
In this episode of Cybersecurity Today, hosted by David Shipley, key cybersecurity incidents and threats are discussed. The Canadian Center for Cybersecurity revealed a breach by Chinese state-sponsored hackers of a Canadian telco, with further...
Loading summary
David Shipley
Canada's cybersecurity agency confirms Chinese hack of telco US braces for retaliatory cyber strikes after bombing Iranian nuclear sites Hard coded single letter password in sitecore XP sparks major remote compromise and Russian hackers bypass Gmail MFA using stolen app passwords this is Cybersecurity Today and I'm your host David Shipley. Let's get started. The Canadian Centre for Cybersecurity, or cccs, quietly revealed Friday night in a social media post that a Canadian telecommunications provider was breached by China's state sponsored hacking team Salk Typhoon. Many in the cybersecurity industry were waiting for this news for some time following the massive breach of US and global telecommunications providers in 2024, given that all use similar third party equipment. In a joint release with the FBI first posted on their website on Thursday, the center said the PRC backed campaign was likely not contained just to the telecommunications sector. The agency said it expects Chinese hackers will, quote, almost certainly end quote, continue to target Canadian critical infrastructure over the next two years, especially telecommunications providers. This is particularly notable. The intelligence community in the Western world is increasingly raising the alarm around a potential Chinese invasion of Taiwan before the end of 2027. Beijing has repeatedly denied US allegations of its involvement in salt typhoon, which was first reported by the Wall Street Journal last year. In January, the US sanctioned a Chinese firm accused of quote, direct involvement, end quote in the infiltrations, along with the country's Ministry of State Security in the advisory. Last week, the Canadian center for Cybersecurity said the threat actors explo CVE2023 201 98. It is a vulnerability in Cisco networking gear. First reported in October 2023. The CVE is a critical zero day privilege escalation vulnerability in the web UI interface of routers, switches and wireless controllers running Cisco's iOS XE. It was given a 10 out of 10 on the CVSS score. The attackers used the critical vulnerability to retrieve the running configuration files from three devices in the targeted telco and modified at least one of the files to configure a generic routing encapsulation or GRE tunnel which enables traffic collection from the network. GREs work a lot like a VPN but without encryption. Compromised devices can then be used to spy on internal network traffic or as launching pads for attacks on other systems. The CCCS and FBI. News of the Canadian telco compromise is the latest in a string of Chinese hacks in Canada. Most recently in 2024, the government of British Columbia was compromised by Chinese hackers and in the fall of 2024, report from the center confirmed Chinese hackers have been in numerous governments throughout the country for more than five years. The revelation that a Canadian telecommunications provider's equipment was compromised comes days after the Canadian government tabled its second attempt at critical cybersecurity legis. Formally called Bill C26, the new Bill C8 is a near twin of the past law that passed Law failed to get through the winter session of Parliament before the government fell due to a typo, but in typical government fashion, it only made it to the second step in the House of Commons before Parliament took its summer break because prior the United States Department of Homeland Security issued a bulletin on Sunday warning of possible cyber attacks following the US Bombing raids on Iran's nuclear facilities. The Department of Homeland Security issued an advisory on Sunday saying attacks from low level cyber hacktivists are likely and larger attacks could follow a foreign leader's issue of religious ruling calling for retaliatory violence against targets in the U.S. jen Easterly, the former head of the cybersecurity and infrastructure security agency CISA, posted on LinkedIn Sunday a repeat of the successful shields up messaging her team had used during the lead up to the 2022 Russian invasion of Ukraine. Easterly said in her post that while it's unclear if cyber capabilities were at all impacted by recent Israeli airstrikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure including water systems, fire, financial institutions, energy pipelines, government networks and more. She urged critical infrastructure providers and others to be on the lookout for credential theft and phishing wipers disguised as ransomware, hacktivist fronts and false flag operations and targeting of industrial control system and operational technology systems. Her advice? Enforce MFA across all cloud, IT and OT systems, patch every Internet facing asset segment networks and elevate detections of OT traffic. Conduct tabletop cybersecurity drills, particularly with industrial control system scenarios and subscribe to ISAC alerts for real time intelligence. And in case you missed it, there is a recent statement from the IT ISAC and the AG ISAC about Middle east tensions and cyber threats. As always, report suspicious activity immediately to the Cybersecurity and Infrastructure Security Agency or the Federal Bureau of Investigation. Quote the playbook is known, so is the response. And it's not rocket science. End quote. Now, not everyone in cybersecurity land, however, is convinced that the brace for impact messaging is warranted, or at least with how it's being positioned. Jacob Williams, VP of Research and Development with Hunter Strategy and a well known voice in the cybersecurity community had a slightly different take on Sunday. Quote if you're an enterprise worried about your exposure to pro Iran hacktivists, real talk you're doing security wrong. Hacktivists lack sophisticated tools. They employ DDoS and hack and leak as their primary techniques. Apts they are not. End quote. He further added quote the question you should ask is what action should I be taking based on this new information? And my friends, if you're already doing security right, the answer is no additional action required. End quote so Canada is getting pwned all over the place by China. America should or should not be worried about Iranian cyber retaliation and one of the largest enterprise web content management platforms had a single letter hard coded credential that could be exploited remotely Last week, researchers over at Watchtower disclosed a devastating vulnerability chain affecting the sitecore Experience platform, or sitecore xp. That's the tech backbone behind the digital experiences. Read websites of major banks, airlines and global enterprises. Basically the kind of software you really don't want exposed. And here's the kicker. It wasn't just one bug. It was a chain of three vulnerabilities that, when linked together, allow attackers to execute code remotely without authentication translations. Hackers completely hijack a server running sitecore without needing a username or password. Let's break it down. The first part of this chain Hard coded credentials. At the center of this mess is an internal Sitecore user account named Sitecore ServicesAPI. The account comes with a hard coded password. Just the letter B. That's right, just B. This is not supposed to happen. It's not even an admin account and has no roles assigned. But because of a login path quirk sitecore Admin, attackers can still use it to log in under certain conditions. From there, they get a valid session cookie, which opens the door to authenticated internal endpoints. These are typically locked down by Microsoft's Internet Information Services web server rules, but they don't enforce sitecore role checks. So boom, you're in. The next step is called zip slip. Once in, the attacker moves to the second vulnerability. It's a flaw in how the sitecore upload wizard works. The wizard lets you upload zip files, and that's where the magic or mayhem happens. A carefully crafted zip file that can include a malicious path like webshell aspx. Due to poor path sanitization, sitecore maps the path straight into the webroot, letting the attacker drop a web shell right onto the server and execute remote code. No guesswork needed. No system path knowledge required. Just zip, slip and boom, you've got a server. And then comes PowerShell. The third bug kicks in if you've got the Sitecore PowerShell extension or SPE module installed, which a lot of organizations do. With this extension, attackers can upload arbitrary files to any location, bypassing restrictions on file types or locations. And that makes remote code execution faster, simpler, and dead easy to repeat. Double Yahtzee. Maybe the big picture Watchtower found these bugs in Sitecore versions 10.1 through 10.4. Their scans show 22,000 publicly facing Sitecore instances. Not all are vulnerable, but it's a massive attack. Services in addition to those global enterprises we mentioned earlier airlines, banks, telcos, government regulators. If you also guessed that their customers include some of the biggest oil companies in the world, running from Saudi Amrico to Chevron, you'd be right. Not that you know they've got anything to worry about lately from someone maybe looking to destabilize other oil providers right now. The good news keeps on coming. Patches were released back in May 2025, but technical details were held back June 17th to give customers time to update. Now's the time. Watchtower CEO put it bluntly. If you're running Sitecore, it doesn't get worse than this. Rotate your credentials patch now because attackers will reverse engineer this fix. Sitecore's response to their credit, sitecore worked with Watchtower and published a security Bulletin Security Bulletin 2025003 along with patches. The three CVEs identified were CVE2025, 34509 hard coded credentials, CVE2025 34510 path traversal to RCE and CVE2025 34511 post auth RCE via PowerShell. They also reminded customers about a fourth issue, CVE2025 27218 that had already been patched in December 2024. If your organization runs Sitecore, don't wait for the headlines to get worse. Please patch, rotate those passwords and harden your instances. And it won't just be Iranians who'll be itching to use this. Of course, ransomware gangs don't go on holiday just because global tensions went up more. Which brings us to the latest Russian hacker headline Fun. All right, let's talk about an interesting high stake phishing campaign that's a masterclass in patience, precision and and psychological manipulation. And of course it comes out of Russia. Between April and June, a Russian state linked threat actor tracked by Google threat intelligence group as UNC6293 likely affiliated with APT 29 under Russia's Foreign Intelligence Service, launched a highly targeted phishing campaign. But this wasn't your usual click here fast scam. This was a slow burn social engineering and it was aimed at high profile academics and outspoken critics of the Russian government. Let's walk through what made this campaign so interesting and so dangerous. MFA bypassed thanks to app specific passwords now most of us think multi factor authentication protects our email and in most cases it does. But this campaign didn't try to break through the mfa. Instead it sidestepped it using app specific passwords, which are a legitimate feature in Google accounts that let users create one time passwords for third party apps that don't support two factor authentication. What UNC 6293 did was convince their targets to create and hand over one of these app specific passwords, giving the hackers full access to Gmail inboxes without triggering any alerts. It's like asking someone to build a key to their own house and then hand it over to you. This operation was surgical. One of the targets was Keir Giles, a leading expert on Russian disinformation. The attackers posed as a cloud S. Weber from the Department of State inviting Kir to a private online discussion. The email came from a Gmail address. Should been suspicious on its own, but what sold it was it was included with multiple@state.gov addresses in the CC line. It looked official. Problem is there was no Claude S. Weaver at State and the attackers exploited a little known quirk. The real US State Department mail server doesn't always bounce messages for non existing addresses, so nothing looked amiss. Then came the clever part. After a few exchanges, no pressure, just polite scheduling back and forth, Giles was invited to join a platform called the Ms. Department of State Guest tenant sounded official. Seemed plausible to access it he was told all he needed to do was generate a Google app specific password and send it over to one of the admins so they could add him to the guest platform. They even provided a helpful PDF with step by step instructions that password it gave the attack full direct access to Jiles Gmail account. And this wasn't a one off. According to the University of Toronto Citizens Lab and Google's Threat team, this was part of two active phishing campaigns. One used the State Department lure, the other leaned on Ukraine and Microsoft themed bait. Behind the scenes, UNC6293 used a mix of residential proxies and virtual private servers Remember we talked about this a few episodes ago. These attacks weren't quick hits. They were slow, deliberate and deeply customized, built on fake Personas, forged documents, and years of tradecraft. Now, who's at Risk? The people being targeted in this campaign are folks involved in geopolitics, legal disputes, national security or human rights advocacy. The kind of people who would hold sensitive information and whose communications might shape policy or public opinion. However, criminal groups tend to follow these kinds of clever tactics. We will see this repeated again. And this reminds me an awful lot of the rise of other social engineering tactics like click Fix. Google is urging anyone at risk to enroll in its Advanced Protection Program. This is the same high security system used by political campaigns and journalists. Crucially, it blocks the use of app specific passwords entirely and enforces strong hardware based login methods. So, dear Admins, maybe it's time for all of us to start locking down people's abilities to create app specific passwords. Now, if you're feeling a bit overwhelmed by last Friday's episode and hopefully took Jim's advice to enjoy the weekend, take a breath. I'm going to go full Canadian and issue an apology. This week is not starting off any better. I'm sorry. As always, stay skeptical, stay patched and yesterday was a good time to review your 72 hour emergency kit. Always interested in your opinion. Contact us@EditorialEchnewsDay CA or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
Cybersecurity Today: In-Depth Summary of the June 23, 2025 Episode
Host: David Shipley (Sitting in for Jim Love)
Overview: The episode opens with alarming news from the Canadian Centre for Cybersecurity (CCCS) and the FBI regarding a breach of a major Canadian telecommunications company by the Chinese state-sponsored hacking group, Salk Typhoon. This incident follows a significant global breach in 2024 affecting multiple telecommunications providers due to shared third-party equipment vulnerabilities.
Key Details:
Notable Quote: “The intelligence community in the Western world is increasingly raising the alarm around a potential Chinese invasion of Taiwan before the end of 2027.” — David Shipley (02:50)
Implications: The breach underscores the persistent threat to critical infrastructure, particularly telecommunications, and signals ongoing and future targeting by Chinese hackers. The CCCS anticipates continued attacks over the next two years, emphasizing the need for robust cybersecurity measures within Canadian critical sectors.
Overview: Following recent U.S. military operations against Iranian nuclear facilities, the Department of Homeland Security (DHS) warns of potential cyber retaliations from Iran.
Key Details:
Notable Quotes:
Expert Opinion: Jacob Williams, VP of Research and Development at Hunter Strategy, offers a contrasting perspective, suggesting that fears of Iranian cyber retaliation may be overstated. He asserts that if an organization is already implementing robust security measures, additional actions may not be necessary.
Notable Quote: “If you're an enterprise worried about your exposure to pro-Iran hacktivists, real talk you're doing security wrong.... If you're already doing security right, the answer is no additional action required.” — Jacob Williams (12:45)
Implications: The DHS advisory highlights the tension between proactive security measures and perceptions of threat severity. While officials urge heightened vigilance, some experts advocate for confidence in existing security frameworks.
Overview: A severe security flaw was uncovered in the Sitecore XP, a widely used web content management system integral to the digital operations of major banks, airlines, and enterprises.
Key Details:
Vulnerability Chain: A sequence of three vulnerabilities allows remote, unauthenticated code execution.
Affected Versions: Sitecore versions 10.1 through 10.4, affecting approximately 22,000 publicly facing instances (20:45).
Response and Mitigation:
Implications: The vulnerability poses a significant risk to global enterprises relying on Sitecore XP. Timely patching and credential management are critical to preventing exploitation and ensuring system integrity.
Overview: Russian threat actors, linked to APT 29 and tracked as UNC6293, have developed a sophisticated phishing campaign targeting high-profile individuals by exploiting Google's app-specific passwords to bypass Multi-Factor Authentication (MFA).
Key Details:
Attack Mechanics:
Preventative Measures:
Implications: This campaign exemplifies advanced social engineering tactics that circumvent traditional security measures like MFA. It underscores the necessity for organizations to adopt stringent authentication protocols and educate users on the risks of credential sharing.
Host’s Summary: David Shipley emphasizes the importance of staying vigilant amidst evolving cyber threats. He reiterates key security practices such as patching vulnerabilities promptly, enforcing multi-factor authentication, and conducting regular cybersecurity drills.
Final Advice:
Call to Action: Listeners are encouraged to share their opinions and experiences by contacting the podcast team via email or leaving comments on the YouTube video, fostering a community-driven approach to cybersecurity awareness.
Notable Closing Quote: “As always, report suspicious activity immediately to the Cybersecurity and Infrastructure Security Agency or the Federal Bureau of Investigation. The playbook is known, so is the response. And it's not rocket science.” — David Shipley (36:00)
Contact Information: For further discussion or to share feedback, listeners are invited to reach out via us@EditorialEchnewsDay.ca or comment under the podcast's YouTube video.
This summary captures the critical discussions and insights presented in the June 23, 2025 episode of Cybersecurity Today, providing a comprehensive overview for those who have not listened to the original podcast.