Cyber Security Headlines Week in Review: Salt Typhoon saga, Microsoft MFA bypass, Yahoo cuts Paranoids

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Jimmy Sanders, president, ISSA International. ISSA International will be celebrating its 40th Anniversary in April 2025. Watch for notifications at ISSA.org

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

The intrigue behind Salt Typhoon telco penetration continues

This past week, T-Mobile CSO Jeff Simon stated that the massive Salt Typhoon cyber-espionage campaign used a novel technique, quote, “not something that I’ve seen in my 15-plus-year career in cyber security. It’s not something that is well published or read about. There’s no CVE for it.” He was referring to the way the cyber-spies “hopped between organizations’ networks.” Added to the intrigue is a statement from Jeff Greene, CISA’s executive assistant director for cyber security, who said, “we cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing.” Then White House cyber and emerging tech lead Anne Neuberger, speaking at a conference, said the Chinese cyberspies recorded “very senior” US political figures as well as stealing private communications.

(The Register)

Black Basta evolves strategy

The Black Basta ransomware group has shifted tactics, using social engineering methods like email bombing, impersonating IT staff, and distributing malicious payloads such as Zbot and DarkGate to gain initial access. Once victims install remote access tools like AnyDesk or TeamViewer, attackers deploy malware to harvest credentials, steal VPN configurations, and bypass MFA protections, facilitating deeper infiltration. The shift showcases the ransomware group’s move from purely botnet-reliant approaches to a hybrid model that integrates social engineering.

(The Hacker News)

Texas adds Allstate-linked data broker to list of alleged privacy law violators

The attorney general of Texas has accused the data broker Arity of sharing consumers’ information without clear notice or consent. “In the past six weeks, six of the mobile apps that Arity says are partners have been accused by the state of improperly sharing user data with third parties.” Arity is owned by the insurer Allstate. Its official description says it “sells recommendations to insurers for how to price individual customers’ plans based on their driving behaviors. It gathers data through a software development kit (SDK) embedded inside the mobile apps belonging to its partners.”

(The Record)

Thanks to today’s episode sponsor, ThreatLocker

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more; you can harden your security with ThreatLocker.
ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.
To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit ThreatLocker.com.

Microsoft MFA bypassed in AuthQuake attack

Researchers at Oasis Security presented details of an attack technique that could have given threat actors access to Outlook emails, OneDrive files, Teams chats, and Azure cloud instances. Needing only an hour to execute, it required no user interaction, and it would not trigger any notification to the victim. The attack is based on exploitation of the authenticator app process, in which a user obtains a six-digit MFA code on their app. The researchers saw that one session supports up to 10 failed attempts to prevent brute-force attacks, but they then saw that an attacker could execute multiple attempts simultaneously, enabling them to go through possible combinations relatively fast. Oasis named this attack method AuthQuake, and reported it to Microsoft in late June. A temporary fix was deployed a few days later, followed by a permanent fix in October.

(Security Week)
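The design flaw described above is a failure counter scoped to the session rather than to the account. The following Python sketch is an added illustration, not code from Oasis Security or Microsoft: it places a per-session limiter (the weak shape the researchers describe) beside a per-account limiter with lockout, and a small simulation counts how many wrong guesses each design evaluates when several sessions submit codes for one account. Account names, session ids and the sample code are constructed.

```python
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 10  # the per-session failure cap the researchers observed

class PerSessionLimiter:
    """Weak design: failures counted per session, so each new session gets a fresh budget."""
    def __init__(self):
        self.failures = defaultdict(int)  # session_id -> failed attempts
    def allow(self, account, session_id):
        return self.failures[session_id] < MAX_FAILURES
    def record_failure(self, account, session_id):
        self.failures[session_id] += 1

class PerAccountLimiter:
    """Hardened design: failures counted per account across all sessions, then lockout."""
    def __init__(self, lockout_seconds=300, clock=time.monotonic):
        self.failures = defaultdict(int)  # account -> failures since last lockout
        self.locked_until = {}            # account -> clock time when the lock expires
        self.lockout_seconds = lockout_seconds
        self.clock = clock
    def allow(self, account, session_id):
        return self.clock() >= self.locked_until.get(account, 0.0)
    def record_failure(self, account, session_id):
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            self.failures[account] = 0

def verify_code(limiter, account, session_id, submitted, expected):
    """One OTP check: 'ok', 'wrong', or 'rejected' (refused before the code is compared)."""
    if not limiter.allow(account, session_id):
        return "rejected"
    if secrets.compare_digest(submitted, expected):
        return "ok"
    limiter.record_failure(account, session_id)
    return "wrong"

def attempts_evaluated(limiter, sessions, attempts_per_session=20):
    """Simulate `sessions` parallel sessions each sending wrong codes for one account and
    count how many guesses the server evaluated instead of refusing outright."""
    expected = "123456"  # constructed sample code, not a real OTP
    evaluated = 0
    for s in range(sessions):
        for _ in range(attempts_per_session):
            if verify_code(limiter, "alice", f"session-{s}", "000000", expected) != "rejected":
                evaluated += 1
    return evaluated
```

With the per-session counter, three sessions get three separate budgets of ten guesses; with the per-account counter the tenth failure locks the account and every further session is refused, which is also the event worth alerting on.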

Snowflake to make MFA mandatory

Starting in November 2025, Snowflake will block sign-ins using single-factor passwords. Since October 2024, the company has made multi-factor authentication the default for new accounts. Both moves were part of its commitments to CISA’s Secure by Design pledge. As part of the rollout, in April 2025, Snowflake will require all human users to enroll in MFA on their next login attempt, excluding those with a custom authentication policy. In August, MFA will be required for all human password sign-ins.  

(Infosecurity Magazine)

Yahoo cybersecurity team sees layoffs, outsourcing under new CTO

Yahoo’s famous cybersecurity team, known as The Paranoids, has lost 25% of its staff over the last year, according to TechCrunch. The Paranoids’ offensive security team, which “conducts cyberattack simulations to identify weaknesses in the company’s network before external hackers can,” was completely eliminated this week and will now be outsourced. Valeri Liborski, Yahoo’s new chief technology officer, announced these changes in an email to staff, stating, “This was a very difficult decision and one I have not taken lightly.”

(TechCrunch)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.