Risky Bulletin: SentinelOne Dodges a Chinese APT Hack
Release Date: June 11, 2025 | Host: Caitlin Sorey | Source: Risky Business Team
1. SentinelOne’s Defense Against Chinese APT Attacks
Caitlin Sorey opens the episode with an attempted intrusion at SentinelOne. According to the company, Chinese hackers tried to get into its network through one of its hardware logistics vendors, but "SentinelOne stopped the intrusion before it reached SentinelOne's network" (00:04). The activity was attributed to a group affiliated with the Chinese government, identified as Salt Typhoon. Sorey notes that SentinelOne had earlier detected "extensive reconnaissance of its Internet exposed systems," which points to a deliberate, well-prepared espionage effort rather than opportunistic scanning.
The episode also mentions unconfirmed reports of breaches at telecommunications company Comcast and data center operator Digital Realty. These reports rely on anonymous sources within the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), as cited by Nextgov; neither company has publicly confirmed a breach.
2. Cyber Attack Disrupts U.S. Grocery Distributor
The episode then turns to United Natural Foods (UNFI), the largest grocery distributor in the United States. UNFI suffered a cyber attack that forced the company to "proactively take some IT systems offline" (00:04). The outage has disrupted its ability to fulfill and deliver customer orders, with knock-on effects for the U.S. grocery supply chain.
3. Insights on U.S. Cyber Intelligence Strategy
Tulsi Gabbard, the U.S. Director of National Intelligence, is featured discussing the strategic direction of the intelligence community. Gabbard argues against agencies building their own proprietary tooling, saying that "U.S. agencies should buy tools from the private sector and focus on their core missions" (00:04). This echoes a position taken by her predecessor, former DNI Avril Haines, who likewise urged agencies to draw on private-sector expertise and capabilities to strengthen national cybersecurity efforts.
4. Leadership Change in the FBI’s Cyber Division
In a personnel update, Brett Leatherman has been appointed to lead the FBI's Cyber Division. Leatherman brings more than two decades of experience and has worked on major investigations including those into LockBit, Salt Typhoon, and Volt Typhoon. He succeeds Bryan Vorndran, who has left the Bureau to become a deputy chief information security officer at Microsoft (00:04).
5. Data Breach at Texas Department of Transportation
The episode also covers a data breach at the Texas Department of Transportation, where hackers stole over 300,000 crash reports on May 12. The attackers got in by compromising an employee account and used it to download reports containing names, addresses, vehicle registration details, and insurance information. The department is notifying those affected (00:04).
6. Paragon Solutions Ends Contract with Italy Over Privacy Concerns
Paragon Solutions, an Israeli spyware vendor, has terminated its contract with the Italian government. The decision follows reports, first published in February, that Italy had used Paragon's platform to target journalists and activists. Paragon cited Italy's refusal to cooperate with an investigation into the alleged abuses as the primary reason for ending the partnership. Italian company NEG has since been contracted to provide alternative surveillance capabilities (00:04).
7. Kazakhstan Detains Individuals for Data Sale on Telegram
Kazakhstan authorities have detained 140 individuals accused of selling citizens' personal data on Telegram. The group allegedly pulled the data from government databases and sold some of it to debt collection agencies. The case reflects growing scrutiny of insider access to state records and the illicit trade in personal information (00:04).
8. Russian Border Authorities Crack Down on Ukrainian Travelers’ Digital Footprints
Russian border authorities have been denying entry to Ukrainian travelers whose phones have been "wiped clean," meaning deleted image galleries, messages, chats, or YouTube watch history. Some of those turned away have tried, unsuccessfully, to challenge the decisions in court (00:04).
9. Middle Eastern APT Group Exploits Windows WebDAV Zero-Day
The Middle Eastern cyber espionage group Stealth Falcon has been exploiting a Windows WebDAV zero-day (CVE-2025-33053) in phishing attacks. Victims who opened the malicious WebDAV links ended up running malware served from attacker-controlled WebDAV servers. Check Point Research attributed the attacks to Stealth Falcon, and Microsoft patched the vulnerability in this month's Patch Tuesday release. Separately, starting in July Microsoft will block two more attachment types in Outlook, .library-ms and .search-ms, both of which can be abused in the same way to make Windows reach out to a remote server (00:04).
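The episode doesn't go into the mechanics of the lure files, but the common thread between the WebDAV links used here and the .library-ms and .search-ms types Outlook will block is a file whose target resolves to a WebDAV share. As an added example, not code from Check Point or Microsoft, the following mail-gateway triage helper flags .url and .library-ms/.search-ms attachments whose targets use Windows' WebDAV UNC syntax (`\\host@SSL@443\DavWWWRoot\...`, `\\host@80\...`) or a `file:` URL with the same host form. The sample attachments are constructed, and the set of .url keys inspected (URL, WorkingDirectory, IconFile) is an assumption about where such targets are typically placed.

```python
import re
import xml.etree.ElementTree as ET

# Windows' WebDAV Mini-Redirector resolves UNC paths of the form
# \\host@SSL@443\... or \\host@80\..., and the DavWWWRoot segment, to a
# WebDAV share on that host. Any attachment target of this shape fetches
# content from a remote server when Windows processes it.
WEBDAV_RE = re.compile(
    r'\\\\[\w.-]+@(?:ssl(?:@\d+)?|\d+)\\|\\davwwwroot\\', re.IGNORECASE
)

def is_webdav_target(target):
    """True if a .url/.library-ms target resolves to a WebDAV share."""
    t = target.strip()
    if t.lower().startswith("file:"):      # file://host@80/share -> UNC form
        t = t[5:]
    t = t.replace("/", "\\")
    return bool(WEBDAV_RE.search(t))

# Keys in an [InternetShortcut] file that can carry a remote target (assumption).
URL_FILE_KEYS = ("url", "workingdirectory", "iconfile")

def webdav_targets_in_url_file(text):
    """Scan an InternetShortcut (.url) body and return WebDAV-resolving values."""
    found = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in URL_FILE_KEYS and is_webdav_target(value):
            found.append(value.strip())
    return found

def webdav_targets_in_xml(text):
    """Scan every element text and attribute of an XML library/search file."""
    found = []
    for el in ET.fromstring(text).iter():
        for value in [el.text or ""] + list(el.attrib.values()):
            if is_webdav_target(value):
                found.append(value.strip())
    return found

def triage_attachment(filename, content):
    """Return the list of WebDAV targets found in a shortcut-type attachment."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "url":
        return webdav_targets_in_url_file(content)
    if ext in ("library-ms", "search-ms"):
        return webdav_targets_in_xml(content)
    return []

# Constructed samples (not real lures). The first two point at WebDAV hosts,
# the last two are ordinary intranet/web targets and should not be flagged.
SAMPLE_URL_FILE = """\
[InternetShortcut]
URL=file://198.51.100.23@80/DavWWWRoot/report.pdf
WorkingDirectory=\\\\198.51.100.23@80\\DavWWWRoot\\
IconIndex=13
"""

SAMPLE_LIBRARY_MS = """\
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.5@SSL@443\\DavWWWRoot\\docs</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.test/minutes.html\n"
BENIGN_LIBRARY_MS = (
    '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    "<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
    "<url>\\\\fileserver\\shared</url></simpleLocation></searchConnectorDescription>"
    "</searchConnectorDescriptionList></libraryDescription>"
)

if __name__ == "__main__":
    for name, body in [("report.url", SAMPLE_URL_FILE), ("docs.library-ms", SAMPLE_LIBRARY_MS),
                       ("minutes.url", BENIGN_URL_FILE), ("shared.library-ms", BENIGN_LIBRARY_MS)]:
        hits = triage_attachment(name, body)
        print(f"{name}: {'BLOCK ' + str(hits) if hits else 'ok'}")
```

A plain `\\fileserver\share` UNC is deliberately not flagged, since blocking every UNC reference would break legitimate intranet shortcuts; the regex keys on the port/SSL suffix and the DavWWWRoot segment that only WebDAV paths carry.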
10. Exposure of Danabot Malware Operators through Memory Leak
A memory leak in DanaBot's command-and-control servers exposed information about the malware's operators. Zscaler found that the C2 software leaked server memory contents in its responses, revealing threat actor names, IP addresses, and cryptographic keys over roughly three years. The leaked data aided the investigation that led authorities to seize DanaBot's infrastructure in May and charge 16 suspects (00:04).
11. Surge in Mass Internet Scanning and Its Implications
Human Security reports a sharp rise in mass Internet scanning, which now accounts for nearly 70% of all bot traffic. A large share of that reconnaissance consists of mass scans for exposed .git directories and .env files, which frequently contain credentials an attacker can use for follow-on intrusions. The trend shows how much attacker effort now goes into hunting for leaked secrets rather than classic software vulnerabilities (00:04).
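These scans leave a distinctive footprint in web server logs: one source requesting a handful of secret-file paths in quick succession, and a 200 response on any of them means something has actually been exposed. As an added example, not code from Human Security, the following detector parses Combined Log Format access log lines, matches requests against the .env and .git paths the report describes (plus two common additions, `.aws/credentials` and `.ssh/id_rsa`, which are an assumption), and reports sources that probed several of them, separating plain probes from paths that were served. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Combined Log Format sample (not real traffic). 203.0.113.7 runs
# a secret-file sweep and two probes succeed; 198.51.100.4 makes one stray
# .env request; 192.0.2.9 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:02:14:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Jun/2025:02:14:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Jun/2025:02:14:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [10/Jun/2025:02:14:02 +0000] "GET /.env.production HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.4 - - [10/Jun/2025:02:20:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:02:20:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2025:02:21:00 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Secret-file paths scanners sweep for. The .env and .git families are the ones
# the report describes; .aws/credentials and .ssh/id_rsa are added (assumption).
SECRET_PATH_RE = re.compile(
    r'^/(?:\.env(?:\.[\w-]+)?|\.git/(?:config|HEAD|index)|\.aws/credentials|\.ssh/id_rsa)$'
)

def parse_line(line):
    """Parse one access log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query strings
    return rec

def find_secret_scanners(log_text, min_distinct_paths=2):
    """Map source IP -> {"paths": probed secret paths, "hits": paths served with 200}
    for sources that requested at least min_distinct_paths distinct secret paths."""
    probes = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SECRET_PATH_RE.match(rec["path"]):
            continue
        probes[rec["ip"]].add(rec["path"])
        if rec["status"] == 200:
            hits[rec["ip"]].add(rec["path"])
    return {
        ip: {"paths": sorted(paths), "hits": sorted(hits[ip])}
        for ip, paths in probes.items()
        if len(paths) >= min_distinct_paths
    }

if __name__ == "__main__":
    for ip, info in find_secret_scanners(SAMPLE_LOG).items():
        level = "EXPOSED" if info["hits"] else "probed"
        print(f"{ip}: {level} paths={info['paths']} served={info['hits']}")
```

The `hits` list is the part worth paging someone for: a 404 on `/.env` is background noise on any public host, whereas a 200 on `/.git/config` means the repository metadata, and likely its history, is downloadable, and the response should be treated as a credential exposure until proven otherwise.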
12. Romanian Distillery Network Fuels Scams; Google Patches Looker Studio Bug
One of the most prolific sources of Internet scams this year has been identified as the hacked network of a major Romanian distillery. In unrelated news, Google has patched a vulnerability in its Looker Studio data visualization product that could expose user account details, including real names and phone numbers; the bug let attackers extract information through the no-JavaScript version of Google's password recovery interface. Security researcher brutecat, who discovered the bug, received a $5,000 reward from Google (00:04).
13. Accusations Against Apple for Undisclosed Zero-Click iMessage Exploit Patch
Closing the episode, a security researcher has accused Apple of quietly patching a zero-click iMessage exploit. Joseph Goydish says the exploit could have been used for remote code execution and to steal Secure Enclave keys and cryptocurrency wallet data. He contends that Apple fixed two bugs from the exploit chain in April without crediting or acknowledging him, even though he followed responsible disclosure (00:04). The dispute raises familiar questions about transparency and researcher recognition in vendor security programs.
This episode of Risky Bulletin provides a comprehensive overview of recent cybersecurity threats, breaches, and strategic responses within various sectors. From thwarted Chinese APT attacks on SentinelOne to significant data breaches and strategic shifts in U.S. intelligence operations, the bulletin underscores the ever-evolving landscape of cyber threats and the critical measures being undertaken to combat them.
