The CyberWire Daily Podcast 6.3.25
Ep 2321 | 6.3.25

Zero-day déjà vu.

Transcript

Google issues an emergency patch for a Chrome zero-day. A new malware campaign uses fake DocuSign CAPTCHA pages to trick users into installing a RAT. A high-severity Splunk vulnerability allows non-admin users to access and modify critical directories. Experts warn Congress that Chinese infiltrations are preparations for war. Senators look to strengthen cybersecurity collaboration in the U.S. energy sector. Crocodilus Android malware adds fake contacts to victims’ phones. SentinelOne publishes a detailed analysis of their recent outage. Cartier leaves some of its cyber sparkle exposed. Our guest is Jon Miller, CEO and Co-founder of Halcyon, discussing Bring Your Own Vulnerable Driver (BYOVD) attacks. Microsoft and CrowdStrike tackle hacker naming…or do they?

Today is Tuesday June 3rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Google issues an emergency patch for a Chrome zero-day.

Google has issued an emergency update to patch a Chrome zero-day, the third such vulnerability in Chrome exploited in the wild this year. The flaw, found in Chrome’s V8 JavaScript engine, allows out-of-bounds memory access and was discovered by Google’s Threat Analysis Group. A mitigation was applied within a day, and the full fix is included in version 137.0.7151.68/.69 for Windows and Mac, and .68 for Linux. Updates are rolling out via the Stable channel. Google is withholding full details of the exploit until more users apply the patch. Earlier in 2025, Chrome zero-days were used in espionage and account hijacking campaigns. Last year, Google patched 10 exploited or demoed Chrome zero-days.

A new malware campaign uses fake DocuSign CAPTCHA pages to trick users into installing a RAT. 

A new malware campaign is using fake DocuSign CAPTCHA pages to trick users into installing the NetSupport Remote Access Trojan (RAT), according to DomainTools. The attack begins with a spoofed website that mimics DocuSign branding. Users are prompted to check a box, which triggers clipboard poisoning. A malicious PowerShell script is copied to the clipboard, with instructions to run it manually. If executed, the script downloads further payloads, sets up persistence via GitHub-hosted malware, and ultimately installs NetSupport RAT for remote control. The campaign uses familiar tools and layered tactics like ROT13 encoding and script chaining to evade detection. Domains mimicking Okta, Netflix, and Spotify were also used. DomainTools warns users to be cautious of sites prompting script execution and to inspect URLs and certificates carefully to avoid deception-based threats.

A high-severity Splunk vulnerability allows non-admin users to access and modify critical directories. 

A high-severity vulnerability (CVE-2025-20298) in Splunk Universal Forwarder for Windows allows non-admin users to access and modify critical directories due to incorrect permission settings during installation or upgrades. With a CVSS score of 8.0, this flaw affects versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, posing significant risks to organizations that rely on Splunk for log forwarding and security monitoring. The bug enables potential exposure or manipulation of log data, which could lead to data breaches or tampered audit trails. Splunk urges immediate upgrades to patched versions. For those unable to upgrade, a mitigation using icacls.exe is available to strip vulnerable permissions. This fix must be applied after any install, upgrade, or reinstall to prevent unauthorized access and maintain security integrity.
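As an added check that is not from the podcast or from Splunk, the PowerShell audit below lists ACL entries on a Universal Forwarder install directory that grant write-capable rights to low-privilege principals, which is the misconfiguration the advisory describes; the install path is an assumed default and should be adjusted, and the exact icacls.exe mitigation command belongs to Splunk's advisory rather than to this script.

```powershell
# Added example, not Splunk's own code: find directory ACEs under the
# Universal Forwarder install path that let non-admin principals modify files.
param(
    # Assumed default install location; override for your deployment.
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

# Principals that should never hold write-capable rights on these directories.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets the holder change, add or remove content.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    [System.Security.AccessControl.FileSystemRights]::Modify -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakSplunkAcl {
    param([string]$Path = $SplunkHome)
    $findings = @()
    # Audit the root and every subdirectory beneath it.
    $targets = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $targets) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$weak = Find-WeakSplunkAcl
if ($weak.Count -eq 0) { 'No write-capable grants to low-privilege principals found.' }
else { $weak | Format-Table -AutoSize }
```

Re-run the audit after every install, upgrade or reinstall, since the advisory notes the permissions are reintroduced by those operations.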

Experts warn Congress that Chinese infiltrations are preparations for war. 

Retired Lt. Gen. H.R. McMaster warned lawmakers that China’s deep infiltration into U.S. telecommunications and critical infrastructure is part of a broader war preparation strategy. Speaking at a House Homeland Security Committee field hearing, McMaster linked recent cyber campaigns like Volt Typhoon to China’s growing military ambitions, including a 44-fold defense budget increase and a possible first-strike nuclear capability. He also cited Chinese surveillance balloons aimed at U.S. strategic communications. Palo Alto Networks’ Wendi Whitmore echoed concerns, noting that China, alongside Russia, Iran, and North Korea, is becoming more aggressive in cyberspace. Palo Alto blocks up to 31 billion attacks daily, including millions of new threats. Whitmore stressed the need for faster, two-way public-private collaboration and supported legislation to strengthen the Joint Cyber Defense Collaborative.

The FCC proposes enhanced ownership reporting requirements. 

The FCC has issued a proposed rule that would expand ownership reporting requirements for nearly all entities it regulates, aiming to identify control by “foreign adversaries.” The rule would affect companies not currently required to report ownership, including private radio license holders and video service providers. Entities must disclose if they are controlled by foreign adversaries like China, Russia, Iran, or North Korea, including if such parties hold 10% or more in voting or equity interest. Failure to comply could result in fines or license revocation. If foreign control is reported, detailed ownership disclosures would be made public and could trigger national security reviews. The FCC is also considering requiring updates or periodic reporting, with final rules likely to take effect by 2026.

Senators look to strengthen cybersecurity collaboration in the U.S. energy sector. 

Senators Jim Risch (R-ID) and John Hickenlooper (D-CO) have introduced the Energy Threat Analysis Program Act to strengthen cybersecurity collaboration in the U.S. energy sector. The bill would formalize the Department of Energy’s Energy Threat Analysis Center as a central hub for cyber threat intelligence, coordinating efforts between the DOE, CISA, intelligence agencies, and private energy operators. The goal is to improve early warnings and threat mitigation in response to increasingly complex cyberattacks. The legislation comes amid growing concern over fragmented threat reporting and critical infrastructure vulnerabilities, highlighted by a recent blackout in Spain and Portugal. Both senators emphasized the need for a resilient energy grid and improved data sharing to safeguard national security.

Crocodilus Android malware adds fake contacts to victims’ phones. 

The latest version of the Crocodilus Android malware introduces a new feature that adds fake contacts to victims’ phones, allowing attackers to spoof calls from trusted sources like banks or friends. First observed in Turkey in early 2025, Crocodilus has since expanded globally, now targeting victims on every continent. Alongside enhanced social engineering, recent updates also include stronger evasion techniques, such as code packing and local data parsing. Researchers warn Crocodilus is evolving fast and urge users to download apps only from trusted sources.

SentinelOne publishes a detailed analysis of their recent outage. 

SentinelOne has published a detailed analysis of the global outage that impacted its services on May 29, 2025, attributing it to a flaw in a legacy infrastructure control system. The disruption, lasting about 20 hours, affected access to the SentinelOne management console but did not compromise endpoint protection or customer data. The incident began when a new account triggered faulty configuration logic, erasing critical DNS and network routes. SentinelOne has since taken steps to prevent recurrence, including accelerating its move to a new Infrastructure-as-Code (IaC) architecture, backing up Transit Gateway settings, and enhancing automated recovery and customer communication protocols. Notably, GovCloud customers were unaffected due to infrastructure segregation.

A Romanian citizen pleads guilty to conspiracy and making bomb threats as part of a swatting campaign. 

Thomasz Szabo, a 26-year-old Romanian citizen, pleaded guilty to conspiracy and making bomb threats as part of a swatting campaign targeting around 100 individuals, including a former U.S. president and members of Congress. The plot involved false emergency calls to provoke aggressive police responses. Szabo, extradited in 2024, acted with Serbian co-defendant Nemanja Radovanovic, who faces pending charges. The indictment describes politically neutral targeting and includes a January 2024 hoax involving a fake murder and bomb threat at a former official’s home.

Cartier leaves some of its cyber sparkle exposed. 

Cartier, the luxury brand known for diamond-studded discretion, has disclosed a data breach that left some of its sparkle exposed. In a politely worded note, Cartier admitted that an “unauthorized party” briefly wandered through its systems, collecting names, emails, and countries of residence—presumably not for a holiday card list. The company assures customers it’s now added extra polish to its cybersecurity, but advises staying wary of any “mysterious” messages. Fashionably late to the breach club, Cartier joins Dior and Tiffany in May’s cyber soirée.

Microsoft and CrowdStrike tackle hacker naming…or do they?

Tune in to hear Dave speak with Maria Varmazis, co-host of Hacking Humans and host of T-Minus Space Daily.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.