Cyber Mornings Daily

Author: Alice & Bob

Description

Cyber Mornings Daily is your go-to daily podcast for the latest cybersecurity news, trends, and insights, delivered by AI. Each episode delivers a concise and informative breakdown of the most pressing cyber threats, vulnerabilities, and breaches.
79 Episodes
September 19th, 2025

2025-09-19 (32:52)

Cyber Mornings Daily brings you the latest cybersecurity news, starting with the UK arrests of 'Scattered Spider' teenagers linked to the Transport for London hack and US healthcare attacks, with one suspect facing charges for over 120 global network breaches. We also examine ShinyHunters' claim of 1.5 billion Salesforce records stolen through compromised Salesloft Drift OAuth tokens, along with FBI warnings about associated threat actors and Google's confirmation of a fraudulent law enforcement account. Today's show also covers the ransomware breach at VC giant Insight Partners, which compromised thousands after a sophisticated social engineering attack, and reviews alarming trends like the doubling of password cracking incidents.
September 4th, 2025

2025-09-04 (29:40)

For today's Cyber Mornings Daily, we're tracking major headlines in digital privacy and online security. French regulators have fined Google $379 million and Chinese e-commerce giant Shein $175 million for violating cookie consent laws, specifically for setting advertising cookies on users' browsers without securing their consent and encouraging choices that favored personalized advertisements. Google also faces a $425 million judgment in the U.S., as a jury found the company violated users' privacy by collecting their data even after they opted out of Web & App Activity tracking. Child data privacy is a significant focus as well, with Disney agreeing to a $10 million settlement with the U.S. Federal Trade Commission (FTC) over allegations that it collected personal data from children watching YouTube videos without parental notification or consent, violating the U.S. Children's Online Privacy Protection Rule (COPPA). The FTC is also taking action against Apitor Technology, a China-based robot toy maker, for allegedly permitting a third party to collect children's geolocation data without their knowledge and parental consent via its Android app. In a new and evolving threat, actors are exploiting X's built-in AI assistant, Grok, to bypass link posting restrictions. This technique, dubbed "Grokking," involves hiding malicious links in video ad metadata and then prompting Grok to reply with the clickable link, thereby boosting its credibility and reach to millions of impressions. Lastly, in a major law enforcement success, the Alliance for Creativity and Entertainment (ACE) and Egyptian authorities have disrupted Streameast, which was identified as the world's largest illegal live sports streaming network, leading to the arrest of two individuals allegedly associated with the operation and the redirection of many of its domains.
September 3rd, 2025

2025-09-03 (36:38)

On today's Cyber Mornings Daily, we discuss Cloudflare's recent mitigation of a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps), lasting about 35 seconds and primarily originating from Google Cloud. This incident highlights a significant increase in hyper-volumetric DDoS attacks, which rose from 700 in Q1 2025 to 6,500 in Q2 2025, often launched by botnets like RapperBot. We then cover a major privacy development as Disney agrees to pay $10 million to settle claims from the U.S. Federal Trade Commission (FTC). The claims state that Disney illegally collected children's personal data on YouTube by failing to correctly label "kid-directed" videos as "Made for Kids" (MFK), thereby violating the Children's Online Privacy Protection Rule (COPPA). The settlement also mandates Disney to notify parents before collecting children's data and implement a new program to ensure correct video designation. Finally, we examine a substantial cybercrime attempt where hackers tried to steal $130 million from Sinqia S.A., Evertec's Brazilian subsidiary. The breach occurred on August 29, 2025, when hackers gained unauthorized access to Sinqia’s environment on Brazil's Pix payment system using stolen IT vendor credentials. While some funds have been recovered, the investigation is ongoing, and Sinqia's access to Pix has been temporarily revoked by the Central Bank of Brazil.
September 2nd, 2025

2025-09-02 (23:26)

Welcome to Cyber Mornings Daily! This week, we're covering a range of critical cybersecurity incidents and updates. Jaguar Land Rover recently announced that a cyberattack "severely disrupted" its production and retail operations, forcing the company to proactively shut down certain systems as a mitigation effort. While the automaker stated there is no evidence of customer data theft at this stage, dealers faced issues registering new cars and supplying parts. The incident, which occurred over a weekend, has no public timeline for resolution or details on the attack type. In proactive security news, Microsoft is set to enforce multi-factor authentication (MFA) for all Azure resource management actions starting in October 2025, as part of its Secure Future Initiative (SFI). This move, which applies to users performing create, update, or delete operations via Azure CLI, PowerShell, SDKs, and APIs, aims to protect against unauthorized access, with Microsoft noting that 99.99% of MFA-enabled accounts resist hacking attempts. Finally, the fallout continues from a major data breach at AI chatbot maker Salesloft, involving the mass-theft of authentication tokens from its Drift application. Google's Threat Intelligence Group (GTIG) warned that attackers, tracked as UNC6395, stole valid authentication tokens for hundreds of integrated corporate services, including Slack, Google Workspace, Amazon S3, and Microsoft Azure, and siphoned large amounts of data while searching for sensitive credentials. Google has strongly advised organizations using Salesloft Drift with third-party integrations to consider their data compromised and immediately invalidate all affected tokens, highlighting the concern of "authorization sprawl" where legitimate access tokens are abused by attackers. Salesloft has engaged Mandiant to investigate the breach's root cause.
July 15th, 2025

2025-07-15 (12:20)

Recent cybersecurity reports highlight significant vulnerabilities and a proactive defense strategy. One notable incident involved McDonald's McHire job chatbot platform, which exposed chat transcripts and personal data from over 64 million job applications due to a combination of an Insecure Direct Object Reference (IDOR) vulnerability and the use of weak default credentials, "123456" for both login and password, on a test franchise's admin panel. This allowed researchers to access details like names, email addresses, phone numbers, and home addresses, with the issue being reported and subsequently fixed by Paradox.ai, the platform provider. Separately, a Google Gemini flaw enables attackers to create phishing scams by embedding invisible prompt injections within emails; when Gemini summarizes these emails, it obeys the hidden directives, potentially presenting fake security alerts to users without needing attachments or direct links. To counter such evolving threats and strengthen national cybersecurity, the UK's National Cyber Security Centre (NCSC) has launched a new Vulnerability Research Initiative (VRI), aiming to improve the UK's ability to identify and understand software and hardware vulnerabilities through structured collaboration with external cybersecurity experts, including those in emerging areas like AI-powered vulnerability discovery.
July 7th, 2025

2025-07-07 (14:38)

The sources provided discuss two primary topics: recent cybersecurity incidents and advancements in artificial intelligence. One significant cybersecurity event is the ongoing outage at IT giant Ingram Micro, which was caused by a SafePay ransomware attack that led to the shutdown of internal systems. It is believed that the threat actors initially breached Ingram Micro through its GlobalProtect VPN platform, impacting systems such as the Xvantage and Impulse platforms, though other internal services like Microsoft 365, Teams, and SharePoint continued to operate. The SafePay ransomware operation, which emerged in November 2024 and has accumulated over 220 victims, is known for breaching corporate networks via VPN gateways using compromised credentials or password spray attacks. Another major cybersecurity incident reported is a hacker's threat to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica. The hacker, known as "Rey" and a member of the Hellcat Ransomware group, claims the breach occurred due to a Jira misconfiguration, and the purportedly leaked data includes internal communications, purchase orders, internal logs, customer records, and employee data. On the artificial intelligence front, the sources cover OpenAI's plans for GPT-5, which is expected to unify breakthroughs from different models. OpenAI aims for GPT-5 to combine the reasoning capabilities found in its "o" series and the multi-modality of its GPT-series, intending to make existing models significantly better and reduce the need for model switching.
June 11th, 2025

2025-06-11 (24:12)

A significant vulnerability was found in Google that allowed researchers to brute-force recovery phone numbers for Google accounts, creating a substantial risk for targeted phishing and SIM-swapping incidents. Another key topic is Microsoft Outlook's planned security enhancement to block additional risky attachment types, such as .library-ms and .search-ms files, starting in July 2025, which aims to counter their past use in malware and phishing schemes. Lastly, the sources describe the 'EchoLeak' attack, identified as the first zero-click AI vulnerability affecting Microsoft 365 Copilot, which enabled the exfiltration of sensitive data from a user's context without any interaction, highlighting a new category of large language model scope violations.
June 9th, 2025

2025-06-09 (14:43)

United Natural Foods (UNFI), a large grocery wholesale distributor, experienced an attack that forced them to take certain systems offline, disrupting customer orders. Kettering Health, a healthcare network, confirmed a breach by the Interlock ransomware group, which stole data, including sensitive patient and personnel information. The Interlock group is noted as a newer ransomware operation that frequently targets healthcare organizations. Additionally, Optima Tax Relief, a tax resolution firm, was hit by the Chaos ransomware gang, leading to the theft and leaking of corporate and customer data containing sensitive personal information. These incidents highlight the ongoing threat of cyberattacks, including those involving ransomware and data exfiltration, impacting various sectors.
June 2nd, 2025

2025-06-02 (10:42)

The Federal Criminal Police Office of Germany (BKA) has identified Vitaly Nikolaevich Kovalev as the alleged leader of the Trickbot and Conti cybercrime gangs, known for using various malware variants including Ryuk and Diavol, and for infecting hundreds of thousands of systems worldwide to obtain significant funds. This identification follows leaks like TrickLeaks and ContiLeaks which exposed Kovalev's leadership and contributed to Conti's shutdown. In a related effort under Operation Endgame, international law enforcement took down AVCheck, a service cybercriminals used to test malware against antivirus software, highlighting the ecosystem of counter antivirus and crypting services used to make malware undetectable. Separately, companies such as Victoria's Secret are experiencing security incidents, which led to them taking down their website and some in-store services as a precaution while they investigate. These incidents are part of a broader trend affecting retailers, with groups like DragonForce and Scattered Spider linked to attacks on companies like Marks & Spencer, Dior, and Adidas.
May 23rd, 2025

2025-05-23 (15:59)

These news excerpts focus on recent cybersecurity incidents and legal actions. One article details the FTC's order requiring GoDaddy to improve its security measures following multiple data breaches. Another reports on a system-wide outage at Kettering Health attributed to a likely ransomware attack, forcing canceled procedures. The third piece covers a college student pleading guilty to cyber extortion for stealing and threatening to leak student and teacher data from PowerSchool. Together, the articles highlight the ongoing threats of cyberattacks and the efforts by regulatory bodies and law enforcement to address security failures and criminal activity.
May 19th, 2025

2025-05-19 (11:58)

One source details a global cyberespionage campaign called 'RoundPress', attributed with medium confidence to the Russian state-sponsored hackers APT28. This campaign targeted government webmail servers in various countries by exploiting XSS vulnerabilities in products like Roundcube, Horde, MDaemon, and Zimbra to steal credentials and email content. Another source describes a new tool named 'Defendnot' that can disable Microsoft Defender on Windows devices. This tool functions by registering a fake antivirus product using an undocumented Windows Security Center API and injecting a DLL into a trusted system process to bypass security checks. A separate source reports on a data breach at Nova Scotia Power, a Canadian utility, where hackers stole sensitive customer data including personal information, account history, and in some cases, bank account and Social Insurance Numbers. The company discovered the unauthorized access and later confirmed the data theft, offering credit monitoring services to affected customers.
May 14th, 2025

2025-05-14 (16:36)

Android 16 is introducing expanded 'Advanced Protection' with device-level security, strengthening defenses against spyware and consolidating features like verified boot, strong sandboxing, and automatic reboots. The sources also detail a new "Branch Privilege Injection" flaw, tracked as CVE-2024-45332, in modern Intel CPUs that allows sensitive data leakage from privileged memory by exploiting a race condition in branch predictors. Finally, the material discusses the iClicker student engagement platform website being compromised in a "ClickFix" attack, where a fake CAPTCHA prompt tricked students and instructors into installing malware by pasting and executing a PowerShell script from their clipboard. These topics highlight recent developments in mobile security, hardware vulnerabilities, and social engineering techniques used in website compromises.
May 12th, 2025

2025-05-12 (12:55)

Based on the sources provided, the primary topics covered include a recent data breach affecting over 430,000 patients of the Ascension healthcare system, which was linked to a vulnerability in third-party software used by a former business partner. The sources also detail ongoing cyberattacks targeting SAP NetWeaver servers by Chinese hackers who are exploiting a maximum severity vulnerability that allows remote code execution. Additionally, the sources discuss a new feature being added to Microsoft Teams that will block screen capture during meetings to help protect sensitive information shared by users.
April 29th, 2025

2025-04-29 (20:08)

Based on the sources, the key topics focus on recent cybersecurity incidents. One significant event detailed is a ransomware attack against Hitachi Vantara, where the company took servers offline to contain the incident attributed to the Akira ransomware operation. Akira has impacted over 300 organizations and collected millions in ransom payments. The sources also describe a Chinese espionage campaign by a group called PurpleHaze, which attempted reconnaissance against cybersecurity company SentinelOne's infrastructure and customers. This group utilizes tools like ORB networks and backdoors such as GoReShell and ShadowPad. Furthermore, a data breach at VeriSource Services is reported, impacting four million people by exposing sensitive personal data including names, addresses, dates of birth, genders, and Social Security numbers. Although the incident occurred in February 2024, the full scope wasn't determined until April 2025, leading to delayed notifications.
April 28th, 2025

2025-04-28 (13:44)

One major topic is a technical issue at Coinbase where a logging error misidentified failed password attempts as "2FA failures," leading to user concerns about account compromise and potential misuse of these errors in social engineering attacks. Another significant topic is the evolution of the ransomware landscape, specifically the DragonForce group's introduction of a "ransomware cartel" model offering white-label branding and infrastructure to other ransomware operations. Finally, the sources also discuss Google's advancements in its Unified Security platform, including new features for threat detection, automation, and integration of Mandiant's threat intelligence, as well as key findings from Mandiant's 2025 M-Trends report on attack trends.
April 23rd, 2025

2025-04-23 (09:31)

The sources discuss several recent cybersecurity incidents, including how hackers are exploiting Zoom's remote control feature to conduct crypto-theft attacks. This involves social engineering tactics where attackers impersonate legitimate entities to trick users into granting remote access, potentially leading to the theft of sensitive data and cryptocurrency. Additionally, Marks & Spencer confirmed they are dealing with a cyberattack that has impacted their operations, particularly the Click and Collect service. Furthermore, SK Telecom issued a warning about a malware attack that resulted in the exposure of customer USIM data. The sources also include tutorials on various computer security and maintenance tasks, such as accessing the dark web, using the Windows Registry Editor, removing malware, and showing hidden files.
April 21st, 2025

2025-04-21 (11:45)

The sources discuss several important cybersecurity topics, including vulnerability management with the active exploitation of a Microsoft NTLM vulnerability (CVE-2025-24054) that could lead to leaked credentials and system compromise. The exploitation requires minimal user interaction and is currently targeting specific organizations, emphasizing the need for immediate patching. Another critical issue highlighted is a maximum severity flaw (CVE-2025-32433) in Erlang/OTP SSH, which could allow attackers to execute arbitrary code without authentication, posing a significant risk to various systems, especially those in critical infrastructure. Lastly, the sources cover data security and government regulations with the HHS fining a Guam hospital for HIPAA violations following a ransomware attack, underscoring the importance of risk assessments and compliance in the healthcare sector.
April 18th, 2025

2025-04-18 (11:28)

One source details a high-severity vulnerability in Cisco Webex that could allow unauthenticated attackers to gain remote code execution through malicious meeting invite links. This article also briefly mentions other security news, including a CISA funding extension for CVE services, Microsoft blue screen issues, and various cyberattacks and vulnerabilities affecting different systems. Another source reports on a data breach at Legends International, an entertainment services company, where unauthorized access led to the exfiltration of personal data. Finally, the third source describes an incident that disrupted multiple Zoom services due to a domain name resolution problem caused by an error at the domain registry.
April 16th, 2025

2025-04-16 (09:37)

The sources discuss several distinct cybersecurity-related topics. One major subject is the extension of funding for the Common Vulnerabilities and Exposures (CVE) program by CISA to prevent any lapse in this critical service. This announcement followed a warning about potential disruptions and the expiration of funding for MITRE, the organization that maintains the CVE program. In response to these concerns, members of the CVE Board also announced the launch of the CVE Foundation, aiming to secure the program's independence. Another key topic is the major hack that took down the online forum 4chan, with the group Soyjak.party claiming responsibility and leaking alleged staff information and source code. Finally, the sources cover Microsoft's decision to block all ActiveX controls by default in Windows versions of Microsoft 365 and Office 2024 applications due to the security risks associated with this legacy software framework.
April 14th, 2025

2025-04-14 (10:16)

The sources discuss several security-related topics, including a ransomware attack on the kidney dialysis firm DaVita, which resulted in the encryption of parts of its network and impacted some operations. Another key topic is Microsoft Defender for Endpoint's new capability to isolate undiscovered endpoints to prevent attackers from moving laterally across a network. Finally, the sources also detail security breaches and a data leak at Western Sydney University, involving the compromise of a single sign-on system and the appearance of personal information on the dark web.