Podcasts
CyberWire Daily
Ep 2359
The CyberWire Daily Podcast 7.29.25
Ep 2359 | 7.29.25

Tea time is over.

Show Notes
Transcript

Things get worse in the Tea dating app breach. CISA adds three vulnerabilities to its Known Exploited Vulnerabilities catalog. Researchers uncover a critical flaw in Google’s AI coding assistant. A Missouri Health System agrees to a $9.25 million settlement over claims it used web tracking tools. “Sploitlight” could let attackers bypass Apple’s TCC framework to steal sensitive data. Malware squeaks its way into a mouse configuration tool. Threat actors hide the Oyster backdoor in popular IT tools. The FBI nabs over $2.4 million in Bitcoin from the Chaos ransomware gang. Our guest is Jaeson Schultz, Technical Leader for Cisco Talos Security Intelligence & Research Group, to talk about their work on the security of PDF files. The unintended privacy paradox of data brokers. 

Today is Tuesday July 29th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Things get worse in the Tea dating app breach. 

A second major data breach at women’s dating safety app Tea exposed over 1.1 million private messages—many recent and highly sensitive. Users discussed cheating, abortions, and shared personal info like phone numbers and social handles, making real identities easy to uncover. Despite Tea’s claim the earlier breach was from a “legacy system,” this new leak affected messages as recent as last week. Hackers could even send push notifications to all users. The vulnerability stemmed from users being able to access a live database using their own API keys. The first breach, involving Firebase, had already leaked selfies and IDs, now being misused on a site mocking user appearances. Tea says it’s investigating with cybersecurity help and has contacted law enforcement. The app reportedly has 1.6 million users.

CISA adds three vulnerabilities to its Known Exploited Vulnerabilities catalog. 

CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on July 28. Two critical flaws in Cisco ISE and ISE-PIC (CVE-2025-20281 and CVE-2025-20337) allow remote, unauthenticated attackers to gain root access via crafted API requests. Rated CVSS 10, they affect multiple ISE versions, with no workarounds except patching. Cisco has confirmed attempted exploits. A third flaw, CVE-2023-2533, impacts PaperCut NG and MF print management software. CISA set an August 18 deadline for organizations to apply patches.

Researchers uncover a critical flaw in Google’s AI coding assistant. 

Researchers at TraceBit uncovered a critical flaw in Google’s Gemini CLI, an AI coding assistant, that could’ve allowed silent remote code execution. The bug, disclosed and patched before going public, stemmed from improper input validation, prompt injection, and misleading UX. Researchers tricked Gemini into exfiltrating data—including credentials—via a malicious README file. The AI processed buried instructions as commands, bypassing developer scrutiny. Gemini also supports web shells, which can be exploited if commands are whitelisted. Google initially downplayed the issue but later upgraded it to highest severity and patched it on July 25. This incident highlights growing risks in “agentic” AI tools, which act with broad system access and unpredictable behavior. Privacy experts warn these systems could dangerously blur boundaries between user-facing applications and operating systems.

A Missouri Health System agrees to a $9.25 million settlement over claims it used web tracking tools. 

BJC Health System in Missouri has agreed to pay up to $9.25 million to settle a lawsuit over claims it used web tracking tools that shared patients’ private data without consent. The tools allegedly sent sensitive information from MyChart and other BJC websites to firms like Facebook and Google. The settlement covers patients who used the portal between June 2017 and August 2022. BJC denies wrongdoing. Eligible patients can claim $35 by Oct. 8, with final approval set for Oct. 16.

“Sploitlight” could let attackers bypass Apple’s TCC framework to steal sensitive data. 

A recently patched macOS flaw, CVE-2025-31199—dubbed “Sploitlight”—could let attackers bypass Apple’s Transparency, Consent, and Control (TCC) framework to steal sensitive data. TCC restricts app access to private data, but Microsoft researchers found Spotlight plugins could be exploited to bypass these protections. Using this method, attackers could access Apple Intelligence cache data, geolocation info, search history, facial recognition metadata, and even data from other iCloud-linked devices. Though Apple patched the bug in macOS Sequoia 15.4, the researchers warned its impact is more severe than past TCC bypasses like “powerdir” and “HM-Surf.” This is due to Sploitlight’s ability to quietly extract large amounts of sensitive user data using Spotlight’s privileged access, putting both local and remote iCloud-linked device data at risk.

Malware squeaks its way into a mouse configuration tool. 

Endgame Gear has confirmed malware was embedded in its OP1w 4k v2 mouse configuration tool hosted on its official site from June 26 to July 9, 2025. Users who downloaded the tool during that window from the product page were infected. Other sources like the main downloads page, GitHub, and Discord provided clean versions. The company, known for high-performance gaming mice, didn’t detail the breach method. Reddit users initially flagged the issue, noting suspicious differences in the installer.

Threat actors hide the Oyster backdoor in popular IT tools. 

Since early June 2025, threat actors have been spreading the Oyster backdoor—also known as Broomstick or CleanupLoader—via trojanized versions of IT tools like PuTTY and WinSCP in a sophisticated malvertising and SEO poisoning campaign. They create fake sites mimicking legitimate software portals, targeting IT pros searching for admin tools. Once victims run the fake installers, Oyster gains persistence through scheduled tasks using rundll32.exe to execute malicious DLLs like twain_96.dll. This enables remote access, reconnaissance, and further malware deployment. The campaign, active since at least 2023, has also used fake Chrome and Teams installers and may involve KeyPass. In July 2025, a malicious PuTTY installer signed with a revoked certificate was found on a fake site. While one recent infection was blocked before damage, it underscores the danger of downloading unverified software.

The FBI nabs over $2.4 million in Bitcoin from the Chaos ransomware gang. 

The FBI has seized over $2.4 million in Bitcoin from the Chaos ransomware gang, initially confiscating 20.2 BTC in April 2025—then valued at $1.7 million. The U.S. government is now seeking formal forfeiture, alleging the funds are tied to cybercrime, including extortion and money laundering. Chaos is believed to include former BlackSuit/Royal members and has targeted various sectors. This seizure aligns with a broader strategy under a March 2025 Executive Order to build a U.S. Strategic Bitcoin Reserve from forfeited digital assets.

 

The unintended privacy paradox of data brokers. 

Turns out, when you ask data brokers what they know about you, the response is often… silence. A new study from UC Irvine reveals that about 40% of California’s registered data brokers—those lovely folks profiting off your digital breadcrumbs—ignored legally mandated requests for data disclosures. The rest? Many responded with a confusing choose-your-own-adventure of forms, phone calls, and hoop-jumping.

In a wry twist, these privacy hawkers suddenly care about identity verification—but only when you’re trying to opt out. Researchers called it an “unintended privacy paradox”: to protect your privacy, you have to hand over even more personal information. Critics say the law is clear, but enforcement is limp, and friction-filled opt-outs seem designed to discourage people from trying. As one expert put it, it’s privacy theater—just without the intermission.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

 

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

CyberWire Daily
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Monday-Friday
Creator: CyberWire, Inc.