A

Extinction Level Identity vulnerability in Microsoft's Entra cyberattack hits major European airports Spam GPT gives cybercriminals an AI powered CRM zero click AI vulnerability Canadian police slay Trade Ogre crypto platform and seize 40 million this is cybersecurity Today and I'm your host David Shipley coming to you from beautiful fall like Fredericton on this the last day of summer 2025. Now, fair warning, if you're feeling good after Jim's Feel Good Friday Good News edition, well take a big sip of your coffee tea or wake up beverage of choice and buckle up for a crash. Back to cyber dystopian reality with me. Let's start with Microsoft's Extinction Level cloud vulnerability in its Entra ID system that could have let a hacker gain access to any corporate tenant on the planet. You heard that right. Tracked is CDE 2020555241 and coined one token to rule them all by security researcher Dirp Jan Molima. This vulnerability would have given attackers global administrator access across any corporate tenant, except maybe for national government ones in separate cloud instances. Yeah, you heard that right. The problem involved two things, so called actor tokens and a legacy API called the Azure Ad Graph API. So what are these actor tokens? Think of them as special backend tokens Microsoft uses for internal service to service work. Almost like secret passes. Their own services show each other and the issue these actor tokens could be used to pretend to be any user in any Entra ID tenant, even global admins. Because the legacy Graph API didn't check these carefully enough and didn't check which tenant the request was coming from. Those tokens were accepted across tenants. Technically speaking, the tokens included fields like NetID and internal identifier for the user and weren't properly signed when used with Graph. And in some cases that meant you could craft a token in one tenant and trick it into impersonating someone in another tenant. This bypassed normal security controls like conditional access and wait for it. No logs would show the token issuance or usage in your victim tenant. I want to directly quote Dirk's blog because, well, he said it perfectly. Quote Actor token design is something that should never have existed. It lacks almost every security control that you would want, including there are no logs when actor tokens are issued. Since these services can craft unsigned impersonation tokens without talking to Entra id, there are also no logs when they are created or used. They cannot be revoked within their 24 hour validity. They completely bypass any restrictions configured in conditional access and we have to rely on logging from the resource provider to even know these tokens were used in the tenant. So what did Microsoft do when they were notified by the researcher this summer? Once notified, the good news is they did fix the vulnerability within days and issued CD 2020555241 and blocked applications from using actor tokens within the Graph API when issued via Service Principles. Now why this matters should be pretty obvious, but worth saying. If these were exploited, an attacker could read or change everything in a compromised tenant. Users role settings policies, read emails, files, cats and dogs. This is not good. And because much of this would leave no trace, it's a huge risk. So what do we do now? Well, one would hope that if this flaw was found to have been actively used when Microsoft checked its own logs for however long those logs went back. For however long this flaw existed, the customers would be notified by now. So I'm hoping this truly was an undiscovered nightmare. But we may never know now. Dirk's blog is a great read for your security team. I'm sure it's going to make their day. And the good news is incident teams are going to want to read it and work through the IOCs that have been made available. And I imagine my CISO is going to work this particular nightmare scenario into our next executive tabletop, which is going to be another white knuckle Dungeons and Dragons fun for all of us. So let's move on from this nightmare in the cloud to one that's Grounded flights and caused chaos at major European airports this weekend. After a cyber attack crippled check in systems this weekend, hackers appear to have targeted check in systems and thrown travel plans into disarray for tens of thousands of people, forcing major airports like Heathrow and Brussels to cancel flights continuing into Monday. So what happened? Starting Friday, airports across Europe began experiencing issues with passenger check in systems supplied by Collins Aerospace. These systems are crucial for getting passengers checked in and their bags processed, and without them, things go off the rails pretty quickly. By Sunday, Brussels airport was hit the hardest with nearly 20% of scheduled departures canceled, and they warned airlines to Cancel up to 50% of flights for Monday. Meanwhile, airports like London Heathrow, the busiest airport in Europe, reported that the majority, not all, the majority of flights continued thanks to quick work from airlines and their tech teams. But it's clear it's been a massive disruption. Dublin airport said they expected to operate normally, but other airports were working to manage passenger flow while trying to fix and work through the software issues. So the check behind this is made by Collins Aerospace and it provides a software that powers the check in systems. Collins is a subsidiary of rtx, formerly known as Raytheon Technologies. By Saturday, the company confirmed it was aware of a cyber related disruption and said it was working hard to fix the issue. RTX explained while the impact was mostly limited to electronic check ins and baggage drops, they said it could be mitigated by the airlines moving to manual operations. Not sure who in the PR department thought that was a great line, but I hope they take a chance to walk into a major modern airport sometime soon and take a good look around at all the automated terminals that replaced humans and manual processes a long time ago. I'm sure the absolute exhausted and harried airline staff that have been surviving this weekend would appreciate them taking that look. This incident is a stark reminder of just how vulnerable the aviation sector is to cyber attacks. The aviation industry saw a 600% increase in cyber attacks last year, according to a report by Telus. The trend is clear. As air travel becomes more connected and uses more cloud services, the risks from cyber continue to go up. So while we're getting a 2010 style fail well for online check ins from one of the world's top aviation suppliers, we're also getting news of powerful new business productivity tools for criminals. Yeah, Meet spamgpt, a new productivity tool for hackers that automates the process of crafting phishing emails, scams and other malicious campaigns. And what makes this so alarming isn't it's built using GPT technology, making phishing attempts feel more convincing, more personalized, and harder to spot. It's essentially a customer relationship management or CRM system for cybercriminals. That means they're not just firing off random phishing emails or scripting and forgetting they have a full blown marketing campaign management system for their illegal activities. Think HubSpot for crooks. Now, with features like email automation, targeting specific victims and tracking success rates, SpamGPT is offering criminals tools previously only available to legitimate businesses. This is part of the AI game changer for the cybercriminal ecosystem, and it streams lines and scales up operations, helping them become even more efficient and widespread. Because, you know, cybercriminals were having a productivity crisis or not. And just one point Dear criminals, could you do me just one favor? Could you please rebrand this to be Phish GPT Spam is supposed to be unwanted but legitimate Commercial email your stuff. It ain't that Cyber threat Researchers at Radware recently uncovered a serious vulnerability they've dubbed Shadow Leak. It's a zero Click flaw in OpenAI's deep research agent, and it means an attacker can trigger that agent without any interaction from the user. Here's how it works. A malicious actor sends a carefully crafted email containing invisible instructions, white on white text, tiny fonts hiding the material using CSS tricks. To a human, the email looks totally innocent, but Deep Research parses everything and reads through the instructions. Those hidden instructions then become indirect prompt injections and become converted commands that tell the agent to sift through the victim's Gmail data and exfiltrate it to an external server. Crucially, this flaw doesn't rely on the user clicking on anything or rendering an image locally. Everything happens in OpenAI's cloud environment automatically because of the agent, and that bypasses many of the typical security controls that would be watching for this on the client device. Once Deep Research is asked to analyze the user's Gmail, the agent obeys the hidden instructions, encodes private information into base 64, and sends it out using tools like browser open. OpenAI was notified about the vulnerability via Responsible Disclosure back in June and patched the vulnerability in August. However, the potential attack surface here is very broad. This won't be the last time we see this, and any connector that Deep Research or similar agents support think things like Google Drive, Outlook, Dropbox, et cetera. These will be continuous targets. Shadow Leak underscores a critical lesson. As AI agents gain capability, they also broaden the attack vectors. And given that AI can be social engineered as well as, and perhaps even better than humans who at least we can give security awareness training to, this new agentic revolution is going to lead to more sleepless nights for more security teams. Now in fairness, that's a lot of bad news for one morning. So in the spirit of Jim's feel good Friday, here's a compensating Control Monday Good news story, Kind of the Mounties the Royal Canadian Mounted Police just took down TradeOgr. Now if you're thinking, what is this TradeOgre, this crypto platform? And why would a legitimate platform call itself TradeOGR? Trade Ogre wasn't your typical crypto exchange. It lived in the shadows and had no kyc, no know your customer, no identity checks, just a haven for, you know, things like privacy coins like Monero and other crypto. And by the way, that lack of KYC know your customer is a huge red flag. KYC is a rule that forces banks and legitimate exchanges to verify who you are. Driver's license, passport, proof of address. It's the same reason you can't just walk into a bank, open an account under John Doe and start moving millions of dollars. Without kyc, regulators can't trace where money comes from or where it goes to. And that makes an exchange like TradeOgre the perfect laundromat for dirty crypto. For hobbyists, I'm sure the platform felt edgy. For criminals, it felt perfect. But in June 2024, Canada's Money Laundering Investigative Team, or EMLIT, which sounds like it belongs in a spy thriller, got a tip from Europol. By late July, Trade Ogre vanished. Website gone. Users left hanging, Exit scam or something bigger? We got our answer. This month the RCMP announced they dismantled Trade Ogre and seized more than 40 million in crypto. That's the largest asset seizure tied to a crypto exchange in Canadian history. The takedown is a reminder Anonymity cuts both ways. On one side, privacy advocates and small time traders value their privacy. On the other, ransomware gangs, fraudsters, and organized crime. When you build an exchange on the no questions asked principle, don't be surprised when law enforcement knocks on your door. Check showing up with all the questions. The trade order saga proves that KYC isn't just about paperwork. It's an important guardrail that keeps financial institutions and markets from turning into a free for all for criminals. And given Canada is super sensitive about accusations around money laundering right now, it's good to see this kind of action. If you haven't been following the Maple Money Washington We've had some big issues involving some of our big banks, Chinese organized crime, even provincial lottery corporations, real estate, you name it, we've been politely enabling it. Think of all the worst Hollywood Swiss banking stereotypes and dress it up in red plaid with a smile. And that was us. Good news is not so much anymore. Those are your Updates for Monday, September 22nd. Happy last day of summer. I'll be back October 6th after I hopefully return from a hopefully relaxing trip to Europe. So pumped to be flying right now. And I speak at Sector Canada's version of Black Hat on why fishing simulations and training do in fact work if you do it properly. I've been your host, David Shipley, Jim Love will be back on Wednesday.