The CyberWire Daily Podcast 8.18.25
Ep 2373 | 8.18.25

Workday’s bad day.

Transcript

HR software giant Workday discloses a data breach. Researchers uncover a zero-day in Elastic’s EDR software. Ghost-tapping is an emerging fraud technique where cybercriminals use NFC relay attacks to exploit stolen payment card data. Germany may be on a path to ban ad blockers. A security researcher documents multiple serious flaws in McDonald’s systems. There’s a new open-source framework for testing 5G security flaws. New York’s Attorney General sues the banks behind Zelle over fraud allegations. The DOJ charges the alleged Zeppelin ransomware operator and seizes over $2.8 million in cryptocurrency. Tim Starks from CyberScoop discusses the overlooked changes that two Trump executive orders could bring to cybersecurity. Bots build their own echo chambers.

Today is Monday August 18th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

HR software giant Workday discloses a data breach. 

HR software giant Workday has disclosed a data breach after attackers accessed a third-party CRM platform through a social engineering campaign. While customer tenants and their data were not affected, some business contact information—including names, emails, and phone numbers—was exposed. Workday said attackers impersonated HR or IT staff via phone and text to trick employees into giving access.

The breach, discovered on August 6, appears linked to the ShinyHunters extortion group, which has recently targeted Salesforce CRM systems at several major companies, including Adidas, Qantas, Google, Louis Vuitton, and Chanel. The group uses malicious OAuth apps to steal CRM data, then extorts victims by threatening leaks. Workday emphasized that only commonly available contact data was exposed but warned it may fuel further phishing attempts.

Researchers uncover a zero-day in Elastic’s EDR software. 

Researchers at Ashes Cybersecurity have uncovered a zero-day flaw in Elastic’s Endpoint Detection and Response (EDR) software. The bug, a NULL Pointer Dereference in the Microsoft-signed driver elastic-endpoint-driver.sys, can be used to crash systems, bypass security, execute remote code, or plant malicious drivers for persistence. The issue affects version 8.17.6 and later, with no patch available. Despite multiple disclosure attempts, Elastic has not responded. The flaw poses a serious risk, allowing attackers to undermine Elastic’s security stack.

Ghost-tapping is an emerging fraud technique where cybercriminals use NFC relay attacks to exploit stolen payment card data. 

Recorded Future’s Insikt Group has published research on ghost-tapping, an emerging fraud technique in which Chinese-speaking cybercriminals use NFC relay attacks to exploit stolen payment card data linked to mobile wallets such as Apple Pay or Google Pay. In an NFC relay attack, criminals intercept and forward the communication between a contactless payment card or mobile wallet and a payment terminal. Mules equipped with burner phones make in-person purchases of luxury goods, which are later resold for profit. Analysts at Insikt Group identified Telegram actor @webu8 advertising ghost-tapping services and burner devices to syndicates. Following the May 2025 closure of Huione Guarantee, criminals have shifted to the Xinbi Guarantee and Tudou Guarantee marketplaces to coordinate fraud, recruit mules, and launder money. Operations are concentrated in China and Southeast Asia but can be executed globally. Ghost-tapping’s effectiveness stems from weak KYC checks at retailers, which makes detection difficult. Victims include retailers, banks, payment providers, and insurers.

Germany may be on a path to ban ad blockers. 

A recent ruling from Germany’s Federal Supreme Court (BGH) threatens the legality of ad blockers, raising concerns about user choice and privacy online. The case stems from a decade-long legal battle between publisher Axel Springer and Eyeo, maker of Adblock Plus. While lower courts largely upheld ad blockers as tools that enable user choice, the BGH overturned part of a 2022 ruling and sent the case back for review. The court asked whether ad blockers alter copyright-protected code and under what conditions such interference is lawful. Critics warn the decision could set a precedent that undermines not just ad blocking, but also browser extensions that enhance privacy, accessibility, and security. If Germany restricts ad blockers, it risks joining China as one of the few jurisdictions to ban them.

A security researcher documents multiple serious flaws in McDonald’s systems. 

A security researcher, BobDaHacker, uncovered multiple serious flaws in McDonald’s systems, affecting employees and internal platforms worldwide. Initial testing revealed that the McDonald’s app failed to validate reward points server-side, allowing free food. Further digging exposed wider vulnerabilities: the Design Hub used weak client-side protections, allowed anyone to register accounts, emailed passwords in plaintext, and exposed API keys and Algolia indexes with personal data. Crew-level accounts could access executive systems, impersonate staff, and even alter franchise content through the GRS portal, which lacked authentication. Misconfigurations also exposed internal documents, and the new CosMc’s platform allowed coupon abuse and order manipulation. Reporting these flaws was difficult—McDonald’s had removed its security.txt contact file, forcing the researcher to cold-call HQ. While most issues were fixed, reporting channels remain inadequate.
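The first McDonald’s finding above, reward points that were never validated server-side, is a textbook instance of trusting client-supplied state. The following Python is an added illustration written for this briefing, not code from the researcher or from McDonald’s; the account ledger, reward catalogue and account ids are constructed placeholders, and the handler names are hypothetical. It puts the flawed pattern (the client tells the server its own balance) next to the hardened one (the server looks up the balance, checks it against the reward cost, and debits it under a lock so the check and the debit cannot be split).

```python
import threading

# Constructed sample data: account id -> reward points held by the server.
LEDGER = {"acct-1001": 1500, "acct-1002": 200}
# Constructed reward catalogue: reward id -> points cost.
CATALOG = {"free-fries": 800, "free-burger": 1200}

# One lock guards check-then-debit so two concurrent redemptions cannot both
# pass the balance check against the same pre-debit balance.
_LEDGER_LOCK = threading.Lock()


def redeem_trusting_client(account_id, reward_id, claimed_balance):
    """Flawed pattern (hypothetical handler): the request body carries the
    client's own idea of its balance and the server only compares that number
    against the cost. A tampered request that claims a large balance is
    granted the reward regardless of what the account actually holds."""
    if reward_id not in CATALOG:
        return {"ok": False, "error": "unknown reward"}
    cost = CATALOG[reward_id]
    if claimed_balance < cost:
        return {"ok": False, "error": "insufficient points"}
    # Nothing in server state is consulted or updated; the reward is issued
    # on the client's word alone.
    return {"ok": True, "granted": reward_id, "remaining": claimed_balance - cost}


def redeem_server_side(account_id, reward_id, ledger=None):
    """Hardened pattern (hypothetical handler): the client supplies only
    identifiers. Balance and cost are read from server state, the comparison
    is made there, and the debit happens in the same critical section."""
    if ledger is None:
        ledger = LEDGER
    if reward_id not in CATALOG:
        return {"ok": False, "error": "unknown reward"}
    cost = CATALOG[reward_id]
    with _LEDGER_LOCK:
        balance = ledger.get(account_id)
        if balance is None:
            return {"ok": False, "error": "unknown account"}
        if balance < cost:
            return {"ok": False, "error": "insufficient points"}
        ledger[account_id] = balance - cost  # debit recorded server-side
        remaining = ledger[account_id]
    return {"ok": True, "granted": reward_id, "remaining": remaining}


def compare_handlers(account_id, reward_id, claimed_balance, ledger):
    """Run the same tampered request through both handlers so the difference
    is visible side by side. Returns (flawed_result, hardened_result)."""
    flawed = redeem_trusting_client(account_id, reward_id, claimed_balance)
    hardened = redeem_server_side(account_id, reward_id, ledger)
    return flawed, hardened


if __name__ == "__main__":
    # acct-1002 holds 200 points but the request claims 999999.
    sample_ledger = dict(LEDGER)
    flawed, hardened = compare_handlers("acct-1002", "free-burger", 999999, sample_ledger)
    print("client-trusting handler:", flawed)
    print("server-side handler:   ", hardened)
```

The point of the side-by-side run is that the request body is identical in both cases; only the source of truth differs. In the hardened path the client’s claimed balance does not even appear in the function signature, which is the simplest way to guarantee it can never influence the decision.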

There’s a new open-source framework for testing 5G security flaws. 

Researchers from the Singapore University of Technology and Design have released Sni5Gect, an open-source framework for testing 5G security flaws. Unveiled at USENIX Security 2025, the tool exploits the pre-authentication phase of 5G connections, when traffic between devices and base stations is unencrypted. Using off-the-shelf radios, Sni5Gect can sniff uplink and downlink traffic with 80% accuracy at ranges up to 20 meters and inject packets with a 70–90% success rate. Demonstrated attacks include a 5G-to-4G downgrade exploit, enabling surveillance and further compromise. The tool also supports denial-of-service, fingerprinting, and multi-stage payload injection. While the core framework is public on GitHub, more dangerous exploits are restricted to vetted institutions. The GSMA confirmed the downgrade flaw and assigned it CVD-2024-0096 under its disclosure program.

New York’s Attorney General sues the banks behind Zelle over fraud allegations. 

New York Attorney General Letitia James has filed a lawsuit against the banks behind Zelle, alleging the payment platform facilitated over $1 billion in fraud between 2017 and 2023. James claims Zelle’s operator, Early Warning Services (EWS)—owned by major banks including JPMorgan Chase, Bank of America, and Wells Fargo—rushed the product to market without proper safeguards. The lawsuit cites weak registration processes that allowed scammers to pose as legitimate businesses or government agencies, tricking victims into sending unrecoverable funds. James also alleges EWS failed to act quickly on fraud complaints, remove bad actors, or reimburse victims, despite marketing Zelle as “safe.” While Zelle denies wrongdoing, James seeks restitution and damages for New Yorkers. The case echoes earlier scrutiny by the Consumer Financial Protection Bureau.

The DOJ charges the alleged Zeppelin ransomware operator and seizes over $2.8 million in cryptocurrency. 

The US Department of Justice has charged Ianis Aleksandrovich Antropenko, an alleged Zeppelin ransomware operator, and seized over $2.8 million in cryptocurrency, plus cash and a luxury vehicle tied to his crimes. Antropenko and co-conspirators encrypted and stole victims’ data, demanding ransom to prevent leaks. They allegedly laundered funds through ChipMixer and structured cash deposits. Zeppelin, first seen in 2019 and linked to VegaLocker, mainly targeted the healthcare and tech sectors. Antropenko faces charges of computer fraud and abuse, and money laundering conspiracy.

Bots build their own echo chambers. 

Researchers at the University of Amsterdam decided to see what happens when 500 AI chatbots are let loose on a stripped-down social network — no ads, no algorithms, no dopamine-driven content feeds. Surely, without those manipulative nudges, the bots would live in perfect harmony, right? Wrong. Much like their human inspirations, the bots quickly self-sorted into echo chambers, following only like-minded peers and amplifying the loudest partisan voices.

Across five experiments and 10,000 interactions, the results were depressingly familiar: extremism attracted followers, and interventions like chronological feeds, hiding bios, or downplaying virality barely made a dent (sometimes making things worse). The study suggests polarization isn’t just an algorithmic quirk — it’s a structural feature of social media itself. In other words, it’s not just the mirror that’s warped; it’s us.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.