CyberWire Daily - "Cloudflare’s Cloudy Day Resolved" Summary
Release Date: June 13, 2025
Host: Dave Bittner, N2K Networks
Introduction
In this episode of CyberWire Daily, host Dave Bittner walks through a series of significant cybersecurity events and updates. The episode covers Cloudflare's recent outage, the persistent threat of Predator mobile spyware, ongoing problems with Microsoft 365 authentication services, an account takeover campaign targeting Entra ID users, a malware campaign uncovered by Palo Alto Networks, recent vulnerability patches from Trend Micro and Mitel, and several advisories issued by CISA. Guest Joe Carrigan of the Hacking Humans podcast then discusses a new wave of linkless recruiting scams.
Cloudflare Outage Resolved
At the outset, Dave addresses Cloudflare’s recent widespread outage. Contrary to initial speculation, Cloudflare confirmed that the disruption was not the result of a cyberattack.
“Cloudflare has confirmed that a widespread outage on its network was not caused by a cyber attack and no data was lost.” [00:00:30]
Key Details:
- Duration: Approximately two and a half hours.
- Cause: A failure in Workers KV, a critical key-value store on Cloudflare’s serverless platform, compounded by an outage at the third-party cloud provider supporting the KV backend.
- Impact: Affected services included Google Cloud Platform, disrupted authentication processes, streaming image uploads, and AI functionalities.
Resolution Measures:
- Migration to R2 System: Cloudflare is reducing reliance on third-party providers by moving storage to its proprietary R2 system.
- Enhanced Safeguards: Implementation of new tools to manage future outages more effectively and prevent cascading failures.
“The root cause was an outage in a third-party cloud provider supporting the KV backend.” [00:03:10]
Predator Mobile Spyware Remains Active
The episode highlights the unsettling persistence of Predator Mobile spyware despite international sanctions and public scrutiny.
“Predator mobile spyware remains highly active and adaptable.” [00:04:20]
Insights:
- Development: Originally developed by Cytrox, Predator is now part of the Intellexa alliance.
- Capabilities: Utilizes both one-click and zero-click infection methods to compromise devices, granting access to microphones, cameras, and sensitive data.
- Target Demographics: High-value individuals such as journalists, politicians, and activists.
- Operational Footprint: New infrastructure observed in over a dozen countries, with significant activity in Africa and newly reported operations in Mozambique.
- Technical Sophistication: Utilizes a five-tier infrastructure linked to a Czech firm, employs fake websites, sophisticated server strategies, and a modular design for remote updates, enhancing its persistence and evasion capabilities.
“Its modular design allows remote updates, reinforcing its persistence.” [00:05:45]
Microsoft 365 Authentication Services Issues
Microsoft is addressing ongoing issues affecting its 365 authentication services, particularly impacting self-service password resets and multi-factor authentication (MFA) additions.
“Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services.” [00:07:10]
Details:
- Cause: A recent configuration change aimed at improving MFA is linked to the disruptions.
- Affected Regions: Asia Pacific, Europe, the Middle East, and Africa.
- Impact: Users, including NHS Mail in the UK, experience errors such as "no methods available" during authentication processes.
- Mitigation: Microsoft has deployed a temporary fix and reports signs of improvement.
Account Takeover Campaign Targeting Entra ID Users
A significant account takeover campaign is targeting the Entra ID platform by abusing the TeamFiltration penetration testing tool.
“A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool.” [00:09:05]
Campaign Characteristics:
- Name: UNK_SneakyStrike
- Methodology: Uses TeamFiltration to automate password spraying, account enumeration, and data exfiltration.
- Requirements for Attackers: An AWS account and a Microsoft 365 Business Basic license.
- Scale: Since December 2024, targeting approximately 100 cloud tenants with peaks in January 2025.
- Execution: Uses the Microsoft Teams API and global AWS infrastructure to stay stealthy while running high-intensity attack bursts.
- Technical Exploits: Uses the OAuth app IDs of outdated Microsoft Teams clients to obtain bearer tokens from Entra ID.
- Geographical Distribution of Attack Traffic: Predominantly from AWS servers in the US, Ireland, and the UK.
“Attacks rely on the Microsoft Teams API and Global AWS infrastructure for stealthy high intensity bursts.” [00:10:15]
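The spray pattern described above, as an added detection example (not code from the episode or from the research it summarizes): one source IP failing sign-ins against many distinct accounts in a short window, as opposed to one user retyping a forgotten password. Field names, IPs and app IDs in the sample events are constructed placeholders.

```javascript
// Added example, not from the episode: a minimal password-spray detector over
// constructed Entra ID sign-in events. Field names are assumptions modeled on
// Entra sign-in logs; IPs are documentation ranges and appId values are
// placeholders, not real Microsoft application IDs.
const EVENTS = [
  { ts: "2025-01-14T08:00:05Z", upn: "alice@example.com", ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "failure" },
  { ts: "2025-01-14T08:00:09Z", upn: "bob@example.com",   ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "failure" },
  { ts: "2025-01-14T08:00:14Z", upn: "carol@example.com", ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "failure" },
  { ts: "2025-01-14T08:00:20Z", upn: "dave@example.com",  ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "failure" },
  { ts: "2025-01-14T08:00:26Z", upn: "erin@example.com",  ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "failure" },
  { ts: "2025-01-14T08:00:31Z", upn: "frank@example.com", ip: "203.0.113.10", appId: "APP-ID-PLACEHOLDER-A", status: "success" },
  { ts: "2025-01-14T09:10:00Z", upn: "grace@example.com", ip: "198.51.100.7", appId: "APP-ID-PLACEHOLDER-B", status: "failure" },
  { ts: "2025-01-14T09:10:30Z", upn: "grace@example.com", ip: "198.51.100.7", appId: "APP-ID-PLACEHOLDER-B", status: "failure" },
  { ts: "2025-01-14T09:11:00Z", upn: "grace@example.com", ip: "198.51.100.7", appId: "APP-ID-PLACEHOLDER-B", status: "success" },
];

// Return one alert per source IP whose failed sign-ins touch at least
// minAccounts distinct accounts inside some sliding window of windowMs.
// Thresholds are assumptions to be tuned against a tenant's normal traffic.
function detectSpray(events, windowMs = 10 * 60 * 1000, minAccounts = 5) {
  const failuresByIp = new Map();
  for (const e of events) {
    if (e.status !== "failure") continue;
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push({ ...e, t: Date.parse(e.ts) });
  }
  const alerts = [];
  for (const [ip, list] of failuresByIp) {
    list.sort((a, b) => a.t - b.t);
    let best = 0, start = 0;
    for (let end = 0; end < list.length; end++) {
      // Slide the window start forward until the window fits, then count
      // distinct accounts hit inside it.
      while (list[end].t - list[start].t > windowMs) start++;
      const distinct = new Set(list.slice(start, end + 1).map((x) => x.upn)).size;
      if (distinct > best) best = distinct;
    }
    if (best >= minAccounts) {
      // A success from the same IP is the takeover signal worth escalating;
      // the app IDs let an analyst check for outdated client registrations.
      const successFromIp = events.some((e) => e.ip === ip && e.status === "success");
      alerts.push({ ip, distinctAccounts: best, appIds: [...new Set(list.map((x) => x.appId))], successFromIp });
    }
  }
  return alerts;
}
```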
Palo Alto Networks Uncovers JSFireTruck Malware Campaign
Palo Alto Networks' Unit 42 has identified a large-scale malware campaign employing a JavaScript obfuscation technique known as JSFireTruck.
“Palo Alto Networks Unit 42 has uncovered a large scale malware campaign that compromised nearly 270,000 websites using a JavaScript obfuscation method dubbed JSFireTruck.” [00:11:00]
Technical Overview:
- Technique: JS Firetruck leverages JavaScript's type coercion with minimal ASCII characters to encode functional code, making the scripts lengthy and complex but efficient in evading manual analysis.
- Attack Mechanism: Scripts detect visitors arriving from search engines and redirect them via full-page iframes to phishing pages or malware downloads.
- Evasion Tactics: Combines JS Firetruck with layered obfuscation methods, including payload reconstruction through arrays and mixed readable and encoded elements.
- Impact: Recent surge in mid-April; approximately 270,000 websites compromised.
- Response: Palo Alto Networks advises immediate patching and thorough system checks to identify and eliminate infections.
“These scripts detect if users arrive via search engines and then redirect them using full page iframes, potentially leading to phishing or malware.” [00:11:30]
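The obfuscation described above, as an added example that is not from the episode or from Unit 42: the first three lines show why a handful of symbols and JavaScript type coercion are enough to produce digits, and the rest is a defender-side heuristic that flags scripts dominated by long runs of those symbols. The character set, thresholds and sample inputs are assumptions.

```javascript
// Added example, not from the episode: why type coercion lets an obfuscator
// work with only the symbols [ ] ( ) ! + (values shown for illustration).
const ZERO = +[];               // [] -> "" -> 0
const ONE = +!![];              // ![] is false, !![] is true, +true is 1
const TEN = +(ONE + "" + ZERO); // "1" + "0" -> "10" -> 10

// Assumed alphabet of a JSFireTruck-style blob.
const FIRETRUCK_ALPHABET = new Set(["[", "]", "(", ")", "!", "+"]);

// Profile a script: the longest run made only of the six symbols, and the
// share of all non-whitespace characters that are such symbols.
function firetruckProfile(source) {
  let longestRun = 0, run = 0, symbolCount = 0, total = 0;
  for (const ch of source) {
    if (/\s/.test(ch)) { run = 0; continue; }
    total += 1;
    if (FIRETRUCK_ALPHABET.has(ch)) {
      symbolCount += 1;
      run += 1;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  return { longestRun, symbolRatio: total ? symbolCount / total : 0 };
}

// Flag a script when it contains a long symbol-only run and is mostly made of
// those symbols. Thresholds are assumptions; tune them on your own corpus,
// since real samples mix readable code with the encoded parts.
function isLikelyFiretruck(source, minRun = 200, minRatio = 0.9) {
  const p = firetruckProfile(source);
  return p.longestRun >= minRun && p.symbolRatio >= minRatio;
}

// Constructed samples: an ordinary DOM snippet, and a symbol-only blob built
// by repeating one coercion fragment as padding (not a working payload).
const BENIGN = 'document.querySelector("#app").textContent = "hello";';
const OBFUSCATED = "(![]+[])[+[]]".repeat(20);
```

In a content scanner, run `isLikelyFiretruck` over inline and external scripts served by your own sites and treat a hit as a prompt to compare the file against a known-good copy.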
Vulnerability Patches from Trend Micro and Mitel
Trend Micro:
- Products Affected: Apex Central and Endpoint Encryption Policy Server.
- Vulnerabilities Addressed: Multiple high-severity and critical remote code execution (RCE) and authentication bypass weaknesses, primarily due to insecure deserialization.
- Impact: Allows unauthenticated attackers to execute code with system privileges or bypass authentication.
- Urgency: Immediate patching is strongly advised, as no workarounds exist. Apex Central as a Service receives the patches automatically.
“These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as system or bypass authentication entirely.” [00:13:10]
Mitel:
- Product Affected: MiCollab platform’s NuPoint Unified Messaging component.
- Vulnerability: Critical path traversal issue permitting unauthenticated remote attackers to access provisioning data and perform unauthorized administrative actions.
- Scope: Affects multiple MiCollab versions, with fixes available in recent releases.
- Risk: Over 20,000 Internet-exposed instances potentially vulnerable.
“The flaw, a path traversal issue, allows unauthenticated remote attackers to access provisioning data and perform unauthorized admin actions.” [00:13:45]
CISA Issues Multiple Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) has released several new advisories addressing vulnerabilities in industrial control systems (ICS) and customer-facing software.
“CISA warns that ransomware actors are exploiting a path traversal flaw in SimpleHelp RMM software.” [00:14:20]
Key Advisories:
- SimpleHelp RMM Software:
  - Vulnerability: Path traversal flaw with a CVSS score of 7.5.
  - Exploit: Allows attackers to steal credentials and API keys.
  - Affected Versions: SimpleHelp version 5.5.7 or earlier.
  - Recommendations: Immediate patching, disconnection of vulnerable systems, and proactive threat hunting.
- Industrial Control Systems:
  - Affected Products: Siemens SCALANCE, Tecnomatix Plant Simulation, SIMATIC S7-1500 CPUs, AVEVA, and PTZOptics cameras.
  - Nature of Vulnerabilities: Threats to system integrity, including unauthorized access and control.
  - Action: Industrial system administrators should review the detailed advisories and implement the recommended mitigations promptly.
“CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations.” [00:14:50]
Linkless Recruiting Scams Discussion with Joe Carrigan
In a segment following the news, co-host Joe Carrigan joins Dave Bittner to discuss a novel scam targeting recruiters on LinkedIn, dubbed linkless recruiting scams.
Scam Overview:
- Originating Group: The FIN6 cybercriminal group (tracked as FIN6 in MITRE ATT&CK).
- Methodology:
  - Approach: Targets recruiters by sending plain-text messages claiming to be from job applicants.
  - Content: Messages encourage recipients to visit a fraudulent website (e.g., bobbyweissman.com) to view a resume and additional information.
- Technical Execution:
  - Website Analysis: The site captures IP addresses, browser strings, and operating systems.
  - Malware Delivery: For Windows users, the site presents a CAPTCHA followed by a zip file download containing a malicious Windows shortcut (.lnk) file that installs JavaScript malware, creates backdoors, exfiltrates data, and potentially installs ransomware.
“This is a good social engineering trick, I think. I think it's going to be surprisingly effective against Windows users.” [15:43]
Key Insights:
- Bypassing Security Filters: The absence of clickable links allows the scam to evade inbound email filtering systems that typically analyze URLs.
- User Compliance: Users may inadvertently download malicious files under the guise of accessing a job applicant’s portfolio.
- Social Engineering: The scam leverages trust in professional communications to deceive recipients into compromising their systems.
“There is no link to click. You actually have to physically enter bobbyweissman.com.” [17:23]
Recommendations:
- Awareness: Recruiters and professionals should scrutinize unsolicited messages, especially those prompting downloads without clear context.
- Verification: Always verify the legitimacy of job applicants through official channels and platforms.
- Security Practices: Implement strict security protocols to prevent unauthorized downloads and installations.
Conclusion
Dave Bittner wraps up the episode by emphasizing the importance of staying informed about the evolving cybersecurity landscape. The discussions underscore the need for robust security measures, proactive threat hunting, and continuous vigilance against both technical vulnerabilities and sophisticated social engineering attacks.
Notable Quotes
- Dave Bittner [00:03:10]: “The root cause was an outage in a third-party cloud provider supporting the KV backend.”
- Joe Carrigan [15:43]: “This is a good social engineering trick, I think. I think it's going to be surprisingly effective against Windows users.”
- Dave Bittner [17:23]: “There is no link to click. You actually have to physically enter bobbyweissman.com.”
This comprehensive summary encapsulates the key discussions and insights shared in the "Cloudflare’s Cloudy Day Resolved" episode of CyberWire Daily, providing listeners and non-listeners alike with a clear understanding of the current cybersecurity challenges and responses.
