CyberWire Daily - Memory leaks and login sneaks.
Episode Date: July 8, 2025
Researchers release proof-of-concept exploits for CitrixBleed2. Grafana patches four high-severity vulnerabilities. A hacker claims to have breached Spanish telecom giant Telefónica. Italian police arrest a Chinese man wanted by U.S. authorities for alleged industrial espionage. Beware of a new ransomware group called Bert. Call of Duty goes offline after reports of RCE vulnerabilities. President Trump's spending bill allocates hundreds of millions for cybersecurity. Nearly 26 million job seekers' resumes and personal data are leaked. CISA adds four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Outsmarting AI scraper bots with math.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Threat Vector Segment
Cyber attackers are increasingly targeting the very tools developers trust: integrated development environments (IDEs), low-code platforms, and public code repositories. In this segment of Threat Vector, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' threat research team about "Hunting Threats in Developer Environments." You can hear David and Tyler's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app.
Selected Reading
Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now (Bleeping Computer)
Grafana Patches Chromium Bugs, Including Zero-Day Exploited in the Wild (SecurityWeek)
Hacker leaks Telefónica data allegedly stolen in a new breach (Bleeping Computer)
Italian police arrest Chinese national wanted by FBI for alleged industrial espionage (Reuters)
Beware of Bert: New ransomware group targets healthcare, tech firms (The Record)
Call of Duty takes PC game offline after multiple reports of RCE attacks on players (CyberScoop)
GOP domestic policy bill includes hundreds of millions for military cyber (CyberScoop)
TalentHook leaks resumes of 26 Million job seekers (Beyond Machines)
CISA Adds Four Known Exploited Vulnerabilities to Catalog (CISA)
The Open-Source Software Saving the Internet From AI Bot Scrapers (404 Media)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, CloudRange.
At CloudRange, they believe cybersecurity readiness starts with people, not just technology.
That's why their proactive simulation-based training helps security teams build confidence
and skill from day one.
By turning potential into performance, they empower SOC and incident response teams to
respond quickly, smartly, and in sync with evolving threats.
Learn how CloudRange is helping organizations stay ahead of cyber risks at www.cloudrange.com.
Researchers release proof-of-concept exploits for Citrix Bleed 2, Grafana patches four high-severity
vulnerabilities, a hacker claims to have breached Spanish telecom giant Telefónica,
Italian police arrest a Chinese man wanted by US authorities for alleged industrial espionage,
beware a new ransomware group called BERT.
Call of Duty goes offline after reports of RCE
vulnerabilities. President Trump's spending bill allocates hundreds of
millions for cybersecurity. Nearly 26 million job seekers' resumes and personal
data are leaked. CISA adds four actively exploited vulnerabilities to the known
exploited vulnerabilities catalog. For Threat Vector, host David Moulton speaks
with Daniel Frank and Tom Fakterman from
Palo Alto Networks' Threat Research Team about hunting threats in developer environments
and outsmarting AI scraper bots with math.
It's Tuesday, July 8, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Researchers have released proof-of-concept exploits for Citrix Bleed 2, a critical flaw
in Citrix NetScaler ADC and Gateway devices.
The bug lets attackers steal user session tokens by sending malformed post-login requests,
revealing memory contents.
Citrix Bleed 2 is similar to the 2023 Citrix Bleed flaw exploited by ransomware gangs.
Technical analysis by watchTowr and Horizon3 shows that modifying the login parameter
without an equals sign leaks roughly 127 bytes of memory per request, enabling repeated data theft.
Citrix claims there's no active exploitation, but ReliaQuest and researcher Kevin Beaumont
report evidence of attacks since mid-June.
Citrix has released patches urging all organizations to apply them immediately and review
sessions for suspicious activity before termination,
as public exploits are now available.
Grafana, an open-source data visualization and dashboard platform,
released security updates to fix four high-severity vulnerabilities
in its ImageRenderer plugin and synthetic monitoring agent. The most critical is a type confusion flaw in Chrome's V8 engine, exploited as a zero-day,
allowing arbitrary read-write.
Other patched bugs include type confusion enabling code execution, integer overflow,
and use after free.
Users should update to the latest versions.
Cloud deployments are already patched.
A hacker known as Ray, linked to the Hellcat Ransomware group, claims to have stolen 106
gigabytes of data from Spanish telecom giant Telefónica in a May 30th breach. Ray says
they exfiltrated the data over 12 hours due to a Jira misconfiguration.
To prove the breach, the hacker leaked a 2.6GB archive containing over 20,000 files, including
internal communications, invoices, customer records, and employee data.
Telefónica has not acknowledged the breach, with one employee dismissing it as an extortion
attempt using old data.
However, leaked samples include email addresses of current employees and invoices for clients
in Spain, Germany, Chile, and Peru.
Ray warns they'll continue leaking data if Telefónica does not comply with undisclosed
demands.
Italian police arrested 33-year-old Zhu Zhewei, a Chinese man wanted by US authorities for
alleged industrial espionage targeting projects including COVID vaccine development.
Zhu, from Shanghai, was detained at Milan's Malpensa Airport under a US arrest warrant linked to an FBI
investigation. He's accused of being part of a hacking team that tried to access the University
of Texas's COVID vaccine research in 2020. Charges include wire fraud, identity theft,
and unauthorized computer access. Zhu faces an extradition hearing in Milan today.
A new ransomware group called BERT is targeting health care, tech, and event services firms
across Asia, Europe, and the US, according to Trend Micro.
First identified in April, BERT's ransomware affects both Windows and Linux systems.
While their exact access method is unclear, researchers found a PowerShell script that
disables security tools before deploying the ransomware.
Victims receive a ransom note saying,
Hello from BERT.
Your network is hacked and files are encrypted.
BERT's malware is under active development with multiple variants seen.
Trend Micro noted possible ties to Russian infrastructure and found that BERT reuses
code from REvil's Linux variant. REvil was dismantled in 2021, though Russian courts recently
sentenced several unrelated REvil members for carding fraud, releasing them for time served in pretrial
detention.
The PC version of Call of Duty World War II was taken offline after reports of a remote
code execution vulnerability allowing hackers to take over players' computers during live
matches.
The issue emerged shortly after the game was released on Xbox Game Pass on June 30th.
Players shared videos showing their PCs freezing, executing Windows command files, shutting
down or displaying pornographic images.
Malwarebytes researchers explained that older Call of Duty games switched to peer-to-peer networking instead of dedicated servers,
exposing players to attacks from malicious hosts.
Exploits targeting Call of Duty titles have existed for years,
with previous proof-of-concept RCEs published on Steam.
Activision has not confirmed if the takedown was directly due to the exploit,
and no further updates have been posted since July 5th.
A report from CyberScoop examines President Trump's tax and spending bill, which allocates
hundreds of millions for cybersecurity, mostly for military programs.
U.S. Cyber Command will receive $250 million for artificial intelligence initiatives, while DARPA gains $20 million for cybersecurity research.
Indo-Pacific Command gets a million dollars
for cyber-offensive operations targeting adversaries
like Russia, China, and North Korea.
The Defense Department will use $90 million,
partly to support cybersecurity for non-traditional contractors.
The Coast Guard's $2.2 billion maintenance budget includes cyber asset upkeep, while $170
million for maritime domain awareness also covers cyber.
The only civilian cyber funding is in a rural health program, allowing grants for cybersecurity
capability development.
Democrats criticized the bill for ignoring CISA funding, accusing Republicans of neglecting
national cybersecurity threats despite growing attacks from foreign adversaries and criminals.
TalentHook, an applicant tracking system owned by Resource Edge, leaked nearly 26 million
job seekers' resumes and personal data due to a misconfigured Azure Blob storage container
left publicly accessible.
Exposed information includes names, emails, phone numbers, education details, work history,
and some home addresses. The leak, discovered in January but disclosed in April,
poses phishing and fraud risks for affected individuals.
It remains unclear if TalentHook has secured the data,
and no official count of impacted people has been released.
CISA added four actively exploited vulnerabilities
to its known exploited vulnerabilities catalog.
An MRLG buffer overflow issue, PHPMailer command injection, Ruby on Rails path traversal,
and Zimbra SSRF.
These pose significant risks to federal networks, and under Binding Operational Directive 22-01, federal agencies must remediate
these by set deadlines.
Coming up after the break, for Threat Vector, host David Moulton speaks with Daniel Frank
and Tom Fakterman from Palo Alto Networks' Threat Research Team about hunting threats in developer environments
and outsmarting AI scraper bots with math.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient
than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so
much easier, and it can strengthen your security posture while actually driving revenue for your
business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas – compliance, internal and
third-party risk, and even customer trust – so you're not buried under spreadsheets
and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta
are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's vanta.com slash cyber.
CISOs and CIOs know machine identities now
outnumber humans by more than 80 to 1, and without securing them,
trust, uptime, outages and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity.
Certificates, secrets and workloads across all environments, all clouds and all AI agents.
Designed for scale, automation and quantum readiness,
CyberArk helps modern enterprises secure their machine future.
Visit cyberark.com slash machines to see how.
On our latest Threat Vector segment, host David Moulton speaks with Daniel Frank and Tom Fakterman
from Palo Alto Networks' Threat Research Team about hunting threats in developer environments.
Hi, I'm David Moulton, host of the Threat Vector Podcast, where we break down cybersecurity
threats, resilience, and the industry's trends that matter the most. This week,
we're pulling back the curtain on an attack vector you're probably not watching,
but should be.
I sat down with Tom Fakterman and Daniel Frank from our threat research team to talk about
how trusted developer tools, think things like Visual Studio Code, low code platforms,
and even public repos are being turned into malware delivery systems by some of the most
advanced threat actors out there.
In this episode we dug into the red flags you're probably missing in your CI/CD pipeline,
why the new insider threat might not even know they're an insider, and how North Korean attackers are quietly siphoning off crypto and IP
without ever breaching the perimeter.
If you care about securing your dev environments,
don't miss this episode.
It's called Hunting Threats in Developer Environments,
and it's live now in your Threat Vector feed.
So, Tom, set us up.
Why are low-code, no-code environments
becoming so popular for developers?
That's a good question.
So I would say that now with the rise of AI and everything,
you see that a lot and more and more people
don't need or want to know how to actually code
to do all the stuff that they want to do
in their day-to-day
work.
That's exactly what low-code platforms give the user, the ability to create sophisticated
automations without needing to know how to program.
What kind of threats are you seeing in these platforms specifically?
Okay, so low-code platforms, what they do
is that they offer a lot of these powerful features.
I mean, they can access things like users' files.
They can access their clipboard and even
their internet connection.
And this is just to name a few.
And the best part, it's all done through an easy-to-use
interface, so you don't need to be a coding expert or anything
close to that.
But here's the problem.
So if an attacker gets hold of one of these platforms,
they can create these automated workflows
for all kinds of malicious activities
and without needing to deploy any extra malware.
I mean, it's like they got this built-in toolkit
to do a lot of damage without even trying too hard.
How are the tactics different
from like a traditional supply chain attack or backdoors
planted in build processes?
Well, I'd say that the main difference is that in supply chain attacks, the attackers
need to find a way to insert malware into an installation process of this legitimate
software or the other.
But in this type of attack that we're talking about, all the attackers really need is good social engineering skills
to gain access to a developer's IDE
and some bad intentions.
I mean, it's that simple.
Tom, what telemetry or visibility gaps
are allowing attackers to operate
inside development tools without detection?
Yeah, so this is where things get kind of tricky.
So one of the biggest challenges with dealing with IDE abuse
is that at the end of the day, these are legitimate applications.
And usually they are trusted in the environment.
So it is not out of the ordinary for them to perform a lot of activity.
So when they are doing stuff like accessing the file system
and reaching out to external servers or spawning processes, that's not necessarily malicious.
And that's exactly what attackers are banking on. They're hiding in plain sight.
So this can make it hard for defenders to differentiate between day-to-day use of an IDE and malicious abuse by a threat actor.
What's going to need to change in most environments to close these gaps?
I would say the first step, like with a lot of these problems, is awareness.
You've got to actually recognize that IDEs, while of course essential, can also be attack surfaces.
The next step will be to work on tailored detections
and hunting queries.
We need to understand what normal behavior looks like
for a tool like VS Code and what sticks out.
And that takes some environment-specific tuning.
For defenders out there,
what are some of the high fidelity indicators of compromise
or maybe even the behavioral patterns that are tied to the developer platform abuse?
So obviously the exact indicators can shift depending on the technique and the attacker's playbook.
But there are definitely some patterns that we see that are popping up over and over again.
One of the biggest red flags we see
is when an IDE spawns a shell process,
like a CMD or a PowerShell.
And when those shells start running things
like recon commands, trying to map the network,
pull credentials, or even move laterally,
well, at this point, you should have the alarm ringing.
Oh, for sure.
Can you share any success stories
where those techniques were detected really early?
Oh, yeah, definitely.
I love that question.
So I have one story that happened pretty recently,
and it is related to a campaign we call Contagious Interview.
And we actually explored that one
in our RSA conference session.
So in this campaign,
North Korean threat actors were posing as recruiters,
and they were trying to trick developers into running malicious code
under the guise of a fake job interview, hence the name, a contagious interview.
And we spent a lot of time dissecting that campaign and mapping out the different TTPs,
and we've created a lot of different detections around their techniques.
And not long after our investigation, we actually started seeing this threat actor attempting to
target our customers using very similar TTPs.
But because of all of the work that we did on them, Cortex XDR was ready and it blocked
all their malicious attempts.
And this is an idea that we really focus on in our team.
That research isn't just a theory, it directly powers our defenses.
Daniel, what are some of the proactive ways organizations can secure their development environments without slowing down their developers?
This is a really important question, David,
and I'm glad you asked it.
Well, there are a few ways organizations can secure
their development environments,
but I will highlight two main ones.
Well, first off, before running any code
from outside sources, like third-party code,
and this is something that we talked about a lot
during our RSA conference presentation.
So it's really important to scan that code,
either manually or automatically.
And this goes for code you're importing
into existing projects,
or when you're starting a new project.
And the same also applies for extensions.
Now, the second and probably even more important point
is that regular security
awareness training is key. Everyone in the company should be trained, but it's especially crucial
for developers in this case to be aware of these kinds of threats and know how to recognize them.
If this got your attention, don't wait.
Listen to the full episode now in your Threat Vector podcast feed.
It's called Hunting Threats in Developer Environments and it's live now.
This one's a wake-up call.
Don't let it fly under your radar.
And you can check out the complete Threat Vector program right here on the N2K CyberWire
network or wherever you get your favorite podcasts.
And now, a word from our sponsor ThreatLocker, the powerful zero-trust enterprise solution
that stops ransomware in its tracks.
Allowlisting is deny-by-default software that makes application control simple and
fast.
Ring-fencing is an application containment strategy, ensuring apps can only
access the files, registry keys, network resources and other applications they truly need to
function. Shut out cyber criminals with world-class endpoint protection from ThreatLocker.
And finally, an article from 404 Media reminds us that AI bots scraping webpages might sound
harmless, just machines reading text, right?
But when these bots hammer sites relentlessly to harvest data for training AI models, small
servers crash under the strain, users get locked out, and entire communities could lose
their online homes.
Enter Xe Iaso, a developer whose Git server collapsed under an Amazon bot's enthusiastic
clicks.
Her solution?
Anubis, a free open-source uncaptcha that forces visitors' browsers to do cryptographic
math, which is easy for humans but prohibitively expensive for bots scraping millions of pages.
Since January, Anubis has been downloaded nearly 200,000 times, protecting projects
like GNOME and FFmpeg.
She also jokes that poisoning AI datasets is like peeing in the ocean, and says if AI companies
want to stop her work, they should distract her with a top-tier Final Fantasy expansion.
Until then, she'll keep fine-tuning Anubis in the never-ending quest to keep the small
Internet alive against hungry bots.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer. There's a
link in the show notes. Please do check it out. N2K's senior producer is Alice
Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman
and Tré Hester with original music by Elliott Peltzman. Our executive producer
is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Crogl is AI built for the enterprise SOC.
Fully private, schema-free, and capable of running in sensitive air-gapped environments,
Crogl autonomously investigates thousands of alerts weekly,
correlating insights across your tools without data leaving your perimeter.
Designed for high availability across geographies,
it delivers context-aware, auditable decisions aligned to your workflows.
Crogl empowers analysts to act faster and focus on critical threats,
replacing repetitive triage with intelligent automation
to help your SOC operate at scale with precision and control.
Learn more at crogl.com.
That's C-R-O-G-L dot com.