CyberWire Daily: "Tea Time is Over" – July 29, 2025

Hosted by Dave Bittner of N2K Networks

Introduction

In today's episode of CyberWire Daily, host Dave Bittner delves into a series of significant cybersecurity incidents, explores vulnerabilities affecting major software platforms, and discusses the evolving tactics of cyber threat actors. The episode also features an in-depth conversation with Jason Schultz, Technical Leader for Cisco Talos Security Intelligence and Research Group, focusing on the security of PDF files and the unintended privacy challenges posed by data brokers.

Key Cybersecurity Incidents and Vulnerabilities

1. Major Breach in Dating App "T"

A second significant data breach has impacted the women's dating safety app "T," exposing over 1.1 million private messages. This breach includes highly sensitive user discussions about personal topics such as cheating and abortions, along with shared contact information like phone numbers and social media handles, making real identities vulnerable.

• Method of Breach: Attackers accessed a live database using users' own API keys, enabling them to view recent messages and even send push notifications to all users.

• Impact: The app, boasting 1.6 million users, faces scrutiny as the leaked data includes messages as recent as the previous week. The initial breach involved Firebase, which had already leaked selfies and IDs, now being exploited further.

• Response: "T" is actively investigating the breach with the assistance of cybersecurity experts and has engaged law enforcement authorities to address the situation.

2. CISA Identifies Critical Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog:

• Cisco ISE (Identity Services Engine): Two critical flaws allowing remote, unauthenticated attackers to gain root access via crafted API requests. These affect multiple ISE versions with no available workarounds other than patching.

• PaperCut NG&MF: A third vulnerability affects this print management software, with organizations advised to apply patches by August 18.

CISA has confirmed attempted exploits targeting these vulnerabilities, emphasizing the urgency for affected organizations to implement the necessary patches promptly.

3. Critical Flaw in Google's Gemini AI Assistant

Researchers at Tracebit have uncovered a critical vulnerability in Google's Gemini CLI, an AI-powered coding assistant. This flaw could allow silent remote code execution by leveraging improper input validation and prompt injection techniques.

• Attack Vector: Malicious actors exploited the AI's ability to process buried instructions within PDFs, such as annotations containing URLs, leading to data exfiltration, including sensitive credentials.

• Google's Response: Initially downplaying the issue, Google later acknowledged the severity and patched the flaw on July 25. This incident underscores the growing risks associated with agentic AI tools that possess broad system access and unpredictable behaviors.

4. Missouri Health System Settles Over Privacy Claims

BJC Health System in Missouri has agreed to a $9.25 million settlement over allegations of using web tracking tools that unlawfully shared patients' private data without consent. These tools reportedly transmitted sensitive information from platforms like Mychart to third-party firms, including Facebook and Google, affecting users between June 2017 and August 2022.

• Settlement Details: Eligible patients can claim $35 by October 8, with final approvals set for October 16. BJC Health System maintains that it did not engage in wrongdoing despite the settlement.

5. Sploit Light Bypasses Apple's TCC Framework

A newly patched macOS vulnerability, dubbed Sploit Light, enables attackers to bypass Apple's Transparency, Consent, and Control (TCC) framework, facilitating the theft of sensitive data.

• Exploitation Method: Leveraging Spotlight plugins, attackers can access data such as intelligence cache, geolocation, search history, facial recognition metadata, and information from iCloud-linked devices without detection.

• Apple's Mitigation: The flaw was addressed in the macOS Sequoia 15.4 update. However, the impact remains severe due to Sploit Light's capability to silently extract large volumes of user data.

6. Malware in Endgame Gear's Mouse Configuration Tool

Endgame Gear has confirmed that malware was embedded in a recent version of their mouse configuration tool, available on their official website between June 26 and July 9. Users who downloaded the tool during this window were infected, while clean versions remain accessible via other sources like GitHub and Discord.

7. Oyster Backdoor Spread Through Fake IT Tools

A sophisticated malvertising and SEO poisoning campaign has been spreading the Oyster backdoor (also known as Broomstick or Cleanup Loader) through trojanized versions of IT tools such as Putty and WinSCP. The campaign employs fake websites impersonating legitimate software portals to deceive IT professionals.

• Persistence Mechanism: Once the fake installers are executed, Oyster gains persistence by scheduling tasks to run malicious DLLs, enabling remote access and further malware deployment.

• Recent Activity: In July, a malicious Putty installer signed with a revoked certificate was discovered on a counterfeit site, with one recent infection being halted before causing damage.

8. FBI Seizes Bitcoin from Chaos Ransomware Gang

The FBI has successfully seized over $2.4 million in Bitcoin from the Chaos ransomware gang, which initially concealed 20.2 Bitcoin valued at approximately $1.7 million. The U.S. government is pursuing formal forfeiture, alleging the funds are linked to cybercrimes such as extortion and money laundering.

• Gang's Profile: Chaos ransomware group is believed to include former members of other cybercriminal organizations and has targeted various sectors. This seizure is part of a broader strategy under a March 2025 executive order to establish a strategic U.S. Bitcoin reserve from forfeited digital assets.

Interview with Jason Schultz: Security of PDF Files and Privacy Paradox of Data Brokers

Guest: Jason Schultz, Technical Leader, Cisco Talos Security Intelligence and Research Group

Security of PDF Files

Jason Schultz discusses the prevalent exploitation of PDF files in cyberattacks, emphasizing their ubiquity and the inherent flexibility of the PDF format that allows malicious actors to embed harmful content discreetly.

• Malicious PDF Techniques:

  • Inline Display: PDFs can be displayed directly within emails, eliminating the need for victims to click on attachments.
  • Hidden Content: Malicious URLs and links can be embedded as annotations, logos, or within QR codes, making them difficult to detect through standard security scans.

• Notable Quote:
  “There’s a lot of different places for malicious actors to be able to hide some of this link information... PDFs provide a lot of flexibility for where content is included.”
  (13:56)

• Attack Delivery Methods:

  • QR Codes and Phone Numbers: Attackers use QR codes or telephone numbers instead of clickable links. When scanned or called, they lead victims to phishing sites or connect them directly with attackers for social engineering.

• Telephone Oriented Attack Delivery (TOAD):

  • Description: Malicious emails contain phone numbers that, when called, engage victims in conversations designed to extract sensitive information or install further compromises.
  • Challenges: Phone numbers are less likely to be blocked or flagged by standard email security measures, allowing attackers to exploit delays in blocking these numbers.

• Notable Quote:
  “They’re just exploiting that sort of gap in the current protection that exists for most anti-spam services.”
  (21:25)

Recommendations for Organizations

1. Technical Defenses:

   • Implement brand impersonation detection tools to identify suspicious attachments and verify the authenticity of senders.
   • Monitor for anomalies in email attachments, such as mismatched logos or unexpected content within PDFs.

2. User Education:

   • Train employees to recognize and report suspicious emails, especially those prompting immediate actions like phone calls or QR scans.
   • Encourage verification of unsolicited communications through official channels rather than using provided contact information.

• Notable Quote:
  “Pairing the technical means of stopping this with the educational aspect is really the best way to sort of neutralize these malicious type emails.”
  (21:25)

Security of PDF Handling

Jason elaborates on how security packages typically scan the contents of PDFs for malicious content, but the flexibility of the PDF format allows attackers to conceal harmful elements in various sections of the file. This necessitates advanced detection mechanisms and user vigilance to mitigate risks effectively.

• Notable Quote:
  “Malicious actors can hide link information or even logos and things... inside of the PDF file format itself.”
  (14:06)

Unintended Privacy Paradox of Data Brokers

The episode also touches upon a study from UC Irvine highlighting the challenges users face when attempting to control their personal information held by data brokers.

• Key Findings:

  • Approximately 40% of California's registered data brokers ignored legally mandated requests for data disclosures.
  • Many data brokers implemented convoluted processes involving multiple forms, phone calls, and extensive verification steps, deterring users from successfully opting out.

• Implications:

  • This creates an unintended privacy paradox where efforts to enhance privacy inadvertently require individuals to divulge more personal information.
  • Critics argue that such practices amount to privacy theater, where the appearance of privacy protection exists without substantive action.

• Notable Quote:
  “Opt outs seem designed to discourage people from even trying to as one expert put it, it's privacy theater, just without an intermission.”
  (22:52)

Conclusion

Today's episode of CyberWire Daily underscores the dynamic and multifaceted nature of cybersecurity threats, from large-scale data breaches and critical software vulnerabilities to sophisticated social engineering tactics targeting everyday users. The insights shared by Jason Schultz highlight the importance of both technological defenses and user education in combating these evolving threats. Additionally, the discussion on the privacy paradox emphasizes the ongoing challenges in protecting personal data in an increasingly interconnected digital landscape.

Additional Resources:

• For detailed analysis and further information on today's topics, visit TheCyberWire.com.

Production Credits:

• Senior Producer: Alice Carruth
• Producer: Liz Stokes
• Mixing: Trey Hester
• Original Music: Elliot Peltzman
• Executive Producer: Jennifer Iban
• Publisher: Peter Kilpe

Thank you for listening to CyberWire Daily. Join us again tomorrow for more insights into the world of cybersecurity.