
Ghost students “haunting” online colleges.
Patch Tuesday. Mozilla patches two critical Firefox security flaws. A critical flaw in Salesforce OmniStudio exposes sensitive customer data stored in plain text. The Badbox botnet continues to evolve. AI-powered “ghost students” enrolling in online college courses to steal government funds. Hackers steal nearly 300,000 vehicle crash reports from the Texas Department of Transportation. ConnectWise rotates its digital code signing certificates. The chair of the House Homeland Security Committee announces his upcoming retirement. Our guest is Matt Radolec, VP of Incident Response, Cloud Operations & SE EU from Varonis, wondering if AI may be the Cerberus of our time. Friendly skies…or friendly spies?
Today is Wednesday June 11th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Patch Tuesday
This month’s Patch Tuesday rolled out with a bang—Microsoft released fixes for over 60 vulnerabilities, including one actively exploited zero-day, nine critical severity issues covering remote code execution and privilege escalation, and around 56 other patches addressing memory corruption, information leaks, and more.
One headline-grabber: a WebDAV zero-day, CVE-2025-33053, actively exploited in the wild—dubbed a top priority fix. Other high-risk patches include a public SMB Client privilege escalation (CVE-2025-33073) and several Office component heap overflow and use-after-free bugs, all teed up for urgent deployment.
However, the rollout hit a snag for Windows 11 24H2 users. Microsoft throttled its own June cumulative (!!) update (KB5060842) due to a compatibility issue with a limited number of devices. The company assured admins a revised version with all security fixes would be released by “end of the day.” In a rare move, they paused the full-scale deployment—a reminder that even well-tested updates can misfire in production.
Beyond OS and Office, the industrial realm isn’t off the hook either. Siemens, Schneider Electric, Aveva, and CISA released critical advisories this week in support of OT infrastructure. Siemens’ standout fix, CVE-2025-40585, plugs a glaring flaw—default admin credentials in the G5 Digital Fault Recorder—that could let remote attackers hijack recording equipment. Schneider and Aveva have joined in with their own mitigations, closing loopholes before they can be weaponized.
Mozilla patches two critical Firefox security flaws.
Mozilla has released Firefox 139.0.4 to patch two critical security flaws that could crash the browser or allow hackers to run malicious code. The first, CVE-2025-49709, involves memory corruption in Firefox’s canvas rendering system. If triggered by specially crafted web content, it could let attackers exploit memory issues and compromise browser stability. The second flaw, CVE-2025-49710, is an integer overflow in Firefox’s JavaScript engine, specifically in the OrderedHashTable structure. This could lead to heap buffer overflows and similar risks when handling JavaScript-heavy websites. Both vulnerabilities are rated high severity with CVSS scores over 8. Mozilla urges users and enterprise admins to update to version 139.0.4 immediately via the built-in updater or Mozilla’s website to protect against potential exploitation.
A critical flaw in Salesforce OmniStudio exposes sensitive customer data stored in plain text.
A critical flaw in Salesforce OmniStudio exposes sensitive customer data stored in plain text, affecting thousands of organizations. The vulnerability stems from misconfigurations in OmniStudio’s data pipeline, allowing input fields to bypass encryption. Simple API requests can exploit the flaw, which impacts key components like FlexCard and OmniScript. Healthcare, finance, and retail sectors are particularly at risk, with exposed data including names, Social Security numbers, and payment info. About 15% of implementations show signs of the flaw, often due to disabled advanced security settings. AppOmni researchers found that weak or missing encryption in data transmissions between components leads to GDPR, CCPA, and HIPAA compliance risks. The issue enables potential privilege escalation and identity theft. Organizations are urged to audit configurations and enforce encryption until patches are issued.
The Badbox botnet continues to evolve.
Badbox 2.0, a botnet infecting millions of low-cost Android smart devices, is evolving toward a new wave of fraud, according to Gavin Reid, CISO at Human Security. First uncovered in 2022 by Reid’s team, Badbox used backdoored firmware to spread malware across streaming boxes, projectors, and infotainment systems. Despite takedowns by Human Security, the FBI, and others, Badbox resurfaced in 2025 with more advanced tactics. Reid and VP of threat intel Lindsay Kaye report that attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft. A new malware variant, vo1d2, uses rotating command-and-control domains to evade detection. With continued demand for cheap, insecure Android devices, Reid warns that Badbox 3 is likely on the horizon.
AI-powered “ghost students” enrolling in online college courses to steal government funds.
Financial aid fraud is on the rise, fueled by identity theft and AI-powered “ghost students” enrolling in online college courses to steal government funds. Criminals use stolen personal data to apply for grants and loans, often enrolling in community colleges where low tuition means more aid goes directly to students. In 2024 alone, California colleges reported 1.2 million fake applications, leading to over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. Victims often learn about the fraud only after seeing credit score drops or loan notifications. Clearing their names can take years. To combat the trend, the U.S. Education Department now requires ID verification for new aid applicants. However, federal staffing cuts may undermine efforts to detect and prevent these increasingly sophisticated scams.
Hackers steal nearly 300,000 vehicle crash reports from the Texas Department of Transportation.
Hackers accessed a compromised user account to steal nearly 300,000 crash reports from the Texas Department of Transportation. The stolen data included names, addresses, driver’s licenses, insurance policy numbers, and license plates. Although not legally required, the agency notified affected individuals after detecting unusual activity on May 12. The compromised account was disabled, and security measures are being enhanced. The department advises victims to file taxes early and stay alert for suspicious emails or messages related to crash data.
ConnectWise rotates its digital code signing certificates.
ConnectWise is rotating its digital code signing certificates for ScreenConnect, Automate, and RMM tools after a third-party security researcher raised concerns about potential misuse of configuration data. The issue involves how the ScreenConnect installer handles certain settings, which could be exploited by threat actors with system-level access. While ConnectWise states this action is not linked to any security breach, including a recent nation-state attack, it is also releasing updates to improve configuration handling. The certificates, issued by DigiCert, were initially set to be revoked on June 10, but the deadline was extended to June 13 to allow time for updates. On-prem and cloud users must update builds to avoid service disruptions. Cloud users will receive automatic updates but should verify their agents are current.
The chair of the House Homeland Security Committee announces his upcoming retirement.
Rep. Mark Green, a key advocate for cybersecurity and chair of the House Homeland Security Committee, announced his upcoming retirement, potentially shifting the landscape for cyber legislation. Green prioritized cyber workforce development and the reauthorization of the 2015 Cybersecurity Information Sharing Act (CISA), which expires in September. His departure could delay or complicate progress on these initiatives. Possible successors include Rep. Michael McCaul, a past chair and cyber policy veteran, and Rep. Clay Higgins, who also has a cybersecurity focus. The committee says it will maintain cyber as a top priority, with increased responsibility likely falling to Rep. Andrew Garbarino, who leads the cybersecurity subcommittee. Green is leaving for a private sector role after a final vote on a domestic policy bill. The fate of key cyber programs remains uncertain in his absence.
Coming up on our Industry Voices segment, Matt Radolec, VP of Incident Response, Cloud Operations & SE EU from Varonis, returns to share insights on AI: The Cerberus of our time. We’ll be right back.
Welcome back. You can find a link to Matt’s interview and more information about what he discussed in our show notes.
Friendly skies…or friendly spies?
It turns out the major U.S. airlines—yes, the ones that can’t find your luggage—have been quietly selling your domestic flight data to Customs and Border Protection (CBP). An investigative report from 404 Media reveals that through a data broker the airlines own called ARC, airlines shared names, itineraries, and payment info, all while telling CBP not to mention them by name. This cloak-and-dagger data deal, documented through FOIA requests, supports tracking “persons of interest” without pesky things like warrants. The program, known as the Travel Intelligence Program, updates daily and holds over a billion records. Civil liberties advocates are, unsurprisingly, unimpressed. One called it a digital-age revival of the “collect it all” mentality. Meanwhile, Congress is starting to ask airlines why their loyalty programs apparently come with complimentary government surveillance.
Turns out, when it comes to data collection…the sky’s the limit.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.