Dave Bittner
You're listening to the Cyberwire network powered by N2K.
David Moulton
And now a word from our sponsor, Cloudrange. At Cloudrange, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation-based training helps security teams build confidence and skill from day one by turning potential into performance. They empower SOC and incident response teams to respond quickly, smartly and in sync with evolving threats. Learn how Cloudrange is helping organizations stay ahead of cyber risks at www.cloudrange.com.

Researchers release proof of concept exploits for Citrix Bleed 2. Grafana patches four high severity vulnerabilities. A hacker claims to have breached Spanish telecom giant Telefonica. Italian police arrest a Chinese man wanted by US authorities for alleged industrial espionage. Beware a new ransomware group called BERT. Call of Duty goes offline after reports of RCE vulnerabilities. President Trump's spending bill allocates hundreds of millions for cybersecurity. Nearly 26 million job seekers' resumes and personal data are leaked. CISA adds four actively exploited vulnerabilities to the Known Exploited Vulnerabilities Catalog. For Threat Vector, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' Threat Research Team about hunting threats in developer environments, and outsmarting AI scraper bots with math.

It's Tuesday, July 8th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.

Researchers have released proof of concept exploits for Citrix Bleed 2, a critical flaw in Citrix NetScaler ADC and Gateway devices. The bug lets attackers steal user session tokens by sending malformed post-login requests, revealing memory contents. Citrix Bleed 2 is similar to the 2023 Citrix Bleed flaw exploited by ransomware gangs.
Technical analysis by watchTowr and Horizon3 shows that modifying the login parameter without an equal sign leaks roughly 127 bytes of memory per request, enabling repeated data theft. Citrix claims there's no active exploitation, but ReliaQuest and researcher Kevin Beaumont report evidence of attacks since mid-June. Citrix has released patches, urging all organizations to apply them immediately and review sessions for suspicious activity before termination, as public exploits are now available.

Grafana, an open source data visualization and dashboard platform, released security updates to fix four high severity vulnerabilities in its image renderer plugin and synthetic monitoring agent. The most critical is a type confusion flaw in Chrome's V8 engine, exploited as a zero day, allowing arbitrary read/write. Other patched bugs include type confusion enabling code execution, integer overflow and use-after-free. Users should update to the latest versions. Cloud deployments are already patched.

A hacker known as Ray, linked to the Hellcat ransomware group, claims to have stolen 106 gigabytes of data from Spanish telecom giant Telefonica in a May 30 breach. Ray says they exfiltrated the data over 12 hours due to a JIRA misconfiguration. To prove the breach, the hacker leaked a 2.6 gigabyte archive containing over 20,000 files, including internal communications, invoices, customer records and employee data. Telefonica has not acknowledged the breach, with one employee dismissing it as an extortion attempt using old data. However, leaked samples include email addresses of current employees and invoices for clients in Spain, Germany, Chile and Peru. Ray warns they'll continue leaking data if Telefonica does not comply with undisclosed demands.

Italian police arrested 33-year-old Zhu Ziwei, a Chinese man wanted by US authorities for alleged industrial espionage targeting projects including COVID vaccine development.
Zhu, from Shanghai, was detained at Milan's Malpensa Airport under a US arrest warrant linked to an FBI investigation. He's accused of being part of a hacking team that tried to access the University of Texas' COVID vaccine research in 2020. Charges include wire fraud, identity theft and unauthorized computer access. Zhu faces an extradition hearing in Milan today.

A new ransomware group called BERT is targeting healthcare tech and event services firms across Asia, Europe and the US, according to Trend Micro. First identified in April, BERT's ransomware affects both Windows and Linux systems. While their exact access method is unclear, researchers found a PowerShell script that disables security tools before deploying the ransomware. Victims receive a ransom note saying "Hello from BERT, your network is hacked and files are encrypted." BERT's malware is under active development, with multiple variants seen. Trend Micro noted possible ties to Russian infrastructure and found that BERT reuses code from REvil's Linux variant. REvil was dismantled in 2021, though Russian courts recently sentenced several unrelated REvil members for carding fraud, releasing them for time served in pretrial detention.

The PC version of Call of Duty: World War II was taken offline after reports of a remote code execution vulnerability allowing hackers to take over players' computers during live matches. The issue emerged shortly after the game was released on Xbox Game Pass on June 30. Players shared videos showing their PCs freezing, executing Windows command files, shutting down or displaying pornographic images. Malwarebytes researchers explained that older Call of Duty games switched to peer-to-peer networking instead of dedicated servers, exposing players to attacks from malicious hosts. Exploits targeting Call of Duty titles have existed for years, with previous proof of concept RCEs published on Steam.
Activision has not confirmed if the takedown was directly due to the exploit, and no further updates have been posted since July 5th.

A report from CyberScoop examines President Trump's tax and spending bill, which allocates hundreds of millions for cybersecurity, mostly for military programs. US Cyber Command will receive $250 million for artificial intelligence initiatives, while DARPA gains $20 million for cybersecurity research. Indo-Pacific Command gets a million dollars for cyber offensive operations targeting adversaries like Russia, China and North Korea. The Defense Department will use $90 million partly to support cybersecurity for non-traditional contractors. The Coast Guard's $2.2 billion maintenance budget includes cyber asset upkeep, while $170 million for maritime domain awareness also covers cyber. The only civilian cyber funding is in a rural health program allowing grants for cybersecurity capability development. Democrats criticize the bill for ignoring CISA funding, accusing Republicans of neglecting national cybersecurity threats despite growing attacks from foreign adversaries and criminals.

TalentHook, an applicant tracking system owned by Resource Edge, leaked nearly 26 million job seekers' resumes and personal data due to a misconfigured Azure Blob storage container left publicly accessible. Exposed information includes names, emails, phone numbers, education details, work history and some home addresses. The leak, discovered in January but disclosed in April, poses phishing and fraud risks for affected individuals. It remains unclear if TalentHook has secured the data, and no official count of impacted people has been released.

CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog: an MRLG buffer overflow issue, PHPMailer command injection, Ruby on Rails path traversal and Zimbra SSRF.
These pose significant risks to federal networks, and under Binding Operational Directive 22-01, federal agencies must remediate these by set deadlines.

Coming up after the break, for Threat Vector, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' Threat Research Team about hunting threats in developer environments, and outsmarting AI scraper bots with math. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

On our latest Threat Vector segment, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' Threat Research Team about hunting threats in developer environments.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter the most. This week, we're pulling back the curtain on an attack vector you're probably not watching, but should be. I sat down with Tom Fakterman and Daniel Frank from our threat research team to talk about how trusted developer tools, think things like Visual Studio Code, low-code platforms, and even public repos, are being turned into malware delivery systems by some of the most advanced threat actors out there. In this episode, we dug into the red flags you're probably missing in your CI/CD pipeline, why the new insider threat might not even know they're an insider, and how North Korean attackers are quietly siphoning off crypto and IP without ever breaching the perimeter. If you care about securing your dev environments, don't miss this episode. It's called Hunting Threats in Developer Environments and it's live now in your Threat Vector feed. So Tom, set us up. Why are low-code, no-code environments becoming so popular for developers?
Daniel Frank
That's a good question. So I would say that now, with the rise of AI and everything, you see that more and more people don't need or want to know how to actually code to do all the stuff that they want to do in their day-to-day work. That's exactly what low-code platforms give the user: the ability to create sophisticated automations without needing to know how to program.
David Moulton
What kind of threats are you seeing in these platforms specifically?
Tom Fakterman
Okay, so low-code platforms, what they do is that they offer a lot of these powerful features. I mean, they can access things like users' files, they can access their clipboard and even their Internet connection. And this is just to name a few, right? And the best part, it's all through an easy-to-use interface. So you don't need to be a coding expert or anything close to that. But here's the problem. If an attacker gets hold of one of these platforms, they can create these automated workflows for all kinds of malicious activities, and without needing to deploy any extra malware. I mean, it's like they've got this built-in toolkit to do a lot of damage without even trying too hard.
David Moulton
How are the tactics different from like a traditional supply chain attack or backdoors planted in build processes?
Tom Fakterman
Well, I'd say that the main difference is that in supply chain attacks, the attackers need to find a way to insert malware into the installation process of this legitimate software or the other. But in this type of attack that we're talking about, all the attackers really need is good social engineering skills to gain access to a developer's IDE, and some bad intentions. I mean, it's that simple.
David Moulton
Tom, what telemetry or visibility gaps are allowing attackers to operate inside development tools without detection?
Daniel Frank
Yeah, so this is where things get kind of tricky. One of the biggest challenges with dealing with IDE abuse is that, at the end of the day, these are legitimate applications, and usually they are trusted in the environment. So it is not out of the ordinary for them to perform a lot of activity. When they are doing stuff like accessing the file system, reaching out to external servers or spawning processes, that's not necessarily malicious. And that's exactly what attackers are banking on. They're hiding in plain sight. This can make it hard for defenders to differentiate between day-to-day use of an IDE and malicious abuse by a threat actor.
David Moulton
What's going to need to change in most environments to close these gaps?
Daniel Frank
I would say the first step, like with a lot of these problems, is awareness. You've got to actually recognize that IDEs, while of course essential, can also be attack surfaces. The next step will be to work on tailored detections and hunting queries. We need to understand what normal behavior looks like for tools like VS Code and what sticks out. And that takes some environment-specific tuning.
David Moulton
For defenders out there, what are some of the high-fidelity indicators of compromise, or maybe even the behavioral patterns, that are tied to developer platform abuse?
Daniel Frank
So obviously the exact indicators can shift depending on the technique and the attacker's playbook. But there are definitely some patterns that we see popping up over and over again. One of the biggest red flags we see is when an IDE spawns a shell process like cmd or PowerShell, and when those shells start running things like recon commands, trying to map the network, pull credentials, or even move laterally. Well, at this point, you should have the alarm ringing.
David Moulton
Oh, for sure. Can you share any success stories where those techniques were detected really early?
Daniel Frank
Oh, yeah, definitely. I love that question. So I have one story that happened pretty recently, and it is related to a campaign we call Contagious Interview. We actually explored that one in our RSA Conference session. In this campaign, the North Korean threat actors were posing as recruiters and they were trying to trick developers into running malicious code under the guise of a fake job interview, hence the name, Contagious Interview. We spent a lot of time dissecting that campaign and mapping out the different TTPs. And we've created a lot of different detections around their techniques. Not long after our investigation, we actually started seeing this threat actor attempting to target our customers using very similar TTPs. But because of all of the work that we did on them, Cortex XDR was ready and it blocked all the malicious attempts. And this is an idea that we really focus on in our team: research isn't just a theory. It directly powers our defenses.
David Moulton
Daniel, what are some of the proactive ways organizations can secure their development environments without slowing down their developers?
Tom Fakterman
This is a really important question, David, and I'm glad you asked it. Well, there are a few ways organizations can secure their development environments, but I will highlight two main ones. First off, before running any code from outside sources, like third-party code, and this is something that we talked about a lot during our RSA Conference presentation, it's really important to scan that code, either manually or automatically. And this goes for code you're importing into existing projects or when you're starting a new project. And the same also applies for extensions. Now, the second and probably even more important point is that regular security awareness training is key. Everyone in the company should be trained, but it's especially crucial for developers in this case to be aware of these kinds of threats and know how to recognize them.
David Moulton
If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Hunting Threats in Developer Environments and it's live now. This one's a wake-up call. Don't let it fly under your radar.
And you can check out the complete Threat Vector program right here on the N2K CyberWire network or wherever you get your favorite podcasts.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application control containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Dave Bittner
With a Venmo debit card, you can Venmo more than just your friends. You can use your balance in so many ways. You can Venmo everything. Need gas? You can Venmo this. How about snacks? You can Venmo that. Your favorite band's merch? You can Venmo this or their next show? You can Venmo that. Visit Venmo Me Debit to learn more.
Daniel Frank
You can Venmo this or you can Venmo that. You can Venmo this or you can Venmo that.
Dave Bittner
The Venmo Mastercard is issued by The Bancorp Bank, N.A., pursuant to license by Mastercard International Incorporated. Card may be used everywhere Mastercard is accepted. Venmo purchase restrictions apply.
David Moulton
And finally, an article from 404 Media reminds us that AI bots scraping web pages might sound harmless, just machines reading text, right? But when these bots hammer sites relentlessly to harvest data for training AI models, small servers crash under the strain, users get locked out and entire communities could lose their online homes. Enter Xe Iaso, a developer whose git server collapsed under an Amazon bot's enthusiastic clicks. Her solution? Anubis, a free, open source uncaptcha that forces visitors' browsers to do cryptographic math, which is easy for humans but prohibitively expensive for bots scraping millions of pages. Since January, Anubis has been downloaded nearly 200,000 times, protecting projects like GNOME and FFmpeg. She also jokes that poisoning AI datasets is like peeing in the ocean, and says if AI companies want to stop her work, they should distract her with a top-tier Final Fantasy expansion. Until then, she'll keep fine-tuning Anubis in the never-ending quest to keep the small Internet alive against hungry bots.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
CyberWire Daily Summary: Episode “Memory Leaks and Login Sneaks”
Release Date: July 8, 2025
Host: N2K Networks
In the latest episode of CyberWire Daily, hosted by N2K Networks, listeners are presented with a comprehensive overview of the most pressing cybersecurity issues of the day, followed by an in-depth discussion with experts from Palo Alto Networks' Threat Research Team. The episode titled “Memory Leaks and Login Sneaks” delves into recent vulnerabilities, significant breaches, and evolving threats in the cybersecurity landscape.
1. Citrix Bleed 2 Vulnerability Exploited
Researchers have uncovered proof-of-concept exploits for Citrix Bleed 2, a critical vulnerability affecting Citrix NetScaler ADC and Gateway devices. This flaw allows attackers to steal user session tokens by sending malformed post-login requests, effectively revealing memory contents. Similar to the 2023 Citrix Bleed flaw, this vulnerability has been actively exploited by ransomware gangs.
“Modifying the login parameter without an equal sign leaks roughly 127 bytes of memory per request, enabling repeated data theft,” explained Kevin Beaumont of ReliaQuest (07:30).
Citrix has issued patches and urged organizations to apply them immediately while reviewing sessions for any suspicious activity.
2. Grafana Patches High Severity Vulnerabilities
Grafana, the popular open-source data visualization platform, has released security updates addressing four high-severity vulnerabilities in its image renderer plugin and synthetic monitoring agent. The most critical issue is a type confusion flaw in Chrome's V8 engine, allowing arbitrary read and write operations.
“Users should update to the latest versions immediately as public exploits are now available,” advised a Grafana spokesperson (09:15).
3. Telefonica Breach by Hacker “Ray”
A hacker known as Ray, affiliated with the Hellcat Ransomware Group, claims to have breached Spanish telecom giant Telefonica, stealing 106 gigabytes of data due to a JIRA misconfiguration. Ray has leaked a 2.6 gigabyte archive containing over 20,000 files, including internal communications and customer records. Telefonica has yet to confirm the breach, with some employees dismissing it as an extortion attempt using outdated data.
4. Arrest in Industrial Espionage Case
Italian authorities have arrested Zhu Ziwei, a 33-year-old Chinese national, under a US arrest warrant for alleged industrial espionage targeting projects like COVID vaccine development. Zhu faces charges including wire fraud, identity theft, and unauthorized computer access, and is set for an extradition hearing in Milan.
5. Emergence of Ransomware Group BERT
A new ransomware group named BERT has been targeting healthcare tech and event services firms across Asia, Europe, and the US. BERT's malware, affecting both Windows and Linux systems, utilizes PowerShell scripts to disable security tools before encrypting files. Trend Micro has identified potential ties to Russian infrastructure and connections to the formerly active Revil group.
6. Call of Duty RCE Vulnerability
The PC version of Call of Duty: World War II was taken offline following reports of a remote code execution (RCE) vulnerability. Exploits allowed hackers to take over players' computers during live matches, causing systems to freeze, shut down, or display inappropriate content. The issue surfaced shortly after the game's release on Xbox Game Pass on June 30.
7. US Cybersecurity Funding in President Trump's Spending Bill
President Trump's tax and spending bill allocates hundreds of millions for cybersecurity, predominantly for military programs. Significant allocations include:
- $250 million to US Cyber Command for artificial intelligence initiatives
- $20 million to DARPA for cybersecurity research
- $1 million to Indo-Pacific Command for cyber offensive operations targeting adversaries like Russia, China and North Korea
- $90 million to the Defense Department, partly to support cybersecurity for non-traditional contractors
- Cyber asset upkeep within the Coast Guard's $2.2 billion maintenance budget, plus $170 million for maritime domain awareness that also covers cyber
- The only civilian cyber funding: a rural health program allowing grants for cybersecurity capability development
Democrats have criticized the bill for neglecting the Cybersecurity and Infrastructure Security Agency (CISA), arguing it overlooks national cybersecurity threats despite rising attacks from foreign adversaries and criminals.
8. TalentHook Data Leak
TalentHook, an applicant tracking system owned by Resource Edge, has leaked nearly 26 million job seekers’ resumes and personal data due to a misconfigured Azure Blob storage container. Exposed information includes names, emails, phone numbers, education details, work history, and some home addresses, posing significant phishing and fraud risks.
9. CISA Updates Vulnerability Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog:
- an MRLG buffer overflow
- a PHPMailer command injection
- a Ruby on Rails path traversal
- a Zimbra SSRF
Federal agencies are mandated to remediate these vulnerabilities by specific deadlines under binding Operational Directive 22-01.
Host: David Moulton
Guests: Daniel Frank & Tom Fakterman, Palo Alto Networks' Threat Research Team
Segment Duration: 13:32 - 21:26
David Moulton engages with Daniel Frank and Tom Fakterman to explore the emerging threats within developer environments. The discussion highlights how trusted developer tools are being exploited by advanced threat actors to deliver malware and conduct espionage.
Key Topics Discussed:
Rise of Low-Code/No-Code Platforms:
“With the rise of AI, more people don’t need to know how to code to perform their tasks. Low-code platforms empower users to create sophisticated automations without programming knowledge,” explains Daniel Frank (14:47).
Exploitation of Developer Tools:
Tom Fakterman elaborates, “If an attacker gains access to a platform like Visual Studio Code, they can create automated workflows for malicious activities without deploying additional malware.” (15:22)
Differences from Traditional Supply Chain Attacks:
“Unlike supply chain attacks that require inserting malware into legitimate software installations, these attacks often rely on social engineering to gain access to a developer’s IDE,” Tom adds (16:08).
Visibility Gaps in Development Environments:
Daniel Frank notes, “IDEs are trusted applications that perform numerous legitimate activities, making it challenging to distinguish between normal use and malicious abuse.” (16:39)
Closing the Visibility Gaps:
“Awareness is the first step. Organizations need to tailor detections and hunting queries to understand normal behavior within their development tools,” Daniel advises (17:31).
Indicators of Compromise (IoCs):
Daniel Frank identifies key IoCs such as IDEs spawning shell processes like CMD or PowerShell executing reconnaissance commands, mapping networks, or pulling credentials (18:12).
Success Stories:
Daniel shares a case where proactive detection blocked a North Korean threat actor's attempts by leveraging pre-developed detections (18:47).
Proactive Security Measures:
Tom Fakterman emphasizes the importance of scanning all external code and conducting regular security awareness training, especially for developers (20:04).
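The IoC Daniel describes, an IDE spawning a shell that then runs reconnaissance commands, is the kind of pattern that needs a baseline before it becomes a useful alert, because developers open terminals from their IDE all day. The following is an added example written for this summary, not code from Palo Alto Networks or Cortex XDR: a small scorer over process-creation events that treats "IDE spawned a shell" as a low-severity baseline signal and escalates only when the shell's command line contains recon commands. The IDE and shell image names, the recon patterns and the sample events are constructed assumptions to tune for your own environment.

```python
import re
from dataclasses import dataclass

# Assumed IDE and shell image names (constructed; extend to match your fleet).
IDE_IMAGES = {"code.exe", "code", "devenv.exe", "idea64.exe", "pycharm64.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}

# Command-line patterns typical of host and network reconnaissance (constructed list).
RECON_PATTERNS = [
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"\bnet\s+(view|user|group|localgroup)\b", re.I),
    re.compile(r"\b(ipconfig|ifconfig|arp|nltest|systeminfo|hostname)\b", re.I),
    re.compile(r"\bGet-(ADUser|ADComputer|ADGroupMember|NetNeighbor)\b", re.I),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record: parent image, child image, command line."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def score(ev: ProcessEvent) -> tuple[int, str]:
    """Return (severity, reason): 0 = not an IDE->shell chain, 1 = IDE spawned a
    shell (common for developers, so baseline it), 2 = that shell ran recon commands."""
    if basename(ev.parent_image) not in IDE_IMAGES:
        return 0, "parent is not an IDE"
    if basename(ev.image) not in SHELL_IMAGES:
        return 0, "child is not a shell"
    hits = [p.pattern for p in RECON_PATTERNS if p.search(ev.command_line)]
    if hits:
        return 2, f"IDE-spawned shell ran recon: {hits}"
    return 1, "IDE spawned a shell (tune against your baseline)"


def alerts(events, threshold: int = 2) -> list[tuple[int, str, str]]:
    """Events at or above the severity threshold, as (severity, reason, command line)."""
    out = []
    for ev in events:
        sev, why = score(ev)
        if sev >= threshold:
            out.append((sev, why, ev.command_line))
    return out


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami && net view /domain"),
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -nop -c "Get-ADComputer -Filter *"'),
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c npm run build"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent("/usr/share/code/code", "/bin/bash", "bash -c 'ifconfig; arp -a'"),
]

if __name__ == "__main__":
    for sev, why, cmd in alerts(SAMPLE_EVENTS):
        print(f"[sev {sev}] {why}: {cmd}")
```

With the default threshold only the three recon events alert; lowering the threshold to 1 surfaces every IDE-to-shell chain, which is the raw material for the environment-specific baselining Daniel mentions rather than something to page on directly.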
Towards the end of the episode, David Moulton discusses a noteworthy article from 404 Media about the detrimental impact of AI bots scraping web pages. These bots not only harvest data for training AI models but also strain server resources, leading to crashes and user lockouts.
Developer Xe Iaso created Anubis, an open-source uncaptcha tool that forces visitors' browsers to perform cryptographic math, which is manageable for humans but prohibitively expensive for bots. Since its inception in January, Anubis has been downloaded nearly 200,000 times, protecting significant projects like GNOME and FFmpeg from malicious scraping.
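The "cryptographic math" behind this approach is a hash-based proof of work: the server hands the browser a challenge, the browser must find a nonce whose SHA-256 digest starts with a required number of zero bits, and the server checks the answer with a single hash. One visitor pays a fraction of a second once; a scraper fetching millions of pages pays it millions of times. The following is an added example illustrating that asymmetry, not Anubis's own code: the challenge format, the HMAC binding (so a client cannot mint its own challenges), the 300-second lifetime and the secret are all constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed per-deployment secret for this demo; load it from configuration in practice.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
CHALLENGE_TTL_SECONDS = 300  # assumed challenge lifetime


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client_id: str, issued_at: int) -> tuple[str, str]:
    """Server side: mint a challenge bound to the client and issue time, plus an HMAC
    tag so the client cannot forge, replay or precompute challenges of its own choosing."""
    challenge = f"{client_id}|{issued_at}"
    tag = hmac.new(SERVER_SECRET, challenge.encode(), hashlib.sha256).hexdigest()
    return challenge, tag


def solve(challenge: str, difficulty: int) -> tuple[int, int]:
    """Client side (what the browser does): brute-force a nonce until
    sha256(challenge|nonce) has at least `difficulty` leading zero bits.
    Returns (nonce, hashes_tried); expected work is about 2**difficulty hashes."""
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify(challenge: str, tag: str, nonce: int, difficulty: int, now: int) -> bool:
    """Server side: one HMAC plus one hash, regardless of how hard the client worked."""
    expected = hmac.new(SERVER_SECRET, challenge.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # challenge was not minted by this server
    issued_at = int(challenge.rsplit("|", 1)[1])
    if now < issued_at or now - issued_at > CHALLENGE_TTL_SECONDS:
        return False  # stale or future-dated challenge
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    issued = int(time.time())
    challenge, tag = issue_challenge("visitor-123", issued)
    for difficulty in (8, 12, 16):
        start = time.perf_counter()
        nonce, tried = solve(challenge, difficulty)
        solve_ms = (time.perf_counter() - start) * 1000
        start = time.perf_counter()
        ok = verify(challenge, tag, nonce, difficulty, issued + 1)
        verify_ms = (time.perf_counter() - start) * 1000
        print(f"difficulty={difficulty:2d} hashes={tried:6d} "
              f"solve={solve_ms:8.2f}ms verify={verify_ms:.3f}ms ok={ok}")
```

Running the block shows solve time roughly quadrupling per two extra bits of difficulty while verify time stays flat, which is the whole design: the site operator tunes `difficulty` to something a single human visitor never notices and a bulk scraper cannot amortize. The HMAC tag and expiry matter as much as the hash puzzle, since without them a bot could solve one challenge once and replay it, or generate cheap challenges of its own.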
“Poisoning AI datasets is like peeing in the ocean,” jokes Iaso, underscoring the futility of AI companies attempting to halt her work without addressing the root causes (22:55).
Iaso remains committed to enhancing Anubis to safeguard small internet projects against relentless bot attacks.
The “Memory Leaks and Login Sneaks” episode of CyberWire Daily offers a robust analysis of current cybersecurity threats, vulnerabilities, and proactive measures. From critical exploits in major platforms like Citrix and Grafana to sophisticated attacks targeting developer environments and the innovative responses against AI scraper bots, the episode underscores the dynamic and evolving nature of cybersecurity challenges. Listeners are equipped with valuable insights from industry experts, enabling them to better understand and mitigate emerging threats in their own organizations.
For more detailed stories and daily briefings, visit The CyberWire.