Transcript
David Shipley (0:02)
Canadian city denied $5 million insurance claim from ransomware attack due to lack of MFA. AI-powered Cursor IDE vulnerable to prompt injection attacks. Palo Alto Networks investigating ransomware threats related to SharePoint exploitation. And attackers use fake OAuth apps with the Tycoon kit to breach Microsoft 365 accounts. This is Cybersecurity Today, and I'm your host David Shipley, coming to you from beautiful Fredericton, New Brunswick.

Hamilton, Ontario taxpayers are on the hook now for an additional $5 million after the city's cyber insurance provider denied claims related to a February 2024 ransomware attack. The insurer cited Hamilton's failure to fully implement multi-factor authentication as a root cause for the breach, making the losses ineligible for coverage. City officials had argued the breach exploited a sophisticated vulnerability in an external server and that MFA wouldn't have prevented it. The attack paralyzed 80% of city systems and triggered an $18.5 million ransom demand. Hamilton refused to pay and has since spent $4 million on recovery efforts, with monthly rebuilding costs of nearly $400,000 until late 2026. Now, without insurance support, the financial burden grows even heavier on residents. According to a staff report, Hamilton was aware in the fall of 2022 that MFA was a requirement in its insurance policy. A limited MFA pilot program began in 2023, but widespread rollout stalled when cyber attackers struck in early 2024. MFA was only in place in some departments. Cybersecurity consultants brought in after the attack pointed to internal resistance from staff and a lack of leadership urgency as key factors delaying the full deployment of MFA. Hamilton's leadership has since acknowledged cultural and governance gaps contributed to the city's cyber risk. The critical lesson here: cybersecurity isn't just about buying tools. Success depends on fostering a culture of change and ensuring leadership drives that change before, not after, a crisis hits.
For everyone else, you can bet insurers are going to scrutinize your claims if you don't deploy technology controls like MFA, security awareness programs and more that your policy specifically requires. You can kiss that coverage goodbye.

Another day, another CVE from AI-powered coding tools. A newly disclosed vulnerability in the AI-powered code editor Cursor is raising serious concerns about the risks of prompt injection and remote code execution in popular modern developer environments. Known as CurXecute and tracked as CVE-2025-54135, the flaw allows an attacker to feed a malicious prompt to Cursor's AI agent, potentially triggering arbitrary code execution with the same privileges as the developer. Cursor integrates AI to assist with coding tasks and connects to external tools via the Model Context Protocol (MCP), an open standard designed to extend functionality. But this flexibility comes with a price. According to researchers at Aim Security, a prompt injection delivered through something as simple as a malicious message in a shared Slack channel can manipulate Cursor's configuration file and silently initiate malicious code execution. Crucially, Cursor processes suggested edits live: even if the user rejects them, the payload lands anyway. Potential consequences include ransomware attacks, data exfiltration, and even AI logic corruption that could sabotage entire code bases or enable supply chain attacks. Cursor issued a patch on July 8, and version 1.3, released July 29, includes a fix. The vulnerability received a CVSS score of 8.6, marking it as high severity. The takeaway here: as AI agents become more deeply embedded in developer tools, we need to scrutinize how they ingest and how they act on external data. Developers should update Cursor immediately if they're using it, audit connected integrations, and treat AI agents with the same caution you would a junior developer: eager, capable, and potentially dangerous if misled.
Palo Alto Networks is investigating a new ransomware attack that exploited disclosed vulnerabilities in Microsoft SharePoint Server, specifically tied to the ToolShell flaw for SharePoint Server on-prem. The attackers left behind a ransom note and claimed files had been encrypted using a strain known as 4L4MD4R ransomware. The ransom note included a stark warning: any attempt to decrypt the files independently would result in permanent data deletion. According to Palo Alto Networks researchers, the attackers used PowerShell commands to disable real-time protection in Windows Defender, giving them a clear path to encrypt files undetected. They also bypassed certificate validation, which allowed them to execute malicious payloads without raising security alarms. While details about the targeted organization remain undisclosed, this incident highlights a troubling reality: attackers are moving quickly to weaponize newly revealed vulnerabilities in widely used platforms like SharePoint. The ToolShell flaw provides a foothold, and from there attackers escalate privileges, disable defenses, and can do things like steal data or launch ransomware operations. At this stage, Palo Alto Networks is still analyzing the full scope of the intrusion and working with the affected parties. This entire SharePoint disaster over the last couple of weeks, from the failed patch to now reports that Microsoft is investigating whether the fact that it was working on a fix for the failed patch leaked ahead of time and caused the attacker feeding frenzy we saw before the fix was ready, demands a full independent investigation. Too bad for all of us. The Cybersecurity and Infrastructure Security Agency has been gutted and will likely never have the full story on this mess.
Cybersecurity researchers are tracking a sophisticated ongoing campaign where attackers are using fake Microsoft OAuth applications, backed by the Tycoon phishing-as-a-service toolkit, to compromise Microsoft 365 accounts across hundreds of organizations, detected in early 2025. The campaign impersonates legitimate brands like Adobe, DocuSign, RingCentral and SharePoint, tricking victims into granting permissions to lookalike apps via phishing emails posing as things like quote requests or contract offers. Once clicked, the victim lands on a real Microsoft OAuth consent screen for a fake app and is prompted to grant limited access to their profile and email. Regardless of whether the user accepts or declines, they're redirected to a CAPTCHA page followed by a fake Microsoft login designed to harvest credentials and MFA codes using adversary-in-the-middle techniques. Proofpoint researchers say this activity is part of a broader set of Tycoon-based attacks that have targeted over 900 Microsoft 365 environments this year alone. The campaign also exploits email platforms like Twilio SendGrid, and newer variants disguise links inside PDFs appearing as invoices or property listings. Attackers also increasingly deploy remote monitoring tools like Atera, ActionOne or ScreenConnect as a stealthy first step to further access. The key takeaway: identity is the new perimeter, and attackers are getting better at slipping through. Organizations need to double down on OAuth hygiene, restricting third-party app access and adopting stronger admin consent policies for those apps. As always, stay skeptical and stay patched. And if your insurance says you need MFA, you better have it deployed everywhere you can. I'll be at Hacker Summer Camp this week, aka BSides Las Vegas, DEF CON and Black Hat. So if you're a listener and you see me around, please say hi.
I'm going to be working on a special episode for Monday, August 11, recapping key highlights from North America's largest hacking events of the year. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video as well. Help us spread the word: give us a like or subscribe, leave us a rating or review on your favorite podcast platform, and if you like the show, please tell others. We'd love to grow our audience even more, and we need your help. I've been your host, David Shipley. Jim Love will be back on Wednesday. Thanks for listening.
