Exchange hybrid flaw raises cloud alarm.

Dave Bittner

You're listening to the Cyberwire Network powered by N2K and now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise Solution that stops ransomware in its tracks. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only act access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker Microsoft warns of a high severity vulnerability in Exchange server hybrid deployments A Dutch airline and a French Telecom report data breach breaches. Researchers reveal new HTTP request smuggling variants an Israeli spyware maker may have rebranded to evade US sanctions. CyberArk patches critical vulnerabilities in its Secrets management platform. The Akira gang uses a legit Intel CPU tuning driver to Disable Microsoft Defender. ChatGPT connectors are shown vulnerable to indirect prompt injection. Researchers expose new details about the Vex Trio cybercrime network. Sonicwall says a recent SSL VPN related cyber activity is not due to a zero day. Ryan Wieland from Accenture is our man on the street at Black hat and to Android's dream of concierge duty. It's Thursday, August 7th, 2025. I've D Dave Buettner and this is your Cyberwire Intel Briefing. Thanks for joining us. It's great to have you with us as always. Microsoft has issued a warning about a high severity vulnerability in Exchange Server hybrid deployments. The flaw could let attackers with access to on premises Exchange escalate privileges in Exchange Online undetected. In hybrid setups. Both environments share a service principle for authentication. If attackers compromise the on prem server, they can exploit this shared identity to forge trusted tokens or API calls, bypassing cloud side security logs. These actions may go unnoticed in Microsoft 365 audit tools. The vulnerability affects Exchange Server 2016, 2019 and the subscription Edition. While no active exploitation has been seen yet, Microsoft flagged it as exploitation more likely. CISA also warned of potential total domain compromise and urged admins to patch systems and disconnect unsupported Exchange or SharePoint servers from the Internet. Dutch airline KLM has reported a data breach involving a third party customer service platform that exposed customer names, contact info and Flying Blue loyalty program details. While no sensitive data like passwords or travel details were leaked, the breach raises phishing risks. Air France was also affected. The incident didn't impact flight operations and both airlines notified EU data regulators. KLM urges customers to stay alert for suspicious emails and has enhanced security measures in response, the total number of affected users remains undisclosed. Elsewhere, Boyg Telecom has disclosed a cyber attack that exposed personal data from 6.4 million customer accounts. The company did not specify the attack's nature or which customers were affected, but said the issue was resolved quickly and impacted users were notified. Boig, France's third largest mobile operator, reported the breach to authorities. The incident follows a similar attack on Orange. France's ANSI has warned of ongoing state sponsored cyber threats targeting the telecom sector for espionage purposes. At Black Hat, Portswigger's James Kettle revealed new HTTP request smuggling variants impacting C VPNs, major companies and millions of websites. These desync attacks exploit how front end and back end servers process HTTP requests, letting attackers sneak in malicious code. One variant named O Cl targets HTTP 1.1 and led to data exposure in systems at T Mobile, GitLab and Akamai. Akamai traced the root cause to its infrastructure and patched it. Cloudflare also faced a related vulnerability. Attackers could steal sessions, redirect users or poison web caches. The team earned a $276,000 bug bounty and urged migration from HTTP 1.1 to 2 for strong Researchers from Recorded Futures insect group uncovered eight malware clusters tied to Israeli spyware maker Candiru, suggesting the company may have rebranded to evade U.S. sanctions. These clusters, found in Hungary, Saudi Arabia, Indonesia and Azerbaijan, are linked to the deployment of Devil's Tongue, a powerful Windows spyware capable of extracting files, stealing browser data and accessing encrypted messages. Candiru, blacklisted by the US in 2021, has changed names multiple times and was reportedly acquired by integrity partners in 2024. Despite international scrutiny, the spyware industry remains active, using tactics like rebranding, jurisdiction hopping and shell companies to skirt export controls. Experts urge stronger standardized policies across the EU and global cooperation to curb the proliferation of commercial spyware. Cyberarc has patched critical vulnerabilities in its Conjure Secrets management platform that could allow unauthenticated remote code execution. Discovered by researchers at ciata, the flaws impact both the open source and enterprise versions and and could let attackers bypass IAM authentication, escalate privileges, and execute arbitrary code without credentials. The vulnerabilities now patched posed a serious risk to organizations managing cloud and DevOps secrets. Sayada also uncovered similar flaws in HashiCorp Vault. No in the Wild exploitation has been reported, but users are urged to update immediately. Akira ransomware operators are using a legitimate Intel CPU tuning driver, RWDRV sys from Throttle Stop to disable Microsoft Defender. This is part of a bring your own vulnerable driver attack, where attackers load the vulnerable driver to gain kernel level access and install a second malicious driver. This tool disables defender protections via Windows registry edits. GuidePoint Security has seen this tactic repeatedly since mid July and released detection tools including Yara rules and IOCs. Akira has also been linked to attacks on SonicWall SSL VPNs. The attackers employ Bumblebee malware via trojanized IT tools to establish access, perform reconnaissance, exfiltrate data, and deploy ransomware. Admins are urged to monitor for Akira indicators, enforce mfa, and avoid software from unverified sources. Researchers have uncovered a serious vulnerability in OpenAI's ChatGPT connectors, showing how attackers can exploit linked services like Google Drive through indirect prompt injection. Connectors provide functionality for data to flow between ChatGPT and, say, your email account or calendar. In a demo dubbed Agent Flare, a malicious document shared via Google Drive tricked ChatGPT into extracting API keys and sending them to an attacker's server using hidden prompts in white size 1 text. This zero click attack requires no user interaction. It highlights the risks of linking AI models to external systems as doing so expands the potential attack. Surface OpenAI has since deployed mitigations. The incident underscores broader concerns about prompt injection threats in AI integrated environments. As LLMs become more powerful by connecting to user data, they also become more vulnerable to manipulation, turning a convenience into a possible security gateway for hackers. Researchers at infoblox have exposed new details about Vex Trio, a cybercrime network active since 2017 that uses traffic distribution systems, DNS manipulation and domain generation algorithms to spread malware scams and illegal content. The group compromises websites, often WordPress based, and reroutes traffic through malicious redirects tailored by geolocation and device. Vextrio also runs fake antivirus apps, porn sites, crypto scams and ad fraud schemes. Their infrastructure surprisingly operates on fewer than 250 virtual machines. Infoblox linked the operation to two affiliate marketing networks in Europe that merged in 2020, forming a multinational criminal enterprise spanning nearly 100 companies. Researchers named eight individuals tied to the group connected to businesses in countries like Switzerland, Czechia and Canada. An 80 page report was released during Black Hat detailing the full scope of Vex trio's activities and operators. SonicWall has confirmed that recent SSL VPN related cyber activity on Gen 7 firewalls is not due to a zero day, but is linked to a previously disclosed vulnerability. Fewer than 40 incidents are under investigation, many tied to Gen 6 to Gen 7 migrations where user passwords weren't reset as advised. Sonic OS 7.3 offers stronger brute force protections. Customers are urged to update reset SSL VPN account passwords and follow best practices like enabling MFA botnet protection and removing inactive accounts. Coming up after the break, Ryan Whelan from Accenture is our man on the street at Black Hat and do androids dream of concierge duty? Stay with us.

David Moulton

New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work.

Ryan Whelan

How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong.

David Moulton

Join me, David Moulton, Senior Director of thought leadership for Unit 42 at Palo Alto Networks and our guest who lived this work every day.

Ryan Whelan

We're not just talking about some encryption and paying multi million dollar ransom. We're talking about fundamentally being unable to.

Dave Bittner

Operate automated eradication and containment, so being able to very rapidly ID what's going on in an environment and contain that immediately.

Ryan Whelan

They're hiding in plain sight.

David Moulton

So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your frontline for security insights.

Dave Bittner

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. Cyberark is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyber Arc helps modern enterprises secure their machine future. Visit cyberark.com machines to see how compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's V A N-T A.com cyber Ryan Whelan is Managing Director and global head of Accenture Cyber Intelligence. He is also at Black Hat this week. So we checked in with him for what's buzzing at the conference. Well, Ryan, thank you for joining us here today. And before we get into some of the details from the show floor, I have to check in with you to make sure that you are surviving what I understand is a not insignificant heat wave out there in summertime Las Vegas. Is that right?

Ryan Whelan

It has been incredibly hot, Dave. So every time I walk outside, I'm hit with that blast of air, but luckily I have almost no time to be outside coughing that heat. So surviving. Okay.

Dave Bittner

And it's a dry heat, right?

Ryan Whelan

Yeah, exactly, it's a dry heat.

Dave Bittner

Well, let's dig into Black Hat itself. I mean, just starting off with the overall tone as you're walking around and seeing the different booths that people have set up and having those side conversations. What's the tone? What's the attitude? How does it seem like people are feeling this year?

Ryan Whelan

Yeah, I mean, one of the things I love about Black Hat every year is that it's really a practitioner focused conference. It's kind of where it got its birth. And so I think there's always a lot of energy, a lot of excitement around discovering new ttps. Right. What are the new tactics that we're seeing adversaries use? I think this year there's, I think every conversation includes some discussion of AI or agentic targeting. Right. Those sorts of things, as well as then what we're seeing on the defensive side for solutions. Right. Where we're bringing innovation to get after those threats in new ways. And so I think that energy continues and it's, you know, it's always, it's always nice to be able to take a step back and kind of take a broader view at what's happening in the industry.

Dave Bittner

In terms of the sessions, are there any particular areas that you're looking to get a little new knowledge on?

Ryan Whelan

Oh, man, I think we could spend this whole segment just talking about that, Dave. But I think you know, there's a few that for me were pretty interesting. Right. I think one of the things that we're consistently tracking are new and emerging threat vectors. And so Iot and kind of IoT security is one of those. It's a really interesting talk on how adversaries are targeting EV stations and how that could potentially be used as an access point into EVs. And so I think security in that way from how we're securing these pump stations that are now becoming ubiquitous across the country, I think that's really interesting. Saw another one that I think reflects on one of the threat vectors that we're talking about regularly here. Like I said, on the AI side, that's looking at, with our increasing reliance on LLMs, how are we conditioning ourselves, allowing ourselves to be conditioned by these LLMs. So human influence and conditioning of these solutions that we're using to make our lives easier, but may also be exerting influence over how we think and see the world. And I think that's a really interesting risk.

Dave Bittner

Yeah, that is interesting. It reminds me of, you know, sometimes I wonder how much have I trained my dog and how much has my dog trained me.

Ryan Whelan

That's right. That's exactly, exactly right. You know, and I think, I think what's a little bit concerning about it is we absolutely see adversaries kind of playing in this space of doing things like, you know, data poisoning, model poisoning for those LLMs. And so if you, if you marry that adversarial intent and activity that we're seeing them experiment with, and then you marry that with this increasing use of those and the ability to influence our thinking there, it really presents a risk to organizations as they deploy solutions like that.

Dave Bittner

For you, beyond the conference itself, I mean, beyond the sessions and the displays and all those sorts of things, what do you hope to get out of a conference like this? I mean, there's, there's really a human face to face element as well.

Ryan Whelan

Yeah, absolutely. And you know, post Covid, I think it's always harder to find time for, for that face to face interaction, you know, for me, and I'll tell you this, and I got out of meetings earlier today with a number of colleagues in this space. Right. And so I love the opportunity to just connect with the community. Right. And it, as, you know, Dave, because you're, you know, it's one of the things you do. Community is such a critical aspect of security. Right. And so much of security comes back to the fundamentals. Being able to just drive collaboration, being able to share what we're seeing having the personal relationship with folks where, you know, I can, I can test text another threat intel lead and make sure that we're, you know, they're seeing similar things that we are. You know, we can check analysis on things like that. It's critical to doing this right and to giving value to clients. So I think that's probably, that community factor is probably the biggest takeaway for me beyond the sessions.

Dave Bittner

For someone who's never been to Black Hat, what is the value proposition for you? What sets this conference apart and makes it worth you investing your time in?

Ryan Whelan

Yeah, I'll go back to kind of where I started the conversation and say it's really that practitioner level visibility and knowledge, the ability to take a look at how on the one hand we're seeing adversaries employ these new tactics, how we're seeing them do things like test voice deep fakes and employ those in advanced social engineering and some of those sorts of things, but then pivot that around to what are we seeing on the solution side, how are we thinking about Agentix security and some of the new identity challenges that are now emerging around controlling agents that are running across organizations and things like that. And so I think that practitioner view, like I said, it's. We don't often as an industry, we're so caught up in response, right? We're so caught up in the day to day of security. I think having that opportunity to take a step back, you got to watch your schedule, right? You got to manage your schedule because you can get overwhelmed with these things. But I think take that step back and really seek out that practitioner level view. That's, that's the advantage of a place like this.

Dave Bittner

That's Ryan Whelan, managing director and global head of cyber Intelligence at Accenture.

Advertiser

Abercrombie's viral denim sale is back and Spotify listeners get an extra 15% off with code. Spotify AF Abercrombie is known for their denim with 30 to 50% off all jeans. Find out how denim should fit. Shop the viral denim sale in the Abercrombie app online or in stores. Valid in stores and online through August 11, 2025 in US and Canada. Excludes clearance price reflects discount code. Valid in US and Canada through August 11, 2025. Exclusions apply. See details online.

This episode is brought to you by. Indeed, when your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use indeed sponsored jobs to hire top talent fast and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

Dave Bittner

And finally, at Japan's Henna Hotel, Henna meaning weird and yes, they own it. Robots are on staff, but not everywhere and not always. Management says the decision to deploy them is based on market conditions, guest preferences and presumably, how much patience the robots have that day. Amid Japan's labor crunch, these humanoid helpers offer cost cutting, charm and unwavering 24. 7 availability. Some, like Robohan, can control lights, recommend sushi joints and dance over 70 routines. Because why wouldn't a concierge do flamenco? Headcount has dropped drastically at some locations, with bots outnumbering humans like it's a sci Fi reboot of Fawlty Towers. Expectations are tricky. Make a robot too lifelike, and guests expect them to fold towels and feel feelings. Henna's solution? Keep them quirky, keep them dancing, and maybe skip the bedtime stories. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show Notes. Please take a moment and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Pelton. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.