Turbulence in the cloud.
Hawaiian Airlines reports a cybersecurity incident. Microsoft updates its Windows Resiliency Initiative after the 2024 CrowdStrike crash. CitrixBleed 2 is under active exploitation in the wild. Researchers disclose a critical vulnerability in Open VSX. Malware uses prompt injection to evade AI analysis. A new report claims Cambodia turns a blind eye to scam compounds. Senators propose a ban on AI tools from foreign adversaries. An NSA veteran is named top civilian at U.S. Cyber Command. Maria Varmazis speaks with Ian Itz from Iridium Communications on allowing IoT devices to communicate directly with satellites. One Kansas City hacker’s bold marketing campaign ends with a guilty plea.
Today is Friday June 27th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Hawaiian Airlines reports a cybersecurity incident.
Hawaiian Airlines has reported a cybersecurity incident affecting some of its IT systems. The airline posted updates on June 26, confirming that flights are operating safely and on schedule despite the disruption. The company stated it is working with experts and federal authorities while restoring systems in an “orderly” manner, implying some systems were taken offline. No details have been released about the nature of the cyber event or whether customer data was impacted. The FAA said it is in contact with the airline and monitoring the situation. This incident follows a similar cyberattack on Canada’s WestJet Airlines less than two weeks ago. Hawaiian Airlines was recently acquired by Alaska Airlines, with plans to integrate their systems under a single passenger service platform.
Microsoft updates its Windows Resiliency Initiative after the 2024 CrowdStrike crash.
Microsoft has shared progress on its Windows Resiliency Initiative (WRI), launched after last year’s major CrowdStrike incident that caused global Windows outages. In July 2024, a faulty CrowdStrike update crashed systems due to its use of kernel drivers for security functions. In response, Microsoft announced a redesign to reduce risks when endpoint security software interacts with the Windows kernel.
The WRI, launched in November 2024, aims to boost Windows reliability and resilience. Microsoft is working with vendors like CrowdStrike, Bitdefender, SentinelOne, and Trend Micro to ensure safer update processes. Starting next month, some partners will preview a new security platform allowing antivirus and endpoint protection tools to run in user mode instead of the kernel, enhancing stability and recovery.
Microsoft has also released an e-book on digital resilience and introduced features like quicker PC recovery, hotpatch security updates without reboots, and Windows 365 Reserve, offering temporary Cloud PCs when primary devices fail.
CitrixBleed 2 is under active exploitation in the wild.
A critical vulnerability, CVE-2025-5777, dubbed CitrixBleed 2, has been discovered in Citrix NetScaler ADC and Gateway devices and is reportedly being exploited in the wild. This out-of-bounds read flaw allows attackers to extract session tokens, bypass multifactor authentication, and hijack user sessions . Similar to the 2023 CitrixBleed, CVE-2025-5777 targets session tokens rather than cookies . It affects versions 14.1 ≤ 43.56, 13.1 ≤ 58.32, and earlier FIPS/NDcPP builds . Security firm ReliaQuest reports “medium confidence” of active exploitation, based on session hijacking, MFA bypass, LDAP reconnaissance, and activity from VPN-related IPs. Additionally, a separate memory-overflow vulnerability (CVE-2025-6543, CVSS 9.2) is under active attack, potentially causing denial-of-service. Citrix urges immediate patching and session termination.
Researchers disclose a critical vulnerability in Open VSX.
Researchers at Koi Security have disclosed a critical vulnerability in Open VSX, the open source extension marketplace hosted by the Eclipse Foundation. The flaw exposed the publishing account’s secret token to any extension or its dependencies. This token acts as a super-admin credential, giving attackers the ability to publish malicious extensions or overwrite existing ones, potentially compromising over 8 million developers. Open VSX is widely used by VS Code-based editors like Cursor, Gitpod, and Windsurf as an alternative to Microsoft’s marketplace. Koi Security warned that attackers could have installed keyloggers, information stealers, or backdoors, posing a SolarWinds-like supply chain risk for developer tooling. The vulnerability was discovered in early May and has now been patched after thorough vetting. SecurityWeek has reached out to the Eclipse Foundation for further comment.
Malware uses prompt injection to evade AI analysis.
Check Point researchers have discovered a malware sample containing a prompt injection designed to bypass AI code analysis tools. Uploaded to VirusTotal in early June 2025, the sample included a string instructing large language models to “act as a calculator” and reply with “NO MALWARE DETECTED.” Named “Skynet” by its author, the malware is half-complete and acts as a proof-of-concept rather than fully functional malware. It uses byte-wise rotating XOR obfuscation with a hardcoded key, sandbox evasion techniques, and decrypts an embedded Tor client to create a controllable proxy before deleting its installation directory to cover its tracks. OpenAI’s o3 and GPT-4.1 models identified the prompt injection as a jailbreak attempt. Researchers warn this reflects the next evolution in malware, targeting AI-driven defenses with prompt injection and jailbreak methods to evade detection.
A new report claims Cambodia turns a blind eye to scam compounds.
Amnesty International has condemned what it calls Cambodia’s “grossly inadequate” response to human trafficking in online scamming compounds. Its two-year study, released Thursday, documented 53 active scam centers where workers are forced to assist in fraudulent operations, often under threat from guards armed with electric batons. Victims are lured with fake job offers, trapped in prison-like compounds, and made to run cryptocurrency scams, create fake websites, or set up bank accounts for money laundering. Some described pig butchering scams, where scammers build trust before defrauding victims. Despite police “rescues,” Amnesty says abuses continue, with authorities often freeing only those who contact them while ignoring others. Survivors also reported collusion between police and traffickers. The UN estimates Southeast Asia’s scam centers generate $40 billion annually. The Thai government has closed border crossings and halted fuel exports to Cambodia in response, as organized criminal networks shift operations from Myanmar to Cambodia.
Senators propose a ban on AI tools from foreign adversaries.
Senators Rick Scott and Gary Peters have introduced the No Adversarial AI Act to ban federal agencies from using AI tools made in countries deemed “foreign adversaries,” including China, Russia, Iran, and North Korea. The bill would create and update a federal list every 180 days, prohibiting tools like China’s DeepSeek, which reportedly aids China’s military and shares user data with its government. Exceptions would exist for research, requiring written justification to Congress. The legislation aims to protect national security and personal data from potential exploitation by adversarial AI systems. It follows reports that a USDA employee attempted to access DeepSeek but was blocked. Lawmakers compared the move to past bans on foreign software such as TikTok and Kaspersky, framing it as necessary to keep U.S. government technology secure against evolving threats.
An NSA veteran is named top civilian at U.S. Cyber Command.
Patrick Ware, a 34-year NSA veteran, has been appointed executive director of U.S. Cyber Command, becoming its top civilian leader. He replaces Morgan Adamski, who is expected to move to the private sector after serving in the role since June 2024. The position, traditionally filled by an NSA official, is the No. 3 role at Cyber Command. Ware takes over during a period of leadership uncertainty, as Cyber Command has lacked a permanent chief since Gen. Timothy Haugh was fired nearly three months ago. A planned appointment of Lt. Gen. Richard Angle was reportedly rejected by the White House for undisclosed reasons. Ware will oversee strategic initiatives, talent management, and partnerships amid questions about the future of the “Cyber Command 2.0” overhaul. Ware holds electrical engineering degrees from the University of Maryland and Johns Hopkins University.
We wish Mr. Ware the very best as he steps into this critical role, guiding U.S. Cyber Command through its next chapter of challenges and opportunities.
Our guest today comes from T-Minus Space Daily’s Deep Space program. Host Maria Varmazis speaks with Ian Itz, Executive Director at the IoT Line of Business at Iridium Communications. They talk about how Iridium allows IoT devices, like sensors and trackers, to communicate directly with satellites, bypassing terrestrial infrastructure. We’ll be right back.
Welcome back. We have a link in the show notes to Ian and Maria’s full conversation on Deep Space. Be sure to check out T-Minus Space Daily brought to you by N2K CyberWire each weekday on your favorite podcast app.
One Kansas City hacker’s bold marketing campaign ends with a guilty plea.
In a plot straight out of an awkward startup pitch, Kansas City’s Nicholas Michael Kloster, 32, has pleaded guilty to hacking multiple organizations – all to advertise his own cybersecurity services. Prosecutors say Kloster’s methods were bold but far from sophisticated. At one gym, he strolled in, hacked their computer to access security cameras, erased his photo from their system, and reduced his membership fee to a bargain-bin $1. Then, like any enterprising entrepreneur, he emailed the owners the next day, offering his “professional services.”
His business development tour continued at a nonprofit, where he used a boot disk to reset passwords and install VPN software for future access – presumably in preparation for his follow-up sales email. Kloster’s resume also includes using his employer’s credit card to buy a hacking thumb drive, which led to his termination. He now faces up to five years in prison and a hefty fine. Talk about a failed penetration test.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben.Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
