CyberWire Daily - Jedai tricks, human risks.
Episode Date: June 10, 2025

An unsecured Chroma database exposes personal information of Canva Creators. A researcher brute-forces Google phone numbers. Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered. Librarian Ghouls target Russian organizations with stealthy malware. SAP releases multiple security patches including a critical fix for a NetWeaver bug. Sensata Technologies confirms the theft of sensitive personal data during an April ransomware attack. SentinelOne warns of targeted cyber-espionage attempts by China-linked threat actors. Skitnet gains traction amongst ransomware gangs. The UK's NHS issues an urgent appeal for blood donors. On today's Threat Vector, host David Moulton talks with Arjun Bhatnagar, CEO of Cloaked, about why protecting your digital privacy is more urgent than ever. The FBI's Cyber Division welcomes a new leader.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this segment of Threat Vector, host David Moulton talks with Arjun Bhatnagar, CEO of Cloaked, about why protecting your digital privacy is more urgent than ever. From building better cybersecurity habits to understanding the hidden risks in everyday apps, Arjun shares practical advice that listeners can use immediately. You can hear David and Arjun's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app.

Selected Reading
Canva Creators' Data Exposed Via AI Chatbot Company Database (Cyber Security News)
Google brute-force attack exposes phone numbers in minutes (The Register)
Five Zero-Days, 15 Misconfigurations Found in Salesforce Industry Cloud (SecurityWeek)
'Librarian Ghouls' APT Group Actively Attacking Organizations To Deploy Malware (Cyber Security News)
Critical Vulnerability Patched in SAP NetWeaver (SecurityWeek)
Sensitive Information Stolen in Sensata Ransomware Attack (SecurityWeek)
SentinelOne Warns Cybersecurity Vendors of Chinese Attacks (Infosecurity Magazine)
Skitnet Malware Actively Adopted by Ransomware Gangs to Enhance Operational Efficiency (GB Hackers)
NHS calls for 1 million blood donors as UK stocks remain low following cyberattack (The Record)
Brett Leatherman to follow Bryan Vorndran as head of FBI Cyber Division (The Record)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get
your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire
right now and support our show by saying you heard about Indeed on this podcast. indeed.com/cyberwire.
Terms and conditions apply. Hiring, Indeed, is all you need.
An unsecured Chroma database exposes personal information of Canva creators.
A researcher brute-forces Google phone numbers.
Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered.
Librarian Ghouls target Russian organizations with stealthy malware.
SAP releases multiple security patches, including a critical fix for a NetWeaver bug.
Sensata Technologies confirms the theft of sensitive personal data during an April ransomware attack. SentinelOne
warns of targeted cyberespionage attempts by China-linked threat actors. Skitnet gains
traction amongst ransomware gangs. The UK's NHS issues an urgent appeal for blood donors.
On today's Threat Vector, host David Moulton talks
with Arjun Bhatnagar, CEO of Cloaked,
about why protecting your digital privacy
is more urgent than ever.
And the FBI's Cyber Division welcomes a new leader.
["Dreams of a New World"]
It's Tuesday, June 10th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great as always to have you with us.
A data breach exposed personal information from 571 Canva creators after a Russian AI
firm, MyJedai, left a Chroma database unsecured. The database, used to train AI chatbots,
included survey responses detailing
creators' professional and financial data,
posing phishing and competitive risks.
Discovered by UpGuard, the breach highlights vulnerabilities
in the fast-growing AI supply chain,
where tools like Chroma are deployed rapidly without mature security
practices.
MyJedai secured the data within 24 hours of notification.
This marks the first known Chroma-related leak and underscores how the rush to adopt
AI has sometimes outpaced safeguards, increasing the risk of misconfigurations and data exposure.
A white hat hacker known as BruteCat uncovered a flaw in Google's authentication process
that exposed users' phone numbers to brute force attacks.
The exploit required only an email address and used Google's account recovery hints
to deduce phone numbers, enabling potential SIM swapping
attacks.
BruteCat bypassed protections using cloud services and Google Looker Studio, exploiting
a non-JavaScript recovery form and leveraging IPv6 to sidestep IP-based rate limits.
By automating the process, phone numbers could be cracked in seconds to minutes
depending on the region. Despite the severity, Google awarded a modest $5,000 bounty, though
they quickly patched the issue. The incident highlights the need for stronger safeguards
in account recovery workflows and how overlooked legacy systems can create significant security
risks.
Security researchers at AppOmni uncovered five zero-day vulnerabilities
and 15 serious misconfigurations in Salesforce Industry Cloud,
potentially impacting tens of thousands of organizations.
Salesforce Industry Cloud offers low-code tools tailored for sectors like healthcare,
finance and government, but its ease of use can lead to risky default settings.
Three of the five flaws were fixed by Salesforce directly, while two require customer action.
The remaining issues stem from common misconfiguration traps, often caused by non-technical users unknowingly
applying insecure access settings.
These missteps could lead to major data breaches, including exposure of sensitive health or
financial data.
AppOmni's scans show these risks are widespread among Industry Cloud users, raising serious concerns about security in low-code enterprise platforms
designed for speed and simplicity.
The Librarian Ghouls APT group, also known as Rare Werewolf or Rezet, has been actively
targeting Russian and CIS organizations through a stealthy and persistent malware campaign
extending into May of this year. This group leverages legitimate third-party
software, PowerShell scripts, and phishing emails to avoid detection.
Victims receive password-protected archives containing fake business
documents initiating a multi-stage attack that installs legitimate-looking
tools like 4t Tray Minimizer to conceal activity.
Once infected, systems are exploited for credential theft, data exfiltration, and cryptocurrency
mining.
Targets include industrial and educational institutions, suggesting an intent to steal
intellectual property.
The campaign uses scheduled tasks, AnyDesk for remote access, and disables security tools
to ensure persistence.
Hundreds have been affected, highlighting the group's sophisticated social engineering
and technical execution.
SAP released 14 security patches in its June 2025 Security Patch Day, including a critical fix for a
NetWeaver bug rated 9.6 on the CVSS scale.
The flaw allows privilege escalation through a missing authorization check in the RFC framework.
Onapsis warns it could severely impact application integrity and availability.
SAP also addressed five high severity
and multiple medium and low severity flaws affecting various components. No
active exploitation has been reported but immediate patching is strongly
recommended. Sensata Technologies confirmed that hackers accessed and stole
sensitive personal data during a ransomware attack that disrupted operations in April.
The attackers had access from March 28th through April 6th
and exfiltrated files containing names,
Social Security numbers, financial and health data,
likely belonging to employees.
At least 362 Maine residents are affected.
The Massachusetts-based firm, which supplies electrical components globally, hasn't appeared
on any known ransomware leak sites, and it remains unclear if a ransom was paid.
SentinelOne is calling for greater industry transparency after revealing targeted cyber espionage attempts by China-linked threat
actors APT15 and APT41.
The first campaign, PurpleHaze, involved reconnaissance on SentinelOne servers and attacks
using Ivanti zero-day flaws and the GOREshell backdoor.
A second operation, tied to APT41, aimed to infiltrate a SentinelOne
supplier via ShadowPad malware in a suspected supply chain attack. These
incidents highlight a growing trend: cybersecurity vendors are becoming
direct targets. SentinelOne warns the industry to stay vigilant, citing a
pattern of stealthy long-term intrusions focused on
high-value infrastructure.
Skitnet, also known as Bossnet, has rapidly become a favored tool among ransomware groups
this year, notably Black Basta and Cactus.
Marketed as a user-friendly post-exploitation toolkit, it gained traction following a takedown
of major botnets like QakBot, filling a gap in the cybercrime ecosystem.
Distributed via underground forums like RAMP, Skitnet's malware-as-a-service model enables
even low-skilled actors to launch advanced attacks.
Technically sophisticated, it uses a Rust loader and a ChaCha20-encrypted Nim payload
to establish stealthy DNS-based reverse shells.
Its persistence techniques include DLL hijacking, startup shortcuts, and use of tools like AnyDesk
and PowerShell.
The malware also features anti-forensic measures, log wiping, and living-off-the-land
tactics, making detection and attribution difficult. Skitnet's rise underscores the
growing industrialization of cybercrime and the need for proactive defense strategies.
The UK's NHS has issued an urgent appeal for 1 million blood donors as national blood supplies
remain critically low, especially for O-negative blood, following a 2023 ransomware attack
on pathology provider Synnovis.
The attack disrupted services, forcing hospitals to rely heavily on O-type blood, leading
to a fragile supply. The NHS is particularly seeking O-negative donors and those of black heritage, crucial
for treating conditions like sickle cell disease.
Meanwhile, over 900,000 patients were impacted by the Synnovis breach, which exposed sensitive
medical data, including cancer and STI records. Despite legal obligations to notify affected individuals, many remain uninformed.
The NHS warns that without immediate donor support, the system risks entering a red alert
state where demand exceeds supply, threatening patient care and public safety.
Coming up after the break on today's Threat Vector, David Moulton speaks with Arjun Bhatnagar, CEO of Cloaked, about why protecting your digital privacy is more urgent than ever.
And the FBI's Cyber Division welcomes a new leader. Stay with us.
Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com/n2k and use promo code N2K at checkout.
That's joindeleteme.com/n2k, code N2K.
And now a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment. If it's not approved, it doesn't run. Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day. See how ThreatLocker can help you lock down your environment at
www.threatlocker.com.
On this week's Threat Vector segment, host David Moulton speaks with Arjun Bhatnagar, CEO of Cloaked.
They're speaking about why protecting your digital privacy is more urgent than ever.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we explore the evolving
cybersecurity landscape and bring you insider insights into the threats and opportunities
shaping the future of digital security.
In our next episode, I sat down with Arjun Bhatnagar, CEO and co-founder of Cloaked,
and someone who's been hacking and building since he was 12 years old,
to talk about something that we all take for granted, our privacy. Arjun shares how building
an AI to track his own health data during the pandemic led to a much bigger discovery.
Your phone number might be all someone needs to find your social security number, your
home address, and your most personal details.
That one data point could be the key to your entire digital identity.
If you've ever wondered what a hacker sees when they look at your digital life, this
is the episode that you can't afford to miss.
Check it out wherever you get your podcasts.
Arjun, you've been developing and hacking since you were, what, 10 years old.
And then it was like the pandemic where your interest in
or your journey to privacy really took off.
Thanks to this like AI data box
that you built for your own health.
Can you take me back to that moment
and walk us through how that experience
sparked the idea for Cloaked?
Absolutely.
And I'm excited to talk about it.
It's been an interesting journey for me, learning
about privacy. I've always been privacy centric, but that moment really clarified for me what I
really wanted to do. So back in 2020, I was really interested in my own data. What does my data look
like? Where does it live? What's going on with it? Because I wanted to see if there's a way to
correlate different things about me to make me feel better, understand what can I do better to ultimately be happier or minimize issues or
kind of keep track of things around health that I should pay attention to.
So I ended up getting a Mac mini, putting it in my apartment, and I wrote integrations
into everything about myself.
Basic stuff like my Google Calendar, my Facebook data,
I hacked iMessage, my Google Calendar, my health data,
my eating data, my banking data, my GPS data, movement data,
everything about me I put in this box.
And in that box, as it's pulling everything,
I started writing some crude models
to start analyzing this data and telling me what's going on,
what can I do about it, and can you help me take some actions?
And without me even realizing it, very quickly it started doing things.
It said, hey, I noticed you missed your workout yesterday.
Do 15 push-ups between these two meetings.
Based on my spending habits, it said let's cut back on the alcohol and
the Chinese food.
But it hit me in the face one day when I lunched with somebody and
I put my phone down.
End of lunch, I picked up my phone and realized my really crude AI had a full conversation
with my then girlfriend. It told her, I love you. It sent her memes and did the entire
conversation while I was eating. And I picked up my phone and realized, holy cow, this is
crazy. But I realized in that moment that I didn't own any of my own data.
And two, that we're headed into some AI future.
It's going to be important to figure out what data ownership my privacy means.
Because if I can do this in my backyard type of thinking,
well, when AI and big tech gets into AI and my personal data, it's going to be crazy.
Well, it wouldn't be a safe summer type of podcast
if we didn't talk about passwords
and the headache of passwords.
We know we need them, but I know a lot of people
struggle to manage them.
I've used a password manager for years.
I've tried to insist on that within the area where
I'm the resident geek, and as far out as I can,
but just creating strong passwords isn't enough.
You know, we need unique ones.
We need different ones for different accounts.
Can you talk about why it's worth the hassle
to have unique passwords and why a password manager
may be the right choice for a lot of folks who have
maybe resisted it.
So I'll break this into a few different points around the password headaches.
I totally get it.
And I'm a little contrarian here, where security professionals will just say, you
need complex individualized passwords to every service, full stop.
But the problem is when you make that statement, it's a big leap from where people are today.
So what I'd say is that how do you progressively get better?
When you get passwords, I'd say people have heard of password managers and it's definitely
a great tool.
I'll get to that in a second.
The real part is how do you think about passwords?
One, we want to create the distinct nature, and I'll explain why that's important.
When you have a password, if someone wants to compromise an individual and hack into their account, etc.,
they're not going to necessarily try to hack into your bank account, your JP Morgan account, etc.,
because that cash party probably is pretty secure, they have a lot of incidents.
However, when you do use the same password, I'm going to go compromise the jeans shop you bought jeans from recently because their security might be weak and
they're not investing in a massive security team to make sure your
information is safe. But somebody might go find a compromise there or they might
have been already compromised and if you use the same password, well somebody's
just going to use that to then get into your bank account.
And this is where password reuse is a big problem because I'm just going to find the
weakest website that has not the best security, find that compromise, and then use that to
work my way to your Gmail or your bank account, primarily your Gmail or your Verizon or phone
bill company because I can use those to compromise
other accounts and become the chain of attacks.
So that's why password reuse is bad.
But then what do you do about it?
I'd say coming back to habits, having a habit around passwords is really important.
So what I would say is first off, thinking about the different types of passwords you
want to have.
That's the first way of approaching this. So for example, my computer password is unique to my computer and I do not use that anywhere else.
So fundamentally, I do not use that anywhere online because it's offline, my computer, and if
you get into my computer, you basically have gotten the keys to the kingdom there. So that one is unique.
I do then say for my bank account, my Gmail, my Apple, these things have distinct passwords.
And I'll tell you about how I kind of waste my passwords in a second, but that information
of like, these are very sensitive things and can compromise me. I make those distinct.
And then for the other accounts,
I just create password habits to make them useful.
Now I use Clip Password Manager,
Cloaked is my password manager,
but I'd say that what I've always done
is just following these rules.
Coming into making a password,
when people realize that it's a famous comic,
that your password is teaching you 12 characters, a
symbol, and all that stuff. That's not the best password. A long password is actually
much safer than a short one with a bunch of random symbols in it. You adding an extra
dollar sign to your password is not making it that much harder for someone to crack it.
It's really the length of it is what makes it really hard.
So in front of me, like I'm looking at things like I've got a napkin, a remote, a marker
and a cable.
Napkin remote marker cable, one exclamation point, great password.
It's easy to remember and it's going to fit all the criteria and very hard to crack.
And it should be, you make it easy to remember,
but then also harder to compromise.
That's how I do my passwords,
is to kind of have a pass phrase or system things
that you can remember,
but they're really hard to compromise.
At South By in Austin, you gave a demonstration
where you asked the crowd to call a phone number
that's part of Cloaked.
And I have to say it was the best demonstration
of software I'd seen because I lost count
of the number of gasps from the crowd
as people were listening to the message that came up and they were hearing their name,
they were hearing most of the social security number,
they were hearing information about themselves.
And I think it was really back to our opening conversation
about how being able to see your data
can change your behavior.
In this case, you can hear what data is publicly available
about you just from your phone number.
I believe people left that demonstration
with a different mindset
about what they're going to give away
and what they wanted to do to feel comfortable
to operate in the modern world
where data is just flowing out
and if they wanted to control their privacy.
So if you're out there and you're thinking,
I got to see what this demo is that Arjun gave or Dave's talking about.
That's on the website, and I gotta say, I recommend going and giving it a try. It was jaw-dropping, man.
Well, I think this is, I'm glad you appreciated it.
The demo is really focusing on the point that we know our data is out there,
but we don't really understand the extent of how much that is. And we don't have any of this data. They and all
these companies are aggregating, selling, but it's so easy to find it. And I don't
know if you want, I can share this or we can point it at cloak.com, but it's such a
powerful tool because it's visceral. And we made the phone number because it's like,
hey, just call it.
No information needed.
You don't have to type anything.
You feel it right then and there.
The episode is called A Hacker's Insights on Your Privacy,
and it dropped June 5th.
Catch it in your Threat Vector feed and
find out what your phone number is really saying about you.
And of course, do check out the entire episode of Threat Vector right here on the N2K CyberWire
Network or wherever you get your favorite podcasts.
Compliance regulations, third-party risk and customer security demands
are all growing and changing
fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way. Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
efficiency to your GRC game.
Vanta GRC. How much easier trust can be.
And finally, the FBI's Cyber Division is welcoming a new leader. Brett Leatherman, a longtime FBI veteran with deep cyber expertise, will step in as assistant
director following Bryan Vorndran's retirement.
Leatherman brings more than 20 years of experience, from field offices to leading cyber operations,
and recently served as deputy assistant director for cyber operations.
In a LinkedIn post he expressed gratitude for the opportunity to lead
pledging to disrupt cyber threats and support victims. Known for his
collaborative forward-looking approach, Leatherman aims to build on the FBI's
mission to make cybercrime unsustainable. He steps into big shoes.
Vorndran helped modernize the FBI's cyber strategy,
taking bold steps to disrupt hacking groups
and boost victim support.
The cyber community will be watching closely
as Leatherman carries the torch forward
with fidelity, bravery, and integrity.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August this year.
There's a link in the show notes.
Please take a moment and check it out.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and
sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our
publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches,
malware and phishing to neutralize identity-based threats like account takeover, fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what
attackers already know.
That's spycloud.com/cyberwire.