PODCAST · news
Cyber Mornings Daily
by Alice & Bob
Cyber Mornings Daily is your go-to daily podcast for the latest cybersecurity news, trends, and insights, delivered by AI. Each episode delivers a concise and informative breakdown of the most pressing cyber threats, vulnerabilities, and breaches.
-
97
May 13th, 2026
RubyGems attack, Exim RCE risk, TrickMo turns phones into pivots
-
96
May 12th, 2026
npm supply chain worm, Canvas leak deal, cPanel backdoor abuse
-
95
May 11th, 2026
Purple teaming goes autonomous, Hugging Face stealer, Ollama memory leak
-
94
May 10th, 2026
Active PAN-OS RCE, PAM backdoor, cPanel patching
-
93
May 9th, 2026
WhatsApp trojan spreads, Linux supply-chain RAT, 7.3M scam apps
-
92
May 8th, 2026
PAN-OS RCE, cloud worm steals creds, Ivanti EPMM exploited
-
91
May 7th, 2026
Phone Link OTP theft, MuddyWater Teams lure, PyPI supply chain malware
-
90
May 6th, 2026
PAN-OS RCE, DAEMON Tools backdoor, MetInfo RCE exploitation
-
89
May 5th, 2026
cPanel weaponized, Weaver RCE exploited, Microsoft phishing surge
-
88
May 4th, 2026
cPanel weaponized, SaaS extortion, China-linked espionage
-
87
May 3rd, 2026
Patch cPanel auth bypass, fix Linux root bug, watch SaaS extortion
-
86
May 1st, 2026
Supply-chain credential theft, PyPI package compromise, cross-distro local root exploit
-
85
April 30th, 2026
Critical Gemini CLI RCE, SAP npm packages compromised, cPanel zero-day exploited
-
84
April 29th, 2026
GitHub critical RCE via single git push, LiteLLM SQL-injection enabling credential theft, and VECT 2.0 ransomware that irreversibly destroys large files.
-
83
April 27th, 2026
Supply-chain leaks, GlassWorm extensions, TrueConf exploit chains
-
82
September 19th, 2025
Cyber Mornings Daily brings you the latest cybersecurity news, starting with the UK arrests of 'Scattered Spider' teenagers linked to the Transport for London hack and US healthcare attacks, with one suspect facing charges for over 120 global network breaches. We also examine ShinyHunters' claim of 1.5 billion Salesforce records stolen through compromised Salesloft Drift OAuth tokens, along with FBI warnings about associated threat actors and Google's confirmation of a fraudulent law enforcement account. Today's show also covers the ransomware breach at VC giant Insight Partners, which compromised thousands after a sophisticated social engineering attack, and reviews alarming trends like the doubling of password cracking incidents.
-
81
September 4th, 2025
For today's Cyber Mornings Daily, we're tracking major headlines in digital privacy and online security. French regulators have fined Google $379 million and Chinese e-commerce giant Shein $175 million for violating cookie consent laws, specifically for setting advertising cookies on users' browsers without securing their consent and encouraging choices that favored personalized advertisements. Google also faces a $425 million judgment in the U.S., as a jury found the company violated users' privacy by collecting their data even after they opted out of Web & App Activity tracking. Child data privacy is a significant focus as well, with Disney agreeing to a $10 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that it collected personal data from children watching YouTube videos without parental notification or consent, violating the U.S. Children's Online Privacy Protection Rule (COPPA). The FTC is also taking action against Apitor Technology, a China-based robot toy maker, for allegedly permitting a third-party to collect children's geolocation data without their knowledge and parental consent via its Android app. In a new and evolving threat, actors are exploiting X's built-in AI assistant, Grok, to bypass link posting restrictions. This technique, dubbed "Grokking," involves hiding malicious links in video ad metadata and then prompting Grok to reply with the clickable link, thereby boosting its credibility and reach to millions of impressions. Lastly, in a major law enforcement success, the Alliance for Creativity and Entertainment (ACE) and Egyptian authorities have successfully disrupted Streameast, which was identified as the world's largest illegal live sports streaming network, leading to the arrest of two individuals allegedly associated with the operation and the redirection of many of its domains.
-
80
September 3rd, 2025
On today's Cyber Mornings Daily, we discuss Cloudflare's recent mitigation of a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps), lasting about 35 seconds and primarily originating from Google Cloud. This incident highlights a significant increase in hyper-volumetric DDoS attacks, which rose from 700 in Q1 2025 to 6,500 in Q2 2025, often launched by botnets like RapperBot. We then cover a major privacy development as Disney agrees to pay $10 million to settle claims from the U.S. Federal Trade Commission (FTC). The claims state that Disney illegally collected children's personal data on YouTube by failing to correctly label "kid-directed" videos as "Made for Kids" (MFK), thereby violating the Children's Online Privacy Protection Rule (COPPA). The settlement also mandates Disney to notify parents before collecting children's data and implement a new program to ensure correct video designation. Finally, we examine a substantial cybercrime attempt where hackers tried to steal $130 million from Sinqia S.A., Evertec's Brazilian subsidiary. The breach occurred on August 29, 2025, when hackers gained unauthorized access to Sinqia’s environment on Brazil's Pix payment system using stolen IT vendor credentials. While some funds have been recovered, the investigation is ongoing, and Sinqia's access to Pix has been temporarily revoked by the Central Bank of Brazil.
-
79
September 2nd, 2025
Welcome to Cyber Mornings Daily! This week, we're covering a range of critical cybersecurity incidents and updates. Jaguar Land Rover recently announced that a cyberattack "severely disrupted" its production and retail operations, forcing the company to proactively shut down certain systems as a mitigation effort. While the automaker stated there is no evidence of customer data theft at this stage, dealers faced issues registering new cars and supplying parts. The incident, which occurred over a weekend, has no public timeline for resolution or details on the attack type. In proactive security news, Microsoft is set to enforce multi-factor authentication (MFA) for all Azure resource management actions starting in October 2025, as part of its Secure Future Initiative (SFI). This move, which applies to users performing create, update, or delete operations via Azure CLI, PowerShell, SDKs, and APIs, aims to protect against unauthorized access, with Microsoft noting that 99.99% of MFA-enabled accounts resist hacking attempts. Finally, the fallout continues from a major data breach at AI chatbot maker Salesloft, involving the mass-theft of authentication tokens from its Drift application. Google's Threat Intelligence Group (GTIG) warned that attackers, tracked as UNC6395, stole valid authentication tokens for hundreds of integrated corporate services, including Slack, Google Workspace, Amazon S3, and Microsoft Azure, and siphoned large amounts of data while searching for sensitive credentials. Google has strongly advised organizations using Salesloft Drift with third-party integrations to consider their data compromised and immediately invalidate all affected tokens, highlighting the concern of "authorization sprawl" where legitimate access tokens are abused by attackers. Salesloft has engaged Mandiant to investigate the breach's root cause.
-
78
July 15th, 2025
Recent cybersecurity reports highlight significant vulnerabilities and a proactive defense strategy. One notable incident involved McDonald's McHire job chatbot platform, which exposed chat transcripts and personal data from over 64 million job applications due to a combination of an Insecure Direct Object Reference (IDOR) vulnerability and the use of weak default credentials, "123456" for both login and password, on a test franchise's admin panel. This allowed researchers to access details like names, email addresses, phone numbers, and home addresses, with the issue being reported and subsequently fixed by Paradox.ai, the platform provider. Separately, a Google Gemini flaw enables attackers to create phishing scams by embedding invisible prompt injections within emails; when Gemini summarizes these emails, it obeys the hidden directives, potentially presenting fake security alerts to users without needing attachments or direct links. To counter such evolving threats and strengthen national cybersecurity, the UK's National Cyber Security Centre (NCSC) has launched a new Vulnerability Research Initiative (VRI), aiming to improve the UK's ability to identify and understand software and hardware vulnerabilities through structured collaboration with external cybersecurity experts, including those in emerging areas like AI-powered vulnerability discovery.
-
77
July 7th, 2025
The sources provided discuss two primary topics: recent cybersecurity incidents and advancements in artificial intelligence. One significant cybersecurity event is the ongoing outage at IT giant Ingram Micro, which was caused by a SafePay ransomware attack that led to the shutdown of internal systems. It is believed that the threat actors initially breached Ingram Micro through its GlobalProtect VPN platform, impacting systems such as the Xvantage and Impulse platforms, though other internal services like Microsoft 365, Teams, and SharePoint continued to operate. The SafePay ransomware operation, which emerged in November 2024 and has accumulated over 220 victims, is known for breaching corporate networks via VPN gateways using compromised credentials or password spray attacks. Another major cybersecurity incident reported is a hacker's threat to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica. The hacker, known as "Rey" and a member of the Hellcat Ransomware group, claims the breach occurred due to a Jira misconfiguration, and the purportedly leaked data includes internal communications, purchase orders, internal logs, customer records, and employee data. On the artificial intelligence front, the sources cover OpenAI's plans for GPT-5, which is expected to unify breakthroughs from different models. OpenAI aims for GPT-5 to combine the reasoning capabilities found in its "o" series and the multi-modality of its GPT-series, intending to make existing models significantly better and reduce the need for model switching.
-
76
June 11th, 2025
A significant vulnerability was found in Google that allowed researchers to brute-force recovery phone numbers for Google accounts, creating a substantial risk for targeted phishing and SIM-swapping incidents. Another key topic is Microsoft Outlook's planned security enhancement to block additional risky attachment types, such as .library-ms and .search-ms files, starting in July 2025, which aims to counter their past use in malware and phishing schemes. Lastly, the sources describe the 'EchoLeak' attack, identified as the first zero-click AI vulnerability affecting Microsoft 365 Copilot, which enabled the exfiltration of sensitive data from a user's context without any interaction, highlighting a new category of large language model scope violations.
-
75
June 9th, 2025
United Natural Foods (UNFI), a large grocery wholesale distributor, experienced an attack that forced them to take certain systems offline, disrupting customer orders. Kettering Health, a healthcare network, confirmed a breach by the Interlock ransomware group, which stole data, including sensitive patient and personnel information. The Interlock group is noted as a newer ransomware operation that frequently targets healthcare organizations. Additionally, Optima Tax Relief, a tax resolution firm, was hit by the Chaos ransomware gang, leading to the theft and leaking of corporate and customer data containing sensitive personal information. These incidents highlight the ongoing threat of cyberattacks, including those involving ransomware and data exfiltration, impacting various sectors.
-
74
June 2nd, 2025
The Federal Criminal Police Office of Germany (BKA) has identified Vitaly Nikolaevich Kovalev as the alleged leader of the Trickbot and Conti cybercrime gangs, known for using various malware variants including Ryuk and Diavol, and for infecting hundreds of thousands of systems worldwide to obtain significant funds. This identification follows leaks like TrickLeaks and ContiLeaks which exposed Kovalev's leadership and contributed to Conti's shutdown. In a related effort under Operation Endgame, international law enforcement took down AVCheck, a service cybercriminals used to test malware against antivirus software, highlighting the ecosystem of counter antivirus and crypting services used to make malware undetectable. Separately, companies such as Victoria's Secret are experiencing security incidents, which led to them taking down their website and some in-store services as a precaution while they investigate. These incidents are part of a broader trend affecting retailers, with groups like DragonForce and Scattered Spider linked to attacks on companies like Marks & Spencer, Dior, and Adidas.
-
73
May 23rd, 2025
These news excerpts focus on recent cybersecurity incidents and legal actions. One article details the FTC's order requiring GoDaddy to improve its security measures following multiple data breaches. Another reports on a system-wide outage at Kettering Health attributed to a likely ransomware attack, forcing canceled procedures. The third piece covers a college student pleading guilty to cyber extortion for stealing and threatening to leak student and teacher data from PowerSchool. Together, the articles highlight the ongoing threats of cyberattacks and the efforts by regulatory bodies and law enforcement to address security failures and criminal activity.
-
72
May 19th, 2025
One source details a global cyberespionage campaign called 'RoundPress', attributed with medium confidence to the Russian state-sponsored hackers APT28. This campaign targeted government webmail servers in various countries by exploiting XSS vulnerabilities in products like Roundcube, Horde, MDaemon, and Zimbra to steal credentials and email content. Another source describes a new tool named 'Defendnot' that can disable Microsoft Defender on Windows devices. This tool functions by registering a fake antivirus product using an undocumented Windows Security Center API and injecting a DLL into a trusted system process to bypass security checks. A separate source reports on a data breach at Nova Scotia Power, a Canadian utility, where hackers stole sensitive customer data including personal information, account history, and in some cases, bank account and Social Insurance Numbers. The company discovered the unauthorized access and later confirmed the data theft, offering credit monitoring services to affected customers.
-
71
May 14th, 2025
Android 16 is introducing expanded 'Advanced Protection' with device-level security, strengthening defenses against spyware and consolidating features like verified boot, strong sandboxing, and automatic reboots. The sources also detail a new "Branch Privilege Injection" flaw, tracked as CVE-2024-45332, in modern Intel CPUs that allows sensitive data leakage from privileged memory by exploiting a race condition in branch predictors. Finally, the material discusses the iClicker student engagement platform website being compromised in a "ClickFix" attack, where a fake CAPTCHA prompt tricked students and instructors into installing malware by pasting and executing a PowerShell script from their clipboard. These topics highlight recent developments in mobile security, hardware vulnerabilities, and social engineering techniques used in website compromises.
-
70
May 12th, 2025
Based on the sources provided, the primary topics covered include a recent data breach affecting over 430,000 patients of the Ascension healthcare system, which was linked to a vulnerability in third-party software used by a former business partner. The sources also detail ongoing cyberattacks targeting SAP NetWeaver servers by Chinese hackers who are exploiting a maximum severity vulnerability that allows remote code execution. Additionally, the sources discuss a new feature being added to Microsoft Teams that will block screen capture during meetings to help protect sensitive information shared by users.
-
69
April 29th, 2025
Based on the sources, the key topics focus on recent cybersecurity incidents. One significant event detailed is a ransomware attack against Hitachi Vantara, where the company took servers offline to contain the incident attributed to the Akira ransomware operation. Akira has impacted over 300 organizations and collected millions in ransom payments. The sources also describe a Chinese espionage campaign by a group called PurpleHaze, which attempted reconnaissance against cybersecurity company SentinelOne's infrastructure and customers. This group utilizes tools like ORB networks and backdoors such as GoReShell and ShadowPad. Furthermore, a data breach at VeriSource Services is reported, impacting four million people by exposing sensitive personal data including names, addresses, dates of birth, genders, and Social Security numbers. Although the incident occurred in February 2024, the full scope wasn't determined until April 2025, leading to delayed notifications.
-
68
April 28th, 2025
One major topic is a technical issue at Coinbase where a logging error misidentified failed password attempts as "2FA failures," leading to user concerns about account compromise and potential misuse of these errors in social engineering attacks. Another significant topic is the evolution of the ransomware landscape, specifically the DragonForce group's introduction of a "ransomware cartel" model offering white-label branding and infrastructure to other ransomware operations. Finally, the sources also discuss Google's advancements in its Unified Security platform, including new features for threat detection, automation, and integration of Mandiant's threat intelligence, as well as key findings from Mandiant's 2025 M-Trends report on attack trends.
-
67
April 23rd, 2025
The sources discuss several recent cybersecurity incidents, including how hackers are exploiting Zoom's remote control feature to conduct crypto-theft attacks. This involves social engineering tactics where attackers impersonate legitimate entities to trick users into granting remote access, potentially leading to the theft of sensitive data and cryptocurrency. Additionally, Marks & Spencer confirmed they are dealing with a cyberattack that has impacted their operations, particularly the Click and Collect service. Furthermore, SK Telecom issued a warning about a malware attack that resulted in the exposure of customer USIM data. The sources also include tutorials on various computer security and maintenance tasks, such as accessing the dark web, using the Windows Registry Editor, removing malware, and showing hidden files.
-
66
April 21st, 2025
The sources discuss several important cybersecurity topics, including vulnerability management with the active exploitation of a Microsoft NTLM vulnerability (CVE-2025-24054) that could lead to leaked credentials and system compromise. The exploitation requires minimal user interaction and is currently targeting specific organizations, emphasizing the need for immediate patching. Another critical issue highlighted is a maximum severity flaw (CVE-2025-32433) in Erlang/OTP SSH, which could allow attackers to execute arbitrary code without authentication, posing a significant risk to various systems, especially those in critical infrastructure. Lastly, the sources cover data security and government regulations with the HHS fining a Guam hospital for HIPAA violations following a ransomware attack, underscoring the importance of risk assessments and compliance in the healthcare sector.
-
65
April 18th, 2025
One source details a high-severity vulnerability in Cisco Webex that could allow unauthenticated attackers to gain remote code execution through malicious meeting invite links. This article also briefly mentions other security news, including a CISA funding extension for CVE services, Microsoft blue screen issues, and various cyberattacks and vulnerabilities affecting different systems. Another source reports on a data breach at Legends International, an entertainment services company, where unauthorized access led to the exfiltration of personal data. Finally, the third source describes an incident that disrupted multiple Zoom services due to a domain name resolution problem caused by an error at the domain registry.
-
64
April 16th, 2025
The sources discuss several distinct cybersecurity-related topics. One major subject is the extension of funding for the Common Vulnerabilities and Exposures (CVE) program by CISA to prevent any lapse in this critical service. This announcement followed a warning about potential disruptions and the expiration of funding for MITRE, the organization that maintains the CVE program. In response to these concerns, members of the CVE Board also announced the launch of the CVE Foundation, aiming to secure the program's independence. Another key topic is the major hack that took down the online forum 4chan, with the group Soyjak.party claiming responsibility and leaking alleged staff information and source code. Finally, the sources cover Microsoft's decision to block all ActiveX controls by default in Windows versions of Microsoft 365 and Office 2024 applications due to the security risks associated with this legacy software framework.
-
63
April 14th, 2025
The sources discuss several security-related topics, including a ransomware attack on the kidney dialysis firm DaVita, which resulted in the encryption of parts of its network and impacted some operations. Another key topic is Microsoft Defender for Endpoint's new capability to isolate undiscovered endpoints to prevent attackers from moving laterally across a network. Finally, the sources also detail security breaches and a data leak at Western Sydney University, involving the compromise of a single sign-on system and the appearance of personal information on the dark web.
-
62
April 7th, 2025
The sources discuss several cybersecurity-related topics, including Coinbase's plan to fix a confusing 2FA error message that was causing user anxiety and could be used in social engineering attacks. Another topic is a resurgence of phishing scams impersonating E-ZPass and other toll agencies, aiming to steal personal and credit card information via text messages and fake websites. Finally, one source details how Microsoft credited the hacker persona EncryptHub for reporting Windows security vulnerabilities, providing insights into the actor's background and extensive cybercriminal activities.
-
61
April 4th, 2025
Australian pension funds have been targeted by a significant wave of credential stuffing attacks. This occurred over the weekend of March 29-30, 2025, and affected multiple large Australian super funds, potentially compromising thousands of members' accounts. The Association of Superannuation Funds of Australia (ASFA) acknowledged that some members were affected, although most attempts were repelled. Reuters reported that over 20,000 accounts were breached, with some members reportedly losing savings. Several major funds, including AustralianSuper, Hostplus, REST, Australian Retirement Trust, and Insignia Financial, confirmed that some of their members' accounts were breached. AustralianSuper reported at least 600 breached accounts, while REST disclosed that around 8,000 members had limited personal information accessed. Insignia Financial stated that approximately 100 accounts on its Expand Platform were compromised. ASFA has established a hotline and released a toolkit to enhance coordination within the superannuation industry in response to such financial crimes.
-
60
April 3rd, 2025
A vulnerability in Verizon's Call Filter API allowed users to potentially access the incoming call logs of other Verizon Wireless customers. Security researcher Evan Connelly discovered in February 2025 that the API endpoint used by the Call Filter app to retrieve a user's call history did not verify the phone number in the request against the logged-in user's phone number. As a result, by manipulating the `X-Ceq-MDN` header, any user could have requested and viewed the incoming call history of a different Verizon phone number using their own valid authentication token. Verizon addressed and patched this flaw in mid-March, stating that it only impacted iOS devices and that there was no indication of exploitation. This incident highlights potential risks associated with API security and the handling of sensitive call data.
-
59
April 1st, 2025
Recent cybersecurity news includes Google's introduction of easy end-to-end encryption (E2EE) for Gmail business users, which simplifies the process of sending encrypted emails to any recipient by abstracting away complex certificate requirements. In another development, Microsoft utilized its AI-powered Security Copilot to discover twenty previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders, highlighting the potential for attackers to bypass security protections like UEFI Secure Boot. Additionally, retail giant Sam's Club is currently investigating claims of a potential data breach by the Clop ransomware gang, after the gang listed the company on their dark web leak site.
-
58
March 25th, 2025
Genetic testing provider 23andMe has filed for Chapter 11 bankruptcy after facing years of financial difficulties and plans to sell its assets. Following this news, privacy experts have raised concerns about the potential exposure of customers' genetic information, even though the company has stated its commitment to safeguarding data. Consequently, the Office of California's Attorney General has advised 23andMe customers to request the deletion of their data and the destruction of their test samples. The UK's Information Commissioner's Office has also emphasized the sensitive nature of genetic information and the need for strict security standards. This development follows a previous data breach in 2023 where the data of 6.4 million customers was exposed.
-
57
March 24th, 2025
A recent GitHub Actions supply chain attack primarily targeted Coinbase, a cryptocurrency exchange. The attack involved injecting malicious code into the `reviewdog/action-setup@v1` GitHub Action, which led to the dumping of CI/CD secrets and authentication tokens in GitHub Actions logs. Threat actors then used a stolen Personal Access Token to push a malicious commit to another GitHub Action, `tj-actions/changed-files`, again dumping secrets. Although this malicious commit specifically targeted Coinbase projects, including their `coinbase/agent kit`, and attackers gained write access to the repository, Coinbase reported that the attack was ultimately unsuccessful and did not impact their assets. While 23,000 projects used the compromised action, only 218 repositories were affected.
-
56
March 13th, 2025
Human error is now the primary factor in data breaches, accounting for 95% of incidents in 2024. This is often exploited through social engineering tactics like phishing, where employees overestimate their ability to detect scams, with nearly 50% admitting to falling for them. Threat actors, such as Blind Eagle and those behind the KoSpy spyware, utilize phishing emails to gain initial access to systems. While email remains a common threat, attacks via collaboration tools are also increasing. Organizations face challenges in addressing these risks due to budget constraints and the need for more effective human risk management programs beyond basic security awareness training. Simultaneously, threats are becoming more sophisticated with the use of AI in phishing attacks and deepfakes, although AI is also being leveraged in cyber defense.
-
55
March 12th, 2025
In March 2025, cybersecurity incidents were reported, including Chinese cyberspies backdooring Juniper routers, Mozilla warning Firefox users to update their browsers, and the social media platform X (formerly Twitter) being hit by a massive cyberattack. The attack on X, claimed by the hacktivist group Dark Storm, led to worldwide outages and the implementation of DDoS protections from Cloudflare. Meanwhile, Chinese hackers were found deploying backdoors on Juniper Networks Junos OS MX routers that are no longer receiving security updates. Mozilla cautioned Firefox users to update to the latest version to avoid security risks due to an expiring root certificate.
-
54
March 10th, 2025
Recent cybersecurity news includes a data breach at NTT impacting 18,000 companies, a ransomware gang using a webcam to bypass EDR, and US cities warning about unpaid parking phishing texts. The NTT data breach, discovered in early February 2025, compromised the information of almost 18,000 corporate customers. An Akira ransomware gang utilized an unsecured webcam to encrypt a victim's network, circumventing EDR. Multiple US cities are also issuing warnings about a wave of phishing texts related to unpaid parking invoices.
-
53
March 6th, 2025
Several recent cybersecurity incidents and advisories have been reported, including the detection of Stingray attacks using the open-source tool 'Rayhunter'. Additionally, the Chinese cyber-espionage group 'Silk Typhoon' is now targeting IT supply chains to breach networks. Furthermore, YouTube has issued a warning about AI-generated videos of its CEO being used in phishing attacks to steal creators' credentials.
-
52
March 5th, 2025
Recent cybersecurity news includes a vulnerability in Cisco Webex for BroadWorks that could allow remote access to credentials, addressed by a configuration change. Scammers are sending fake BianLian ransom notes via mail to U.S. companies, demanding Bitcoin payments. A new botnet, Eleven11bot, has infected over 86,000 IoT devices, mainly security cameras and NVRs, to conduct DDoS attacks.
-
51
March 4th, 2025
In recent cybersecurity news, several important developments have emerged: The Cybersecurity and Infrastructure Security Agency (CISA) is continuing its monitoring of Russian cyber threats, refuting claims that it would stop. Google has addressed multiple Android vulnerabilities, including zero-day exploits used by Serbian authorities. Rubrik, a cybersecurity company specializing in data protection, has rotated authentication keys following a breach of a server hosting log files.
-
50
March 3rd, 2025
In the realm of cybersecurity, recent events highlight the growing concerns around data privacy and security. Mozilla updated its Firefox terms of use following criticism over broad data license language. A study revealed that nearly 12,000 API keys and passwords were found in AI training datasets, raising concerns about insecure coding practices and potential misuse. Furthermore, Serbian police reportedly used a Cellebrite zero-day hack to unlock Android phones, raising concerns about privacy rights abuse and the exploitation of vulnerabilities in mobile devices.
-
49
February 28th, 2025
The discussion centers on three major cybersecurity concerns: the security of access management systems, legislative threats to digital privacy, and the proliferation of malware botnets. Flaws in access management systems can lead to unauthorized access and data breaches. Simultaneously, legislative actions, particularly those that mandate backdoors in encrypted systems or limit VPN access, raise concerns about governmental overreach and the potential compromise of digital privacy. Finally, the expansion of malware botnets like Vo1d highlights the growing threat of large-scale cybercriminal operations.
-
48
February 26th, 2025
Several organizations have recently reported data breaches and ransomware attacks. Genea, an Australian IVF provider, was breached by the Termite ransomware gang, who claimed to have stolen roughly 700GB of data. EncryptHub (aka Larva-208) has compromised at least 618 organizations since June 2024 using phishing and social engineering to deploy infostealers and ransomware. DISA Global Solutions, a US drug testing firm, reported a data breach impacting 3.3 million people.