The CyberWire Daily Podcast 7.3.25
Ep 2342 | 7.3.25

The bug that let anyone in.

Transcript

Sudo patch your Linux systems. Cisco has removed a critical backdoor account that gave remote attackers root privileges. The Hunters International ransomware group rebrands and closes up shop. The Centers for Medicare and Medicaid Services (CMS) notifies 103,000 people that their personal data was compromised. NimDoor is a sophisticated North Korean cyber campaign targeting macOS. Researchers uncover a massive phishing campaign using thousands of fake retail websites. The FBI’s top cyber official says Salt Typhoon is largely contained. Microsoft tells customers to ignore Windows Firewall error warnings. A California jury orders Google to pay $314 million for collecting Android user data without consent. Ben Yelin shares insights from this year’s Supreme Court session. Ransomware negotiations with a side of side hustle.

Today is Thursday July 3rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Sudo patch your Linux systems. 

Security researchers have found two serious elevation of privilege (EoP) vulnerabilities in Sudo, a critical Linux utility installed on nearly all servers and workstations. The first flaw, CVE-2025-32463, affects Sudo versions 1.9.14 to 1.9.17. It lets local users gain full root access by abusing the chroot function, even without specific Sudo rules. This bug was introduced in June 2023 and impacts systems like Ubuntu 24.04.1 and Fedora 41 Server. Users are urged to upgrade to Sudo 1.9.17p1 or later immediately.

The second flaw is an EoP bug that remained hidden for 12 years. It affects Stable versions 1.9.0–1.9.17 and Legacy 1.8.8–1.8.32, allowing privilege escalation in configurations using Host or Host_Alias directives, common in enterprises. Though low severity, it still poses risk. Stratascale warns these vulnerabilities highlight operational gaps, urging businesses to audit environments, strengthen detection, and patch systems to avoid hidden threats undermining trust and compliance.

Cisco has removed a critical backdoor account that gave remote attackers root privileges.

Cisco has removed a critical backdoor account from its Unified Communications Manager (Unified CM) that allowed unauthenticated remote attackers to log in with root privileges. Tracked as CVE-2025-20309, the flaw results from static root credentials left over from development and testing. It affects Unified CM and CM SME ES releases 15.0.1.13010-1 through 15.0.1.13017-1. There are no workarounds; admins must upgrade to 15SU3 (July 2025) or apply patch CSCwp27755. Successful exploitation lets attackers execute commands as root. While Cisco has seen no active attacks yet, it released indicators of compromise to help detect breaches. This is the latest in a series of backdoor removals from Cisco products, including previous issues in IOS XE, DNA Center, WAAS, and Smart Licensing Utility, highlighting ongoing risks from hardcoded credentials in enterprise infrastructure.

The Hunters International ransomware group rebrands and closes up shop. 

The Hunters International ransomware group has shut down its operations and is offering free decryptors to help victims recover data without paying ransoms. In a dark web statement, the gang cited “recent developments” for its closure, likely referencing increased law enforcement scrutiny and declining profits. Hunters International emerged in late 2023 and was suspected to be a rebrand of Hive due to code similarities. It targeted nearly 300 organizations worldwide, including the U.S. Marshals Service, Hoya, Tata Technologies, AutoCanada, Austal USA, Integris Health, and Fred Hutch Cancer Center. While it previously combined encryption with extortion, the group recently launched “World Leaks,” an extortion-only operation. Victims can request decryption tools and recovery guidance via the gang’s website. Threat analysts warn this shutdown does not end its threat actors’ activities, as affiliates may migrate to other ransomware or data extortion groups.

The Centers for Medicare and Medicaid Services (CMS) notifies 103,000 people that their personal data was compromised. 

The Centers for Medicare and Medicaid Services (CMS) is notifying 103,000 people that their personal data was compromised after fraudsters created fake Medicare.gov accounts using valid beneficiary information between 2023 and 2025. The scheme came to light in May 2025 when beneficiaries reported account creation letters they didn’t initiate. Attackers used stolen data, including Medicare Beneficiary Identifiers, dates of birth, and ZIP codes, from unknown external sources to create accounts and potentially access additional information like provider details, diagnoses, and premium data. CMS deactivated affected accounts, replaced Medicare cards for victims, and blocked new account creation from foreign IP addresses. While no misuse has been reported yet, CMS continues to investigate. The incident follows broader warnings about rising healthcare scams exploiting people’s fear of losing access to care, as cybercriminals increasingly target government healthcare programs for profit.

NimDoor is a sophisticated North Korean cyber campaign targeting macOS. 

SentinelLabs has uncovered a sophisticated North Korean cyber campaign targeting Web3 and cryptocurrency firms using new macOS malware called NimDoor. Revealed on July 2, 2025, the report details multi-stage attacks leveraging social engineering, fake Zoom updates, and the rare Nim programming language to evade detection. Hackers pose as trusted contacts on Telegram, sending malicious Zoom SDK scripts heavily disguised to install additional tools. Once inside, they deploy a C++ injector to steal Keychain passwords, browser data, and Telegram chats, and install NimDoor for long-term access. The malware uses encrypted WebSocket communications and techniques to stay active even after shutdown. SentinelLabs warns that North Korea’s adoption of cross-platform languages like Nim, plus clever AppleScript use, makes detection harder. The report urges companies to strengthen defences against these evolving, persistent threats targeting the crypto and Web3 sector.

Researchers uncover a massive phishing campaign using thousands of fake retail websites. 

Researchers uncovered a massive phishing campaign using thousands of fake retail websites impersonating brands like Apple, PayPal, Nordstrom, and Hermes to steal credit card data. First flagged in Mexico, security firm Silent Push found it targets English and Spanish users globally. Some sites convincingly mimic real stores with scraped listings and Google Pay widgets, while others are poorly built. Technical indicators suggest Chinese cybercriminals are behind it. Many sites remain active despite takedowns, highlighting the persistent threat of retail-themed phishing scams.

The FBI’s top cyber official says Salt Typhoon is largely contained. 

In an interview with Tim Starks of CyberScoop, Brett Leatherman, the FBI’s new top cyber official, said Chinese hackers behind the telecommunications breach, known as Salt Typhoon, are currently “largely contained” and “dormant” within networks but still pose a threat. Although Salt Typhoon is known for espionage, Leatherman warned their access could pivot to destructive actions, similar to Volt Typhoon, which is prepositioned in U.S. critical infrastructure. Nine U.S. telecom companies were impacted, with more victims identified abroad due to information sharing. Leatherman emphasized continued focus on victim support, resilience, and deterrence, though offensive operations require further attribution. Evicting Salt Typhoon remains challenging due to their entrenched foothold. He also flagged North Korean IT scams as a growing insider risk that could evolve into intellectual property theft or brokering access for broader cyber operations.

Microsoft tells customers to ignore Windows Firewall error warnings. 

Microsoft has told customers to ignore Windows Firewall error warnings labeled ‘Event 2042’ appearing after the June 2025 preview update (KB5060829) on Windows 11 24H2 systems. These “Config Read Failed” errors result from a new, unfinished feature and do not affect firewall functionality or system processes. Microsoft said no action is required and is working on a fix. The errors appear in Event Viewer logs but can be safely disregarded, according to the company’s Windows release health dashboard this week.

A California jury orders Google to pay $314 million for collecting Android user data without consent. 

A California jury has ordered Google to pay $314 million for collecting Android user data over cellular networks without consent, in a class-action lawsuit dating back to 2019. Plaintiffs argued Google’s passive data transfers used users’ paid cellular data for its own benefit, including targeted ads, and continued even after apps were closed. The lawsuit said these transfers occurred silently, even while devices sat idle overnight, and couldn’t be fully disabled. Google argued the data transfers are minimal and essential for security and device performance, stating users consented through settings and terms of use. A spokesperson said Google will appeal, calling the ruling a “setback for users.”

Stick around after the break, you’ll hear my conversation with Ben Yelin who is sharing a wrap up of this year’s Supreme Court session.

Ransomware negotiations with a side of side hustle. 

And finally, our ransom shenanigans desk tells us that DigitalMint, a company that negotiates with ransomware hackers on behalf of victims, is now investigating one of its own. The former employee allegedly struck side deals with hackers to pocket some extra crypto – because apparently salary negotiations weren’t enough excitement. DigitalMint swiftly fired the employee, who remains unnamed, and is cooperating with the Justice Department’s probe. CEO Jonathan Solomon assured clients they acted “swiftly,” while President Marc Grens touted transparency as DigitalMint’s cultural backbone. Meanwhile, cybersecurity experts dryly note that ransom negotiators aren’t exactly incentivized to lower demands if their profits scale with payment size. As ever, analysts caution that paying ransoms only emboldens attackers. In short, even ransomware negotiators may need their own negotiators – preferably ones without side hustles. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

A programming note that we will not be publishing tomorrow, July 4th, in observance of Independence Day in the US. We plan to share some programming from across the N2K CyberWire network for you to enjoy. Have a safe holiday. 

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.