Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, July 4, 2025. I'm Steve Prentiss.

Microsoft asks users to ignore Windows Firewall config errors. This issue seems to appear for some users on Windows 11 24H2 systems after rebooting their systems following the installation of the 2025 Windows non-security preview update. Warnings appear in the Event Viewer as event 2042 for Windows Firewall with Advanced Security, with a "config read failed" warning and a "more data is available" message. Microsoft says this is a "known issue" caused by a "new feature that is still under development and hasn't yet been fully integrated with the operating system." The alert can be safely ignored, they said, and a fix is on its way.

Undetectable Android spyware leaks user logins and becomes detectable. Catwatchful (as one word) is a monitoring application marketed as a parental control application for Android, which allows users to view content from a victim's device in real time, tap into the microphone and cameras, and access photos, videos, chat logs and location. The product is described as undetectable and hides its presence to prevent being uninstalled by the victim. Unfortunately, a researcher has discovered that the app is prone to SQL injection attacks and, because of this, the plain-text logins and passwords of all 62,050 Catwatchful accounts, along with details linking accounts to devices and tracking administrative data, have been made visible, according to Security. Android users can also check whether the spyware has been installed on their devices by dialing 543210 and then pressing the call button. This is apparently a built-in backdoor feature that makes the spyware reveal itself so it can be uninstalled.

Cisco warns of hard-coded credentials in enterprise software. This is a critical vulnerability with a CVE number and a CVSS score of 10 out of 10. In its announcement made Wednesday, Cisco stated that it applies to its Unified CM and Unified CM SME communication management software and could allow attackers to log in as the root account. In its advisory, Cisco says the problem exists because the enterprise management tools contain default static credentials that cannot be removed or changed. On Wednesday, Cisco announced patches for the critical vulnerability and has released a patch file which is expected to roll out this

Hunters ransomware group shuts doors, blaming changing times. The group, famous for attacks on Indian multinational Tata Technologies and Chinese-owned ICBC bank, has announced it is closing down business and offering decryption keys to its victims. In an announcement that resembles the type disseminated by larger legitimate businesses, especially when job losses are involved, the Hunters message blames what it calls recent developments and an overall sense that collecting ransoms is no longer as easy or rewarding as it once was. It calls the decryption offer a gesture of goodwill. However, researchers at the security firm Group-IB have already predicted that the same team behind Hunters is rebranding as World Leaks, which uses an extortion-only model whereby attackers steal a company's data and hold it to ransom without deploying any kind of file encryption.

Huge thanks to our sponsor, Palo Alto Networks. You're moving fast in the cloud, and so are attackers. But while SecOps and cloud security teams are working in silos, attackers are exploiting the gaps between them. Cortex Cloud by Palo Alto Networks bridges this divide, unifying teams and stopping attacks with real-time cloud security that includes AI-powered protection, detection and automated response capabilities. Threats are stopped in minutes instead of days, and teams can finally protect cloud environments at the speed and scale of modern attacks. To learn more about how Cortex Cloud stops cloud attacks before they become breaches, visit paloaltonetworks.com/CDR. That is paloaltonetworks.com/CDR.

Medical device company Surmodics reports cyber attack. Based in Minnesota, Surmodics (S-U-R-M-O-D-I-C-S) is the largest US provider of outsourced hydrophilic coatings used to reduce friction for objects such as intravascular medical devices. Its IT team observed unauthorized access in its network exactly one month ago, forcing the company to shut down parts of its IT system and to find alternate ways to receive and process customer orders. This is the third publicly traded medical device company to report a cyber attack to the SEC in the last eight months, the other two being Artivion and Masimo. While now partially restored, the scope and details of the IT data stolen by the hackers are still being analyzed. No group has claimed responsibility, and the company says no proprietary data or third-party information has been released.

North Korean hackers find yet another way to hack through Zoom. Although we have covered this topic a few times in the past weeks, this one differs in the payload and is therefore worthy of note. The BlueNoroff APT, based out of Pyongyang, is following the same social engineering path of inviting a victim via Telegram to a Calendly invite, which takes them to a Zoom meeting. In this instance, rather than exploiting a faked faulty audio situation, the victim is instructed to run a malicious script posing as a Zoom SDK update. The script's execution triggers a multi-stage infection chain, leading to the deployment of malicious binaries that SentinelOne collectively tracks as NimDoor (N-I-M-D-O-O-R).

Department of Justice investigates ex-ransomware negotiator over alleged extortion kickbacks. The individual under investigation is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released, according to an initial report from Bloomberg. The DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments and then allegedly received a cut of the ransom that was charged to the customer. DigitalMint has confirmed that one of its former employees is under criminal investigation and informed BleepingComputer that it terminated the employee after learning of the alleged conduct.

Salt Typhoon largely contained in telecom networks, says FBI. Brett Leatherman, new leader of the FBI Cyber Division, has told CyberScoop that Salt Typhoon, who were of course the Chinese hackers behind the massive telecommunications sector breach, are largely contained and dormant in the networks, locked into the location they're in and not actively infiltrating information. Leatherman adds, however, that this does not mean they no longer pose a threat, specifying that "the longer they have a foothold inside telecommunications networks, the more ways they can create points of persistence."

Just a reminder that there will be no Super Cyber Friday or Week in Review shows today. The Week in Review returns next Friday, July 11, and Super Cyber Friday returns the following Friday, July 18. You can always find out the details and register to participate by visiting the events page at cisoseries.com, and if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.

Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
