this week in security — june 1 2025 edition

Feds probe White House advisor's hacked phone, Commvault hack warning, ConnectWise breach, Australia ransom reporting law, and more.

THIS WEEK, TL;DR

Feds probe effort to impersonate White House chief of staff
Wall Street Journal ($): Flip the counter back to zero, there's been another security incident at the White House. This time it's White House chief of staff Susie Wiles, reportedly Trump's closest adviser, who's been telling associates that her phone was "hacked" after some of her contacts were swiped from her personal, non-government issued phone. The WSJ broke the news and CBS News confirmed the reporting by and large. The White House said it's investigating how the contacts were taken from her phone and used to reach out to other top officials to impersonate her. It's bad enough that voice cloning is a thing now, but questions remain about how the data was stolen to begin with. Was it lacking security on her iCloud account (which wouldn't be great), or was she targeted by spyware (which would be very, very bad)? In any case, it's another example of the federal government seemingly not having a handle on its security scandal... and hoo boy, there's been a lot of it.
More: BBC News | TechCrunch | Associated Press | @kimzetter | @racheltobac

CISA sounds alarm after Commvault secrets theft
CISA: Back in February, Microsoft told data backup giant Commvault that hackers had accessed "a subset of app credentials that certain Commvault customers use to authenticate their [Microsoft 365] environments." Commvault says backups weren't accessed... but CISA said recently (and flagging here belatedly) that the attack on Commvault "may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions." That's to say, Commvault likely isn't alone in having their Azure clouds raided because of poor configuration. Commvault says CVE-2025-3928 was used in its breach, affecting "all supported versions" of its software, suggesting the hackers' use of zero-days to get access to the data they want. Sources familiar with the Commvault incident tell NextGov and (more recently) DataBreachToday that the incident was linked to Salt Typhoon, the Chinese-backed hacking group targeting tech and telco companies (and the Treasury, welp), which suggests that this could be part of a broader campaign. All to say, shields up, folks.
More: Commvault | SecurityWeek | SC World

Matthew J. Schwartz post on Mastodon: "China's Salt Typhoon believed to be behind Commvault data breach, with CISA advisory saying the threat actors stole app secrets from Azure-hosted backup platform"

ConnectWise admits cloud breach affects some customers
CRN: Remote access giant ConnectWise said it had a "security event" (read: we were breached). The company says a nation-state accessed a "small number" of ScreenConnect cloud customers, and the exploit was fixed on April 24. ConnectWise hasn't said much else about the incident, such as how many customers were actually affected or if customer data was accessed and stolen. Mandiant is investigating the breach, per the company's statement. Once again, it's another reminder that privileged access and remote access tools are frequently abused by bad actors because they can be super effective when compromised. Russia and China have been linked to similar attacks on ConnectWise instances.
More: ConnectWise | Mandiant | The Record

Australian businesses subject to new ransom reporting rule
The Register: New rules for Australian businesses kick in this week, requiring some firms down under to report ransomware payments when they're paid. It's not illegal to pay a ransom (though many governments have for years warned not to pay ransoms as it helps criminals profit from, well, crime) but under the country's new Cyber Security Act 2024, any payment by a company making $3 million AUD or more has to be disclosed to the central Australian government within 72 hours. The information will help with visibility, helping the folks track payments and understand how to crack down on the file-encrypting malware. The law's provisions kick in after a rough year or two in cyber in Australia, from massive breaches of healthcare data, prescriptions and IVF records, to an enormous theft of data from one of Australia's largest phone companies. It's a step in the right direction, some will argue, given that efforts to ban (or hinder) ransomware (or payments) have largely fallen flat, except for slow progress in the United Kingdom. But hey, the cyber insurance industry is booming, funny that.
More: Australian Government [PDF] | ASPI | CyberDaily.au

~ ~

THE STUFF YOU MIGHT'VE MISSED

Many VPN apps linked to China, sparking privacy concerns
Tech Transparency Project: Millions of Americans have downloaded VPN apps that funnel their internet traffic through Chinese companies, putting that sensitive data at risk of interception by the Chinese government and military, per the latest Tech Transparency Project report. While there is an ongoing cyber threat from China, it doesn't necessarily matter which country a VPN is associated with; the larger problem is "trusting" (heavy air-quotes) any free or commercial VPN to funnel your internet traffic and not lose it or abuse it, which frequently happens. The best VPN is one that you set up, secure, and use yourself. Here's a valuable tl;dr from Bruce Schneier.

U.S. sanctions Funnull, a tech outfit connected to cyber scams
TechCrunch: Funnull, a little-known company that last year took over the Polyfill.io in a supply chain attack that redirected website visitors to scam sites, has been sanctioned by the U.S. Treasury. The money bods said Funnull was linked to pig-butchering scams and more than $200 million in losses for Americans, and that Funnull was a facilitator of major cyber scams. More from Krebs on Security, and more background on how the Funnull-Polyfill.io takeover went down.

Enterprise security is a hot mess of CVEs and flaws
32x33: I enjoyed this read from Murdoc about the state of enterprise security... and in case you didn't know, it's bad. Enterprise tech is riddled with flaws, from edge devices like firewalls and routers to databases and beyond. Some of the top CVEs in recent years are... *drumroll please* from enterprise vendors! Clearly something has to change. Your organization might not be able to escape enterprise tech entirely, but it's worth briefing those with budgets on who the worst offenders are and considering vendors you can actually have a relationship with.

An animated GIF of someone throwing a path traversal bug (.../) at a Cybertruck, which is labeled "Infosec vendor of the day," and the window smashing. The caption is titled, "We take security very seriously."

China used Google Calendar as a malware command server
Google Threat Intelligence: The boffins at Google say they've found evidence that APT41 (aka China) is using malware that relies on Google Calendar to relay commands between the malware's servers and the victims. Misuse of tech and cloud services isn't uncommon (think Telegram, Discord, and Dropbox, among others, since it looks like "regular" internet traffic that can blend in); anything with an internet connection can be a command-and-control server if you try hard enough.

Nobody knows how to deal with student-made AI CSAM
404 Media ($): A new report from the good folks at the Stanford Cyber Policy Center says that parents, schools, police and existing laws aren't prepared to deal with the growing problem of students and children using AI to generate child abuse imagery (aka CSAM). A good thread by @riana on the report's findings. This is a major problem — for privacy, safeguarding, and also policymaking — in part driven by the availability of generative AI-driven "nudify" apps, which the app store owners must do better at policing (rather than profiting from).

~ ~

OTHER NEWSY NUGGETS

Another data broker got pwned: LexisNexis Risk Solutions, the data broker arm that uses personal data to help paying customers detect risk and fraud, had a breach of its GitHub account, affecting more than 364,000 people, per a filing with Maine's attorney general. Much of the data included Social Security numbers. (Sound the 'toot my own horn' alert: I wrote this story.) This breach was disclosed just a fortnight after White House advisor Russell Vought called a Biden-era rule reining in data brokers "not necessary or appropriate." (via TechCrunch)

Japan 'net giant email pwned: Japanese internet giant IIJ had a breach dating back to August 2024, which saw hackers steal the email data of more than four million customers. A bug in the webmail software Active! was blamed for the hack. (via Piyolog, @campuscodi)

SentinelOne outage knocked services offline: Security giant SentinelOne had an hours-long outage this week, taking down its customers' ability to monitor and manage protections on their networks. Axios reports that network admins were effectively flying blind, unable to see what was being blocked or flagged during the outage. The company says the outage wasn't cyber-related but hasn't yet specified the cause. (via SentinelOne)

Adidas breached, Victoria's Secret 'incident': Clothing maker Adidas confirmed customers' contact information (think names, addresses, etc.) was stolen in a recent cyberattack via a third-party provider. It's the latest in a series of retail giants to have been hacked in recent weeks. Victoria's Secret also offlined its site and email this week after an unspecified "security incident," per Bloomberg ($). Could it be another wave of Scattered Spider-linked hacks like what we saw in the U.K. of late? Maybe. The retail sector is always a prime target for thieves. (via The Verge, BBC News)

Five out of six CISA officials endorse... leaving: Most of U.S. cybersecurity agency CISA's top officials have departed the agency (or will soon), amid concerns of a growing void in expertise and leadership across the agency. Five out of six operational divisions have no leader, and six out of 10 regional officers don't either. This obviously comes in the wake of Trump's massive job cuts across the federal government, as the agency faces another 1,000 positions cut if the government's budget for 2026 goes ahead. (via Cybersecurity Dive, Federal News Network)

Pop, pop, open sesame: Researchers at Greynoise say now-patched vulnerabilities in Asus home and office routers are being abused by someone (clearly with skills, but beyond that attribution isn't known) using malware that can survive a reboot and firmware updates, granting persistent backdoor access with admin rights. It sounds like some kind of botnet in the making, so take the time to check if you're an Asus customer. (via Ars Technica, Greynoise)

~ ~

THE HAPPY CORNER

We made it, folks. We're here. The sun is shining, the birds are chirping, and this, of course, is the happy corner.

For those lucky enough to have been born after the early 2000s, aka youths, you have not had the joy of knowing what living through the golden age of mobile phone design was like. Like a walkie-talkie Bop It!, these brick-sized handhelds were at the time peak weird creations. You could twist them, slide them, hide the cameras, and more. Wonder and marvel at these bizarre creations of yesteryear (and yearn for a day where we can have phone camera privacy covers back!).

An animated GIF of two mobile phones from the early 2000s, the first has a rotating front-facing camera that hides, and a phone with a rear-facing camera with a privacy cover.

Some genuinely good news from Oregon, which has become the second state to ban the sale of precise geolocation data. The ban will take effect in October. It's a major move to combat the scourge of data brokers, which buy and sell huge amounts of our personal, financial, and location data to other companies, law enforcement, and the occasional military. Remember, the U.S. doesn't have a federal or nationwide data protection or privacy law for personal data, so any win, even at the state level, is... well, something.

In this week's Can It Run Doom?... and turns out it's a lot of things! Can It Run Doom? has its own website dedicated to the obscure, bizarre and downright odd installations of the legendary first-person shooter, Doom. From portable hotspots to the occasional lawnmower, Doom can be found on pretty much everything. Speaking of: Those crazy kids at 404 Media only went and put Doom on a tank top, for crying out loud. Consider buying one to support independent journalism while you're at it.

And finally... Bookmark this handy website: Terms of Service; Didn't Read, the website that parses terms of service so you don't have to read them line by line yourself. It's a handy, simple look-up site that explains what a company's terms of service mean for you. And it's a great way to consider shifting towards other, better-run companies that won't faff with your data. (h/t @ClaudiaTranslates)

If you have good news you want to share, get in touch at: this@weekinsecurity.com.

~ ~

CYBER CATS & FRIENDS

Meet Loaf, this week's cyber cat loaf pupper, who can be seen here taking it easy after a busy day hacking. Cute face, but dangerous social engineering skills. Will use snuggles to steal passwords. Thanks so much to Katie B. for sending in!

Loaf is a very handsome frenchie pup, who's asleep on a blanket.

Keep sending in your cyber-cats! Drop me an email with a photo and name of your cyber-cat (or non-feline friend!) and they'll be featured in a future newsletter.

~ ~

SUGGESTION BOX

That was a busy one! Join me again next Sunday for your usual cyber roundup from the week that was. In the meantime, if you have anything you want to share with me for the newsletter (or just want to get in touch), please reach out any time!

If you like this newsletter, please spread the word to a friend or colleague, or forward along a copy of the newsletter if you've found something useful! If you're really a fan, I'd hugely appreciate a donation to keep the costs of running the newsletter down.

Thanks so much for tuning in. For now, I'm off to find a bagel and enjoy the glorious weather in the New York area.

Ta ta for now,
@zackwhittaker