Cybersecurity News: Microsoft Entra attack, Thursday’s Cloud outages, Mark Green retires

In today’s cybersecurity news…

Hackers’ attacks target Microsoft Entra ID accounts using pentesting tool

Researchers at Proofpoint are describing a hacking campaign that is using “the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.” Proofpoint attributes the campaign to a threat actor it tracks as UNK_SneakyStrike. The attacks occurred from December of last year through March. TeamFiltration was first published in 2022 by TrustedSec red-team researcher Melvin Langvik. For this campaign, the gang is thought to have “used AWS servers across multiple regions…and used a ‘sacrificial’ Office 365 account with a Business Basic license to abuse Microsoft Teams API for account enumeration.”

(BleepingComputer)

Google Cloud and Cloudflare outages reported

Google Cloud and Cloudflare suffered outages yesterday, affecting services such as Google Home/Nest, Snapchat, Discord, Shopify and Spotify, and also causing authentication failures and Cloudflare Zero Trust WARP connectivity issues. Downdetector received tens of thousands of reports, with affected users experiencing Cloudflare and Google Cloud server connection, website, and hosting problems. The issue started around 1:15 p.m. ET and was being resolved through the afternoon.

(The Verge)

House Homeland Chairman Mark Green announces his departure

Mark Green, the Tennessee Republican who chairs the House Homeland Security Committee, has announced his pending retirement from Congress, which could put additional pressure on the fate of cyber legislation. “As head of the committee, Green championed cyber workforce legislation as his top priority, and recently called for a vote on the measure on the House floor. He has supported reauthorizing a cybersecurity 2015 information sharing law that expires in September.” Green said he would leave for an unspecified job in the private sector following a final vote on the President’s “big, beautiful bill.”

(Cyberscoop)

Fog ransomware attack uses employee monitoring software and a pentesting tool

This attack on a financial institution in Asia in May deployed the Fog ransomware by using legitimate employee monitoring software called Syteca, paired with the GC2 penetration testing tool. A report from Symantec says that GC2 “allows an attacker to execute commands on target machines using Google Sheets or Microsoft SharePoint List and exfiltrate files using Google Drive or Microsoft SharePoint documents.” Although the researchers are not sure of the role played by Syteca, James Maude, field CTO at BeyondTrust, said threat actors “typically use legitimate commercial software during attacks to reduce the chances that their intrusions are detected by security tools.”

(The Record)

Huge thanks to our sponsor, Vanta

Is your manual GRC program slowing you down? There’s something more efficient than spreadsheets, screenshots, and manual processes — Vanta.

With Vanta, GRC can be so. much. easier—while also strengthening your security posture and driving revenue for your business. Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information.

The impact is real: A recent IDC analysis found that compliance teams using Vanta are one hundred and twenty nine percent more productive.

Get back time to focus on strengthening security and scaling your business. Get started at Vanta.com/headlines.

Windows releases emergency update to fix Easy Anti-Cheat blue screen of death

Microsoft has released an out-of-band Windows 24H2 update to address a problem in which blue screen of death errors were triggered on systems running Easy Anti-Cheat, a popular service installed with many multiplayer games to prevent cheating while playing online. The update is a revised version of the Windows 11 cumulative update released during this month’s Patch Tuesday.

(BleepingComputer)

Graphite spyware used in Apple iOS zero-click attacks on journalists

A forensic investigation by Citizen Lab has confirmed that Paragon’s Graphite spyware was used in zero-click attacks targeting the iPhones of at least two journalists in Europe. The attacks exploited a then-unknown vulnerability in iOS 18.2.1, now tracked as CVE-2025-43200, which allowed malicious photos or videos shared via iCloud Links to compromise devices. Apple notified the victims on April 29, describing the spyware as “advanced.” The Graphite platform is believed to be part of Paragon’s mercenary spyware operations. The flaw has since been patched by Apple.

(BleepingComputer)

SinoTrack GPS device flaws lead to remote vehicle control and location tracking

CISA is warning of two vulnerabilities in SinoTrack GPS devices that can be exploited to access a vehicle’s device profile, track its location or even cut power to the fuel pump, depending on the model. The two vulnerabilities are tracked as CVE-2025-5484 and CVE-2025-5485 and carry CVSS scores of 8.3 and 8.6. SinoTrack apparently uses the same default password for all units and does not require changing it during setup. “Since the username is just the device ID printed on the label, someone could easily gain access by either physically seeing the device or spotting it in online photos, such as on eBay.” CISA is urging users to change their default passwords and hide device IDs. No public exploitation of the vulnerabilities has yet been reported.

(Security Affairs)

Air-gapped data could be stolen via smartwatches, says researcher

A new technique for exfiltrating data from air-gapped systems through a smartwatch is being developed by a researcher from the Ben-Gurion University of the Negev. Mordechai Guri says the technique, called SmartAttack, uses a smartwatch’s built-in microphone to capture covert ultrasonic signals in the 18–22 kHz range, enabling data theft under certain environmental conditions. To succeed, however, the attack first requires a prior intrusion that implants malware on the air-gapped machine, which then transmits information “using the infected machine’s speakers in a frequency range that makes sounds inaudible to humans.”

(Security Week)
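As an added defensive check written for this summary (not code from Guri’s research or any SmartAttack tooling): measure how much of a short audio window’s energy falls in the 18–22 kHz band the report cites, using the Goertzel algorithm so it runs without numpy. The sample rate, window length, constructed test tones and alert threshold are all assumptions for the demo.

```python
import math

SAMPLE_RATE = 48_000   # assumed capture rate; Nyquist 24 kHz covers the 18-22 kHz band
WINDOW = 4_800         # 100 ms of audio -> 10 Hz bin spacing, so 500 Hz probes land on exact bins
PROBES_HZ = list(range(500, 24_000, 500))                          # bins across audible + ultrasonic range
ULTRASONIC_HZ = {f for f in PROBES_HZ if 18_000 <= f <= 22_000}   # the band SmartAttack is reported to use
ALERT_FRACTION = 0.05  # assumed: flag a window if >5% of probed energy is ultrasonic


def goertzel_power(samples, target_hz):
    """Spectral power at one frequency bin via the Goertzel recursion (pure Python)."""
    n = len(samples)
    k = round(target_hz * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2


def ultrasonic_fraction(samples):
    """Share of the probed spectral energy that lies in the 18-22 kHz band (0.0 for silence)."""
    powers = {f: goertzel_power(samples, f) for f in PROBES_HZ}
    total = sum(powers.values())
    if total == 0.0:
        return 0.0
    return sum(p for f, p in powers.items() if f in ULTRASONIC_HZ) / total


def is_suspicious(samples, threshold=ALERT_FRACTION):
    """True when an audio window carries a disproportionate ultrasonic component."""
    return ultrasonic_fraction(samples) > threshold


def make_tone(freq_hz, amplitude=1.0, n=WINDOW):
    """Constructed test signal (not a real capture): a pure sine at freq_hz."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]


def mix(*tones):
    return [sum(vals) for vals in zip(*tones)]


if __name__ == "__main__":
    audible_only = make_tone(1_000)                               # ordinary audible content
    covert = mix(make_tone(1_000), make_tone(20_000, 0.3))        # same content plus a quiet 20 kHz carrier
    for name, sig in (("audible only", audible_only), ("with 20 kHz carrier", covert)):
        print(f"{name}: ultrasonic fraction={ultrasonic_fraction(sig):.3f} suspicious={is_suspicious(sig)}")
```

On real captures the threshold and window would need tuning against the device’s normal ultrasonic noise floor; the ratio form is used here so that loud audible content does not mask a quiet in-band carrier.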

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.