šŸŽ“ļø Vulnerable U | #119

Google Threat Intel Voice Phishing Knowledge Drops, Massive critical Cisco bug, Meta caught tracking data they weren't supposed to, and much more!

Read Time: 8 minutes


Howdy friends!

Writing you from Washington D.C. where I’m really excited to go to my first ever Sleuthcon - I’ll be honest, when I go to conferences these days I don’t spend a lot of time in the talks. I go to meet with a lot of people that I only get to see at cons. But this one is different, it’s one track and all the talks have a singular focus: Cybercrime. The people talking are the small part of the industry actually focused on catching the bad guys all day.

ICYMI

šŸ–Šļø Something I wrote: Definitely important for security teams to watch OpenAI feature announcements: "ChatGPT now ingests Google Workspace, Microsoft 365, Dropbox, Box, SharePoint and OneDrive data"

šŸŽ§ļø Something I heard: How Neuroscience Can Help Us Battle 'Alert Fatigue' - This is a solid webinar I got to be a part of. They paired me with a neuroscientist, so I felt like I was coloring at the kids table, but learned a lot even though I was a guest presenting!

🎤 Something I said: Doubled up on ChatGPT last week. 1) OpenAI got a court order mandating they retain all user logs. Bad for privacy, and also a weird/bad precedent on a court ordering something like this. 2) ChatGPT's o3 model found an 0day. Not efficiently, and under a tightly scoped test, but it found it.

🔖 Something I read: My AI Skeptic Friends Are All Nuts - Really good read on the state of AI coding and the general attitude towards it.

Vulnerable News

Double Tap from Google Threat Intel on Voice Phishing Threats

Google Cloud’s Threat Intelligence Group (GTIG) walks through a focused case study that zeroes in on UNC6040, a financially motivated crew abusing social-engineering phone calls to trick employees into authorizing a doctored Salesforce Data Loader “connected app.” Once the victim pastes a “connection code,” the actor can bulk-exfiltrate CRM data and, weeks later, surface with ShinyHunters-style extortion demands. GTIG’s post is as much a playbook for defenders as it is a map of the attacker infrastructure (Mullvad VPN + Okta phishing panel), which overlaps with other “The Com” actors, and ends with a Salesforce-specific hardening checklist covering connected-app allow-listing, IP controls, and FIDO-key MFA. (Read more: The Cost of a Call: From Voice Phishing to Data Extortion)

The companion piece from Mandiant zooms out from that single campaign to dissect the entire voice phishing kill chain and contrast UNC6040 with the better-known UNC3944 / Scattered Spider playbook. It details OSINT pretext building, AI voice-cloning, service-desk MFA resets, and how red-teamers have recreated the same TTPs to hand clients actionable gaps. The back half reads like a SOC runbook: positive ID verification flows, phishing-resistant MFA enrollment controls, and SIEM rules for password-reset + MFA-fatigue correlation. Together, the two posts form a concise “what happened” + “how to emulate/detect it” bundle. (Read more: Hello, Operator? A Technical Analysis of Vishing Threats)
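The password-reset + MFA-fatigue correlation the Mandiant post describes, as an added example that is not from either post or any vendor: a small Python rule run over constructed helpdesk and IdP events. Source names, action names, users and timestamps are all assumptions; map your own SIEM fields onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. "helpdesk" is an assumed ticketing
# source, "idp" an assumed identity-provider source; action names are assumptions too.
EVENTS = [
    {"ts": "2025-06-05T14:01:00", "src": "helpdesk", "user": "jdoe", "action": "password_reset"},
    {"ts": "2025-06-05T14:02:10", "src": "idp", "user": "jdoe", "action": "mfa_push_sent"},
    {"ts": "2025-06-05T14:02:40", "src": "idp", "user": "jdoe", "action": "mfa_push_denied"},
    {"ts": "2025-06-05T14:03:05", "src": "idp", "user": "jdoe", "action": "mfa_push_sent"},
    {"ts": "2025-06-05T14:04:00", "src": "idp", "user": "jdoe", "action": "mfa_push_sent"},
    {"ts": "2025-06-05T14:04:20", "src": "idp", "user": "jdoe", "action": "mfa_push_approved"},
    {"ts": "2025-06-05T14:09:30", "src": "idp", "user": "jdoe", "action": "mfa_factor_enrolled"},
    {"ts": "2025-06-05T15:10:00", "src": "helpdesk", "user": "asmith", "action": "password_reset"},
    {"ts": "2025-06-05T15:11:00", "src": "idp", "user": "asmith", "action": "mfa_push_sent"},
    {"ts": "2025-06-05T15:11:20", "src": "idp", "user": "asmith", "action": "mfa_push_approved"},
]

ANCHORS = {"password_reset", "mfa_factor_enrolled"}  # service-desk style account changes

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def correlate(events, window=timedelta(minutes=15), push_threshold=3):
    """One alert per user whose account-change event has >= push_threshold MFA pushes within
    +/- window; also flags approve-after-deny (fatigue worked) and new-factor enrollment."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for anchor in (e for e in evs if e["action"] in ANCHORS):
            t0 = _ts(anchor)
            near = [e for e in evs if abs(_ts(e) - t0) <= window]  # events around the anchor
            pushes = [e for e in near if e["action"] == "mfa_push_sent"]
            if len(pushes) < push_threshold:
                continue
            denied_seen, approved_after_denial = False, False
            for e in near:  # chronological, so a later approval follows an earlier denial
                if e["action"] == "mfa_push_denied":
                    denied_seen = True
                elif e["action"] == "mfa_push_approved" and denied_seen:
                    approved_after_denial = True
            alerts.append({
                "user": user, "anchor": anchor["action"], "ts": anchor["ts"],
                "pushes_in_window": len(pushes), "approved_after_denial": approved_after_denial,
                "new_factor_enrolled": any(e["action"] == "mfa_factor_enrolled" and e is not anchor for e in near),
            })
            break  # first matching anchor is enough for triage
    return alerts
```

In the constructed data only jdoe fires (three pushes, an approval after a denial, and a new factor enrolled right after the reset); asmith's single push after a reset is the benign baseline the threshold is meant to ignore.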

In today’s world of fluid users, devices, and data, identity is both the key to access and a top target for attackers. With GenAI and deepfakes on the rise, MFA alone isn’t always enough.

Join Persona’s demo of their Know Your Employee solution, which easily integrates with Okta and Duo solutions, to see how companies are adding employee identity verification to stop insider threats, stay compliant, and streamline operations—without adding friction for HR or IT.

*Sponsored

Cisco dropped a nasty one with CVE-2025-20286, scoring a near-perfect 9.9 CVSS for their Identity Services Engine running in the cloud. The bug is embarrassingly simple - when you deploy ISE on AWS, Azure, or OCI, different deployments end up sharing the same static credentials as long as they're running the same software version on the same platform. So every ISE 3.1 instance on AWS basically has identical login creds.

This means that if an attacker compromises one cloud ISE deployment, they can potentially gain access to any other deployment running the same version on that platform. The good news is it only affects cloud-deployed Primary Administration nodes, not on-premises setups. But wait. There’s more! There's already a proof-of-concept floating around and Cisco's only real fix involves either heavily restricting access or factory resetting your entire config. (read more)

ESET just dropped a massive deep dive on BladedFeline, an Iranian APT group that's been quietly wreaking havoc since 2017. These guys have been focused on Kurdish and Iraqi government officials, and they're probably a subgroup of the well-known OilRig crew. Their toolset is interesting, especially the Whisper backdoor, which hijacks compromised Exchange accounts to communicate via email attachments. Pretty clever way to blend into normal corporate email traffic.

The technical analysis is impressive, showing how BladedFeline has maintained persistent access to Kurdistan Regional Government systems for over seven years while expanding into Iraqi government networks and even a telecom provider in Uzbekistan. Their PrimeCache IIS module shares code similarities with OilRig's RDAT backdoor, which helped ESET connect the dots. (read more)

Meta and Yandex got caught using a localhost port listening trick to bypass Android privacy protections. Their native apps would open local ports to receive tracking data from Meta Pixel and Yandex Metrica scripts running in mobile browsers, effectively linking web browsing to user identities. This bypassed everything from Incognito Mode to cookie clearing to Android's permission system.

After researchers exposed this, Meta quickly "paused" the feature and stripped most of the tracking code from their Pixel script. Chrome 137 already includes some protections against the SDP Munging technique they used, while Firefox is working on a fix. Brave and DuckDuckGo users were already protected. Yandex has apparently been doing this since 2017. Google's considering a new "local network access" permission to prevent this kind of localhost abuse in the future. (read more)

HMRC is saying scammers made off with £47 ($63) million last year by filing bogus tax rebate claims. The criminals didn't hack the tax authority directly. They used stolen personal info (likely from phishing campaigns or data breaches) to hijack or create fake accounts and claim refunds they weren't entitled to. About 100,000 taxpayers are getting letters in the next few weeks letting them know their accounts were compromised.

The good news is that individual taxpayers aren't on the hook for any losses, though their accounts are locked down for now. (read more)

This is getting out of hand. At this point do we call it a cyber crime spree? I’ve got at least 13 victims in the last 4-6 weeks all in the retail sector. A few seem to be hacked via a 3rd party customer support tool. Then some seem to be straight up phishing → ransomware or credential stuffing. All fingers being pointed towards Scattered Spider, but loose evidence on that. I dig through all the incidents we know about in the YouTube video.

Vodafone's German arm just got slapped with a €45M fine for some security mess-ups. First, their partner agencies' employees were running wild, creating fake contracts and making unauthorized changes to existing ones (€15M of the fine). But the bigger hit came from authentication flaws in their MeinVodafone app and hotline that left customer eSIM profiles exposed (€30M worth of pain).

Credit where it's due - Vodafone played nice with the investigators and owned up to their mistakes. They've since cleaned house by updating their systems, tightening partner agency oversight, and cutting ties with the sketchy partners. They've already paid up and even threw some extra millions at orgs fighting for data protection and cybersecurity education. Kudos to them for taking their lumps and actually trying to fix things, so it seems. (read more)

Interlock ransomware gang leaked 941GB of data allegedly swiped from Kettering Health in Ohio, following their system-wide outage earlier this month. The healthcare network had been slowly getting back on their feet, recently relaunching their Epic EHR system, but apparently chose not to pay the ransom. The leaked data supposedly includes ID cards, financial reports, and payment info across 732,490 files.

Interlock's been making waves since October, racking up about 40 victims including DaVita and Texas Tech University. They're also potentially tied to those NodeSnake RAT infections that hit UK universities. This attack fits their MO of targeting healthcare and education sectors. (read more)

Two members of the doxing group ViLE just got prison time for hacking a federal law enforcement database and running an extortion racket. Sagar "Weep" Singh (21) and Nicholas "Ominous" Ceraolo (26) were sentenced to 27 and 25 months, respectively, after accessing a sensitive law enforcement intelligence portal using stolen credentials. They grabbed SSNs and narcotics seizure records, then threatened to leak victims' info unless paid. In one case, Singh threatened a victim's parents to gain control of Instagram accounts.

The group's MO involved a mix of social engineering, bribes, and fake legal requests to gather personal data for extortion. Four other ViLE members remain at large, with DOJ investigations ongoing. (read more)

China's escalating its cyber warfare rhetoric against Taiwan, issuing arrest warrants for 20 Taiwanese nationals they claim were running hacking operations on behalf of Taiwan's ruling Democratic Progressive Party. The alleged crew was supposedly led by someone named Ning Enwei, though Beijing didn't get too specific about what exactly they're accused of doing. Classic move - lots of drama, light on technical details.

Meanwhile, they're also going after a Taiwanese bicycle parts company called Sicuens International, banning all business dealings because the owner Puma Shen apparently runs the Kuma Academy - a civilian defense training organization that teaches Taiwanese folks how to prepare for potential invasion. (read more)

Ukrainian police arrested a cryptojacker who compromised 5,000 hosting accounts since 2018, racking up $4.5M in damages through unauthorized crypto mining. What, can’t a man have hobbies? The 35-year-old moved between regions to avoid detection while using OSINT to identify vulnerable infrastructure.

During the raid, police found evidence linking him to stolen credentials, crypto wallets, mining management scripts, and remote access tools. He's looking at up to 15 years under Ukrainian law, and there's still an open question about whether the hosting provider's clients will be stuck with the inflated bills from all that unauthorized compute time. (read more)

A clever campaign targeting hackers, gamers, and researchers was found spreading malware through 141 GitHub repos. The attacker's main lure was Sakura RAT - a supposedly "free" remote access trojan that actually drops malware when compiled. They've got repos pushing everything from game cheats to exploit builders, all backdoored with stealers and RATs like Lumma, AsyncRAT and Remcos.

The amount of effort put into making these repos look legit is wild: automated commits (one repo had 60k!), consistent contributor patterns, and traffic driven through YouTube and Discord. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay