Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Cloudflare says yesterday's widespread outage was not caused by a cyber attack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed JSFireTruck. Trend Micro and Mitel patch multiple high severity vulnerabilities. CISA issues multiple advisories. My Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams, and Uncle Sam wants an AI chatbot. It's Friday, June 13, 2025. 
I'm Dave Bittner and this is your CyberWire Intel Brief. Happy Friday and thanks for joining us here. It's great as always to have you with us. Cloudflare has confirmed that a widespread outage on its network was not caused by a cyber attack and no data was lost. The incident lasted about two and a half hours, triggered by a failure in Workers KV, a critical key-value store used across Cloudflare's serverless platform. The root cause was an outage at a third-party cloud provider supporting the KV backend. The failure impacted many services, including Google Cloud Platform, and disrupted authentication, streaming, image uploads and AI functions. Cloudflare is now moving to reduce reliance on that provider by migrating storage to its own R2 system. The company will also add safeguards and new tools to better manage future outages and restore service without triggering cascading failures. Despite international sanctions and public exposure, the Predator mobile spyware remains highly active and adaptable. Originally developed by Cytrox and now part of the Intellexa alliance, Predator uses both one-click and zero-click methods to infect devices, granting access to microphones, cameras and sensitive data. It targets high-value individuals, including journalists, politicians and activists. Researchers from Recorded Future have observed new infrastructure and operations in over a dozen countries, with heavy use in Africa and a newly reported presence in Mozambique. Predator's evolving five-tier infrastructure, now linked to a Czech firm, makes tracking difficult. Fake websites and new server strategies help evade detection. Its modular design allows remote updates, reinforcing its persistence. Predator's use remains strategic, costly and deeply concerning for civil society and cross-border surveillance. 
Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services, particularly self-service password resets and adding multi-factor authentication methods. The problem, linked to a recent configuration change aimed at improving MFA, is impacting users across Asia Pacific, Europe, the Middle East and Africa. Microsoft has issued a temporary fix and reports signs of improvement. Affected users, including NHSmail in the UK, are seeing errors like "no methods available." This follows recent Microsoft 365 authentication and access issues in January, April and May. A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool. According to Proofpoint, TeamFiltration, originally designed for ethical hacking, can automate password spraying, account enumeration and data exfiltration. The tool requires an AWS account and a Microsoft 365 Business Basic license to function. Since December 2024, a threat actor dubbed UNK_SneakyStrike has used it against roughly 100 cloud tenants, peaking in January of this year. Attacks rely on the Microsoft Teams API and global AWS infrastructure for stealthy, high-intensity bursts. Smaller tenants saw broad targeting, while larger ones had focused user targeting. The campaign uses outdated Microsoft Teams clients and exploited OAuth app IDs to obtain bearer tokens via Entra ID. Most attack traffic came from AWS servers in the US, Ireland and the UK. Palo Alto Networks Unit 42 has uncovered a large-scale malware campaign that compromised nearly 270,000 websites using a JavaScript obfuscation method dubbed JSFireTruck. This technique relies on JavaScript's type coercion and only six ASCII characters to encode functioning code. Though the obfuscated scripts are long and conspicuous, they're difficult to analyze without automation. 
Attackers use JSFireTruck alongside layered obfuscation methods, reconstructing payloads through arrays and mixing readable and encoded elements. These scripts detect if users arrive via search engines and then redirect them using full-page iframes, potentially leading to phishing or malware. The activity surged in mid-April. Unit 42 urges admins to patch systems and check for infections. Veracode recently found a similar obfuscation-heavy campaign using a malicious NPM package with at least seven hiding techniques. It is worth noting that while Palo Alto Networks refers to the method as JSFireTruck, the creators of the campaign internally use a different F word. Speaking of Palo Alto Networks, they've released patches for multiple vulnerabilities across their products, including the GlobalProtect app, Cortex XDR, PAN-OS, and Prisma Access Browser. The most critical flaw is an authenticated code injection in GlobalProtect for macOS, with a CVSS score of 7.1. Two PAN-OS flaws scored medium severity. The Prisma Access Browser received 12 fixes, including a cache issue and 11 Chrome-related bugs with a combined CVSS score of 8.6. No active exploitation has been reported. Trend Micro has issued critical security updates for its Apex Central and Endpoint Encryption PolicyServer products, addressing multiple high severity and critical remote code execution and authentication bypass vulnerabilities. These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as SYSTEM or bypass authentication entirely. While no exploitation has been reported, immediate patching is strongly advised. Apex Central also had two critical RCE flaws, both with CVSS scores of 9.8. These were patched in a recent on-premise version, with fixes automatically applied to Apex Central as a Service. No workarounds exist for these vulnerabilities. 
Meanwhile, Mitel has released patches for a critical untracked vulnerability in its MiCollab platform's NuPoint unified messaging component. The flaw, a path traversal issue, allows unauthenticated remote attackers to access provisioning data and perform unauthorized admin actions. It affects multiple MiCollab versions, with fixes in recent versions. Researcher Damani Tomi, who found the flaw, said over 20,000 Internet-exposed instances may be at risk. The issue is a bypass of a previously patched flaw. CISA warns that ransomware actors are exploiting a path traversal flaw in SimpleHelp RMM software to target customers of a utility billing software provider. The vulnerability, with a CVSS score of 7.5, allows attackers to steal credentials and API keys. It was patched in January along with two related flaws. DragonForce ransomware previously exploited this in May. CISA urges immediate patching, disconnection of vulnerable systems, and threat hunting, especially for users running SimpleHelp version 5.5.7 or earlier. CISA also issued 10 new ICS advisories addressing vulnerabilities in products from Siemens, AVEVA and PTZOptics. These advisories cover critical systems including Siemens SCALANCE, RUGGEDCOM, SIMATIC S1500 CPUs, Tecnomatix Plant Simulation, and AVEVA's PI software suite. One advisory also targets pan-tilt-zoom cameras. CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations to protect against potential exploits in industrial environments. Coming up after the break, my Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams. And Uncle Sam wants an AI chatbot. Stay with us. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. 
DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. And joining me once again is Joe Carrigan. He is my co-host over on the Hacking Humans podcast, along with Maria Varmazis. Joe, it's great to have you back.
