
Appetite for tracking: A feast on private data.
Researchers uncover a major privacy violation involving tracking scripts from Meta and Yandex. A compliance automation firm discloses a data breach. PumaBot stalks vulnerable IoT devices. The Ramnit banking trojan gets repurposed for ICS intrusions. The North Face suffers a credential stuffing attack. Kaspersky says the Black Owl team is a cyber threat to Russia. CISA releases ICS advisories. An Indian grocery delivery startup suffers a devastating data wiping attack. The UK welcomes their new Cyber and Electromagnetic (CyberEM) Command. Our guest is Rohan Pinto, CTO of 1Kosmos, discussing the implications of AI deepfakes for biometric security. The cybersecurity sleuths at Sophos unravel a curious caper.
Today is Wednesday June 4th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Researchers uncover a major privacy violation involving tracking scripts from Meta and Yandex.
Researchers have uncovered a major privacy violation involving tracking scripts from Meta and Yandex embedded in millions of websites, Ars Technica reports. These scripts exploit legitimate browser features to link web activity with identities in Android apps like Facebook, Instagram, and Yandex. This bypasses Android’s security model and browser privacy protections, effectively breaking the “sandbox” that separates web and app data. Meta began this tracking in 2023, while Yandex has used similar methods since 2017.
The abuse involves covert communication via local ports and misused protocols like WebRTC. Although Meta and Yandex claim no sensitive data is collected, the technique de-anonymizes users—even in private browsing. Chrome, DuckDuckGo, Brave, and Vivaldi have introduced partial fixes, but researchers warn these are temporary. They urge platform-level reforms to control local port access and enhance transparency.
Google is investigating, and both Meta and Yandex say they’ve paused the feature. However, the issue underscores ongoing risks in how mobile ecosystems handle privacy and app-browser interactions.
A compliance automation firm discloses a data breach.
Vanta, a compliance automation firm, disclosed a data exposure incident affecting fewer than 4% of its customers—potentially impacting hundreds of organizations. The breach stemmed from a product code change that broke data isolation in Vanta’s multi-tenant platform, leading to cross-customer data leakage. As a result, a subset of data from under 20% of third-party integrations was exposed and shared bidirectionally between accounts.
Leaked information included employee names, roles, security configurations, MFA usage, and integration details. While the total number of affected individuals remains undisclosed, Vanta confirmed all impacted customers have been notified. The issue was identified on May 26, 2025, with full remediation expected by June 4. Vanta supports compliance with frameworks like SOC 2, ISO 27001, HIPAA, and GDPR, making the incident especially sensitive for its security-conscious clientele.
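The Vanta incident is a textbook multi-tenant isolation failure: a code change let one customer's query return another customer's rows. The block below is an added illustration, not Vanta's code; the table, column names and sample rows are constructed. It puts the fragile shape (a query where the tenant predicate is optional and left to each caller) next to a hardened shape (a repository that binds the tenant id once and applies it on every query), plus a fail-closed invariant check that turns a future regression into an exception rather than a leak.

```python
"""Tenant-scoped data access: the unscoped query beside the scoped one.

Added example (not Vanta's code). Schema and rows are constructed.
"""
import sqlite3

# Constructed schema and rows: two tenants, a few integration records each.
SCHEMA = """
CREATE TABLE integrations (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name TEXT NOT NULL,
    mfa_enforced INTEGER NOT NULL
);
"""
SAMPLE_ROWS = [
    ("tenant-a", "github", 1),
    ("tenant-a", "okta", 1),
    ("tenant-b", "aws", 0),
]


def open_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO integrations (tenant_id, name, mfa_enforced) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def list_integrations_unscoped(conn, name_filter=None):
    """Fragile shape: the tenant predicate is the caller's job. Any caller that
    forgets it (or a refactor that drops it) returns every tenant's rows."""
    sql = "SELECT tenant_id, name, mfa_enforced FROM integrations"
    params = []
    if name_filter:
        sql += " WHERE name = ?"
        params.append(name_filter)
    sql += " ORDER BY id"
    return conn.execute(sql, params).fetchall()


class TenantRepo:
    """Hardened shape: the tenant id is fixed when the repository is created and
    every query goes through one method that always binds it first."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def _query(self, suffix="", params=()):
        # Tenant predicate comes first and cannot be omitted; callers may only
        # append further AND conditions.
        sql = ("SELECT tenant_id, name, mfa_enforced FROM integrations "
               "WHERE tenant_id = ?" + suffix + " ORDER BY id")
        rows = self._conn.execute(sql, (self._tenant_id, *params)).fetchall()
        return assert_single_tenant(rows, self._tenant_id)

    def list_integrations(self, name_filter=None):
        if name_filter:
            return self._query(" AND name = ?", (name_filter,))
        return self._query()


def foreign_rows(rows, tenant_id):
    """Rows whose tenant_id differs from the caller's; non-empty means a leak."""
    return [r for r in rows if r[0] != tenant_id]


def assert_single_tenant(rows, tenant_id):
    """Fail closed: raise if a row from another tenant ever surfaces. Run this
    in the data layer and in tests so an isolation regression is caught early."""
    leaked = foreign_rows(rows, tenant_id)
    if leaked:
        raise RuntimeError(f"cross-tenant rows returned for {tenant_id}: {leaked}")
    return rows


if __name__ == "__main__":
    db = open_db()
    print("unscoped query returns:", list_integrations_unscoped(db))
    print("tenant-a repo returns:", TenantRepo(db, "tenant-a").list_integrations())
```

The point of the design is that tenant scoping is a property of the data-access object, not of each query string, so there is no code path in which a developer can forget it; the invariant check is the safety net for the day someone adds a second code path anyway.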
PumaBot stalks vulnerable IoT devices.
Researchers at PolySwarm have uncovered a stealthy new Linux-based botnet named PumaBot, targeting vulnerable IoT devices, especially surveillance systems. Written in Go, PumaBot differs from typical malware by using curated IP lists from command-and-control servers instead of scanning the internet broadly. This targeted approach helps it avoid detection.
PumaBot brute-forces SSH credentials to gain access, with a particular focus on devices from Pumatronix, a surveillance equipment maker. Once inside, it establishes persistence by disguising itself as legitimate services like Redis or MySQL and embeds into system directories to survive reboots.
Its main goal is cryptocurrency mining, executing tools like “xmrig” to generate illicit profits. The malware also gathers system data and sends it back to attackers, who maintain inventories of infected devices. PumaBot’s emergence underscores growing IoT risks tied to default credentials and weak security practices.
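Two of the PumaBot behaviours described above are cheap to hunt for on a Linux host: a process named after a common service but running from a path where that service's real binary never lives, and a command line carrying XMRig-style miner arguments. The block below is an added example, not PolySwarm's or PumaBot's code; the expected-path table reflects typical distribution package layouts (an assumption), the miner patterns are XMRig's well-known flag and pool-URL strings, and the sample process table is constructed. `collect_local_processes()` reads the real `/proc` so the same checks can run against a live host.

```python
"""Hunt for processes masquerading as services or running a miner.

Added example (not PolySwarm's or PumaBot's code). Sample process table
is constructed; collect_local_processes() reads the live /proc on Linux.
"""
import os
import re

# Service names PumaBot is reported to imitate, with the directories their
# genuine binaries normally live in (assumption: common Debian/RHEL layouts).
EXPECTED_PATHS = {
    "redis-server": ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/"),
    "mysqld": ("/usr/sbin/", "/usr/libexec/", "/usr/local/mysql/"),
    "mariadbd": ("/usr/sbin/", "/usr/libexec/"),
}
# Strings that point at XMRig-style mining regardless of the process name.
MINER_PATTERNS = re.compile(r"xmrig|stratum\+tcp://|--donate-level", re.I)


def audit_process(proc):
    """Return findings for one record: {"pid", "comm", "exe", "cmdline"}."""
    findings = []
    pid, comm, exe, cmdline = proc["pid"], proc["comm"], proc["exe"], proc["cmdline"]
    expected = EXPECTED_PATHS.get(comm)
    if expected and not exe.startswith(expected):
        findings.append(f"pid {pid}: '{comm}' running from unexpected path {exe}")
    if exe.endswith(" (deleted)"):
        # /proc/<pid>/exe shows this when the binary was removed after launch,
        # a common trick to leave nothing on disk for a file scanner to find.
        findings.append(f"pid {pid}: executable deleted after launch ({exe})")
    if MINER_PATTERNS.search(cmdline) or MINER_PATTERNS.search(os.path.basename(exe)):
        findings.append(f"pid {pid}: miner indicator in command line {cmdline!r}")
    return findings


def audit_processes(procs):
    findings = []
    for p in procs:
        findings.extend(audit_process(p))
    return findings


def collect_local_processes():
    """Read the live process table from /proc (Linux only; needs root to see
    every process's exe link). Not used by the constructed demo below."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or no permission to read it
        procs.append({"pid": int(pid), "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs


# Constructed sample: a genuine redis, an impostor planted under /lib, and a
# miner hiding behind a database service name with its binary already unlinked.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "redis-server", "exe": "/usr/bin/redis-server",
     "cmdline": "/usr/bin/redis-server 127.0.0.1:6379"},
    {"pid": 2311, "comm": "redis-server", "exe": "/lib/redis/redis-server",
     "cmdline": "/lib/redis/redis-server"},
    {"pid": 2399, "comm": "mysqld", "exe": "/tmp/.x/mysqld (deleted)",
     "cmdline": "xmrig -o pool.example:3333 --donate-level 0"},
]

if __name__ == "__main__":
    for line in audit_processes(SAMPLE_PROCS):
        print(line)
```

Name-versus-path mismatch is a stronger signal than the name alone because the page's point is precisely that the malware borrows a trusted name; pair this with a file-integrity baseline of the real service binaries and you also catch the case where the impostor is dropped over the legitimate path.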
The Ramnit banking trojan gets repurposed for ICS intrusions.
Honeywell’s latest security report reveals a sharp rise in ransomware attacks targeting industrial organizations, with over half of 2024’s SEC-reported incidents affecting operational technology (OT). More notably, data from Honeywell’s SMX USB scanning solution uncovered nearly 1,800 unique threats among 31 million scanned files, including 124 previously unseen. The standout malware was Win32.Worm.Ramnit, responsible for 42% of all detections and showing a staggering 3,000% spike in Q4 2024 versus Q2.
Ramnit, originally a banking trojan, appears to be repurposed to extract industrial control system (ICS) credentials. Its surge aligns with the widespread use of Windows-based ICS platforms, making it a potent threat via USB-borne infections. Honeywell’s cybersecurity lead, Paul Smith, suggests that its effectiveness in stealing credentials and use of built-in system tools (LOL binaries) may explain its dominance—whether by accident or targeted design.
The North Face suffers a credential stuffing attack.
On April 23, 2025, outdoor apparel brand The North Face suffered a credential stuffing attack, where hackers used stolen login details from other breaches to access customer accounts. Though payment data remained secure, personal details like contact info, shipping addresses, and purchase history were exposed. The attackers exploited users’ tendency to reuse passwords across sites. The company responded by disabling compromised credentials, forcing password resets, and urging customers to use unique passwords to reduce cross-platform security risks. No internal systems were breached.
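Credential stuffing looks different from a brute-force attack in the login logs: a brute-force hammers one account with many passwords, while stuffing tries many accounts with one leaked password each, so a per-source count of distinct usernames with a low success rate is the telling signal. The block below is an added example, not The North Face's code; the login events are constructed, and the thresholds are assumptions to be tuned against real traffic. It also produces the list of accounts that succeeded from a flagged source, which is exactly the set a responder would force-reset.

```python
"""Credential-stuffing triage over login events.

Added example (not The North Face's code). Sample events and thresholds
are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, success)
T0 = datetime(2025, 4, 23, 3, 0, 0)
SAMPLE_EVENTS = [
    # One source walking a leaked list: six accounts, one try each, one hit.
    (T0 + timedelta(seconds=0), "203.0.113.7", "alice", False),
    (T0 + timedelta(seconds=4), "203.0.113.7", "bob", False),
    (T0 + timedelta(seconds=9), "203.0.113.7", "carol", True),
    (T0 + timedelta(seconds=13), "203.0.113.7", "dave", False),
    (T0 + timedelta(seconds=18), "203.0.113.7", "erin", False),
    (T0 + timedelta(seconds=22), "203.0.113.7", "frank", False),
    # A real user mistyping twice, then getting in: one account, not stuffing.
    (T0 + timedelta(minutes=1), "198.51.100.2", "bob", False),
    (T0 + timedelta(minutes=1, seconds=20), "198.51.100.2", "bob", False),
    (T0 + timedelta(minutes=1, seconds=40), "198.51.100.2", "bob", True),
    # Ordinary successful logins from a shared office address.
    (T0 + timedelta(minutes=2), "192.0.2.9", "grace", True),
    (T0 + timedelta(minutes=3), "192.0.2.9", "heidi", True),
]


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Return {source_ip: summary} for sources that, within any window, touch
    at least min_distinct_users accounts with mostly failed attempts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _, _) in enumerate(rows):
            # Window anchored at each event; first matching window flags the source.
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in in_win}
            n_ok = sum(1 for _, _, ok in in_win if ok)
            if (len(users) >= min_distinct_users
                    and n_ok / len(in_win) <= max_success_ratio):
                flagged[ip] = {
                    "attempts": len(in_win),
                    "distinct_users": len(users),
                    "successes": sorted({u for _, u, ok in in_win if ok}),
                }
                break
    return flagged


def accounts_to_reset(flagged):
    """Accounts that a flagged source logged into: treat the password as burned."""
    names = set()
    for info in flagged.values():
        names.update(info["successes"])
    return sorted(names)


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_EVENTS)
    for ip, info in hits.items():
        print(ip, info)
    print("force reset:", accounts_to_reset(hits))
```

Keying on distinct usernames rather than raw attempt volume is what keeps the mistyping user and the shared office address out of the alert; in production the same logic should also key on username across sources, since stuffing tools rotate through proxy pools to stay under any per-IP threshold.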
Kaspersky says the Black Owl team is a cyber threat to Russia.
The pro-Ukraine hacker group BO Team, also known as Black Owl, has emerged as a major cyber threat to Russian institutions, according to Kaspersky. Active since early 2024, the group operates independently with its own tools, often targeting Russian government agencies and industries. A notable attack recently disrupted a third of Russia’s national court filing system. BO Team gains access via phishing and delays action to avoid detection—unusual for hacktivists. Their toolkit includes backdoors like DarkGate, BrockenDoor, and Remcos, and they often delete backups or use Babuk ransomware for extortion. The group disguises malware as legitimate software and shares details of attacks on Telegram. Despite their pro-Ukraine stance, BO Team works solo, without ties to other hacktivist groups, setting them apart in Russia’s threat landscape.
CISA releases ICS advisories.
CISA issued critical advisories for severe vulnerabilities in Schneider Electric and Mitsubishi Electric industrial products, threatening critical infrastructure like energy and manufacturing. The most serious flaw (CVSS 9.3) affects Schneider’s now-unsupported home automation devices, enabling remote code execution via buffer overflow. Another Schneider vulnerability allows local code execution in EcoStruxure software. Mitsubishi’s MELSEC iQ-F PLCs face a CVSS 9.1 info disclosure flaw from improper input validation. CISA urges immediate mitigations, including firmware updates and network security enhancements.
An Indian grocery delivery startup suffers a devastating data wiping attack.
Indian grocery delivery startup KiranaPro suffered a devastating cyberattack that wiped all its data, including app code and sensitive customer information. The breach, discovered on May 26, 2025, occurred after hackers accessed root accounts on AWS and GitHub, likely via a former employee’s credentials. The attack rendered KiranaPro’s app unable to process orders, halting operations for its 30,000+ active users across 50 cities. Founded in December 2024, KiranaPro runs on India’s Open Network for Digital Commerce and supports voice-based grocery ordering in multiple languages. The startup had ambitious expansion plans, now stalled by the breach. Despite using Google Authenticator for multi-factor authentication, hackers deleted all EC2 instances, leaving no logs or recovery options. KiranaPro is pursuing legal action and investigating the incident with GitHub.
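Two things in the KiranaPro account stand out to a defender: the attacker used root credentials, which a well-run AWS account never touches day to day, and then issued enough EC2 terminations to wipe everything. Both are visible in CloudTrail as long as the trail is delivered to a bucket the compromised account cannot delete. The block below is an added example, not KiranaPro's or AWS's code; the records are constructed in the JSON shape CloudTrail delivers (a `Records` array with `eventTime`, `eventName`, `userIdentity`, `requestParameters`), with the account id, ARNs, instance ids and addresses as placeholders. It flags every root-credential event and any principal issuing a burst of destructive calls inside a short window.

```python
"""Flag root-account use and destructive EC2 bursts in CloudTrail events.

Added example (not KiranaPro's or AWS's code). Records are constructed in
CloudTrail's delivered-log shape; ids and addresses are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

# Event names whose burst from one principal reads as a wipe, not routine admin.
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot",
               "DeleteBucket", "DeleteDBInstance"}

ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}  # placeholder account


def _terminate(time, ids):
    """Helper to build a constructed TerminateInstances record."""
    return {"eventTime": time, "eventName": "TerminateInstances",
            "eventSource": "ec2.amazonaws.com", "userIdentity": ROOT,
            "sourceIPAddress": "203.0.113.50",
            "requestParameters": {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}


SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-05-26T02:10:05Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.50", "additionalEventData": {"MFAUsed": "Yes"}},
    _terminate("2025-05-26T02:12:00Z", ["i-0aaa0000000000001"]),
    _terminate("2025-05-26T02:12:40Z", ["i-0aaa0000000000002", "i-0aaa0000000000003"]),
    _terminate("2025-05-26T02:13:15Z", ["i-0aaa0000000000004"]),
    _terminate("2025-05-26T02:14:05Z", ["i-0aaa0000000000005", "i-0aaa0000000000006",
                                         "i-0aaa0000000000007"]),
    {"eventTime": "2025-05-26T02:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.8"},
]})


def parse_events(raw):
    return json.loads(raw)["Records"]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def root_activity(events):
    """Every event made with root credentials. Root should be idle, so each is a finding."""
    out = []
    for e in events:
        if e["userIdentity"].get("type") == "Root":
            mfa = (e.get("additionalEventData") or {}).get("MFAUsed", "n/a")
            out.append({"time": e["eventTime"], "event": e["eventName"],
                        "ip": e["sourceIPAddress"], "mfa": mfa})
    return out


def terminated_instance_ids(event):
    params = event.get("requestParameters") or {}
    items = (params.get("instancesSet") or {}).get("items") or []
    return [i["instanceId"] for i in items]


def destructive_bursts(events, threshold=3, window_seconds=300):
    """Principals issuing at least `threshold` destructive calls within the window."""
    by_arn = defaultdict(list)
    for e in events:
        if e["eventName"] in DESTRUCTIVE:
            by_arn[e["userIdentity"]["arn"]].append(e)
    bursts = {}
    for arn, evs in by_arn.items():
        evs.sort(key=_ts)
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (_ts(evs[j]) - _ts(evs[i])).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                ids = [x for e in evs[i:j] for x in terminated_instance_ids(e)]
                bursts[arn] = {"count": j - i, "first": evs[i]["eventTime"], "instances": ids}
                break
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TRAIL)
    print("root events:", root_activity(evs))
    print("bursts:", destructive_bursts(evs))
```

Note the MFA flag in the constructed login is "Yes": a second factor on the console does not help once the attacker holds working credentials for a principal that can delete the account's own audit trail, which is why the trail must live in a separate account or an object-locked bucket.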
The UK welcomes their new Cyber and Electromagnetic (CyberEM) Command.
The UK’s Ministry of Defence (MoD) has unveiled its Strategic Defence Review (SDR), emphasizing the critical role of the new Cyber and Electromagnetic (CyberEM) Command. This new domain integrates cyber operations and electromagnetic warfare, now recognized as foundational to modern military strategy. The CyberEM Command will lead both offensive and defensive cyber missions, coordinate across services, and work alongside the National Cyber Force without overlapping authority. It will also anchor the UK’s new Digital Targeting Web, designed to connect military assets for rapid, precision strikes. The government aims to have the Command operational by year’s end and will invest over £1 billion to support it. These moves come amid rising cyber threats and follow a damning report on UK military readiness. UK Defence Secretary John Healey promises to reverse years of decline by growing force size, expanding tech capabilities, and returning the military to a war-ready posture by 2027.
The cybersecurity sleuths at Sophos unravel a curious caper.
And finally, cybersecurity sleuths at Sophos have unraveled a curious caper: over 130 open-source GitHub projects booby-trapped with backdoors, all courtesy of a mystery dev known only as ischhfd83. The plot kicked off when a user questioned the safety of “Sakura RAT”—a so-called malware tool that was less weapon, more whoopee cushion. Upon inspection, researchers found the code discreetly downloaded extra malware mid-compilation, targeting not businesses, but, in a karmic twist, other hackers and wannabes.
What followed was a journey through a thicket of copy-pasted chaos: automated commits, copycat accounts, and layers of obfuscation cloaking nasties like Lumma Stealer. Sophos suspects this is part of a broader Distribution-as-a-Service racket. Their conclusion? The digital supply chain’s underbelly remains as shady as ever, and if you’re downloading “free hacking tools” from strangers on GitHub—well, maybe you’re the mark.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.