The CyberWire Daily Podcast 7.2.25
Ep 2341 | 7.2.25

Houken blends stealth and chaos.

Transcript

French authorities report multiple entities targeted by access brokers. A ransomware group extorts a German hunger charity. AT&T combats SIM swapping and account takeover attacks. A Missouri physician group suffers a cyber attack. Qantas doesn’t crash, but their computers do. Researchers uncover multiple critical vulnerabilities in Agorum Core Open. A student loan administrator in Virginia gets hit by the Akira ransomware group. The Feds sanction a Russian bulletproof hosting service. Johnson Controls notifies individuals of a major ransomware attack dating back to 2023. Will Markow, CEO of FourOne Insights and N2K CyberWire Senior Workforce Analyst, shares the latest technology workforce trends. The ICEBlock app warms up to users.

Today is Wednesday July 2nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

French authorities report multiple entities targeted by access brokers. 

France’s cybersecurity agency ANSSI reported that multiple government, telecom, media, finance, and transport entities were targeted last year by a hacking campaign exploiting zero-day vulnerabilities in Ivanti Cloud Service Appliances. The intrusion set, dubbed “Houken,” is linked to the same threat actor Mandiant tracks as UNC5174. ANSSI suspects Houken is run by private operators selling access and data to state-linked bodies, resembling Chinese contractor hacking groups such as APT41. The campaign showed both espionage and profit motives, including cryptominer deployments and mass email theft from a South American ministry. Attackers used advanced zero-day exploits alongside noisy, public Chinese tools, suggesting a multiparty approach. ANSSI warns Houken and UNC5174 remain active, targeting internet-facing systems globally for opportunistic exploitation.

A ransomware group extorts a German hunger charity. 

German charity Deutsche Welthungerhilfe (WHH), which provides food and emergency aid globally, has been attacked by a ransomware-as-a-service group. The hackers listed WHH on their darknet leak site, demanding 20 bitcoin (around $2.1 million) for stolen data. It’s unclear if the charity’s systems were encrypted, but WHH confirmed it will not pay the ransom. The charity immediately shut down affected systems, engaged cybersecurity experts, informed data protection authorities, and involved police. Despite the attack, WHH continues its humanitarian work in Gaza, Ukraine, Sudan, and beyond. The same ransomware group has previously targeted hospitals and nonprofits, including Easterseals. WHH emphasized that their mission remains unchanged, stating their aid is “more important than ever” amid ongoing global crises.

AT&T combats SIM swapping and account takeover attacks. 

AT&T widely launched its Wireless Account Lock feature Tuesday to combat SIM swapping and account takeover attacks. Available for individual, business, and prepaid customers, the lock prevents changes to billing info, number transfers, SIM swaps, and device upgrades without verification via the app or customer support. Only primary and secondary account holders can manage settings. This follows similar security moves by T-Mobile and Verizon. The launch comes amid heightened concerns after breaches like Salt Typhoon, with experts urging stronger multi-factor protections.

A Missouri physician group suffers a cyber attack. 

Esse Health, a physician group in Greater St. Louis, suffered a cyberattack exposing data of 263,601 patients. Discovered on April 21, 2025, the breach affected electronic medical records and disabled phone systems, forcing staff to use manual processes. Stolen data includes names, Social Security numbers, medical records, and insurance details. The attack’s method was not disclosed. There is no evidence of misuse so far, but Esse Health is offering 12 months of free identity protection while law enforcement investigates.

Qantas doesn’t crash, but their computers do. 

Qantas has reported Australia’s largest data breach in years after a hacker accessed a third-party call centre platform containing data on six million customers. Exposed information includes names, emails, phone numbers, birth dates, and frequent flyer numbers. The airline detected unusual activity and acted quickly to contain the breach, with no impact on operations or flight safety. While cybercrime group Scattered Spider has targeted other airlines recently, Qantas has not attributed the breach. The incident adds to Qantas’ reputational challenges following COVID-era controversies, illegal worker dismissals, and ticketing scandals. CEO Vanessa Hudson apologized, emphasizing data security is taken seriously. The airline notified national cybersecurity and privacy agencies and said no passwords or login credentials were compromised, though a significant data exposure is expected.

Researchers uncover multiple critical vulnerabilities in Agorum Core Open. 

Security researchers at usd HeroLab discovered multiple critical vulnerabilities in Agorum Core Open that allow unauthenticated attackers to fully compromise systems. Chained together, these flaws enable remote code execution with root privileges. Issues include command injection, path traversal, plaintext password storage, XML external entity attacks, SSRF, cross-site scripting, and incorrect authorization. The findings were responsibly disclosed to Agorum. These vulnerabilities pose a severe risk, enabling full system takeover without authentication if left unpatched.

A student loan administrator in Virginia gets hit by the Akira ransomware group. 

Southwood Financial, a private student loan administrator in Virginia, suffered a ransomware attack attributed to the Akira ransomware group. The incident began on March 25, 2025, when suspicious activity disrupted its computer network. An investigation revealed that personal data belonging to borrowers and potential employees was compromised. Exposed information includes names, Social Security numbers, birth dates, addresses, phone numbers, emails, and other account details. The number of affected individuals has not been disclosed. Southwood began notifying impacted people on June 27 and filed a data breach report with Vermont’s Attorney General on June 30. The company is offering credit monitoring services and set up a helpline at 1-833-367-4551 for questions and assistance related to potential identity theft or fraud.

The Feds sanction a Russian bulletproof hosting service. 

The U.S. Treasury Department sanctioned Russia-based Aeza Group, accusing it of providing bulletproof hosting services to ransomware gangs and darknet drug markets. Aeza Group allegedly helped criminals evade law enforcement by renting IP addresses, servers, and domains used for malware, fraud, and cyberattacks targeting U.S. defense and tech firms. CEO Arsenii Penzev and three other leaders were sanctioned; Penzev and general director Yurii Bozoyan were arrested in Russia for drug trafficking ties to the BlackSprut marketplace. Aeza has also been linked to pro-Kremlin disinformation campaigns like Doppelgänger. Subsidiaries Aeza International, Aeza Logistic, and Cloud Solutions were included in the sanctions, part of a broader crackdown on criminal infrastructure used by cyber gangs. The action was coordinated with the U.K. and international partners.

Johnson Controls notifies individuals of a major ransomware attack dating back to 2023. 

Johnson Controls is notifying individuals affected by a major ransomware attack that disrupted its global operations from February to September 2023. The multinational building automation and HVAC giant, employing over 100,000 people across 150 countries, confirmed attackers accessed its systems, stealing data and encrypting devices. The Dark Angels ransomware group is suspected, demanding a $51 million ransom to decrypt systems and delete 27 TB of stolen corporate data. The attack forced Johnson Controls to shut down parts of its IT infrastructure, affecting customer services worldwide. Costs for incident response and remediation had reached $27 million by early 2024 and are expected to rise. Dark Angels uses double-extortion tactics, threatening to leak stolen data online to pressure victims into paying ransoms.

2023…I guess you can’t rush these things.


The ICEBlock app warms up to users. 

ICEBlock, an iPhone app for anonymously spotting ICE agents, has soared to the top of Apple’s U.S. App Store – thanks, in part, to U.S. Attorney General Pam Bondi’s criticism, which apparently doubled as free marketing. About 20,000 users in Los Angeles alone now receive alerts whenever ICE is sighted within a five-mile radius, making it something of a Pokémon Go for immigration enforcement. TechCrunch verified the app doesn’t collect user data. After Bondi’s late Monday remarks, downloads exploded overnight, proving once again that if you want something to disappear from public interest, the worst thing you can do is talk about it on national TV.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.