CyberWire Daily - Chrome’s high-risk bug gets squashed.

Episode Date: July 16, 2025

Google and Microsoft issue critical updates. CISA warns of active exploitation of a critical flaw in Wing FTP Server. Cloudflare restores their DNS Resolver service following a brief outage. A critical vulnerability in a PHP documentation tool allows attackers to execute code on affected servers. NSA and FBI officials say they’ve disrupted Chinese cyber campaigns targeting U.S. critical infrastructure. A UK data breach puts Afghan soldiers and their families at risk. Researchers find malware hiding in DNS records. A former U.S. Army soldier pleads guilty to charges of hacking and extortion. Ben Yelin joins us with insights on the Senate Armed Services Committee’s response to rising threats to critical infrastructure. The large print giveth and the small print taketh away.

CyberWire Guest
Today we are joined by Ben Yelin, co-host of our Caveat podcast and Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, discussing the Senate Armed Services Committee’s and Trump administration nominees’ recent conversation about rising threats to critical infrastructure.

Selected Reading
Google fixes actively exploited sandbox escape zero day in Chrome (Bleeping Computer)
Windows KB5064489 emergency update fixes Azure VM launch issues (Bleeping Computer)
Exploited Wing file transfer bug risks ‘total server compromise,’ CISA warns (The Record)
Cloudflare 1.1.1.1 incident on July 14, 2025 (Cloudflare)
Critical template Injection flaw in LaRecipe Documentation Package enables remote code execution (Beyond Machines)
NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure (The Record)
Defence secretary 'unable to say' if anyone killed after Afghan data breach (BBC News)
Hackers exploit a blind spot by hiding malware inside DNS records (Ars Technica)
21-year-old former US soldier pleads guilty to hacking, extorting telecoms (The Record)
WeTransfer says files not used to train AI after backlash (BBC News)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed.
Starting point is 00:00:31 Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
Starting point is 00:01:04 You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyber wire. Just go to indeed.com slash cyber
Starting point is 00:01:33 wire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash cyber wire. Terms and conditions apply. Hiring, Indeed, is all you need. Google and Microsoft issue critical updates. CISA warns of active exploitation of a critical flaw in Wing FTP Server. Cloudflare restores their DNS resolver service following a brief outage. A critical vulnerability in a PHP documentation tool allows attackers to execute code on affected servers. NSA and FBI officials say they've disrupted Chinese cyber campaigns targeting US critical infrastructure.
Starting point is 00:02:26 A UK data breach puts Afghan soldiers and their families at risk. Researchers find malware hiding in DNS records. A former US Army soldier pleads guilty to charges of hacking and extortion. Ben Yelin joins us with insights on the Senate Armed Services Committee's response to rising threats to critical infrastructure, and the large print giveth and the small print taketh away. It's Wednesday, July 16, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.
Starting point is 00:03:21 Google has issued a critical Chrome update fixing six vulnerabilities, including one actively exploited flaw. Rated High Severity, 8.8, this bug allows attackers to escape Chrome's sandbox via a specially crafted HTML page. It targets ANGLE, a graphics layer that processes untrusted GPU commands from websites. Discovered by Google's Threat Analysis Group, the flaw affects multiple Chrome versions. While technical details remain restricted, the risk is serious, as sandbox escapes can allow malware to spread beyond the browser.
Starting point is 00:04:01 Users are urged to update Chrome immediately. The patch also addresses five additional flaws, though none were exploited. This marks the fifth exploited Chrome vulnerability fixed in 2025. Meanwhile, Microsoft has issued an emergency update to fix a bug that blocked some Azure virtual machines from starting. The issue affected Windows Server 2025 and Windows 11 24H2 systems using VBS with Trusted Launch disabled,
Starting point is 00:04:34 particularly on older VM SKUs. It stemmed from a secure kernel initialization problem introduced in the July Patch Tuesday update. Microsoft advises impacted users to install the new patch and recommends enabling trusted launch to prevent similar issues. Updated VM images now include the fix. A critical flaw in Wing FTP server is being actively exploited, prompting a CISA alert. The vulnerability, rated 10 out of 10 in severity, allows total server compromise and affects
Starting point is 00:05:11 Windows, Linux, and macOS versions. CISA added it to the Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by August 4. Wing FTP is used by major organizations like the U.S. Air Force and Sony. Exploits were observed as early as July 1, with attackers attempting file downloads, reconnaissance, and remote monitoring installs. Huntress and Arctic Wolf researchers confirmed the threat and shared detection guidance. Despite attackers' clumsy execution, the bug is actively targeted.
Starting point is 00:05:48 Shadowserver found 2000 exposed instances. Censys reported over 8000. Organizations are urged to upgrade immediately to mitigate risk. Yesterday Cloudflare's 1.1.1.1 DNS resolver service went offline globally for over an hour due to a misconfiguration introduced in June during internal preparations for a new data localization service. A configuration error mistakenly included 1.1.1.1 in a test topology, and when activated, this change caused the withdrawal of the resolver's IP routes from Cloudflare's network. DNS traffic dropped immediately, effectively cutting off
Starting point is 00:06:35 many users' internet access. Cloudflare reverted the change and fully restored service. While a brief BGP hijack occurred during the outage, it wasn't the cause. Cloudflare pledged to accelerate deprecation of legacy systems and adopt staged deployments to prevent future outages. DNS over HTTPS remained mostly unaffected throughout the incident.
Starting point is 00:07:03 A critical vulnerability in LaRecipe, a PHP documentation tool, allows attackers to execute code on affected servers via server-side template injection. With a CVSS score of 10.0, the flaw stems from insecure handling of user input in templates. Exploitation requires minimal skill, using standard SSTI payloads to read files, execute commands, or access environment variables.
Starting point is 00:07:34 Users should upgrade immediately and audit systems for signs of compromise. US cybersecurity officials from the NSA and FBI say they've disrupted Chinese cyber campaigns, particularly Volt Typhoon, which targeted U.S. critical infrastructure. Speaking at the International Conference on Cybersecurity at Fordham University in New York City yesterday, NSA's Christina Walter confirmed China's attempts to quietly infiltrate networks were unsuccessful thanks to coordination between the NSA, FBI, and private sector. Volt Typhoon aimed to set the stage for future sabotage, especially around naval infrastructure
Starting point is 00:08:18 in places like Guam. Public disclosures forced Chinese hackers to adapt, burning older tactics. FBI Cyber Director Brett Leatherman also detailed a real-time cyber battle with China's Flax Typhoon, where the FBI temporarily hijacked botnet infrastructure before Chinese actors retaliated with a DDoS attack, only to shut down their own systems upon learning the FBI was involved. Both officials emphasized the Chinese cyber ecosystem blends government and private entities. U.S. efforts to expose these operations aim to disrupt their tactics and force resource-draining resets, building friction into their campaigns. Sometimes a cyber breach isn't just about stolen data.
Starting point is 00:09:08 It can put lives at risk. A leaked database from 2022 exposed personal details of nearly 19,000 Afghans who supported British forces and applied to relocate to the UK after the Taliban takeover. The breach, caused by a UK defence official, remained secret until this week, when a super-injunction was lifted. Defence Secretary John Healey admitted he couldn't confirm whether the leak led to any deaths, but called it a grave failure. About 600 Afghan soldiers and their families remain in Afghanistan, potentially
Starting point is 00:09:46 exposed. The UK's response includes a £850 million resettlement scheme, yet critics question the secrecy and delays. Officials stress that while the Taliban likely already had much of the data, the breach heightened fear and panic among those affected. The incident reignites debate over accountability, transparency, and the deadly consequences of cyber-negligence during wartime evacuations. Hackers are hiding malware inside DNS records, an area often overlooked by security tools. DomainTools researchers found a strain of nuisance malware called JokeScreenMate embedded in the text records of subdomains on whitetreecollective.com. The malware was encoded in hexadecimal, split into chunks, and hidden in DNS records.
Starting point is 00:10:41 Attackers can reassemble the chunks using normal-looking DNS queries, bypassing standard defenses. With growing use of encrypted DNS protocols like DoH and DoT, detecting such activity becomes even harder. This stealthy tactic isn't new. PowerShell scripts have been hidden in DNS for years, but it's evolving. Researchers also found DNS records used to host prompt injection attacks targeting AI chatbots.
Starting point is 00:11:11 These included bizarre or dangerous commands designed to manipulate the AI. As Ian Campbell of DomainTools puts it, DNS remains a strange and enchanting place where attackers can quietly operate beyond the reach of conventional cybersecurity tools. Former U.S. Army soldier Cameron John Wagenius has pleaded guilty to wire fraud, extortion, and identity theft after hacking U.S. telecom companies and attempting to ransom or sell stolen customer data. While on active duty, he and accomplices breached systems using stolen credentials, stealing call and text metadata from hundreds of thousands of users,
Starting point is 00:11:54 including high-profile targets. Prosecutors say Wagenius demanded up to $500,000 in cryptocurrency and even offered stolen data to a foreign intelligence agency. Documents revealed he tried to defect, violated military orders, and continued hacking even after federal searches. He posted stolen data on cybercrime forums like BreachForums and Telegram, with some of the compromised files containing government officials' phone records. Authorities seized over 17,000 identity documents from his devices. Wagenius faces up to 27 years in prison and will be sentenced on October 6. He's considered a significant flight risk and national
Starting point is 00:12:41 security threat. Coming up after the break, Ben Yelin joins us with insights on the Senate Armed Services Committee's response to rising threats to critical infrastructure. And the large print giveth and the small print taketh away. Stick around. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites and they
Starting point is 00:13:35 keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal,
Starting point is 00:14:07 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code n2k at checkout. That's joindeleteme.com slash n2k code n2K. Did you know Active Directory is targeted in 9 out of 10 cyberattacks? Once attackers get in, they can take control of your entire network. That's why Semperis created PurpleKnight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands
Starting point is 00:14:51 of IT pros using PurpleKnight to stay ahead of threats. Download it now at semperis.com slash purple dash knight. And it is always my pleasure to welcome back to the show my Caveat co-host Ben Yelin. He is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back. Good to be with you again, Dave. So interesting story came by, this is from the folks over at Defense One, and they're talking about the Senate Armed Services Committee looking to place some cybersecurity requirements on the Pentagon. Can you unpack this for us, Ben?
Starting point is 00:15:42 Sure. So right now, Congress is considering the 2026 National Defense Authorization Act. Pretty much every year Congress enacts a defense authorization bill which sets policy for the Department of Defense, for intelligence agencies, and pretty much anybody associated with protecting the country from foreign threats. So the Senate Armed Services Committee has put a provision in there requiring a new strategy from the Pentagon to deter cyber attacks on critical infrastructure in this country using the full range of military options.
Starting point is 00:16:16 Lawmakers have pointed to recent cyber attacks, Volt Typhoon, Salt Typhoon, as evidence that China has been aggressive against our critical infrastructure and that any previous efforts at deterrence clearly aren't working if they're still propagating these attacks. So we need a full comprehensive response, not just a defensive strategy to protect our infrastructure, but also potentially offensive measures. So for defensive measures, we talk about things like zero trust architecture,
Starting point is 00:16:46 active defense, further information sharing, private public sector collaboration, and then the importance of potential offensive cyber operations, which it's kind of unclear exactly what form that would take, probably by design. We don't want to reveal to our enemies what our strategies are, but this is something that the Senate Armed Services Committee wants the Pentagon to consider. One hiccup in all of this is we've lost a lot of talent. Just through natural attrition
Starting point is 00:17:20 and the Department of Government Deficiency, the government has lost a lot of its cyber expertise, at the same time that threats against our critical infrastructure through cyber attacks are at a high point, not just from China, but from other adversaries like Iran, North Korea, other international criminal organizations. So one thing that this National Defense Authorization Act would do is try to encourage through various incentives the hiring of additional cyber experts to work in our national government on offensive and defensive operations and to figure out a way for us to retain that type of talent once we are able to hire these people.
Starting point is 00:18:05 And this is a bipartisan effort, right? Yeah, it's weird. Like, somehow partisan politics kind of flies over the National Defense Authorization Bill. It is usually one of the only truly bipartisan bills, both actually in support and opposition. Your typical pattern is like a 300 to 135 vote in favor of this with the no vote split between dovish Democrats and America first international skeptic Republicans. I see. But yeah, this is generally a process that is bipartisan.
Starting point is 00:18:40 And I think at least on the Armed Services Committee, this initiative is completely bipartisan. Right. I think both sides of the aisle fully understand the need to harden our approach against cyber threats and institutionalize that approach within the Department of Defense. And this is the way for Congress to tell the Pentagon these are the things we think are important and we're going to demonstrate our desires in the way that we fund it. Exactly, exactly.
Starting point is 00:19:08 And the one stick that Congress has is the power of the purse, at least theoretically. They can say one of the conditions of these billions of dollars to the Pentagon is that you have to develop this new strategy. And that's a weapon that Congress can use even if the Pentagon was reticent. Now I don't think the Pentagon is reticent, I think. Right. It seems to me, when I was reading through this, I would, at the risk of being flippant, I could imagine the top brass of the Pentagon saying, well, duh.
Starting point is 00:19:41 Right? We're on board. We're all in agreement that China is a threat and we should, you know, go at it. Thank you for your concern. Sometimes it's an accountability measure, because then you can put in like provisions like we need an annual report from the Department of Defense on what they've done in the last fiscal year on cyber operations.
Starting point is 00:20:03 That can be a confidential report that's just submitted to the relevant congressional committees, but it's a way that Congress can hold the administration accountable for its promises. And so I would expect that they put something like that, some type of reporting requirement in the defense authorization bill as it's being considered. And what's the timeline for this to go through?
Starting point is 00:20:23 Usually by the end of the calendar year is when next year's defense authorization bill gets passed. So it's one of the year-end tasks that Congress has to undertake, usually at the last minute before they adjourn until the next session, which starts in January of 2026. To what degree is this one a political football? We talked about, you know, both bipartisan support and opposition, but does this one tend to sail through? It does, unless there are some poison pills in it. So somebody's gonna propose an amendment related to, like,
Starting point is 00:20:58 transgender service members, or think of your controversial subject of the day, and whether that amendment is agreed to or not is gonna affect whether 100 different members of Congress vote for the final package. So that's generally where it runs into trouble, are these policy riders. But the Defense Authorization Act
Starting point is 00:21:21 almost always passes even despite that. Yeah. All right. Well, Ben Yelin is my co-host over on the Caveat Podcast, and he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, thanks so much for joining us. Thanks for having me. You hear from us here at the CyberWire Daily every single day. Now we'd love to hear from you.
Starting point is 00:21:51 Your voice can help shape the future of N2K Networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks. We've all been there. You realize your business needs to hire someone yesterday.
Starting point is 00:22:21 How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Starting point is 00:22:58 Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer.
Starting point is 00:23:20 Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com slash Cyberwire. Just go to Indeed.com slash Cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash Cyberwire. Terms and conditions apply. Hiring, Indeed, is all you need. Crogl is AI built for the enterprise SOC. Fully private, schema-free, and capable of running in
Starting point is 00:24:03 sensitive air-gapped environments, Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at Crogl.com. That's C-R-O-G-L dot com. And finally, as 20th century philosopher and musician Tom Waits so eloquently stated, the
Starting point is 00:24:57 large print giveth and the small print taketh away. File transfer utility WeTransfer recently updated its terms of service and promptly sent privacy advocates into mild hysteria. Content creators, understandably jumpy about their hard work being fed into some ravenous AI, took to ex-Twitter to say they were jumping ship. The fuss centered around wording that suggested WeTransfer might use uploaded files to train machine learning models. Cue the panic. In a brisk about-face, WeTransfer clarified that no, they're not selling your audition
Starting point is 00:25:37 tape to Skynet. They've since scrubbed the language and now promise their only goal is to improve the service. The change takes effect August 8th. This isn't the first AI-fueled freakout either. Dropbox faced similar outrage in 2023. As one privacy lawyer quipped, in the age of AI gold rushes, your data is the new pickaxe, and vague terms are the minefield. And that's the CyberWire.
Starting point is 00:26:24 For links to all of today's stories, check out our daily briefing at the CyberWire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There is a link in the show notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth, our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltsman. Our executive producer is Jennifer Iben, Peter Kielpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hi, Kim Jones here. On CISO Perspectives, we get candid with the thinkers, doers, and trailblazers shaping
Starting point is 00:27:31 cybersecurity leadership. No scripts, no sales pitches. Just real stories and hard-earned lessons from folks who've been there. If you're looking to grow as a leader, or just want to hear how others are navigating this ever-evolving field, listen to CISO Perspectives. Get your seat at the table. Buying more tools won't make you more secure, continually training your people will.
Starting point is 00:28:07 In this episode, Cloudrange co-founder and CEO Debbie Gordon shares how real-world simulations are transforming readiness in 2025. Because your last line of defense isn't software, it's your team. Tune in now, your stack depends on it.
