Telecom Orange hacked, $2.4M Bitcoin seized from Chaos, Scattered Spider's tactics evolve

Cyber Security Headlines - Episode Summary Hosted by CISO Series | Release Date: July 30, 2025

In the latest episode of Cyber Security Headlines by CISO Series, host Sarah Lane delves deep into significant developments in the information security landscape. This episode covers a range of topics from critical vulnerabilities in popular platforms to sophisticated ransomware operations and evolving cyber threats targeting national security. Below is a detailed summary of the key discussions, insights, and conclusions presented in the episode.

1. Critical Authentication Flaw in Base44 Vibe Coding Platform

At the outset, Sarah Lane highlights a significant vulnerability identified by Wiz Research in the Base44 vibe coding platform, recently acquired by Wix. This flaw allows attackers to bypass Single Sign-On (SSO) mechanisms and access private applications using only a public app ID.

“Wiz Research found a critical authentication flaw in Base44's vibe coding platform, letting attackers bypass SSO and access private apps using only a public app id.” [00:07]

Key Points:

• Vulnerability Details: The flaw originated from exposed API endpoints that did not require authentication, compromising apps housing sensitive enterprise data.
• Response and Mitigation: Wix addressed and patched the vulnerability within 24 hours of discovery. Currently, there is no evidence indicating that the flaw has been exploited.
• Broader Implications: Wiz Research underscores the inherent risks associated with low-code AI development platforms, where fundamental security controls may falter across shared infrastructures.

2. French Telecom Giant Orange Discloses Cyberattack

Sarah reports on a cyberattack affecting one of France’s leading telecom providers, Orange. The incident was identified and contained by Orange Cyber Defense on July 25th, leading to temporary service disruptions for some users.

“French telecom giant Orange disclosed a cyber attack on one of its information systems, detected and isolated on July 25th by Orange Cyber Defense.” [00:07]

Key Points:

• Impact: While some customers experienced temporary disruptions, there have been no confirmations of data theft.
• Attacker Attribution: The responsible party remains unidentified; however, the breach shares similarities with recent global telecom intrusions, potentially linking it to China’s Salt Typhoon cyber espionage group.

3. FBI Seizes $2.4 Million in Bitcoin from Chaos Ransomware Operation

One of the episode’s highlights is the FBI’s successful seizure of over $2.4 million in Bitcoin from the New Chaos ransomware group, targeting Texas-based companies.

“The FBI seized over $2.4 million in Bitcoin from a member of the New Chaos ransomware operation, now traced to attacks on Texas based companies.” [00:07]

Key Points:

• Operation Details: The funds were associated with an affiliate known as HORS and were confiscated on April 15th. The Department of Justice filed a civil forfeiture complaint on July 24th to secure permanent ownership.
• Group Evolution: The Chaos ransomware group is believed to be a rebranding of Black Suit Ransomware, itself an offshoot of the now-defunct Conti Gang.
• Law Enforcement Impact: This seizure follows increased law enforcement efforts and recent dismantling of ransomware infrastructures linked to Black Suit, signaling a crackdown on ransomware operations.

4. Poland Arrests 32 Individuals Over Pro-Russian Sabotage

Sarah covers Poland’s significant crackdown on individuals allegedly conducting sabotage and arson on behalf of Russian intelligence since the onset of the Ukraine conflict.

“Poland's Prime Minister Donald Tusk warned that any efforts to destabilize the country would be met with ruthless action.” [00:07]

Key Points:

• Arrested Individuals: A total of 32 individuals from diverse nationalities, including Polish, Russian, Ukrainian, Belarusian, and Colombian, were detained.
• Charges: The suspects are accused of orchestrating sabotage and arson attacks as part of a broader Russian hybrid warfare campaign.
• Legal Actions: Notably, one Colombian suspect has already been convicted in the Czech Republic for multiple arson attacks linked to this campaign, utilizing platforms like Telegram for recruiting operatives.

5. Evolving Tactics of the Scattered Spider Cyber Threat

In an updated advisory, the FBI and CISA warn about the persistent and evolving threats posed by the Scattered Spider group, which continues to employ sophisticated social engineering and intrusion tactics.

“The FBI and CISA issued an updated advisory warning that Scattered Spider remains a serious threat using sophisticated social engineering and intrusion tactics.” [00:07]

Key Points:

• Techniques Employed: The group utilizes phishing, Multi-Factor Authentication (MFA) fatigue, SIM swapping, and ransomware variants like Dragon Force to infiltrate systems. They have also been known to encrypt VMware ESXi servers.
• Impact and Risk: Despite recent arrests linked to the gang, authorities from the US, UK, Canada, and Australia emphasize that Scattered Spider’s evolving methods continue to pose significant risks to national security and critical infrastructure.

6. Gunra Ransomware Evolves with Linux Variants

Gunra Ransomware Group has introduced a sophisticated Linux variant, marking a notable evolution from its original focus on Windows-based systems.

“The Gunra Ransomware Group released a sophisticated Linux variant capable of encrypting files using up to 100 concurrent threads.” [00:07]

Key Points:

• Technical Advancements: This variant supports partial encryption and offers configurable settings, providing attackers with enhanced control and speed during operations.
• Target Expansion: After gaining notoriety for high-profile breaches, Gunra is now targeting a diverse array of industries across multiple countries, indicating a strategic broadening of their attack vectors.

7. Autocolor Backdoor Malware Exploits SAP Vulnerability

Autocolor, a Linux-targeting malware, is exploiting a critical vulnerability in SAP NetWeaver to infiltrate systems.

“A Linux targeting malware called autocolor is exploiting a critical SAP netweaver vulnerability to infiltrate systems.” [00:07]

Key Points:

• Malware Functionality: Autocolor operates as a remote access trojan (RAT), employing advanced persistent techniques to evade detection. It establishes control via TLS and remains dormant when disconnected from its command server.
• Initial Impact: The first known attack targeted a US-based chemical company in April, highlighting the malware’s potential to compromise sensitive industrial systems.

8. Supply Chain Attacks Detected in GitHub Actions, Gravity Forms, and NPM

Supply chain vulnerabilities remain a critical concern as researchers at Armis Labs identify major attacks within trusted development tools and platforms.

“Researchers at Armis Labs uncovered major software supply chain attacks in GitHub Actions, the uaparser JS npm package and the Gravity Forms WordPress plugin.” [00:07]

Key Points:

• Attack Vectors: These incidents involved the insertion of backdoors and poisoned code, which jeopardized thousands of systems reliant on the compromised tools.
• Implications for Developers: The findings emphasize how trusted developer tools can be infiltrated, especially with the exploitation of AI-driven coding practices.
• Preventative Measures: Experts stress the importance of early detection and stringent code integrity checks to mitigate the risks of widespread backdoor insertions within software projects.

Upcoming Event: CISO Series Meetup in Montreal

For professionals in Montreal, a CISO Series meetup is scheduled for Friday, August 1st, hosted by David Spark at the Crew Cafe starting at 8:30 AM. Attendees will have the opportunity to network, participate in games, and enjoy refreshments. More details can be found on the CISO Series Events Page.

Conclusion

This episode of Cyber Security Headlines provides a comprehensive overview of the current cybersecurity landscape, highlighting significant vulnerabilities, sophisticated ransomware operations, and the persistent evolution of cyber threats targeting both corporate and national infrastructures. Hosts like Sarah Lane ensure that listeners are well-informed about the latest developments, empowering them to bolster their security measures effectively.

For a more in-depth exploration of these stories, listeners are encouraged to visit CISOseries.com.

This summary is intended for informational purposes and reflects the discussions presented in the July 30, 2025 episode of Cyber Security Headlines by CISO Series.