
Inside Intel’s internal web maze.
A researcher uncovers vulnerabilities across Intel’s internal websites that exposed sensitive employee and supplier data. The Kimsuky group (APT43) targets South Korean diplomatic missions. A new DDoS vulnerability bypasses the 2023 “Rapid Reset” fix. Drug development firm Inotiv reports a ransomware attack to the SEC. The UK drops its demand that Apple provide access to encrypted iCloud accounts. Hackers disguise the PipeMagic backdoor as a fake ChatGPT desktop app. The source code for a powerful Android banking trojan was leaked online. A Nebraska man is sentenced to prison for defrauding cloud providers to mine nearly $1 million in cryptocurrency. On this week’s Threat Vector, David Moulton speaks with Liz Pinder and Patrick Bayle for a no-holds-barred look at context switching in the SOC. A UK police force fails to call for backup.
Today is Tuesday August 19th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A researcher uncovers major vulnerabilities across Intel’s internal websites that exposed sensitive employee and supplier data.
Security researcher Eaton Zveare uncovered four major vulnerabilities across Intel’s internal websites that exposed sensitive employee and supplier data. First, Intel’s business card ordering site allowed login bypass, enabling access to a global employee database of over 270,000 records. Second, the “Hierarchy Management” site stored weakly encrypted hardcoded credentials, allowing attackers to decrypt passwords, impersonate admins, and access employee and product data. Third, the “Product Onboarding” portal leaked multiple hardcoded credentials, including GitHub tokens, which could have allowed rogue product uploads. Finally, Intel’s SEIMS supplier site had broken authentication checks, letting attackers enumerate employees and access confidential supplier agreements. While Intel patched the flaws after disclosure, its bug bounty program excluded website vulnerabilities, leaving the researcher unrewarded despite reporting critical issues.
The Kimsuky group (APT43) targets South Korean diplomatic missions.
Elsewhere, Trellix researchers exposed a North Korea–linked espionage campaign by the Kimsuky group (APT43) targeting South Korean diplomatic missions between March and July. At least 19 spear-phishing emails impersonated trusted contacts, using password-protected ZIP files hosted on Dropbox and Daum. The lures mimicked real events such as EU meetings and U.S. Independence Day celebrations. Once opened, malicious LNK files launched obfuscated PowerShell scripts that pulled base64-encoded payloads from GitHub, where attackers maintained private repositories for command-and-control (C2). Victims ultimately received XenoRAT, a remote access trojan enabling full system control, data theft, and surveillance. Infrastructure analysis linked operations to DPRK but noted Chinese holiday pauses, suggesting activity from China. The campaign maps to MITRE ATT&CK techniques, remains ongoing, and underscores the need for stronger diplomatic network defenses.
A new DDoS vulnerability bypasses the 2023 “Rapid Reset” fix.
Researchers from Tel Aviv University have uncovered “MadeYouReset” (CVE-2025-8671), a new DDoS vulnerability in the HTTP/2 protocol that bypasses the 2023 “Rapid Reset” fix. Like Rapid Reset, it abuses HTTP/2’s concurrent stream design to overwhelm servers, but instead of clients canceling requests, attackers send invalid control frames that force the server to cancel streams on their behalf. This allows attackers to repeatedly trigger backend work, mimicking Rapid Reset’s devastating effect. The flaw could impact up to one-third of websites worldwide. Severity varies across implementations, with Netty rated 8.2 and F5 BIG-IP rated 6.9. While many vendors had already hardened systems after Rapid Reset, others only patched recently. Mitigation is complex, requiring stricter stream cancellation handling or backend limits, but inconsistent vendor responsibility leaves risks unresolved.
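Why the 2023 fix does not cover this pattern comes down to what a cancellation budget counts. The model below is an added example, not code from the Tel Aviv University researchers or any vendor: a constructed HTTP/2 connection with a hypothetical `Connection` class in which a budget that counts only client-sent RST_STREAM frames (Rapid Reset style) never trips on a thousand server-cancelled streams, while a budget that counts every cancellation regardless of who initiated it drops the connection once the budget is exhausted.

```python
from collections import namedtuple

# Constructed stand-in for the HTTP/2 frames that matter here.
Frame = namedtuple("Frame", "kind stream_id valid")
HEADERS, RST_STREAM, CONTROL = "HEADERS", "RST_STREAM", "CONTROL"

class Connection:
    """Per-connection cancellation budget. count_server_resets=False models
    a Rapid Reset style limit that counts only client RST_STREAM frames;
    True also counts streams the server had to reset after an invalid
    frame, which is the path MadeYouReset uses for the same effect."""
    def __init__(self, max_cancels, count_server_resets):
        self.max_cancels = max_cancels
        self.count_server_resets = count_server_resets
        self.backend_requests = 0  # units of backend work dispatched
        self.cancels = 0
        self.closed = False

    def handle(self, frame):
        if self.closed:
            return  # abusive connection already dropped
        if frame.kind == HEADERS:
            self.backend_requests += 1  # each new stream dispatches work
        elif frame.kind == RST_STREAM:
            self._cancel()  # client-initiated cancellation
        elif not frame.valid and self.count_server_resets:
            # Stream-level protocol error: the server resets the stream
            # itself, so the client never sent RST_STREAM.
            self._cancel()

    def _cancel(self):
        self.cancels += 1
        if self.cancels > self.max_cancels:
            self.closed = True

def run(frames, count_server_resets, max_cancels=10):
    # Returns (backend work dispatched, whether the connection was dropped).
    conn = Connection(max_cancels, count_server_resets)
    for frame in frames:
        conn.handle(frame)
    return conn.backend_requests, conn.closed

def made_you_reset_pattern(n):
    """Constructed: n streams, each opened and then hit by an invalid frame."""
    frames = []
    for i in range(n):
        stream_id = 2 * i + 1  # client-initiated streams are odd-numbered
        frames.append(Frame(HEADERS, stream_id, True))
        frames.append(Frame(CONTROL, stream_id, False))
    return frames
```

Running `run(made_you_reset_pattern(1000), count_server_resets=False)` dispatches all 1000 units of backend work without closing the connection; the same input with `count_server_resets=True` stops at 11.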
Drug development firm Inotiv reports a ransomware attack to the SEC.
Indiana-based drug development firm Inotiv reported a ransomware attack to the SEC after discovering the incident on August 8, 2025. Threat actors encrypted key systems, forcing shutdowns that disrupted internal data storage, business applications, and overall operations. The company is relying on offline alternatives while working to restore systems, with no timeline yet for recovery. Law enforcement was notified, though no group has claimed responsibility. Inotiv, which earned $374.9 million in the first three quarters of 2025, said financial impacts remain uncertain.
The UK drops its demand that Apple provide access to encrypted iCloud accounts.
The UK has reportedly dropped a demand requiring Apple to provide access to encrypted iCloud accounts, according to U.S. Director of National Intelligence Tulsi Gabbard. The order, known as a Technical Capability Notice (TCN), was criticized as a “back door” into user data, though the British government disputes that characterization. Apple had disabled Advanced Data Protection for UK users in 2023 to comply, since the feature made certain iCloud data accessible only from user devices. Apple is challenging the order at the Investigatory Powers Tribunal with support from civil society groups. The UK government emphasized safeguards under existing U.S.-UK data-sharing agreements, stressing that neither nation can target the other’s citizens, while reaffirming its commitment to balancing security with privacy protections.
Hackers disguise the PipeMagic backdoor as a fake ChatGPT desktop app.
Microsoft has warned that hackers are disguising the PipeMagic backdoor as a fake ChatGPT desktop app to prepare ransomware attacks. Attributed to threat group Storm-2460, the malware exploits a Windows zero-day (CVE-2025-29824) in the Common Log File System Driver to gain persistence and escalate privileges before deploying ransomware. PipeMagic has been observed targeting IT, financial, and real estate sectors worldwide. First seen in 2022, the malware resurfaced in 2024. Victims see only a blank screen, while attackers gain remote access and data theft capabilities.
The source code for a powerful Android banking trojan was leaked online.
Researchers from Hunt.io have discovered that the source code for ERMAC v3.0, a powerful Android banking trojan, was leaked online in March 2024 via an exposed archive named Ermac 3.0.zip. The leak contained the trojan’s backend, frontend panel, exfiltration server, builder, and obfuscator. ERMAC v3.0 expanded targeting from 467 apps in version 2 to over 700 financial, shopping, and crypto apps, while adding stronger AES-CBC encryption, upgraded form-injection techniques, fake push notifications, device control, and remote uninstallation. Hunt.io also uncovered live infrastructure tied to the operation, including command-and-control servers with weak security such as hardcoded tokens and default credentials. While the leak undermines ERMAC’s malware-as-a-service credibility, it may enable defenders to improve detection — but also risks new, harder-to-detect variants emerging.
A Nebraska man is sentenced to prison for defrauding cloud providers to mine nearly $1 million in cryptocurrency.
Nebraska man Charles O. Parks III, aka “CP3O,” was sentenced to one year in prison for defrauding cloud providers of $3.5 million to mine nearly $1 million in cryptocurrency. Between January and August 2021, he used aliases and shell companies to access massive computing power from providers believed to be Microsoft and Amazon, without paying. Parks laundered proceeds through crypto exchanges, banks, and even an NFT marketplace, funding luxury purchases. Prosecutors said he falsely branded himself as a crypto influencer and innovator.
A UK police force fails to call for backup.
South Yorkshire Police (SYP) has earned itself a polite scolding from the UK’s data watchdog after it somehow managed to delete 96,000 pieces of bodycam evidence—a feat of digital spring cleaning nobody asked for. According to the Information Commissioner’s Office (ICO), the trouble began after an IT upgrade in May 2023 left the force’s Digital Evidence Management System groaning under the weight of video files. Footage was temporarily stored on a local disk, until July 26, when a third-party transfer to a new “Storage Grid” turned into a large-scale vanishing act. SYP admits the data probably went missing “in error,” which is as reassuring as it sounds. Although most of the footage had already been copied elsewhere, the force can’t say how much was lost forever, thanks to years of poor record keeping and unresolved backup issues. Unfortunately, when the files went missing, the IT team couldn’t radio for backup.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
