The CyberWire Daily Podcast 6.13.25
Ep 2329 | 6.13.25

Cloudflare’s cloudy day resolved.

Transcript

Cloudflare says yesterday’s widespread outage was not caused by a cyberattack. Predator mobile spyware remains highly active. Microsoft is investigating ongoing Microsoft 365 authentication services issues. An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. Palo Alto Networks documents a JavaScript obfuscation method dubbed “JSFireTruck.” Trend Micro and Mitel patch multiple high-severity vulnerabilities. CISA issues multiple advisories. My Hacking Humans cohost Joe Carrigan joins us to discuss linkless recruiting scams. Uncle Sam wants an AI chatbot.

Today is Friday June 13th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cloudflare says yesterday’s widespread outage was not caused by a cyberattack, and no data was lost. 

Cloudflare has confirmed that a widespread outage on its network was not caused by a cyberattack, and no data was lost. The incident began at 17:52 UTC and lasted about 2.5 hours, triggered by a failure in Workers KV—a critical key-value store used across Cloudflare’s serverless platform. The root cause was an outage at a third-party cloud provider supporting the KV backend. The failure impacted many services, including Google Cloud Platform, and disrupted authentication, streaming, image uploads, and AI functions. Cloudflare is now moving to reduce reliance on that provider by migrating storage to its own R2 system. The company will also add safeguards and new tools to better manage future outages and restore service without triggering cascading failures.

Predator mobile spyware remains highly active. 

Despite international sanctions and public exposure, the Predator mobile spyware remains highly active and adaptable. Originally developed by Cytrox and now part of the Intellexa alliance, Predator uses both 1-click and zero-click methods to infect devices, granting access to microphones, cameras, and sensitive data. It targets high-value individuals, including journalists, politicians, and activists. Researchers from Recorded Future have observed new infrastructure and operations in over a dozen countries, with heavy use in Africa and a newly reported presence in Mozambique. Predator’s evolving five-tier infrastructure—now linked to a Czech firm—makes tracking difficult. Fake websites and new server strategies help evade detection. Its modular design allows remote updates, reinforcing its persistence. Predator’s use remains strategic, costly, and deeply concerning for civil society and cross-border surveillance.

Microsoft is investigating ongoing Microsoft 365 authentication services issues. 

Microsoft is investigating an ongoing Microsoft 365 issue affecting authentication services, particularly self-service password resets and adding multi-factor authentication (MFA) methods. The problem, linked to a recent configuration change aimed at improving MFA, is impacting users across Asia Pacific, Europe, the Middle East, and Africa. Microsoft has issued a temporary fix and reports signs of improvement. Affected users, including NHSmail in the UK, are seeing errors like “no methods available.” This follows recent Microsoft 365 authentication and access issues in January, April, and May.

An account takeover campaign targets Entra ID users by abusing a popular pen testing tool. 

A major account takeover campaign is targeting Entra ID users by abusing the TeamFiltration penetration testing tool, according to Proofpoint. Originally designed for ethical hacking, TeamFiltration can automate password spraying, account enumeration, and data exfiltration. The tool requires an AWS account and a Microsoft 365 Business Basic license to function. Since December 2024, a threat actor—dubbed UNK_SneakyStrike—has used it against roughly 100 cloud tenants, peaking in January 2025. Attacks rely on the Microsoft Teams API and global AWS infrastructure for stealthy, high-intensity bursts. Smaller tenants saw broad targeting, while larger ones had focused user targeting. The campaign used outdated Microsoft Teams clients and exploited OAuth app IDs to obtain bearer tokens via Entra ID. Most attack traffic came from AWS servers in the US, Ireland, and the UK.
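The detection side of the campaign described above, as an added example that is not part of the transcript or of Proofpoint's research: a small spray detector run over constructed sign-in records. One source IP failing against many distinct accounts inside a short window is the shape that password spraying leaves in authentication logs, whatever tool produced it. The field names, the ten-minute window, the five-account threshold and the sample events are assumptions, not values from the page.

```javascript
// Added example for the TeamFiltration segment; not code from the transcript
// or from Proofpoint. Field names, window size and threshold are assumptions.

function detectSprayBursts(events, { windowMs = 10 * 60 * 1000, minDistinctUsers = 5 } = {}) {
  // Only failed sign-ins matter for spraying; group them by source IP.
  const failuresByIp = new Map();
  for (const e of events) {
    if (e.result !== 'failure') continue;
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push(e);
  }

  const findings = [];
  for (const [ip, list] of failuresByIp) {
    list.sort((a, b) => a.ts - b.ts);
    // Sliding window: count distinct accounts among failures within windowMs.
    const counts = new Map();
    let start = 0;
    let best = { distinctUsers: 0, from: 0, to: 0 };
    for (let end = 0; end < list.length; end++) {
      counts.set(list[end].user, (counts.get(list[end].user) || 0) + 1);
      while (list[end].ts - list[start].ts > windowMs) {
        const u = list[start].user;
        const left = counts.get(u) - 1;
        if (left === 0) counts.delete(u); else counts.set(u, left);
        start++;
      }
      if (counts.size > best.distinctUsers) {
        best = { distinctUsers: counts.size, from: list[start].ts, to: list[end].ts };
      }
    }
    if (best.distinctUsers >= minDistinctUsers) {
      findings.push({
        ip,
        ...best,
        // Client applications seen from that IP; an unexpected or outdated
        // client alongside a spray pattern is worth a closer look.
        apps: [...new Set(list.map((e) => e.app))],
      });
    }
  }
  return findings;
}

// Constructed sample: timestamps are epoch milliseconds, IPs come from the
// RFC 5737 documentation ranges, and every account is fictitious.
const T0 = Date.UTC(2025, 0, 15, 3, 0, 0);
const SPRAY_ACCOUNTS = ['ava', 'ben', 'cho', 'dan', 'eve', 'fay', 'gus', 'hal'];
const EVENTS = [
  // Spray: one failed attempt per account, 30 s apart, same IP and client.
  ...SPRAY_ACCOUNTS.map((name, i) => ({
    ts: T0 + i * 30 * 1000, ip: '203.0.113.10', user: `${name}@example.com`,
    result: 'failure', app: 'legacy-desktop-client',
  })),
  // Legitimate: alice mistypes twice, then signs in.
  { ts: T0 + 60 * 1000, ip: '198.51.100.7', user: 'alice@example.com', result: 'failure', app: 'browser' },
  { ts: T0 + 90 * 1000, ip: '198.51.100.7', user: 'alice@example.com', result: 'failure', app: 'browser' },
  { ts: T0 + 120 * 1000, ip: '198.51.100.7', user: 'alice@example.com', result: 'success', app: 'browser' },
  // Shared office egress: two people each fail once, below the threshold.
  { ts: T0 + 200 * 1000, ip: '198.51.100.20', user: 'bob@example.com', result: 'failure', app: 'browser' },
  { ts: T0 + 260 * 1000, ip: '198.51.100.20', user: 'cat@example.com', result: 'failure', app: 'browser' },
];

for (const f of detectSprayBursts(EVENTS)) {
  console.log(`spray-like burst from ${f.ip}: ${f.distinctUsers} accounts in ${(f.to - f.from) / 1000}s via ${f.apps.join(',')}`);
}
```

The detector keys on distinct accounts per source rather than on failures per account, which is why alice's three mistakes and the two colleagues behind a shared egress address stay below the threshold while the eight single-attempt failures from one address are reported. In a real tenant the same logic would be fed from the sign-in log export, and the reported client list is what you would compare against the clients your users are actually expected to run.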

Palo Alto Networks documents a JavaScript obfuscation method dubbed “JSFireTruck.”

Palo Alto Networks’ Unit 42 has uncovered a large-scale malware campaign that compromised nearly 270,000 websites using a JavaScript obfuscation method dubbed “JSFireTruck.” This technique relies on JavaScript’s type coercion and only six ASCII characters—(), [], !, and $—to encode functioning code. Though the obfuscated scripts are long and conspicuous, they are difficult to analyze without automation. Attackers used JSFireTruck alongside layered obfuscation methods, reconstructing payloads through arrays and mixing readable and encoded elements. These scripts detect if users arrive via search engines and then redirect them using full-page iframes, potentially leading to phishing or malware. The activity surged in mid-April 2025. Unit 42 urges admins to patch systems and check for infections. Veracode recently found a similar obfuscation-heavy campaign using a malicious npm package with at least seven hiding techniques. It is worth noting that while Palo Alto Networks refers to the method as JSFireTruck, the creators of the campaign internally use a different F word. 
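As an added example that is not part of the transcript or of Unit 42's write-up, here is a defender's heuristic for the technique just described: a scanner that profiles a script by how much of it is drawn from the six-character set the transcript lists, plus a short demonstration of the type coercion that lets so small an alphabet express real values. The character set is the one the transcript gives; the length, ratio and run thresholds and the sample scripts are my own assumptions and should be tuned against your own script corpus.

```javascript
// Added example for the JSFireTruck segment; not code from the transcript or
// from Unit 42. Alphabet per the transcript; thresholds and samples assumed.

const DEFAULT_ALPHABET = new Set(['(', ')', '[', ']', '!', '$']);

// Why an alphabet this small can still carry code: JavaScript's implicit
// coercion turns a few operators on empty arrays into strings, numbers and
// booleans, and those strings can then be indexed for individual characters.
function coercionExamples() {
  return {
    emptyString: [] + [],      // "" : two empty arrays stringified and joined
    falseString: ![] + [],     // "false" : !array is false, then stringified
    trueString: !![] + [],     // "true"
    letterA: (![] + [])[1],    // "a" : index into the string "false"
  };
}

// Per-script profile: share of non-whitespace characters that belong to the
// alphabet, and the longest unbroken run of alphabet characters. The run
// length catches the "mixed" variant the transcript mentions, where an
// encoded blob sits inside readable code and drags the overall ratio down.
function profileScript(source, alphabet = DEFAULT_ALPHABET) {
  let total = 0, inAlphabet = 0, run = 0, longestRun = 0;
  for (const ch of source) {
    if (/\s/.test(ch)) continue;
    total += 1;
    if (alphabet.has(ch)) {
      inAlphabet += 1;
      run += 1;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  return { total, ratio: total ? inAlphabet / total : 0, longestRun };
}

function classifyScript(source, { minLength = 200, minRatio = 0.9, minRun = 100, alphabet = DEFAULT_ALPHABET } = {}) {
  const profile = profileScript(source, alphabet);
  const reasons = [];
  if (profile.total >= minLength && profile.ratio >= minRatio) {
    reasons.push(`alphabet ratio ${profile.ratio.toFixed(2)} over ${profile.total} chars`);
  }
  if (profile.longestRun >= minRun) {
    reasons.push(`unbroken alphabet run of ${profile.longestRun} chars`);
  }
  return { suspicious: reasons.length > 0, reasons, profile };
}

// Constructed samples. The blob strings are stand-ins built only from
// alphabet characters; they are not real encoded payloads.
const SAMPLES = {
  benign: 'document.addEventListener("DOMContentLoaded", function () {\n' +
          '  const el = document.getElementById("menu");\n' +
          '  if (el) el.classList.add("ready");\n});',
  fullyObfuscated: '[$]()!'.repeat(50),
  mixed: 'var x = 1;\n' + '[$]()!'.repeat(20) + '\nconsole.log(x);',
};

for (const [name, source] of Object.entries(SAMPLES)) {
  const verdict = classifyScript(source);
  console.log(name, verdict.suspicious ? 'SUSPICIOUS' : 'ok', verdict.reasons.join('; '));
}
```

Two signals are used on purpose: the ratio alone misses a script that wraps a long encoded blob in ordinary-looking code, while the run length alone would flag nothing in a script that is entirely encoded but short. Because the alphabet is a parameter, the same scanner can be pointed at other minimal-character-set encodings by swapping the set.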

Speaking of Palo Alto Networks, they have released patches for multiple vulnerabilities across their products, including GlobalProtect App, Cortex XDR, PAN-OS, and Prisma Access Browser. The most critical flaw, CVE-2025-4232, is an authenticated code injection in GlobalProtect for macOS with a CVSS score of 7.1. Two PAN-OS flaws scored medium severity (5.7 and 6.1). The Prisma Access Browser received 12 fixes, including a cache issue and 11 Chrome-related bugs, with a combined CVSS score of 8.6. No active exploitation has been reported.

Trend Micro and Mitel patch multiple high-severity vulnerabilities. 

Trend Micro has issued critical security updates for its Apex Central and Endpoint Encryption (TMEE) PolicyServer products, addressing multiple high-severity and critical remote code execution and authentication bypass vulnerabilities. These flaws, mostly caused by insecure deserialization, allow unauthenticated attackers to execute code as SYSTEM or bypass authentication entirely. While no exploitation has been reported, immediate patching is strongly advised. Apex Central also had two critical RCE flaws (CVE-2025-49219 and CVE-2025-49220), both with CVSS scores of 9.8. These were patched in on-premise version B7007, with fixes automatically applied to Apex Central as a Service. No workarounds exist for these vulnerabilities.

Meanwhile, Mitel has released patches for a critical, untracked vulnerability in its MiCollab platform’s NuPoint Unified Messaging component. The flaw, a path traversal issue, allows unauthenticated remote attackers to access provisioning data and perform unauthorized admin actions. It affects MiCollab versions up to 9.8 SP2, with fixes in 9.8 SP3 and later. Researcher Dahmani Toumi, who found the flaw, said over 20,000 internet-exposed instances may be at risk. The issue is a bypass of a previously patched flaw, CVE-2024-41713.

CISA issues multiple advisories. 

CISA warns that ransomware actors are exploiting CVE-2024-57727, a path traversal flaw in SimpleHelp RMM software, to target customers of a utility billing software provider. The vulnerability, with a CVSS score of 7.5, allows attackers to steal credentials and API keys. It was patched in January 2025, along with two related flaws. DragonForce ransomware previously exploited this in May. CISA urges immediate patching, disconnection of vulnerable systems, and threat hunting, especially for users running SimpleHelp version 5.5.7 or earlier.

CISA also issued ten new ICS advisories addressing vulnerabilities in products from Siemens, AVEVA, and PTZOptics. These advisories cover critical systems including Siemens SCALANCE, RUGGEDCOM, SIMATIC S7-1500 CPUs, Tecnomatix Plant Simulation, and AVEVA’s PI software suite. One advisory also targets pan-tilt-zoom cameras. CISA urges industrial system administrators to review these advisories for detailed vulnerability information and recommended mitigations to protect against potential exploits in industrial environments.

Coming up, I’m joined by one of my Hacking Humans co-hosts, Joe Carrigan, to talk about linkless recruiting scams. We’ll be right back.

Welcome back. You can find a link to the article Joe discussed in our show notes and be sure to tune in to Hacking Humans each Thursday to hear the latest on the social engineering scams that are making the headlines. 

Uncle Sam wants an AI chatbot. 

And finally, less than a month from launch, the federal government is preparing to unveil AI.gov, a new initiative designed to bring artificial intelligence tools into widespread use across agencies. Discovered through a GitHub repository that has since been archived, the site appears to be a central hub to help agencies integrate AI into their operations.

Led by Thomas Shedd, a former Tesla software engineering manager and current head of the General Services Administration’s Technology Transformation Services (TTS), the project is built around three core features: a chatbot, an “all-in-one API” to connect with models from providers like OpenAI and Google, and a tool called CONSOLE for monitoring AI usage across agencies.

According to the staging site, the platform will use FedRAMP-certified services via Amazon Bedrock, although one listed model—by Cohere—may not yet be certified. AI.gov is expected to launch July 4, signaling a major push to modernize federal operations through artificial intelligence.

Finally, a chatbot to fix government inefficiency. What could possibly go wrong?

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.