CyberWire Daily - Cloudflare’s cloudy day resolved.

Episode Date: June 13, 2025

Cloudflare says yesterday’s widespread outage was not caused by a cyberattack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing Microsoft 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed “JSFireTruck.” Trend Micro and Mitel patch multiple high-severity vulnerabilities. CISA issues multiple advisories. My Hacking Humans cohost Joe Carrigan joins us to discuss linkless recruiting scams. Uncle Sam wants an AI chatbot.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we are joined by Joe Carrigan, one of Dave’s Hacking Humans co-hosts, to talk about linkless recruiting scams. You can learn more in this article from The Record: FIN6 cybercriminals pose as job seekers on LinkedIn to hack recruiters. Tune in to Hacking Humans each Thursday on your favorite podcast app to hear the latest on the social engineering scams that are making the headlines from Joe, Dave and their co-host Maria Varmazis.
Selected Reading
Cloudflare: Outage not caused by security incident, data is safe (Bleeping Computer)
Predator Mobile Spyware Remains Consistent with New Design Changes to Evade Detection (Cyber Security News)
Microsoft confirms auth issues affecting Microsoft 365 users (Bleeping Computer)
TeamFiltration Abused in Entra ID Account Takeover Campaign (SecurityWeek)
270K websites injected with ‘JSF-ck’ obfuscated code (SC Media)
Palo Alto Networks Patches Series of Vulnerabilities (Infosecurity Magazine)
SimpleHelp Vulnerability Exploited Against Utility Billing Software Users (SecurityWeek)
Trend Micro fixes critical vulnerabilities in multiple products (Bleeping Computer)
Critical Vulnerability Exposes Many Mitel MiCollab Instances to Remote Hacking (SecurityWeek)
CISA Releases Ten Industrial Control Systems Advisories (CISA)
Trump team leaks AI plans in public GitHub repository (The Register)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed.
Starting point is 00:00:31 Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts.
Starting point is 00:01:04 You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire
Starting point is 00:01:33 right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Cloudflare says yesterday's widespread outage was not caused by a cyberattack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing Microsoft 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed JSFireTruck. Trend Micro and Mitel patch multiple high-severity vulnerabilities.
Starting point is 00:02:30 CISA issues multiple advisories. My Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams, and Uncle Sam wants an AI chatbot. It's Friday, June 13, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Friday, and thanks for joining us here. It's great as always to have you with us. Cloudflare has confirmed that a widespread outage on its network was not caused by a cyberattack, and no data was lost. The incident lasted about two and a half hours, triggered by a failure in Workers KV, a
Starting point is 00:03:37 critical key value store used across Cloudflare's serverless platform. The root cause was an outage at a third-party cloud provider supporting the KV backend. The failure impacted many services, including Google Cloud Platform, and disrupted authentication, streaming, image uploads, and AI functions. Cloudflare is now moving to reduce reliance on that provider by migrating storage to its own R2 system. The company will also add safeguards and new tools to better manage future outages and restore service without triggering cascading failures.
Starting point is 00:04:17 Despite international sanctions and public exposure, the Predator mobile spyware remains highly active and adaptable. Originally developed by Cytrox and now part of the Intellexa Alliance, Predator uses both one-click and zero-click methods to infect devices, granting access to microphones, cameras, and sensitive data. It targets high-value individuals, including journalists, politicians, and activists. Researchers from Recorded Future have observed new infrastructure and operations in over a dozen countries, with heavy use in Africa and a newly reported presence in Mozambique. Predator's evolving five-tier infrastructure, now linked to a Czech firm, makes tracking
Starting point is 00:05:04 difficult. Fake websites and new server strategies help evade detection. Its modular design allows remote updates, reinforcing its persistence. Predator's use remains strategic, costly, and deeply concerning for civil society and cross-border surveillance. Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services, particularly self-service password resets and adding multi-factor authentication methods. The problem, linked to a recent configuration change aimed at improving MFA, is impacting users across Asia Pacific,
Starting point is 00:05:46 Europe, the Middle East, and Africa. Microsoft has issued a temporary fix and reports signs of improvement. Affected users, including NHS Mail in the UK, are seeing errors like "No methods available." This follows recent Microsoft 365 authentication and access issues in January, April, and May. A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool, according to Proofpoint. Originally designed for ethical hacking, TeamFiltration can automate password spraying, account enumeration, and data exfiltration. The tool requires an AWS account and a Microsoft 365 Business Basic license to function. Since December 2024, a threat actor dubbed UNK_SneakyStrike
Starting point is 00:06:42 has used it against roughly 100 cloud tenants, peaking in January of this year. Attacks rely on the Microsoft Teams API and global AWS infrastructure for stealthy, high-intensity bursts. Smaller tenants saw broad targeting, while larger ones had focused user targeting. The campaign uses outdated Microsoft Teams clients and exploited OAuth app IDs to obtain bearer tokens via Entra ID. Most attack traffic came from AWS servers in the US, Ireland, and the UK. Palo Alto Networks Unit 42 has uncovered a large-scale malware campaign that compromised
Starting point is 00:07:27 nearly 270,000 websites using a JavaScript obfuscation method dubbed JSFireTruck. This technique relies on JavaScript's type coercion and only six ASCII characters to encode functioning code. Though the obfuscated scripts are long and conspicuous, they're difficult to analyze without automation. Attackers use JSFireTruck alongside layered obfuscation methods, reconstructing payloads through arrays and mixing readable and encoded elements. These scripts detect if users arrive via search engines and then redirect them using full-page
Starting point is 00:08:08 iframes, potentially leading to phishing or malware. The activity surged in mid-April. Unit 42 urges admins to patch systems and check for infections. Veracode recently found a similar obfuscation-heavy campaign using a malicious npm package with at least seven hiding techniques. It is worth noting that while Palo Alto Networks refers to the method as JSFireTruck, the creators of the campaign internally use a different F word. Speaking of Palo Alto Networks, they've released patches for multiple vulnerabilities across
Starting point is 00:08:46 their products, including the GlobalProtect app, Cortex XDR, PAN-OS, and Prisma Access Browser. The most critical flaw is an authenticated code injection in GlobalProtect for macOS with a CVSS score of 7.1. Two PAN-OS flaws scored medium severity. The Prisma Access Browser received 12 fixes, including a cache issue and 11 Chrome-related bugs with a combined CVSS score of 8.6. No active exploitation has been reported. Trend Micro has issued critical security updates for its Apex Central and Endpoint Encryption Policy Server products, addressing multiple high-severity and critical remote code execution and authentication bypass vulnerabilities.
Starting point is 00:09:37 These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as SYSTEM or bypass authentication entirely. While no exploitation has been reported, immediate patching is strongly advised. Apex Central also had two critical RCE flaws, both with CVSS scores of 9.8. These were patched in a recent on-premise version, with fixes automatically applied to Apex Central as a Service. No workarounds exist for these vulnerabilities. Meanwhile, Mitel has released patches for a critical untracked vulnerability in its MiCollab platform's NuPoint Unified Messaging component. The flaw, a path traversal issue, allows unauthenticated remote
Starting point is 00:10:28 attackers to access provisioning data and perform unauthorized admin actions. It affects multiple MiCollab versions, with fixes in recent versions. Researcher Damani Thaumi, who found the flaw, said over 20,000 Internet-exposed instances may be at risk. The issue is a bypass of a previously patched flaw. CISA warns that ransomware actors are exploiting a path traversal flaw in SimpleHelp RMM software
Starting point is 00:11:00 to target customers of a utility billing software provider. The vulnerability, with a CVSS score of 7.5, allows attackers to steal credentials and API keys. It was patched in January, along with two related flaws. DragonForce ransomware previously exploited this in May. CISA urges immediate patching, disconnection of vulnerable systems, and threat hunting, especially for users running SimpleHelp version 5.5.7 or earlier. CISA also issued 10 new ICS advisories addressing vulnerabilities in products from Siemens, AVEVA, and PTZOptics.
Starting point is 00:11:42 These advisories cover critical systems including Siemens SCALANCE, RUGGEDCOM, SIMATIC S7-1500 CPUs, Tecnomatix Plant Simulation, and AVEVA's PI software suite. One advisory also targets pan-tilt-zoom cameras. CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations to protect against potential exploits in industrial environments. Coming up after the break, my Hacking Humans co-host Joe Carrigan joins us to discuss linkless recruiting scams,
Starting point is 00:12:27 and Uncle Sam wants an AI chatbot. Stay with us. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports, so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every
Starting point is 00:13:14 day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com/n2k and use promo code n2k at checkout. That's
Starting point is 00:13:47 joindeleteme.com/n2k, code n2k. And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without
Starting point is 00:14:25 adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. And joining me once again is Joe Carrigan. He is my co-host over on the Hacking Humans podcast, along with Maria Varmazis. Joe, it's great to have you back. Hi, Dave. It's good to be back. So we were recently talking about this scam over on Hacking Humans, and I thought it was one worth sharing
Starting point is 00:15:05 with our CyberWire audience here. This one centers around some shenanigans on LinkedIn. Yes, it is from the FIN6 cybercriminal group, which is a designation, I don't know, in MITRE they're designated as FIN6. They're also, their official designation, I guess, Magecart Group 6. Yeah, yeah, Skeleton Spider is another name for them.
Starting point is 00:15:26 Nice. Camouflage Tempest, that's probably the Microsoft name for them. Right. Right, TAAL, T-A-A-L, all these different names, but they're financial crimes. Magecart was a carding organization, I think, if memory serves me right, but don't quote me on that. Yeah.
Starting point is 00:15:45 So what these guys are doing now is they're targeting recruiters on LinkedIn, and they're sending them an email or a message. And that message is just plain text, like ASCII text, right? It says, "Thank you for considering my application. For your convenience, you can also view my full resume along with additional information about my experience and portfolio at bobbyweissman.com."
Starting point is 00:16:11 Now, don't go to bobbyweissman.com. I'll tell you what happens next. Okay. And then it has a nice closing and a "Sincerely, Robert Weissman" to make it sound all nice. So they've compromised some site, or they bought a website, bobbyweissman.com.
Starting point is 00:16:26 When you go to this website, it analyzes, it captures your IP address, it analyzes what browser string you're using, and captures the operating system from that browser string. And then it says, if you're not on a Windows machine, we'll just show you some Bobby Weissman content. And it looks like a professional website that you'd see. You know, you remember all your cool friends that set up websites and they still have them up? Sure. Yeah, did
Starting point is 00:16:53 you ever do that? Yes. I have never done that. That's because I'm cooler than you. Yes. Or perhaps the opposite. I've just never taken the time to do it. Yeah. But you know, and somebody already bought the domain name joecarrigan.com. So there's some other Joe Carrigan out there. I think he's an insurance salesman. Okay. Anyway, what happens if you are on a Windows box is it gives you a CAPTCHA, right? To make sure that you're human.
Starting point is 00:17:23 And then the next thing that happens is it downloads a zip file. That zip file contains a link, an .lnk file, which will install some kind of JavaScript malware that puts a backdoor in your computer, exfiltrates a bunch of data, and also probably starts beginning to install ransomware. Yeah. So that's the game. That's the trick.
Starting point is 00:17:49 There is no link to click. You actually have to physically enter bobbyweissman.com. That's the part that caught my eye though. Right. Because that's a little different than what we're used to. Yeah. Normally we say don't click the link. And if that's your only bit of security awareness here,
Starting point is 00:18:07 you didn't violate it. Right. Right? You complied. So there's more to life than don't click the link. Maybe we should put that in the bumper sticker. More to life than don't click the link here. Think about what you're doing.
Starting point is 00:18:21 When somebody says, here's my website, go look at my portfolio, you would expect to go to look at a portfolio, not to immediately get asked to download some zip file. Right, right. And I think in this case, it tells, it's trying to make you think that what you're downloading is the resume.
Starting point is 00:18:38 Is the resume, correct. Yeah. Yeah. So, I don't know what to say here, aside from you really need to be aware of what you're doing and have a little bit of understanding here. Because, like you said, the don't click the link part of this, this just completely gets bypassed.
Starting point is 00:18:56 This is a good social engineering trick, I think. I think it's gonna be surprisingly effective against Windows users. Yeah, I mean, because you either have to copy and paste this URL or just manually type it in. Correct. So, it bypasses a lot of inbound filtering in your email program as well, because there's
Starting point is 00:19:14 no link to analyze. That's right. That's right. This doesn't have the typical HTML layout with the A ref, the anchor tag in it, the href. That's having to go all the way back to when I used to write web code, David. It's been a while.
Starting point is 00:19:31 Yeah, no, it's an interesting one. And like I said, it was the lack of a link that I think sets this one apart. And it's a subtle thing, but it's an interesting evolution at the same time. I would agree 100%. Yeah. All right, well, we will have a link to that story
Starting point is 00:19:47 in the show notes. The original story for this came courtesy of the folks over at The Record. So we will link to them. Joe Carrigan, thanks so much for joining us. My pleasure, Dave. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:20:24 If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue.
Starting point is 00:20:54 And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC. How much easier trust can be. Get started at vanta.com/cyber. And finally, less than a month from launch, the federal government is preparing to unveil
Starting point is 00:21:39 AI.gov, a new initiative designed to bring artificial intelligence tools into widespread use across agencies. Discovered through a GitHub repository that has since been archived, the site appears to be a central hub to help agencies integrate AI into their operations. Led by Thomas Shedd, a former Tesla software engineering manager and current head of the General Services Administration's Technology Transformation Services, the project is built around three core features: a chatbot, an all-in-one API to connect with models from providers like OpenAI and Google, and a tool called Console for monitoring AI usage across agencies.
Starting point is 00:22:25 According to the staging site, the platform will use FedRAMP-certified services via Amazon Bedrock, although one listed model by Cohere may not yet be certified. AI.gov is expected to launch July 4, signaling a major push to modernize federal operations through artificial intelligence. I know what you're saying. Finally, a chatbot to fix government inefficiency. What could possibly go wrong? And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:19 Be sure to check out this weekend's Research Saturday. In my conversation with Ziv Karliner, Pillar Security's co-founder and CTO, we're discussing their research, "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents." That's Research Saturday, check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Starting point is 00:23:47 Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up.
Starting point is 00:24:40 SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
