamp: [02:30]

The episode highlights recent outages affecting major cloud service providers, namely Google Cloud and Cloudflare. These disruptions had a cascading effect on a multitude of services, causing widespread inconvenience and security concerns.

Affected Services:
- Google Home & Nest
- Snapchat, Discord, Shopify, Spotify
- Access Authentication Failures
- Cloudflare Zero Trust Warp Connectivity Issues
Impact:
- User Reports: DownDetector registered tens of thousands of outage reports.
- Duration: Initiated around 1:15 PM Eastern Time and gradually resolved throughout the afternoon.
Notable Quote:

"DownDetector received tens of thousands of reports with impacted users experiencing Cloudflare and Google Cloud server connection, website and hosting problems." – Steve Prentiss [02:45]

The episode emphasizes the critical reliance on cloud services and the domino effect that such outages can have on both consumers and businesses.

3. Mark Green's Retirement: Implications for Cyber Legislation

Timestamp: [04:10]

A significant shift in the political landscape is reported with the retirement announcement of Mark Green, the Tennessee Republican and Chair of the House Homeland Security Committee.

Key Points:
- Retirement Reason: Transitioning to an unspecified role in the private sector post a final vote on the President's "big beautiful bill."
- Legislative Impact: Green's departure could exert additional pressures on the future of cyber legislation.
- Contributions: As committee head, Green was a staunch advocate for cyber workforce legislation and supported the reauthorization of the Cybersecurity Information Sharing Act of 2015, set to expire in September.
Notable Quote:

"As head of the committee, Green championed cyber workforce legislation as his top priority." – Steve Prentiss [04:25]

Green's leadership has been pivotal in shaping cyber policy, and his exit may lead to uncertainties in the advancement and implementation of critical cybersecurity measures.

4. Fog Ransomware: A Blend of Monitoring and Pen Testing Tools

Timestamp: [05:20]

The discussion shifts to a novel ransomware attack dubbed Fog, which has targeted financial institutions in Asia using a combination of legitimate software and penetration testing tools.

Attack Vector:
- Tools Used: Legitimate employee monitoring software Sciteca and the GC2 penetration testing tool.
- Functionality of GC2: Enables attackers to execute commands on target machines via Google Sheets or Microsoft SharePoint lists and exfiltrate files using Google Drive or SharePoint documents.
Security Insights:
- James Maud from Beyond Trust highlights the tactic:
  
  "Threat actors typically use legitimate commercial software during attacks to reduce the chances that their intrusions are detected by security tools." – James Maud [06:15]
Impact: This blend of tools makes the Fog ransomware particularly stealthy, complicating detection and mitigation efforts.

5. Emergency Windows Update Addresses Easy Anti Cheat BSOD Issues

Timestamp: [05:55]

Microsoft has responded swiftly to a critical issue affecting gamers and system stability by releasing an emergency out-of-band update for Windows 24H2.

Issue Addressed:
- Problem: Blue Screen of Death (BSOD) errors triggered on systems running EasyAntiCheat, a service integral to preventing online multiplayer game cheating.
Update Details:
- Nature: A revised version of the Windows 11 cumulative update initially released during the month's Patch Tuesday.

This proactive approach by Microsoft underscores the importance of timely patches in maintaining system integrity and user experience.

6. Graphite Spyware Exploits iOS Vulnerabilities in Zero-Click Attacks

Timestamp: [06:40]

A forensic investigation by Citizen Lab has unveiled the use of Paragon's Graphite Spyware in zero-click attacks targeting journalists' iPhones in Europe.

Attack Mechanics:
- Exploited Vulnerability: An unknown flaw in iOS 18.1.1 (CVE unspecified) allowed malicious media files shared via iCloud links to compromise devices.
- Spyware Functionality: Graphite enables unauthorized access and surveillance, marking it as a sophisticated tool in Paragon's arsenal.
Response:
- Apple's Action: The vulnerability has been patched following notification to the victims on April 29.
Notable Quote:

"Apple notified the victims on April 29, identifying the spyware as advanced." – Steve Prentiss [06:55]

The exploitation of zero-day vulnerabilities in widely used platforms like iOS highlights the relentless efforts of threat actors to infiltrate high-profile targets.

7. Vulnerabilities in Sino Track GPS Devices Allow Remote Control and Tracking

Timestamp: [07:20]

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about vulnerabilities in Sino Track GPS devices, which could have dire consequences for vehicle security and privacy.

Vulnerabilities Identified:
- CVE Scores: 8.3 and 8.6
- Potential Exploits:
  - Accessing a vehicle's device profile
  - Tracking its location
  - Cutting power to the fuel pump
Security Lapses:
- Default Credentials: Sino Track devices utilize a universal default password and do not mandate password changes during setup.
- Device ID Exposure: Usernames are easily obtainable from the device label, making unauthorized access straightforward.
CISA's Recommendation:

"CISA is urging users to change their default passwords and hide the device IDs." – Steve Prentiss [07:35]

Currently, there have been no public records of these vulnerabilities being exploited, but the potential risks necessitate immediate action from device owners.

8. Innovative Data Exfiltration via Smartwatches in Air-Gapped Systems

Timestamp: [07:45]

Introducing a novel threat vector, a researcher from Ben Gurion University of the Negev has developed a method named Smart Attack for exfiltrating data from air-gapped systems using smartwatches.

Attack Process:
- Technique: Utilizes the smartwatch's built-in microphone to capture ultrasonic signals ranging from 18 to 22 kHz.
- Prerequisite: Requires prior infiltration to install malware that can transmit data via the infected machine's speakers at inaudible frequencies.
Researcher Insight:

"Smart Attack uses a smartwatch's built-in microphone to capture covert ultrasonic signals within range of 18 to 22kHz." – Mordechai Guri [07:50]

While the method is sophisticated, its practicality depends on specific environmental conditions and the initial breach, highlighting the evolving nature of cyber threats.

Conclusion

The episode of Cyber Security Headlines effectively underscores the dynamic and multifaceted challenges in today's cybersecurity environment. From sophisticated attacks leveraging legitimate tools to vulnerabilities in both software and hardware devices, the landscape requires constant vigilance and adaptive strategies. Additionally, the political shift with Mark Green's retirement adds another layer of complexity to the formulation and implementation of robust cyber legislation.

For listeners seeking in-depth analysis and updates on these topics, the CISO Series remains a valuable resource. Stay informed and proactive in your cybersecurity endeavors.

Note: This summary is crafted for individuals who have not listened to the podcast and aims to encapsulate all critical discussions and insights presented in the episode.

Transcript

A (0:00)

From the CISO series. It's Cybersecurity Headlines.

B (0:07)

These are the cybersecurity headlines for Friday, June 13, 2025. I'm Steve Prentiss. Hackers attacks target Microsoft Entra ID accounts using pen testing tool Researchers at Proofpoint are describing a hacking campaign that is using the Team Filtration Pen testing framework to target more than 80 Microsoft Entra ID accounts at hundreds of organizations worldwide. Blame is being placed on a threat actor called UnksneakyStrike. The attacks occurred from December of last year through to March. Team Filtration is a legitimate pen testing tool first published in 2022 by trusted SEC Red Team researcher Melvin Langvick. It is thought that for this attack, the gang quote used AWS servers across multiple regions and used a sacrificial office365 account with a Business Basic license to abuse Microsoft Teams API for account enumeration. Google Cloud and Cloudflare outages reported yesterday. These outages affected services such as Google Home, Nest, Snapchat, Discord, Shopify and Spotify, as well as creating Access authentication failures and Cloudflare Zero Trust warp connectivity issues. DownDetector received tens of thousands of reports with impacted users experiencing Cloudflare and Google Cloud server connection, website and hosting problems. The issue started around 1:15pm Eastern Time and was being resolved throughout the afternoon. House Homeland Chairman Mark Green Announces His Departure the Tennessee Republican who chairs the House Homeland Security Committee has announced his pending retirement from Congress, which could place additional pressures on the fate of cyber legislation, cyberscoop said, quote. As head of the committee, Green championed cyber workforce legislation as his top priority and recently and he called for a vote on the measure on the House floor. He has supported reauthorizing a cybersecurity 2015 information sharing law that expires in September, end quote. Green said he would leave for an unspecified job in the private sector following a final vote on the President's big beautiful bill. Fog ransomware attack uses employee monitoring software and a pen testing tool. This attack on a financial institution in Asia in May deployed the Fog ransomware tool by using a legitimate, legitimate employee monitoring software called Sciteca paired with the GC2 penetration testing tool. A report from Symantec says the GC2 allows an attacker to execute commands on target machines using Google sheets or Microsoft SharePoint list and exfiltrate files using Google Drive or Microsoft SharePoint documents. Although the researchers are not sure of the role played by sciteca, James Maud, who is field CTO at Beyond Trust, said threat actors typically use legitimate commercial software during attacks to reduce the chances that their intrusions are detected by security tools. Huge thanks to our sponsor Vanta. Is your manual GRC program slowing you down? There's something more efficient than spreadsheets, screenshots and manual processes, and that's Vanta. With Vanta, GRC can be so much easier while also strengthening your security posture and driving revenue for your business. Vanta automates key areas of your GRC program, including compliance, risk and customer trust, and streamlines the way you manage information. The impact is real. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business. Get started@vanta.com headlines that is V A N T A Windows releases emergency update to fix easy Anti Cheat Blue Screen of Death Microsoft has released an out of band windows 24H2 update to address a problem in which Blue Screen of Death errors were triggered on systems with easyanti Cheat, which is a popular service installed with many multiplayer games to prevent cheating while playing online. The update is a revised version of the Windows 11 cumulative update released during this month's patch Tuesday. Graphite spyware used in Apple iOS zero click attacks on journalists A forensic investigation by Citizen Lab has confirmed that Paragon's graphite spyware was used in zero click attacks targeting iPhones of at least two journalists in Europe. The attacks exploited a then unknown vulnerability with a CVE number in iOS 18.1.1, which allowed malicious photographs or videos shared via icloud links to compromised devices. Apple notified the victims on April 29, identifying the spyware as advanced. The graphite platform is believed to be part of Paragon's mercenary spyware operations. The flaw has since been patched by Apple. Sino Track GPS device flaws lead to remote vehicle control and location tracking CISA is warning of two vulnerabilities in SinoTrack GPS Track GPS devices that can be exploited to access a vehicle's device profile, track its location, or even cut power to the fuel pump, depending on the model. The two vulnerabilities have CVE numbers and have CVSS scores of 8.3 and 8.6. SinoTrack apparently uses the same default password for all units and does not require changing it during setup. Since the username is simply the device ID printed on the label, someone could easily gain access either by physically seeing the device or even spotting it in online photos, such as on ebay. CISA is urging users to change their default passwords and hide the device IDs no public exploitation of the vulnerabilities has yet been recorded. Air gapped data could be stolen via smartwatches, says researcher A new technique for exfiltrating data from air gapped systems through a smartwatch is being developed by a researcher from the Ben Gurion University of the Negev. Mordechai Guri says the technique, called Smart Attack, uses a smartwatch's built in microphone to capture covert ultrasonic signals within range of 18 to 22kHz, successfully enabling data theft based on certain environmental conditions. It must be said, however, that to succeed, a previous infiltration is required to implant malware that would transmit information using the infected machine's speakers in a frequency range that makes sounds inaudible to humans. Make sure to join us later today at 3:30pm Eastern for our Week in Review show. Christina Shannon, CIO at Kik Consumer Products, will be our guest providing her expert commentary on the news of the week, and we encourage participation and comments through our YouTube live channel. Just go to the events page@cisoseries.com to register. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us@feedbackisoseries.com we would love to hear from you. I'm Steve Prentiss reporting for the CISO series.