Dave Bittner
You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Cloudflare says yesterday's widespread outage was not caused by a cyber attack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed JSFireTruck. Trend Micro and Mitel patch multiple high severity vulnerabilities. CISA issues multiple advisories. My Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams, and Uncle Sam wants an AI chatbot. It's Friday, June 13, 2025.
I'm Dave Bittner and this is your CyberWire Intel Brief. Happy Friday and thanks for joining us here. It's great as always to have you with us. Cloudflare has confirmed that a widespread outage on its network was not caused by a cyber attack and no data was lost. The incident lasted about two and a half hours, triggered by a failure in Workers KV, a critical key value store used across Cloudflare's serverless platform. The root cause was an outage at a third party cloud provider supporting the KV backend. The failure impacted many services, including Google Cloud Platform, and disrupted authentication, streaming, image uploads and AI functions. Cloudflare is now moving to reduce reliance on that provider by migrating storage to its own R2 system. The company will also add safeguards and new tools to better manage future outages and restore service without triggering cascading failures. Despite international sanctions and public exposure, the Predator mobile spyware remains highly active and adaptable. Originally developed by Cytrox and now part of the Intellexa alliance, Predator uses both one click and zero click methods to infect devices, granting access to microphones, cameras and sensitive data. It targets high value individuals including journalists, politicians and activists. Researchers from Recorded Future have observed new infrastructure and operations in over a dozen countries, with heavy use in Africa and a newly reported presence in Mozambique. Predator's evolving five tier infrastructure, now linked to a Czech firm, makes tracking difficult. Fake websites and new server strategies help evade detection. Its modular design allows remote updates, reinforcing its persistence. Predator's use remains strategic, costly and deeply concerning for civil society and cross border surveillance.
Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services, particularly self service password resets and adding multi factor authentication methods. The problem, linked to a recent configuration change aimed at improving MFA, is impacting users across Asia Pacific, Europe, the Middle East and Africa. Microsoft has issued a temporary fix and reports signs of improvement. Affected users, including NHSmail in the UK, are seeing errors like "no methods available." This follows recent Microsoft 365 authentication and access issues in January, April and May. A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool. According to Proofpoint, TeamFiltration, originally designed for ethical hacking, can automate password spraying, account enumeration and data exfiltration. The tool requires an AWS account and a Microsoft 365 Business Basic license to function. Since December 2024, a threat actor dubbed UNK_SneakyStrike has used it against roughly 100 cloud tenants, peaking in January of this year. Attacks rely on the Microsoft Teams API and global AWS infrastructure for stealthy, high intensity bursts. Smaller tenants saw broad targeting while larger ones had focused user targeting. The campaign uses outdated Microsoft Teams clients and exploited OAuth app IDs to obtain bearer tokens via Entra ID. Most attack traffic came from AWS servers in the US, Ireland and the UK. Palo Alto Networks Unit 42 has uncovered a large scale malware campaign that compromised nearly 270,000 websites using a JavaScript obfuscation method dubbed JSFireTruck. This technique relies on JavaScript's type coercion and only six ASCII characters to encode functioning code. Though the obfuscated scripts are long and conspicuous, they're difficult to analyze without automation.
Attackers use JSFireTruck alongside layered obfuscation methods, reconstructing payloads through arrays and mixing readable and encoded elements. These scripts detect if users arrive via search engines and then redirect them using full page iframes, potentially leading to phishing or malware. The activity surged in mid April. Unit 42 urges admins to patch systems and check for infections. Veracode recently found a similar obfuscation heavy campaign using a malicious npm package with at least seven hiding techniques. It is worth noting that while Palo Alto Networks refers to the method as JSFireTruck, the creators of the campaign internally use a different F word. Speaking of Palo Alto Networks, they've released patches for multiple vulnerabilities across their products, including the GlobalProtect app, Cortex XDR, PAN-OS, and Prisma Access Browser. The most critical flaw is an authenticated code injection in GlobalProtect for macOS, with a CVSS score of 7.1. Two PAN-OS flaws scored medium severity. The Prisma Access Browser received 12 fixes, including a cache issue and 11 Chrome related bugs with a combined CVSS score of 8.6. No active exploitation has been reported. Trend Micro has issued critical security updates for its Apex Central and Endpoint Encryption PolicyServer products, addressing multiple high severity and critical remote code execution and authentication bypass vulnerabilities. These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as SYSTEM or bypass authentication entirely. While no exploitation has been reported, immediate patching is strongly advised. Apex Central also had two critical RCE flaws, both with CVSS scores of 9.8. These were patched in a recent on premise version, with fixes automatically applied to Apex Central as a Service. No workarounds exist for these vulnerabilities.
Meanwhile, Mitel has released patches for a critical, untracked vulnerability in its MiCollab platform's NuPoint Unified Messaging component. The flaw, a path traversal issue, allows unauthenticated remote attackers to access provisioning data and perform unauthorized admin actions. It affects multiple MiCollab versions, with fixes in recent versions. Researcher Damani Tomi, who found the flaw, said over 20,000 Internet exposed instances may be at risk. The issue is a bypass of a previously patched flaw. CISA warns that ransomware actors are exploiting a path traversal flaw in SimpleHelp RMM software to target customers of a utility billing software provider. The vulnerability, with a CVSS score of 7.5, allows attackers to steal credentials and API keys. It was patched in January along with two related flaws. DragonForce ransomware previously exploited this in May. CISA urges immediate patching, disconnection of vulnerable systems, and threat hunting, especially for users running SimpleHelp version 5.5.7 or earlier. CISA also issued 10 new ICS advisories addressing vulnerabilities in products from Siemens, AVEVA and PTZOptics. These advisories cover critical systems including Siemens SCALANCE, RUGGEDCOM, SIMATIC S7-1500 CPUs, Tecnomatix Plant Simulation, and AVEVA's PI software suite. One advisory also targets pan tilt zoom cameras. CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations to protect against potential exploits in industrial environments. Coming up after the break, my Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams. And Uncle Sam wants an AI chatbot. Stay with us. Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal, 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. And joining me once again is Joe Carrigan. He is my co-host over on the Hacking Humans podcast, along with Maria Varmazis. Joe, it's great to have you back.
Joe Carrigan
Hi, Dave. It's good to be back.
Dave Bittner
So we were recently talking about this scam over on Hacking Humans, and I thought it was one worth sharing with our CyberWire audience here. This one centers around some shenanigans on LinkedIn.
Joe Carrigan
Yes, it is from the FIN6 cybercriminal group, which is a designation, I don't know. In MITRE they're designated as FIN6. They're also, their official designation, I guess, Magecart Group 6.
Dave Bittner
Yeah. Skeleton Spider.
Joe Carrigan
Yeah. Nice. Camouflage Tempest. That's probably the Microsoft name for them.
Dave Bittner
Right?
Joe Carrigan
Right. TAAL, T-A-A-L. Yeah, all these different names, but you know, they're financial crimes. Magecart was a carding organization, I think, if memory serves me right. But don't quote me on that.
Dave Bittner
Yeah.
Joe Carrigan
So what these guys are doing now is they're targeting recruiters on LinkedIn, and they're sending them an email or a message. And that message is just plain text, like ASCII text. Right. It says, "Thank you for considering my application. For your convenience, you can also view my full resume along with additional information about my experience and portfolio at bobbyweissman.com." Now, don't go to bobbyweissman.com. I'll tell you what happens next.
Dave Bittner
Okay.
Joe Carrigan
And then it has, you know, a nice closing and a "Sincerely, Robert Weissman" to make it sound all nice. So they've compromised some site, or they bought a website, bobbyweissman.com. When you go to this website, it captures your IP address, it analyzes what browser string you're using and captures the operating system from that browser string. And then it says if you're not on a Windows machine, we'll just show you some Bobby Weissman content. And it looks like a professional website that you'd see. You know, you remember all your cool friends that set up websites and they still have them up?
Dave Bittner
Sure, yeah.
Joe Carrigan
Did you ever do that? Yes, I have never done that.
Dave Bittner
That's because I'm cooler than you. Yes, or perhaps the opposite.
Joe Carrigan
I've just never taken the time to do it.
Dave Bittner
Yeah.
Joe Carrigan
But you know, and somebody already bought the domain name joecarrigan.com. There's some other Joe Carrigan out there. I think he's an insurance salesman.
Dave Bittner
Okay.
Joe Carrigan
Anyway, what happens if you are on a Windows box is it gives you a CAPTCHA. Right. To make sure that you're human.
Dave Bittner
Okay.
Joe Carrigan
And then the next thing that happens is it downloads a zip file. That zip file contains a link (LNK) file, which will install some kind of JavaScript malware that puts a backdoor in your computer, exfiltrates a bunch of data, and also probably starts beginning to install ransomware.
Dave Bittner
Yeah.
Joe Carrigan
So that's the game, that's the trick. There is no link to click. You actually have to physically enter bobbyweissman.com.
Dave Bittner
Right. That's the part that caught my eye, though.
Joe Carrigan
Right.
Dave Bittner
Because that's a little different than what we're used to.
Joe Carrigan
Yeah. Normally we say don't click the link. And if that's your only bit of security awareness here, you didn't violate it.
Dave Bittner
Right, right, right.
Joe Carrigan
You complied. So there's more to life than don't click the link.
Dave Bittner
Yeah.
Joe Carrigan
Maybe we should put that on a bumper sticker. More to life than don't click the link. Here, think about what you're doing. When somebody says, here's my website, go look at my portfolio, you would expect to go to look at a portfolio, not to immediately get asked to download some zip file.
Dave Bittner
Right, right. And I think in this case, it's trying to make you think that what you're downloading is the resume.
Joe Carrigan
Is the resume, correct.
Dave Bittner
Yeah.
Joe Carrigan
Yeah. So I don't know what to say here aside from you really need to be aware of what you're doing and have a little bit of understanding here, because like you said, the don't click the link part of this just completely gets bypassed. This is a good social engineering trick, I think. I think it's going to be surprisingly effective against Windows users.
Dave Bittner
Yeah. Because you either have to copy and paste this URL or just manually type it in, correct? So it bypasses a lot of inbound filtering in your email program as well, because there's no link to analyze.
Joe Carrigan
That's right. That's right. This doesn't have the typical HTML layout with the a href, the anchor tag, in it. The href. That's having to go all the way back to when I used to write web code.
Dave Bittner
David.
Joe Carrigan
It's been a while.
Dave Bittner
Yeah. No, it's an interesting one. And like I said, it was the lack of a link that I think sets this one apart. It's a subtle thing, but it's an interesting evolution at the same time.
Joe Carrigan
I would agree 100%.
Dave Bittner
Yeah. All right, well, we will have a link to that story in the show notes. The original story for this came courtesy of the folks over at The Record, so we will link to them. Joe Carrigan, thanks so much for joining us.
Joe Carrigan
My pleasure, Dave.
Dave Bittner
Compliance regulations, third party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta, GRC, how much easier trust can be. Get started at vanta.com/cyber. And finally, less than a month from launch, the federal government is preparing to unveil AI.gov, a new initiative designed to bring artificial intelligence tools into widespread use across agencies. Discovered through a GitHub repository that has since been archived, the site appears to be a central hub to help agencies integrate AI into their operations. Led by Thomas Shedd, a former Tesla software engineering manager and current head of the General Services Administration's Technology Transformation Services, the project is built around three core components: a chatbot, an all in one API to connect with models from providers like OpenAI and Google, and a tool called Console for monitoring AI usage across agencies. According to the staging site, the platform will use FedRAMP certified services via Amazon Bedrock, although one listed model, by Cohere, may not yet be certified. AI.gov is expected to launch July 4, signaling a major push to modernize federal operations through artificial intelligence.
I know what you're saying. Finally, a chatbot to fix government inefficiency. What could possibly go wrong? And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Ziv Karliner, Pillar Security's co-founder and CTO. We're discussing their research, "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents." That's Research Saturday. Check it out. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
CyberWire Daily - "Cloudflare’s Cloudy Day Resolved" Summary
Release Date: June 13, 2025
Host: Dave Bittner, N2K Networks
In this episode of CyberWire Daily, host Dave Bittner covers a series of cybersecurity events and updates impacting the industry: Cloudflare's recent outage, the persistent threat of Predator mobile spyware, ongoing issues with Microsoft 365 authentication services, an account takeover campaign targeting Entra ID users, the JSFireTruck obfuscation campaign uncovered by Palo Alto Networks, vulnerability patches from Palo Alto Networks, Trend Micro and Mitel, and multiple advisories issued by CISA. Guest Joe Carrigan from the Hacking Humans podcast discusses a linkless recruiting scam, and the episode closes with the federal government's planned AI.gov launch.
At the outset, Dave addresses Cloudflare's recent widespread outage. Contrary to initial speculation, Cloudflare confirmed that the disruption was not a result of a cyberattack.
"Cloudflare has confirmed that a widespread outage on its network was not caused by a cyber attack and no data was lost." [00:00:30]
Key Details:
- The incident lasted about two and a half hours and was triggered by a failure in Workers KV, the key value store used across Cloudflare's serverless platform; no data was lost.
- The failure disrupted authentication, streaming, image uploads and AI functions.
Resolution Measures:
- Cloudflare is migrating the KV backend's storage to its own R2 system to reduce reliance on the third party provider.
- New safeguards and tooling are planned so that service can be restored without triggering cascading failures.
"The root cause was an outage at a third-party cloud provider supporting the KV backend." [00:03:10]
The episode highlights the persistence of Predator mobile spyware despite international sanctions and public scrutiny.
"Predator mobile spyware remains highly active and adaptable." [00:04:20]
Insights:
- Originally developed by Cytrox and now part of the Intellexa alliance, Predator uses one click and zero click infection methods, gains access to microphones, cameras and sensitive data, and targets journalists, politicians and activists.
- Recorded Future has observed new infrastructure and operations in over a dozen countries, with heavy use in Africa and a newly reported presence in Mozambique.
- A five tier infrastructure, now linked to a Czech firm, together with fake websites and new server strategies, makes tracking and detection difficult.
"Its modular design allows remote updates, reinforcing its persistence." [00:05:45]
Microsoft is addressing ongoing issues affecting its 365 authentication services, particularly self-service password resets and adding multi-factor authentication (MFA) methods.
"Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services." [00:07:10]
Details:
- The problem is linked to a recent configuration change intended to improve MFA and affects users across Asia Pacific, Europe, the Middle East and Africa, including NHSmail in the UK, who see errors such as "no methods available".
- Microsoft has issued a temporary fix and reports signs of improvement; this follows Microsoft 365 authentication and access issues in January, April and May.
A significant account takeover campaign is targeting Entra ID by abusing the TeamFiltration penetration testing tool.
"A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool." [00:09:05]
Campaign Characteristics:
- According to Proofpoint, the tool automates password spraying, account enumeration and data exfiltration, and requires an AWS account and a Microsoft 365 Business Basic license to function.
- A threat actor tracked as UNK_SneakyStrike has used it since December 2024 against roughly 100 cloud tenants, peaking in January 2025; most attack traffic came from AWS servers in the US, Ireland and the UK.
- Smaller tenants saw broad targeting while larger ones saw focused user targeting; the campaign uses outdated Microsoft Teams clients and OAuth app IDs to obtain bearer tokens via Entra ID.
“Attacks rely on the Microsoft Teams API and Global AWS infrastructure for stealthy high intensity bursts.” [00:10:15]
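The burst pattern described above, as an added detection example that is not Proofpoint's logic or anything from the episode: a password spray shows up in sign-in telemetry as one source IP producing failed sign-ins against many different accounts inside a short window. The record shape (createdDateTime, userPrincipalName, ipAddress, status.errorCode) follows Entra ID sign-in log exports but is an assumption for this example, the sample records are constructed, and the window and threshold defaults are my own choice.

```javascript
// Added example (mine, not Proofpoint's detection logic or the podcast's):
// find password-spray bursts in Entra ID sign-in records. A spray is one
// source IP producing failed sign-ins against many DIFFERENT accounts inside
// a short window, the "high intensity bursts" the transcript describes.
// Field names follow the shape of Entra sign-in log exports, but are
// assumptions for this example rather than a verified schema.

// Constructed sample: one cloud-hosted IP hitting six accounts within a
// minute (spray), and one office IP where a single user mistypes a password
// twice and then succeeds (benign).
function makeSignin(time, user, ip, errorCode) {
  return {
    createdDateTime: time,
    userPrincipalName: `${user}@example.com`,
    ipAddress: ip,
    status: { errorCode },   // 50126: invalid username or password; 0: success
  };
}

const SAMPLE_SIGNINS = [
  ...['alice', 'bob', 'carol', 'dan', 'erin', 'frank'].map((u, i) =>
    makeSignin(`2025-06-13T10:00:${String(i * 8).padStart(2, '0')}Z`, u, '203.0.113.10', 50126)),
  makeSignin('2025-06-13T10:01:00Z', 'grace', '198.51.100.5', 50126),
  makeSignin('2025-06-13T10:01:20Z', 'grace', '198.51.100.5', 50126),
  makeSignin('2025-06-13T10:01:40Z', 'grace', '198.51.100.5', 0),
];

// Return one finding per source IP whose failed sign-ins touch at least
// minDistinctUsers distinct accounts within any windowMs-long window.
function findSprayBursts(records, { windowMs = 5 * 60 * 1000, minDistinctUsers = 5 } = {}) {
  // Group failures by source IP; successes are not spray evidence.
  const byIp = new Map();
  for (const r of records) {
    if (!r.status || r.status.errorCode === 0) continue;
    if (!byIp.has(r.ipAddress)) byIp.set(r.ipAddress, []);
    byIp.get(r.ipAddress).push({
      t: Date.parse(r.createdDateTime),
      upn: r.userPrincipalName.toLowerCase(),
    });
  }

  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    // Sliding window over time-sorted failures, tracking distinct accounts.
    const inWindow = new Map();
    let start = 0;
    let best = null;
    for (let end = 0; end < events.length; end++) {
      const e = events[end];
      inWindow.set(e.upn, (inWindow.get(e.upn) || 0) + 1);
      while (e.t - events[start].t > windowMs) {
        const old = events[start].upn;
        inWindow.set(old, inWindow.get(old) - 1);
        if (inWindow.get(old) === 0) inWindow.delete(old);
        start++;
      }
      if (inWindow.size >= minDistinctUsers && (best === null || inWindow.size > best.distinctUsers)) {
        best = {
          ipAddress: ip,
          distinctUsers: inWindow.size,
          failures: end - start + 1,
          windowStart: new Date(events[start].t).toISOString(),
          windowEnd: new Date(e.t).toISOString(),
        };
      }
    }
    if (best !== null) findings.push(best);
  }
  return findings;
}

// Stand-alone run: prints the one spray finding from the sample data.
console.log(JSON.stringify(findSprayBursts(SAMPLE_SIGNINS), null, 2));
```

Keying on distinct accounts per source rather than failures per account is what separates a spray from an ordinary lockout: the office user in the sample fails twice but is one account, so she never trips the check, while the cloud IP that touches six accounts in forty seconds does. Against a campaign run from many AWS addresses, the same window logic can be keyed on an ASN or address range instead of a single IP.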
Palo Alto Networks' Unit 42 has identified a large-scale malware campaign employing a JavaScript obfuscation technique it calls JSFireTruck.
"Palo Alto Networks Unit 42 has uncovered a large scale malware campaign that compromised nearly 270,000 websites using a JavaScript obfuscation method dubbed JSFireTruck." [00:11:00]
Technical Overview:
- The technique relies on JavaScript's type coercion and only six ASCII characters to encode working code; the scripts are long and conspicuous but hard to analyze without automation.
- Attackers layer it with other obfuscation, reconstructing payloads through arrays and mixing readable and encoded elements; activity surged in mid April, and Unit 42 urges admins to patch systems and check for infections.
“These scripts detect if users arrive via search engines and then redirect them using full page iframes, potentially leading to phishing or malware.” [00:11:30]
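The six-character, coercion-based encoding described above, as an added example that is not Unit 42's code or anything from the campaign. The transcript does not list the six characters; this example assumes the JSFuck alphabet `[]()!+`, which is the established way to write JavaScript in six characters. It builds a small encoder from the coercion primitives so the trick is visible, then a defender-side check that scores a script by how much of it is made of those six characters; the length floor and ratio threshold are my own choice.

```javascript
// Added example (mine, not Unit 42's code or the campaign's script). It
// shows the obfuscation style the transcript describes: JavaScript written
// with only the six characters [ ] ( ) ! + by leaning on type coercion
// (the approach popularised as JSFuck), and a defender-side check that
// flags scripts consisting of little else. This small encoder reaches
// digits and the letters inside "false", "true", "undefined" and "NaN";
// full JSFuck reaches every character with more machinery, omitted here.

const SIX_CHARS = '[]()!+';

// Number n from the six characters: +[] is 0 ([] coerces to "" then 0),
// +!+[] is 1 (!0 is true, +true is 1), and each extra +!+[] adds 1.
function numExpr(n) {
  if (n === 0) return '+[]';
  return '+!+[]' + '+!+[]'.repeat(n - 1);
}

// Strings obtained by coercing a boolean, undefined or NaN with "+[]".
const SOURCE_STRINGS = {
  'false': '![]+[]',        // ![] is false; false + "" is "false"
  'true': '!![]+[]',        // "true"
  'undefined': '[][[]]+[]', // [][[]] indexes [] with "" -> undefined
  'NaN': '+[![]]+[]',       // +[false] is Number("false") -> NaN
};

// Each reachable letter becomes (source string)[index].
const LETTER_EXPR = {};
for (const [word, expr] of Object.entries(SOURCE_STRINGS)) {
  [...word].forEach((ch, i) => {
    if (!(ch in LETTER_EXPR)) LETTER_EXPR[ch] = `(${expr})[${numExpr(i)}]`;
  });
}

// Encode text as an expression that evaluates back to the same string.
// Every piece is parenthesised so "+" between pieces is concatenation.
function encodeSixChar(text) {
  return [...text].map((ch) => {
    if (/[0-9]/.test(ch)) return `([${numExpr(Number(ch))}]+[])`; // [n]+[] -> "n"
    if (ch in LETTER_EXPR) return LETTER_EXPR[ch];
    throw new Error(`character ${JSON.stringify(ch)} is outside this small encoder`);
  }).join('+');
}

// Defender check: share of non-whitespace characters drawn from the six.
function sixCharRatio(src) {
  const body = src.replace(/\s+/g, '');
  if (body.length === 0) return 0;
  let hits = 0;
  for (const ch of body) if (SIX_CHARS.includes(ch)) hits++;
  return hits / body.length;
}

// Ordinary minified code also uses these symbols, so require a long body
// that is almost entirely the six characters (thresholds are my choice).
function looksSixCharObfuscated(src, { minLength = 200, threshold = 0.95 } = {}) {
  return src.replace(/\s+/g, '').length >= minLength && sixCharRatio(src) >= threshold;
}

// Stand-alone run: encode, evaluate back, and score the result.
const demo = encodeSixChar('fail2025');
console.log(demo.length, eval(demo), sixCharRatio(demo).toFixed(2));
```

The size blow-up is the point the transcript makes about the scripts being "long and conspicuous": eight characters of plain text become a few hundred characters of brackets and plus signs. The ratio check catches the pure form; because the campaign mixes readable and encoded pieces, a production scanner should run it over each string literal or concatenated fragment rather than only over the whole file.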
Palo Alto Networks:
- Patches across the GlobalProtect app, Cortex XDR, PAN-OS and Prisma Access Browser; the most serious is an authenticated code injection in GlobalProtect for macOS (CVSS 7.1), two PAN-OS flaws are medium severity, and Prisma Access Browser received 12 fixes, 11 of them Chrome related. No active exploitation has been reported.
Trend Micro:
- Critical updates for Apex Central and Endpoint Encryption PolicyServer address high severity and critical remote code execution and authentication bypass flaws, including two Apex Central RCEs rated CVSS 9.8; no workarounds exist and no exploitation has been reported.
"These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as SYSTEM or bypass authentication entirely." [00:13:10]
Mitel:
- A critical path traversal flaw in the MiCollab NuPoint Unified Messaging component, a bypass of a previously patched issue, affects multiple MiCollab versions; the researcher who found it estimates over 20,000 Internet exposed instances may be at risk.
"The flaw, a path traversal issue, allows unauthenticated remote attackers to access provisioning data and perform unauthorized admin actions." [00:13:45]
The Cybersecurity and Infrastructure Security Agency (CISA) has released several new advisories addressing vulnerabilities in industrial control systems (ICS) and a remote management tool.
"CISA warns that ransomware actors are exploiting a path traversal flaw in SimpleHelp RMM software." [00:14:20]
Key Advisories:
SimpleHelp RMM Software:
- A path traversal flaw (CVSS 7.5), patched in January alongside two related flaws, lets attackers steal credentials and API keys; it is being used against customers of a utility billing software provider and was exploited by DragonForce ransomware in May. CISA urges immediate patching, disconnecting vulnerable systems and threat hunting, especially for SimpleHelp 5.5.7 or earlier.
Industrial Control Systems:
- Ten advisories cover Siemens SCALANCE, RUGGEDCOM, SIMATIC S7-1500 CPUs and Tecnomatix Plant Simulation, AVEVA's PI software suite, and PTZOptics pan tilt zoom cameras.
"CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations." [00:14:50]
In a segment following the news, co-host Joe Carrigan joins Dave Bittner to discuss a linkless recruiting scam targeting recruiters on LinkedIn, attributed to the FIN6 group (also tracked as Skeleton Spider, Camouflage Tempest, TAAL and Magecart Group 6).
Scam Overview:
- Recruiters receive a plain text message thanking them for considering an application and pointing them to a portfolio site, with the domain written out but not hyperlinked, so there is no anchor tag for mail filters to analyze and nothing for the reader to click.
- The site captures the visitor's IP address and browser string; non Windows visitors see a benign portfolio page, while Windows visitors get a CAPTCHA and then a zip download containing an LNK file that installs JavaScript malware, backdooring the machine, exfiltrating data and likely staging ransomware.
"This is a good social engineering trick, I think. I think it's going to be surprisingly effective against Windows users." [00:15:43]
Key Insights:
- The usual "don't click the link" guidance is never violated, because the victim must copy or type the URL; awareness has to extend to what a site asks you to do once you arrive.
"There is no link to click. You actually have to physically enter bobbyweissman.com." [00:17:23]
Recommendations:
- Treat a portfolio or resume site that immediately asks you to download an archive as a red flag; a portfolio is something you expect to view in the browser, not a zip file to open.
- The original reporting came from The Record and is linked in the show notes.
Dave Bittner closes with the report that the federal government is preparing to launch AI.gov on July 4, a hub led by Thomas Shedd of the General Services Administration's Technology Transformation Services and built around a chatbot, an all in one API for models from providers such as OpenAI and Google, and a usage monitoring tool called Console, using FedRAMP certified services via Amazon Bedrock. He then points listeners to this weekend's Research Saturday conversation with Pillar Security's Ziv Karliner on how attackers can weaponize code agents such as GitHub Copilot and Cursor.