CyberWire Daily Summary: "Turbulence in the Cloud" (June 27, 2025)

Hosted by N2K Networks, the "CyberWire Daily" episode titled "Turbulence in the Cloud" delves into pressing cybersecurity incidents, industry updates, and expert insights shaping the digital landscape. Released on June 27, 2025, this episode provides a comprehensive overview of significant events and developments in the cybersecurity realm.

1. Hawaiian Airlines Reports Cybersecurity Incident

Timestamp: [02:00]

Hawaiian Airlines has recently disclosed a cybersecurity incident impacting some of its IT systems. While the specifics of the breach remain undisclosed, the airline assured passengers that all flights are maintaining safe operations without delays. The company is collaborating with cybersecurity experts and federal authorities to methodically restore affected systems. No information has been provided regarding potential compromises of customer data. This incident mirrors a similar attack on Canada’s WestJet Airlines less than two weeks prior. Notably, Hawaiian Airlines is in the process of integrating its systems with Alaska Airlines under a unified passenger service platform following its recent acquisition.

2. Microsoft Enhances Windows Resiliency Initiative Post-CrowdStrike Crash

Timestamp: [04:00]

Microsoft has provided an update on its Windows Resiliency Initiative (WRI), a strategic response to the 2024 CrowdStrike incident that led to widespread Windows outages. The problematic CrowdStrike update, released in July 2024, caused system crashes by utilizing kernel drivers for security functions. In response, Microsoft has embarked on redesigning its approach to minimize risks associated with endpoint security software interacting with the Windows kernel.

The WRI, initiated in November of the previous year, aims to bolster Windows' reliability and resilience. Microsoft is collaborating with prominent security vendors including CrowdStrike, BitDefender, SentinelOne, and Trend Micro to refine update processes. Starting next month, select partners will have the opportunity to preview a new security platform that permits antivirus and endpoint protection tools to operate in user mode rather than the kernel, thereby enhancing system stability and recovery capabilities.

Additional advancements from Microsoft include:

• Quicker PC Recovery: Streamlined processes for system recovery.
• Hot Patch Security Updates: Security patches can now be applied without necessitating system reboots.
• Windows 365 Reserve: Introduction of temporary cloud-based PCs to ensure continuity if primary devices fail.

Microsoft has also released an ebook on digital resilience, emphasizing the importance of these new features in safeguarding Windows environments.

3. Citrix Bleed 2 Vulnerability Under Active Exploitation

Timestamp: [06:30]

A critical vulnerability, identified as Citrix Bleed 2, has been discovered in Citrix’s Netscaler, ADC, and Gateway devices. This out-of-bounds read flaw is actively being exploited in the wild, allowing attackers to extract session tokens, bypass multi-factor authentication (MFA), and hijack user sessions. Similar to the 2023 Citrix Bleed vulnerability, Citrix Bleed 2 specifically targets session tokens rather than cookies, affecting multiple versions of the software.

ReliaQuest, a security firm, reports a medium confidence level in the active exploitation of this vulnerability, citing signs of session hijacking, MFA bypass attempts, LDAP reconnaissance, and suspicious activities originating from VPN-related IP addresses. Additionally, a separate memory overflow vulnerability associated with Citrix Bleed 2 is being exploited, potentially leading to denial of service (DoS) attacks. Citrix has urgently advised users to apply patches and terminate affected sessions to mitigate the threat.

4. Critical Vulnerability in OpenVSX Disclosed

Timestamp: [09:00]

Researchers at COI Security have unveiled a critical vulnerability in OpenVSX, the open-source extension marketplace maintained by the Eclipse Foundation. The flaw exposes the publishing account’s secret token to any extension or its dependencies, effectively granting attackers super admin credentials. This vulnerability poses a severe risk, allowing malicious actors to publish harmful extensions or overwrite existing ones, thereby jeopardizing over 8 million developers who utilize OpenVSX through editors like VS Code, Cursor, Gitpod, and Windsurf.

Koi Security highlighted the potential for attackers to deploy keyloggers, information stealers, or backdoors, presenting a supply chain risk akin to the SolarWinds incident. Discovered in early May, the vulnerability has since been patched after thorough vetting. Attempts by Security Week to obtain comments from the Eclipse Foundation have not yet yielded a response.

5. Malware 'Skynet' Utilizes Prompt Injection to Evade AI Analysis

Timestamp: [11:30]

Check Point researchers have identified a malware specimen named Skynet, which employs prompt injection techniques to circumvent AI-driven code analysis tools. Uploaded to VirusTotal in early June, the malware includes strings directing large language models (LLMs) to function as calculators, thereby misleading AI systems into reporting no malicious activity detected.

Skynet remains a proof-of-concept rather than a fully operational malware, featuring byte-wise rotating XOR obfuscation with a hard-coded key and sandbox evasion techniques. It decrypts an embedded Tor client to establish a controllable proxy before self-deleting its installation to obscure its presence. OpenAI's O3 and GPT 4.1 models successfully identified the prompt injection as a jailbreak attempt. Experts warn that such methods represent the next frontier in malware development, aiming to exploit AI defenses through sophisticated injection and jailbreak strategies.

6. Amnesty International Condemns Cambodia's Negligent Response to Online Scamming

Timestamp: [13:45]

Amnesty International has denounced Cambodia for its inadequate response to human trafficking within online scamming operations. A two-year study published on Thursday detailed 53 active scam centers where individuals are coerced into perpetrating fraudulent activities under threat of violence from armed guards. Victims are enticed with bogus job offers, confined in compound-like prisons, and compelled to engage in cryptocurrency scams, fake website creation, and bank account setups for money laundering.

Amnesty’s report highlights "pig butchering scams," where scammers cultivate trust before defrauding victims. Despite some police interventions, abuses persist, with authorities often only assisting those who proactively reach out for help, neglecting others. Survivors have also reported collusion between law enforcement and traffickers. The United Nations estimates that Southeast Asia’s scam centers generate approximately $40 billion annually. In retaliation, the Thai government has shut down border crossings and halted fuel exports to Cambodia, as organized criminal networks relocate from Myanmar to Cambodia.

7. Senators Propose Ban on AI Tools from Foreign Adversaries

Timestamp: [16:00]

Senators Rick Scott and Gary Peters have introduced the No Adversarial AI Act, aiming to prohibit federal agencies from utilizing AI tools developed by nations considered foreign adversaries, including China, Russia, Iran, and North Korea. The bill stipulates the creation and periodic updating (every 180 days) of a federal list that identifies prohibited AI tools, such as China’s DeepSeq, which is alleged to support China's military operations and share user data with its government.

The legislation allows exceptions for research purposes, contingent upon written justification to Congress. The primary objectives are to safeguard national security and protect personal data from exploitation by adversarial AI systems. This legislative move echoes previous bans on foreign software like TikTok and Kaspersky, underscoring the necessity to secure U.S. government technology against evolving cyber threats. The proposal follows an incident where a USDA employee was blocked from accessing DeepSeek, reinforcing the urgency of such measures.

8. Patrick Ware Appointed as Executive Director of US Cyber Command

Timestamp: [18:30]

Patrick Ware, a 34-year veteran of the NSA, has been appointed as the Executive Director of US Cyber Command, ascending to its top civilian leadership position. Ware succeeds Morgan Adamski, who is anticipated to transition to the private sector after serving since June 2024. Historically, the role has been filled by an NSA official, making Ware’s appointment a continuation of this tradition.

Ware’s appointment comes amid leadership uncertainties, with Cyber Command lacking a permanent chief since the dismissal of General Timothy Hogg three months prior. A proposed appointment of Lieutenant General Richard Angle was reportedly declined by the White House for undisclosed reasons. In his new role, Ware will oversee strategic initiatives, talent management, and partnerships, particularly during the ongoing Cyber Command 2.0 overhaul. Ware holds electrical engineering degrees from the University of Maryland and Johns Hopkins University. His expertise is expected to guide the command through forthcoming challenges and opportunities.

9. Interview: Maria Ramazes with Ian Itz on IoT and Satellite Communications

Timestamp: [20:00]

In the episode's featured interview, Maria Ramazes engages with Ian Itz, Executive Director of the IoT Line of Business at Iridium Communications. The discussion centers on Iridium's role in enabling IoT devices, such as sensors and trackers, to communicate directly with satellites, bypassing terrestrial infrastructure.

Key Highlights from the Interview:

• Ian Itz's Background and Role: Itz shares his journey from working on satellite navigation technologies to leading Iridium’s IoT division, emphasizing his passion for small, reliable mobile devices.

  "I always aspired to be part of the Iridium team. They had all the pieces right—great constellation, small devices, reliable products." [14:56]

• Defining IoT in Satellite Context: IoT is characterized by small devices transmitting minimal data efficiently over satellite networks, making it ideal for environments lacking terrestrial coverage.

• Advancements in IoT Capabilities: Iridium is developing new modules capable of transmitting richer data sets, including images and voice snippets, enhancing applications for safety-of-life scenarios.

  "The ability to send images and voice snippets from remote locations aids in situations where someone might be injured." [19:27]

• Integration with Cloud and AI: Iridium has integrated with major cloud platforms like AWS, enabling seamless data transmission and leveraging edge computing, machine learning, and AI to optimize data usage and reduce costs.

  "Edge computing and AI give users the benefit of analyzing their data and making decisions on the edge, only passing critical data over satellite links." [21:29]

• Vision for Non-Terrestrial Networks (NTN): The goal is to create a seamless connectivity experience where users remain unaware of the underlying satellite or terrestrial network being used.

  "The transition to satellite should be seamless from the customer’s perspective. They just want to send data without knowing which network is providing the service." [25:32]

• Developer Support: Iridium emphasizes developer-friendly tools, offering kits that allow quick deployment and integration of satellite communication capabilities.

  "For our latest module, you can receive a kit within a couple of days and start transmitting within minutes." [26:50]

This interview underscores Iridium’s pivotal role in advancing IoT applications through robust satellite communications, highlighting the intersection of satellite technology with cloud computing and AI.

10. Kansas City Hacker Pleads Guilty in Unconventional Marketing Scheme

Timestamp: [28:00]

In a case that underscores the unconventional methods employed by cybercriminals, Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking multiple organizations to promote his own cybersecurity services. Prosecutors describe Kloster’s tactics as bold yet unsophisticated. His actions included:

• Gym Infiltration: Accessed security cameras, erased personal photos, and reduced his membership fee to $1, subsequently offering professional services via email.

• Non-Profit Breach: Utilized a boot disk to reset passwords and install VPN software for ongoing access, likely in preparation for future unsolicited service offers.

• Unauthorized Purchases: Employed his employer’s credit card to buy a hacking thumb drive, leading to his termination.

Kloster faces up to five years in prison and substantial fines for his actions, serving as a cautionary tale of how cybercrime can intersect with misguided entrepreneurial ventures.

Conclusion

This episode of "CyberWire Daily" provides an insightful overview of current cybersecurity challenges and innovations. From significant vulnerabilities affecting major corporations and critical infrastructure to legislative measures aimed at securing AI use, the discussions highlight the dynamic and evolving nature of cybersecurity threats and defenses. The interview with Ian Itz further illuminates the symbiotic relationship between IoT and satellite communications, showcasing how industry leaders are navigating and shaping the future of connected technologies. Lastly, the case of Nicholas Kloster serves as a reminder of the varied motivations and methods within the cybercriminal landscape.

For detailed updates and expert analyses, tuning into "CyberWire Daily" remains essential for staying informed in the fast-paced world of cybersecurity.