CyberWire Daily - Exchange hybrid flaw raises cloud alarm.
Episode Date: August 7, 2025Microsoft warns of a high-severity vulnerability in Exchange Server hybrid deployments. A Dutch airline and a French telecom report data breaches. Researchers reveal new HTTP request smuggling variant...s. An Israeli spyware maker may have rebranded to evade U.S. sanctions. CyberArk patches critical vulnerabilities in its secrets management platform. The Akira gang use a legit Intel CPU tuning driver to disable Microsoft Defender. ChatGPT Connectors are shown vulnerable to indirect prompt injection. Researchers expose new details about the VexTrio cybercrime network. SonicWall says a recent SSLVPN-related cyber activity is not due to a zero-day. Ryan Whelan from Accenture is our man on the street at Black Hat. Do androids dream of concierge duty? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest We continue our coverage from the floor at Black Hat USA 2025 with another edition of Man on the Street. This time, we’re catching up with Ryan Whelan, Managing Director and Global Head of Cyber Intelligence at Accenture, to hear what’s buzzing at the conference. Selected Reading Microsoft warns of high-severity flaw in hybrid Exchange deployments (Bleeping Computer) KLM suffers cyber breach affecting six million passengers (IO+) Cyberattack hits France’s third-largest mobile operator, millions of customers affected (The Record) New HTTP Request Smuggling Attacks Impacted CDNs, Major Orgs, Millions of Websites (SecurityWeek) Candiru Spyware Infrastructure Uncovered (BankInfoSecurity) Enterprise Secrets Exposed by CyberArk Conjur Vulnerabilities (SecurityWeek) Akira ransomware abuses CPU tuning tool to disable Microsoft Defender (Bleeping Computer) A Single Poisoned Document Could Leak ‘Secret’ Data Via ChatGPT (WIRED) Researchers Expose Infrastructure Behind Cybercrime Network VexTrio (Infosecurity Magazine) Gen 7 and newer SonicWall Firewalls – SSLVPN Recent Threat Activity (SonicWall) Want a Different Kind of Work Trip? Try a Robot Hotel (WIRED) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor, Threat Locker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allow listing is a deny-by-default software that makes application control simple and fast.
Ring fencing is an application containment strategy,
Ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from Threat Locker.
Microsoft warns of a high-severity vulnerability in exchange server hybrid deployment.
deployments. A Dutch airline and a French telecom report data breaches. Researchers reveal new
HTTP request smuggling variants. An Israeli spyware maker may have rebranded to evade U.S. sanctions.
CyberArk patches critical vulnerabilities in its secrets management platform. The Akira gang uses a
legit Intel CPU tuning driver to disable Microsoft Defender. ChatGPT connectors are shown vulnerable to
indirect prompt injection.
Researchers expose new details about the Vex Trio Cybercrime Network.
Sonic Wall says a recent SSL VPN-related cyber activity is not due to a zero-day.
Ryan Whelan from Accenture is our man on the street at Black Hat, and to Android's dream of concierge duty.
It's Thursday, August 7th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us. It's great to have you with us, as always.
Microsoft has issued a
warning about a high severity vulnerability in exchange server hybrid deployments. The flaw could
let attackers with access to on-premises exchange escalate privileges in exchange online undetected.
In hybrid setups, both environments share a service principle for authentication. If attackers
compromise the on-prem server, they can exploit this shared identity to forge trusted tokens
or API calls, bypassing cloud-side security logs.
These actions may go unnoticed in Microsoft 365 audit tools.
The vulnerability affects Exchange Server 2016-2019 and the subscription edition.
While no active exploitation has been seen yet, Microsoft flagged it as exploitation more likely.
SISA also warned of potential total domain compromise and urged admins to
patch systems and disconnect unsupported exchange or SharePoint servers from the internet.
Dutch Airline KLM has reported a data breach involving a third-party customer service platform
that exposed customer names, contact info, and flying blue loyalty program details.
While no sensitive data like passwords or travel details were leaked, the breach raises fishing risks,
Air France was also affected. The incident didn't impact flight operations and both airlines
notified EU data regulators. KLM urges customers to stay alert for suspicious emails and has enhanced
security measures in response. The total number of affected users remains undisclosed.
Elsewhere, Boyg Telecom has disclosed a cyber attack that exposed personal data from 6.4 million customer
accounts. The company did not specify the attack's nature or which customers were affected,
but said the issue was resolved quickly and impacted users were notified. Boyg, France's third
largest mobile operator, reported the breach to authorities. The incident follows a similar
attack on Orange. France's ANSI has warned of ongoing state-sponsored cyber threats
targeting the telecom sector for espionage purposes.
At Black Hat, Port Swiggers James Kettle revealed new HTTP request smuggling variants impacting CDNs, major companies, and millions of websites.
These desync attacks exploit how front-end and back-end servers process HTTP requests, letting attackers sneak in malicious code.
One variant, named O.CL, targets HTTP 1.1, and led to data exposure and systems.
at T-Mobile, GitLab, and Akamai.
Akamai traced the root cause to its infrastructure and patched it.
Cloudflare also faced a related vulnerability.
Attackers could steal sessions, redirect users, or poison webcashes.
The team earned a $276,000 bug bounty and urged migration from HTTP 1.1 to 2+.
for stronger security.
Researchers from Recorded Futures InSICT group
uncovered eight malware clusters tied to Israeli spyware maker Kandiru,
suggesting the company may have rebranded to evade U.S. sanctions.
These clusters found in Hungary, Saudi Arabia, Indonesia, and Azerbaijan
are linked to the deployment of Devil's Tong,
a powerful Windows spyware capable of extracting files,
stealing browser data and accessing encrypted messages.
Kandiru, blacklisted by the U.S. in 2021, has changed names multiple times
and was reportedly acquired by integrity partners in 2024.
Despite international scrutiny, the spyware industry remains active,
using tactics like rebranding, jurisdiction hopping, and shell companies to skirt export controls.
Experts urge stronger standardized policies across the EU and global cooperation to curb the proliferation of commercial spyware.
CyberArk has patched critical vulnerabilities in its conjure secrets management platform that could allow unauthenticated remote code execution.
Discovered by researchers at Sciata, the flaws impact both the open source and enterprise versions and could let attackers bypass
IAM authentication, escalate privileges, and execute arbitrary code without credentials.
The vulnerabilities, now patched, posed a serious risk to organizations managing cloud
and DevOps secrets.
Sayada also uncovered similar flaws in Hashikorp Vault.
No in-the-wild exploitation has been reported, but users are urged to update immediately.
Akira Ransomware operators are using a legitimate Intel CPU tuning driver
RWDRV.Sys from throttle stop to disable Microsoft Defender.
This is part of a Bring Your Own Vulnerable Driver attack
where attackers load the vulnerable driver to gain kernel level access
and install a second malicious driver.
This tool disables defender protections via Windows registry edits.
Guidepoint security has seen this tactic repeatedly since mid-July and release detection tools,
including Yarra rules and IOCs.
Akira has also been linked to attacks on Sonic Wall SSL VPNs.
The attackers employ bumblebee malware via trojanized IT tools to establish access,
perform reconnaissance, exfiltrate data, and deploy ransomware.
Admins are urged to monitor for Akira indicators, enforce MFA, and avoid software from unverified sources.
Researchers have uncovered a serious vulnerability in OpenAI's ChatGPT connectors, showing how attackers can exploit linked services like Google Drive through indirect prompt injection.
Connectors provide functionality for data to flow between ChatGPT and, say, your email account,
or calendar. In a demo dubbed Agent Flair, a malicious document shared via Google Drive,
tricked ChatGPT into extracting API keys and sending them to an attacker's server using
hidden prompts in white size 1 text. This zero-click attack requires no user interaction. It highlights
the risks of linking AI models to external systems as doing so expands the potential attack
surface. OpenAI has since deployed mitigations. The incident underscores broader concerns about
prompt injection threats in AI-integrated environments. As LLMs become more powerful by connecting
to user data, they also become more vulnerable to manipulation, turning a convenience into a
possible security gateway for hackers. Researchers at Info blocks have exposed new details about
Vex Trio, a cybercrime network active since 2017 that uses traffic distribution systems,
DNS manipulation, and domain generation algorithms to spread malware, scams, and illegal content.
The group compromises websites, often WordPress-based, and reroutes traffic through malicious redirects
tailored by geolocation and device.
Vex Trio also runs fake antivirus apps, porn sites, crypto-scripts,
scams and ad fraud schemes. Their infrastructure, surprisingly, operates on fewer than 250 virtual
machines. Info blocks linked the operation to two affiliate marketing networks in Europe that merged
in 2020, forming a multinational criminal enterprise spanning nearly 100 companies. Researchers named
eight individuals tied to the group, connected to businesses in countries like Switzerland,
Chetchia and Canada, an 80-page report was released during Black Hat,
detailing the full scope of Vex Trio's activities and operators.
Sonic Wall has confirmed that recent SSL-VPN-related cyberactivity on Gen 7-plus firewalls
is not due to a zero-day, but is linked to a previously disclosed vulnerability.
Fewer than 40 incidents are under investigation, many tied to J.S.E.
gen 6 to Gen 7 migrations, where user passwords weren't reset as advised.
SonicOS 7.3 offers stronger brute force protections.
Customers are urged to update, reset SSL VPN account passwords,
and follow best practices like enabling MFA, botnet protection, and removing inactive accounts.
Coming up after the break,
Ryan Whelan from Accenture is our man on the street at Black Hat
and do Androids dream of concierge duty.
Stay with us.
New adversary tactics and emerging tech
to meet these threats is developing all the time.
On threat vector, we keep you a step ahead.
We dig deep into the threats that matter and the strategies that work.
How do they help that customer know that what they just created is safe?
The future is now and our expectations are wrong.
Join me, David Moulton, Senior Director of Thought Leadership for Uniforty 2 at Palo Alto Networks,
and our guest who lived this work every day.
We're not just talking about some encryption and paying multimillion
Ransom, we're talking about fundamentally being unable to operate.
Automated eradication and containment.
So being able to very rapidly ID what's going on in an environment and contain that immediately.
They're hiding in plain sight.
So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector.
Your front line for Security Insights.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1,
and without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity,
certificates, secrets, and workloads across all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises secure their machine future.
Visit cyberarc.com slash machines to see how.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business, and this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit Vanta.com slash cyber to sign up today for a free demo.
That's V-A-N-T-A-com slash cyber.
Ryan Whelan is managing director and global head of Accenture Cyber Intelligence.
He is also at Black Hat this week, so we checked in with him for what's buzzing at the conference.
Well, Ryan, thank you for joining us here today.
And before we get into some of the details from the show floor, I have to check in with you to make sure that you are surviving what I understand.
is a not insignificant heat wave out there in summertime Las Vegas. Is that right?
It has been incredibly hot, Dave. So every time I walk outside, I'm hit with that blast of air.
But luckily, I have almost no time to be outside, confident that heat. So survive and okay.
And it's a dry heat, right?
Yeah, exactly. It's a dry heat. Well, let's dig into Blackhead itself. I mean, just starting off with the overall
tone. As you're walking around and seeing the different booths that people have set up and having
those side conversations, what's the tone? What's the attitude? How does it seem like people are
feeling this year? Yeah, I mean, one of the things I love about Black Hat every year is that it's
really a practitioner-focused conference. That's kind of where it got its birth. And so I think there's
always a lot of energy, a lot of excitement around, you know, discovering new TTPs, right? What are the new
tactics that we're seeing adversaries use.
You know, I think this year there's, I think every conversation includes some discussion
of AI or agentic targeting, right, those sorts of things, as well as then, you know,
what we're seeing on the defensive side for solutions, right?
We're bringing innovation to get after those threats in new ways.
And so I think that energy continues.
And it's, you know, it's always, it's always nice to be able to take a step back and kind
of take a broader view at what's happening in the industry.
in terms of the sessions are there any particular areas that you're looking to get a little new knowledge on oh man i think
we could spend this whole segment just talking about that but i think you know there's there's a few that
for me were pretty interesting right i think one of the things that we're consistently tracking are like
new and emerging threat vectors and so iot and kind of iot security is one of those it's a really
interesting talk on, you know, how adversaries are targeting EV stations, right, and how that could
potentially be used as an access point into EVs. And so I think security in that way from how
we're securing, right, these pump stations that are now becoming ubiquitous across the
country. I think that's really interesting. Saw another one that I think reflects on one of the
threat factors that we're talking about regularly here, like I said, on the AI side, that's looking
at, you know, with our increasing reliance on LLMs, how are we conditioning ourselves, allowing
ourselves to be conditioned by these LLMs? So, right, human influence and conditioning of these
solutions that we're using to make our lives easier, but may also be exerting influence over
how we think and see the world. And I think that's a really interesting risk.
Yeah, that is interesting. It reminds me of, you know, sometimes I wonder how much have I trained
to my dog and how much has my dog trained me.
That's right. It's exactly.
Exactly right.
And I think what's a little bit concerning about it is we absolutely see adversaries
kind of playing in this space of doing things like, you know, data poisoning,
model poisoning for those LLMs.
And so if you marry that, you know, adversarial intent and activity that we're seeing,
then you marry that with, and then you marry that with this increasing use to those
and the ability to influence our thinking there,
it really presents a risk to organizations
as they deploy solutions like that.
For you, beyond the conference itself,
I mean, beyond the sessions and the displays
and all those sorts of things,
what do you hope to get out of a conference like this?
I mean, there's really a human face-to-face element as well.
Yeah, absolutely.
And, you know, post-COVID,
I think it's always harder to find time
for that face-to-face interaction.
You know, for me, and I'll tell you this, and I got out of meetings earlier today with a number of colleagues in this space, right?
And so I love the opportunity to just connect with the community, right?
And it, as you know, Dave, because it's one of the things you do, community is such a critical aspect of security, right?
And so much of security comes back to the fundamentals, being able to just drive collaboration, be able to share what we're seeing, having the personal.
relationship with folks where, you know, I can text another threat intel lead and make sure
that we're, you know, they're seeing similar things that we are. Or, you know, we can check
analysis on things like that. It's critical to doing this right and to giving value to clients.
So I think that's probably, that community factor is probably the biggest takeaway for me
beyond the, beyond the sessions. For someone who's never been to Black Hat, what is the value
proposition for you? What sets this conference apart and makes it,
worth you investing your time in?
Yeah, I'll go back to kind of where I started the conversation and say it's really that practitioner
level visibility and knowledge, right, the ability to take a look at how, you know,
on the one hand, we're seeing adversaries employ these new tactics, right?
How we're seeing them do things like, you know, test voice deep fakes and employ those in advanced
social engineering and some of those sorts of things.
But then, you know, pivot that around to what are we seeing on the solution side, right?
How are we thinking about agentic security and some of the new identity challenges that are now emerging around controlling agents that are running across organizations and things like that.
And so I think that practitioner view, like I said, we don't often, as an industry, we're so caught up in response, right?
We're so caught up in the day-to-day of security.
I think having that opportunity to take a step back, you've got to watch your schedule, right?
You've got to manage your schedule because you can get overwhelmed.
at these things. But I think take that step back and really seek out that practitioner level
view. That's the advantage of a place like this. That's Ryan Whelan, managing director and
global head of cyber intelligence at Accenture.
And finally, at Japan's Hennah Hotel, Hennah meaning weird, and yes, they own it,
robots are on staff, but not everywhere and not always.
Management says the decision to deploy them is based on market conditions,
guest preferences, and presumably how much patients the robots have that day.
Amid Japan's labor crunch, these humanoid helpers offer cost-cutting charm
and unwavering 24-7 availability.
Some, like Robohan, can control lights, recommend sushi joints, and dance over 70 routines,
because why wouldn't a concierge do flamenco?
Headcount has dropped drastically at some locations with bots outnumbering humans,
like it's a sci-fi reboot of faulty towers.
Expectations are tricky, make a robot too lifelike,
and guests expect them to fold towels and feel feelings.
And Na's solution, keep them quirky, keep them dancing, and maybe skip the bedtime stories.
We'd love to hear from you. We're conducting our annual audience survey to learn more about
our listeners. We're collecting your insights through the end of August. There's a link in the show
notes. Please take a moment and check it out. N2K's senior producer is Alice Carruth. Our
Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by
Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher.
I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.