
Exchange hybrid flaw raises cloud alarm.
Microsoft warns of a high-severity vulnerability in Exchange Server hybrid deployments. A Dutch airline and a French telecom report data breaches. Researchers reveal new HTTP request smuggling variants. An Israeli spyware maker may have rebranded to evade U.S. sanctions. CyberArk patches critical vulnerabilities in its secrets management platform. The Akira gang uses a legit Intel CPU tuning driver to disable Microsoft Defender. ChatGPT Connectors are shown vulnerable to indirect prompt injection. Researchers expose new details about the VexTrio cybercrime network. SonicWall says recent SSLVPN-related cyber activity is not due to a zero-day. Ryan Whelan from Accenture is our man on the street at Black Hat. Do androids dream of concierge duty?
Today is Thursday August 7th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Microsoft warns of a high-severity vulnerability (CVE-2025-53786) in Exchange Server hybrid deployments.
Microsoft has issued a warning about a high-severity vulnerability (CVE-2025-53786) in Exchange Server hybrid deployments. The flaw could let attackers with access to on-premises Exchange escalate privileges in Exchange Online undetected. In hybrid setups, both environments share a service principal for authentication. If attackers compromise the on-prem server, they can exploit this shared identity to forge trusted tokens or API calls, bypassing cloud-side security logs. These actions may go unnoticed in Microsoft 365 audit tools. The vulnerability affects Exchange Server 2016, 2019, and the Subscription Edition. While no active exploitation has been seen yet, Microsoft flagged it as “Exploitation More Likely.” CISA also warned of potential total domain compromise and urged admins to patch systems and disconnect unsupported Exchange or SharePoint servers from the internet.
A Dutch airline and a French telecom report data breaches.
Dutch airline KLM has reported a data breach involving a third-party customer service platform that exposed customer names, contact info, and Flying Blue loyalty program details. While no sensitive data like passwords or travel details were leaked, the breach raises phishing risks. Air France was also affected. The incident didn’t impact flight operations, and both airlines notified EU data regulators. KLM urges customers to stay alert for suspicious emails and has enhanced security measures in response. The total number of affected users remains undisclosed.
Elsewhere, Bouygues Telecom has disclosed a cyberattack that exposed personal data from 6.4 million customer accounts. The company did not specify the attack’s nature or which customers were affected but said the issue was resolved quickly and impacted users were notified. Bouygues, France’s third-largest mobile operator, reported the breach to authorities. The incident follows a similar attack on Orange. France’s ANSSI has warned of ongoing state-sponsored cyber threats targeting the telecom sector for espionage purposes.
Researchers reveal new HTTP request smuggling variants.
At Black Hat, PortSwigger’s James Kettle revealed new HTTP request smuggling variants impacting CDNs, major companies, and millions of websites. These “desync” attacks exploit differences in how frontend and backend servers parse HTTP requests, letting attackers smuggle malicious requests past the frontend. One variant, named 0.CL, targets HTTP/1.1 and led to data exposure in systems at T-Mobile, GitLab, and Akamai. Akamai traced the root cause to its infrastructure (CVE-2025-32094) and patched it. Cloudflare also faced a related vulnerability. Attackers could steal sessions, redirect users, or poison web caches. The team earned $276,000 in bug bounties and urged migration from HTTP/1.1 to HTTP/2+ for stronger security.
An Israeli spyware maker may have rebranded to evade U.S. sanctions.
Researchers from Recorded Future’s Insikt Group uncovered eight malware clusters tied to Israeli spyware maker Candiru, suggesting the company may have rebranded to evade U.S. sanctions. These clusters, found in Hungary, Saudi Arabia, Indonesia, and Azerbaijan, are linked to the deployment of DevilsTongue, a powerful Windows spyware capable of extracting files, stealing browser data, and accessing encrypted messages. Candiru, blacklisted by the U.S. in 2021, has changed names multiple times and was reportedly acquired by Integrity Partners in 2024. Despite international scrutiny, the spyware industry remains active, using tactics like rebranding, jurisdiction hopping, and shell companies to skirt export controls. Experts urge stronger, standardized policies across the EU and global cooperation to curb the proliferation of commercial spyware.
CyberArk patches critical vulnerabilities in its secrets management platform.
CyberArk has patched critical vulnerabilities in its Conjur secrets management platform that could allow unauthenticated remote code execution. Discovered by Cyata researchers, the flaws impact both the open source and enterprise versions and could let attackers bypass IAM authentication, escalate privileges, and execute arbitrary code without credentials. The vulnerabilities, now patched, posed a serious risk to organizations managing cloud and DevOps secrets. Cyata also uncovered similar flaws in HashiCorp Vault. No in-the-wild exploitation has been reported, but users are urged to update immediately.
The Akira gang uses a legit Intel CPU tuning driver to disable Microsoft Defender.
Akira ransomware operators are using a legitimate Intel CPU tuning driver, rwdrv.sys from ThrottleStop, to disable Microsoft Defender. This is part of a “Bring Your Own Vulnerable Driver” (BYOVD) attack, where attackers load the vulnerable driver to gain kernel-level access and install a second malicious driver, hlpdrv.sys. This tool disables Defender protections via Windows registry edits. Guidepoint Security has seen this tactic repeatedly since mid-July and released detection tools, including YARA rules and IoCs. Akira has also been linked to attacks on SonicWall SSLVPNs. The attackers employ Bumblebee malware via trojanized IT tools to establish access, perform reconnaissance, exfiltrate data, and deploy ransomware. Admins are urged to monitor for Akira indicators, enforce MFA, and avoid software from unverified sources.
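As an added illustration (not from the briefing and not GuidePoint's published detections), the following Python correlates the chain described above over constructed, simplified endpoint events: a load of rwdrv.sys followed on the same host by a load of hlpdrv.sys and a registry write to a Windows Defender key within a short window. The event format, the 30-minute window and the "Windows Defender" path heuristic are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Driver file names from the report: rwdrv.sys is the legitimate ThrottleStop
# driver abused for kernel access; hlpdrv.sys is the attacker's second driver.
VULNERABLE_DRIVER = "rwdrv.sys"
MALICIOUS_DRIVER = "hlpdrv.sys"
WINDOW = timedelta(minutes=30)  # correlation window (assumption)

# Constructed sample events: "<iso timestamp> <host> <event kind> <detail>".
# ws-17 shows the full chain; ws-42 is a benign ThrottleStop install.
SAMPLE_LOG = """\
2025-08-05T01:12:03 ws-17 DRIVER_LOAD C:\\Windows\\Temp\\rwdrv.sys
2025-08-05T01:12:09 ws-17 DRIVER_LOAD C:\\Windows\\Temp\\hlpdrv.sys
2025-08-05T01:12:11 ws-17 REG_SET HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware=1
2025-08-05T09:00:00 ws-42 DRIVER_LOAD C:\\Program Files\\ThrottleStop\\rwdrv.sys
2025-08-05T09:30:00 ws-42 REG_SET HKLM\\SOFTWARE\\Example\\Setting=1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (DRIVER_LOAD|REG_SET) (.+)$")


def parse_log(text):
    """Parse the constructed format into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, host, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def find_byovd_chains(events):
    """Return (host, time) for each rwdrv.sys load that is followed within WINDOW
    by an hlpdrv.sys load and a registry write touching a Windows Defender key."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev[1], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (t0, _, kind, detail) in enumerate(evs):
            if kind != "DRIVER_LOAD" or not detail.lower().endswith(VULNERABLE_DRIVER):
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= WINDOW]
            second = any(e[2] == "DRIVER_LOAD" and e[3].lower().endswith(MALICIOUS_DRIVER) for e in later)
            defender_reg = any(e[2] == "REG_SET" and "windows defender" in e[3].lower() for e in later)
            if second and defender_reg:
                hits.append((host, t0))
    return hits
```

A lone rwdrv.sys load is not flagged by itself, since the driver ships with legitimate ThrottleStop installs; the sequence is what distinguishes the abuse.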
ChatGPT Connectors are shown vulnerable to indirect prompt injection.
Researchers have uncovered a serious vulnerability in OpenAI’s ChatGPT Connectors, showing how attackers can exploit linked services like Google Drive through indirect prompt injection. Connectors provide functionality for data to flow between ChatGPT and, say, your email account or calendar. In a demo dubbed AgentFlayer, a malicious document shared via Google Drive tricked ChatGPT into extracting API keys and sending them to an attacker’s server using hidden prompts in white, size-one text. This zero-click attack requires no user interaction. It highlights the risks of linking AI models to external systems, as doing so expands the potential attack surface. OpenAI has since deployed mitigations. The incident underscores broader concerns about prompt injection threats in AI-integrated environments. As LLMs become more powerful by connecting to user data, they also become more vulnerable to manipulation, turning a convenience into a possible security gateway for hackers.
Researchers expose new details about the VexTrio cybercrime network.
Researchers at Infoblox have exposed new details about VexTrio, a cybercrime network active since 2017 that uses traffic distribution systems (TDS), DNS manipulation, and domain generation algorithms to spread malware, scams, and illegal content. The group compromises websites, often WordPress-based, and reroutes traffic through malicious redirects tailored by geolocation and device. VexTrio also runs fake antivirus apps, porn sites, crypto scams, and ad fraud schemes. Their infrastructure, surprisingly, operates on fewer than 250 virtual machines. Infoblox linked the operation to two affiliate marketing networks in Europe that merged in 2020, forming a multinational criminal enterprise spanning nearly 100 companies. Researchers named eight individuals tied to the group, connected to businesses in countries like Switzerland, Czechia, and Canada. An 80-page report was released during Black Hat USA 2025 detailing the full scope of VexTrio’s activities and operators.
SonicWall says recent SSLVPN-related cyber activity is not due to a zero-day.
SonicWall has confirmed that recent SSLVPN-related cyber activity on Gen 7+ firewalls is not due to a zero-day but is linked to the previously disclosed vulnerability CVE-2024-40766. Fewer than 40 incidents are under investigation, many tied to Gen 6-to-Gen 7 migrations where user passwords weren’t reset as advised. SonicOS 7.3 offers stronger brute-force protections. Customers are urged to update to version 7.3.0, reset SSLVPN account passwords, and follow best practices like enabling MFA, botnet protection, and removing inactive accounts.
Do androids dream of concierge duty?
At Japan’s Henn na Hotel, “Henn na” meaning “weird,” and yes, they own it, robots are on staff, but not everywhere, and not always. Management says the decision to deploy them is based on market conditions, guest preferences, and, presumably, how much patience the robots have that day. Amid Japan’s labor crunch, these humanoid helpers offer cost-cutting charm and unwavering 24/7 availability. Some, like RoBoHoN, can control lights, recommend sushi joints, and dance over 70 routines, because why wouldn’t a concierge do flamenco? Headcount has dropped drastically at some locations, with bots outnumbering humans like it’s a sci-fi reboot of Fawlty Towers. But expectations are tricky: make a robot too lifelike, and guests expect them to fold towels and feel feelings. Henn na’s solution? Keep them quirky, keep them dancing, and maybe skip the bedtime stories.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
