The CyberWire Daily Podcast 7.8.25
Ep 2344 | 7.8.25

Memory leaks and login sneaks.

Transcript

Researchers release proof-of-concept exploits for CitrixBleed2. Grafana patches four high-severity vulnerabilities. A hacker claims to have breached Spanish telecom giant Telefónica. Italian police arrest a Chinese man wanted by U.S. authorities for alleged industrial espionage. Beware of a new ransomware group called Bert. Call of Duty goes offline after reports of RCE vulnerabilities. President Trump's spending bill allocates hundreds of millions for cybersecurity. Nearly 26 million job seekers’ resumes and personal data are leaked. CISA adds four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. For Threat Vector, host David Moulton speaks with Daniel Frank and Tom Fakterman from Palo Alto Networks' threat research team about “Hunting Threats in Developer Environments.” Outsmarting AI scraper bots with math.

Today is Tuesday July 8th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers release proof-of-concept exploits for CitrixBleed2. 

Researchers have released proof-of-concept exploits for CitrixBleed2 (CVE-2025-5777), a critical flaw in Citrix NetScaler ADC and Gateway devices. The bug lets attackers steal user session tokens by sending malformed POST login requests, revealing memory contents. CitrixBleed2 is similar to the 2023 CitrixBleed flaw exploited by ransomware gangs. Technical analyses by watchTowr and Horizon3 show that modifying the login parameter without an equal sign leaks roughly 127 bytes of memory per request, enabling repeated data theft. Citrix claims there’s no active exploitation, but ReliaQuest and researcher Kevin Beaumont report evidence of attacks since mid-June. Citrix has released patches, urging all organizations to apply them immediately and review sessions for suspicious activity before termination, as public exploits are now available.
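As an added illustration of the detection side of this story (this is not code from the page, from Citrix, or from the researchers named above): a small Python check that scans request logs for login POSTs whose `login` field carries no `=` separator, the malformed shape the analyses describe, and reports which source addresses send them repeatedly. The log line format, the `/login` path and the sample lines are constructed assumptions for the example; a real NetScaler log looks different and the path would need to be adjusted.

```python
import re
from collections import Counter

# Constructed sample request log (NOT NetScaler's real format):
# method, path, client IP, URL-encoded form body ("-" when there is none).
SAMPLE_LOG = """\
POST /login 203.0.113.10 login=alice&passwd=hunter2
POST /login 203.0.113.10 login=alice&passwd=hunter2
POST /login 198.51.100.7 login
POST /login 198.51.100.7 login
POST /login 198.51.100.7 login
GET /dashboard 203.0.113.10 -
POST /login 192.0.2.44 login&passwd=x
"""

# Hypothetical login endpoint; substitute the appliance's actual path.
LOGIN_PATHS = {"/login"}

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<ip>\S+) (?P<body>\S*)$")


def has_bare_login_field(body):
    """True if the form body has a 'login' field with no '=' separator."""
    return any(field == "login" for field in body.split("&"))


def find_suspect_logins(log_text, repeat_threshold=3):
    """Return (suspect requests, repeat sources).

    suspect requests: list of (line number, client IP) for malformed login POSTs
    repeat sources:   IPs that sent at least repeat_threshold such requests,
                      which is the pattern of repeated memory harvesting.
    """
    suspects = []
    per_ip = Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["method"] != "POST" or m["path"] not in LOGIN_PATHS:
            continue
        if has_bare_login_field(m["body"]):
            suspects.append((lineno, m["ip"]))
            per_ip[m["ip"]] += 1
    repeaters = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return suspects, repeaters


if __name__ == "__main__":
    hits, repeat_ips = find_suspect_logins(SAMPLE_LOG)
    for lineno, ip in hits:
        print(f"line {lineno}: malformed login POST from {ip}")
    print("repeat sources:", repeat_ips)
```

A hit on its own is only a heuristic; the advice in the story still applies: patch, then review active sessions for activity that does not match the user before terminating them, since any tokens already leaked remain valid until the session ends.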

Grafana patches four high-severity vulnerabilities. 

Grafana, an open-source data visualization and dashboard platform, released security updates to fix four high-severity vulnerabilities in its Image Renderer plugin and Synthetic Monitoring Agent. The most critical, CVE-2025-6554, is a type confusion flaw in Chrome’s V8 engine exploited as a zero-day, allowing arbitrary read/write. Other patched bugs include CVE-2025-5959 (type confusion enabling code execution), CVE-2025-6191 (integer overflow), and CVE-2025-6192 (use-after-free). Users should update Grafana Image Renderer to 3.12.9+ and Synthetic Monitoring Agent to 0.38.3+, while cloud deployments are already patched.

A hacker claims to have breached Spanish telecom giant Telefónica. 

A hacker known as “Rey,” linked to the Hellcat Ransomware group, claims to have stolen 106GB of data from Spanish telecom giant Telefónica in a May 30 breach. Rey says they exfiltrated the data over 12 hours due to a Jira misconfiguration. To prove the breach, the hacker leaked a 2.6GB archive containing over 20,000 files, including internal communications, invoices, customer records, and employee data. Telefónica has not acknowledged the breach, with one O2 employee dismissing it as an extortion attempt using old data. However, leaked samples include email addresses of current employees and invoices for clients in Spain, Germany, Chile, and Peru. Rey warns they will continue leaking data if Telefónica does not comply with undisclosed demands.

Italian police arrest a Chinese man wanted by U.S. authorities for alleged industrial espionage. 

Italian police arrested 33-year-old Xu Zewei, a Chinese man wanted by U.S. authorities for alleged industrial espionage targeting projects including COVID vaccine development. Xu, from Shanghai, was detained at Milan’s Malpensa airport under a U.S. arrest warrant linked to an FBI investigation. He is accused of being part of a hacking team that tried to access the University of Texas’s COVID vaccine research in 2020. Charges include wire fraud, identity theft, and unauthorized computer access. Xu faces an extradition hearing in Milan on Tuesday.

Beware of a new ransomware group called Bert. 

A new ransomware group called Bert is targeting healthcare, tech, and event services firms across Asia, Europe, and the U.S., according to Trend Micro. First identified in April, Bert’s ransomware affects both Windows and Linux systems. While their exact access method is unclear, researchers found a PowerShell script that disables security tools before deploying the ransomware. Victims receive a ransom note saying: “Hello from Bert! Your network is hacked and files are encrypted.” Bert’s malware is under active development, with multiple variants seen. Trend Micro noted possible ties to Russian infrastructure and found that Bert reuses code from REvil’s Linux variant. REvil was dismantled in 2021, though Russian courts recently sentenced several unrelated REvil members for carding fraud, releasing them for time served in pre-trial detention.

Call of Duty goes offline after reports of RCE vulnerabilities. 

The PC version of Call of Duty: World War 2 was taken offline after reports of a remote code execution (RCE) vulnerability allowing hackers to take over players’ computers during live matches. The issue emerged shortly after the game was released on Xbox GamePass on June 30. Players shared videos showing their PCs freezing, executing Windows command files, shutting down, or displaying pornographic images. MalwareBytes researchers explained that older Call of Duty games switch to peer-to-peer networking instead of dedicated servers, exposing players to attacks from malicious hosts. Exploits targeting Call of Duty titles have existed for years, with previous proof-of-concept RCEs published on Steam. Activision has not confirmed if the takedown was directly due to the exploit, and no further updates have been posted since July 5.

President Trump's spending bill allocates hundreds of millions for cybersecurity. 

A report from CyberScoop examines President Trump's tax and spending bill, which allocates hundreds of millions for cybersecurity, mostly for military programs. U.S. Cyber Command will receive $250 million for artificial intelligence initiatives, while DARPA gains $20 million for cybersecurity research. Indo-Pacific Command gets $1 million for cyber offensive operations targeting adversaries like Russia, China, and North Korea. The Defense Department will use $90 million partly to support cybersecurity for non-traditional contractors. The Coast Guard’s $2.2 billion maintenance budget includes cyber asset upkeep, while $170 million for maritime domain awareness also covers cyber. The only civilian cyber funding is in a rural health program, allowing grants for cybersecurity capability development. Democrats criticized the bill for ignoring CISA funding, accusing Republicans of neglecting national cybersecurity threats despite growing attacks from foreign adversaries and criminals.

Nearly 26 million job seekers’ resumes and personal data are leaked. 

TalentHook, an applicant tracking system owned by Resource Edge, leaked nearly 26 million job seekers’ resumes and personal data due to a misconfigured Azure Blob storage container left publicly accessible. Exposed information includes names, emails, phone numbers, education details, work history, and some home addresses. The leak, discovered in January 2025 but disclosed in April, poses phishing and fraud risks for affected individuals. It remains unclear if TalentHook has secured the data, and no official count of impacted people has been released.

CISA adds four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. 

CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2014-3931 (MRLG buffer overflow), CVE-2016-10033 (PHPMailer command injection), CVE-2019-5418 (Ruby on Rails path traversal), and CVE-2019-9621 (Zimbra SSRF). These pose significant risks to federal networks. Under Binding Operational Directive 22-01, federal agencies must remediate these by set deadlines, though CISA urges all organizations to prioritize patching KEV-listed flaws to reduce cyberattack exposure.

Coming up on our Threat Vector segment, host David Moulton sits down with Daniel Frank and Tom Fakterman from Palo Alto Networks' threat research team about “Hunting Threats in Developer Environments.” We’ll be right back.

Welcome back. You can find a link to David, Daniel and Tom's full discussion from Threat Vector in our show notes, and catch new episodes every Thursday on your favorite podcast app.

Outsmarting AI scraper bots with math. 

And finally, an article from 404Media reminds us that AI bots scraping web pages might sound harmless—just machines reading text, right? But when these bots hammer sites relentlessly to harvest data for training AI models, small servers crash under the strain, users get locked out, and entire communities lose their online homes. Enter Xe Iaso (zee-YAH-so), whose Git server collapsed under an Amazon bot’s enthusiastic clicks. Her solution? Anubis, a free, open-source “uncaptcha” that forces visitors’ browsers to do cryptographic math—easy for humans, prohibitively expensive for bots scraping millions of pages. Since January, Anubis has been downloaded nearly 200,000 times, protecting projects like GNOME and FFmpeg. Iaso jokes poisoning AI datasets is like “pissing in the ocean” and says if AI companies want to stop her work, they should distract her with top-tier Final Fantasy XIV expansions. Until then, she’ll keep fine-tuning Anubis in the never-ending quest to keep the “small internet” alive against hungry bots.
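To show what “cryptographic math that is easy for one visitor but expensive at scraper scale” means in practice, here is an added Python sketch of a hash-based proof-of-work challenge of the general kind Anubis uses. It is not Anubis’s own code and makes no claim about its exact construction; the challenge format, the HMAC-signed stateless challenge, the expiry, and the difficulty values are assumptions made for this example. The server issues a signed challenge, the browser searches for a counter whose SHA-256 hash has enough leading zero bits, and the server verifies the answer with a single hash.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret used to sign challenges so no per-visitor state is needed.
# Regenerated each run here; a real deployment would load it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(difficulty_bits=16, ttl_seconds=300, now=None):
    """Server side: hand the visitor a random seed, a difficulty and an expiry,
    all bound together by an HMAC so they cannot be weakened by the client."""
    now = int(time.time()) if now is None else now
    seed = secrets.token_hex(16)
    expires = now + ttl_seconds
    msg = f"{seed}:{difficulty_bits}:{expires}".encode()
    tag = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    return {"seed": seed, "difficulty": difficulty_bits, "expires": expires, "tag": tag}


def solve_challenge(ch):
    """Client side: brute-force the smallest counter whose SHA-256 of
    'seed:counter' has at least `difficulty` leading zero bits.
    Expected cost is about 2**difficulty hashes per page load."""
    prefix = f"{ch['seed']}:".encode()
    counter = 0
    while True:
        d = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(d) >= ch["difficulty"]:
            return counter
        counter += 1


def verify_solution(ch, counter, now=None):
    """Server side: one HMAC and one SHA-256, regardless of how hard the search was."""
    now = int(time.time()) if now is None else now
    msg = f"{ch['seed']}:{ch['difficulty']}:{ch['expires']}".encode()
    expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]):
        return False  # challenge fields were tampered with
    if now > ch["expires"]:
        return False  # stale challenge; prevents replaying one old answer forever
    d = hashlib.sha256(f"{ch['seed']}:{counter}".encode()).digest()
    return leading_zero_bits(d) >= ch["difficulty"]


if __name__ == "__main__":
    challenge = issue_challenge(difficulty_bits=16)
    start = time.perf_counter()
    answer = solve_challenge(challenge)
    elapsed = time.perf_counter() - start
    print(f"solved with counter {answer} in {elapsed:.2f}s;"
          f" valid={verify_solution(challenge, answer)}")
```

The asymmetry is the whole point: a human’s browser pays the search cost once per visit, while a scraper that wants millions of pages pays it millions of times, and the server only ever does constant work to check an answer. Raising `difficulty_bits` by one doubles the average client cost without changing the server’s.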

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.