Cybersecurity News: Police clean WordPress sites, Klue OAuth breach, Warner’s CISA warnings

In today’s cybersecurity news…

Police clean up SocGholish-infected sites tied to Evil Corp

In a joint action supported by Europol and Eurojust as part of Operation Endgame, law enforcement authorities from the Netherlands, Canada, the U.S. and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline. One objective of the operation was to disrupt a key infection chain linked to Evil Corp. While the agencies removed malware and backdoors from the infected sites, they also advised website owners to “change their credentials, enable multi‑factor authentication, delete any unknown WordPress accounts, and keep their WordPress site up‑to‑date.”

(BleepingComputer)

Klue OAuth breach linked to Icarus Salesforce data theft attacks

The market intelligence platform Klue “suffered an OAuth breach that enabled threat actors from Icarus to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.” BleepingComputer reports that “numerous organizations had their Salesforce data stolen and were now being extorted” by this group. Cybersecurity firms ReliaQuest and Huntress have both confirmed the security incident, with Huntress stating that their Salesforce data was stolen in the attack. Salesforce has now disabled the connection between itself and the Klue Battlecards app.

(BleepingComputer)

Hostile states behind three-quarters of attacks on Britain’s critical infrastructure, says cyber chief

Richard Horne, chief executive of the National Cyber Security Centre (NCSC), said “his teams had handled more than 200 incidents affecting critical infrastructure and its supporting ecosystem in the year to May, of which about 75% were believed to be the work of state actors.” This follows his disclosure from earlier this year that his agency was “handling four nationally significant cyber incidents a week, with the majority traced back to what are believed to be hostile governments rather than criminal hackers.” Speaking at the annual security lecture at the Royal United Services Institute on Wednesday, Horne warned that “kinetic targeting in any conflict tomorrow will be based on intelligence gathered today,” and that adversaries were “prepositioning” throughout British critical infrastructure.

(The Record)

Warner warns of CISA cuts, staffing gaps in letter to acting chief

On Tuesday, Sen. Mark Warner (D-VA) sent a letter to CISA Acting Director Nick Andersen in which he expressed alarm over “widespread cuts at the agency, short-staffed regional divisions and the disbanding of an information sharing and analysis center that supports state and local critical infrastructure operators.” Last week Warner also introduced legislation known as the Guaranteeing Universal Access to Cybersecurity Act, which would fund the Multi-State Information Sharing and Analysis Center (MS-ISAC), which had been shuttered by now-former DHS Secretary Kristi Noem. Also on Tuesday, Warner sent a letter to current DHS Secretary Markwayne Mullin, stressing that DHS must prioritize CISA and pay for the MS-ISAC.

(The Record)

Huge thanks to our episode sponsor, ThreatLocker

Every security leader is being asked the same question right now:
How do we enable innovation without creating unnecessary risk?

That’s the challenge behind cloud adoption. Behind AI. Behind automation. And behind every major technology decision.

ThreatLocker helps organizations take a Zero Trust approach to that challenge—giving them greater control over what can execute, what can access their environment, and what users and applications are allowed to do.

That’s why ThreatLocker is proud to support Cyber Security Headlines.

Because security works best when innovation and control move together.

Apple fixes Beats Studio Buds flaw that allowed eavesdropping

Security updates have been deployed to patch a high-severity flaw affecting the Beats Studio Buds wireless earbuds that “could allow attackers in Bluetooth range to spy on users’ conversations.” Specifically, Apple explained in an advisory, “an attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests.” Apple attributes the flaw, tracked as CVE-2025-20701, to a vulnerability in open source code, with Apple software among the affected projects. The root cause is a missing-authentication weakness in the Bluetooth BR/EDR radio.

(BleepingComputer)

DragonForce hackers abuse Microsoft Teams relays to hide C2 traffic

A custom Go-based remote access trojan (RAT) called Backdoor.Turn is being used to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. Symantec and Carbon Black state that the backdoor has been deployed against a major U.S. services firm, although the name of the company has not been disclosed. In short, Backdoor.Turn “obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server,” so that the C2 traffic is hard to distinguish from legitimate Teams relay traffic.

(The Hacker News)

F5 patches critical NGINX vulnerabilities enabling unauthenticated code execution

Out-of-band patches “have been issued for multiple NGINX vulnerabilities, including two critical flaws,” tracked as CVE-2026-42530 and CVE-2026-42055 (CVSS 9.2). These affect HTTP modules and can be exploited remotely “without authentication, to trigger memory corruption, potentially causing service restarts or enabling arbitrary code execution.” The first is a critical use-after-free vulnerability in a module of NGINX Open Source, while the other is a critical heap-based buffer overflow vulnerability.

(Security Affairs)

Majority of Internet-Accessible REDCap servers outdated, says Censys

REDCap is a browser-based platform used for building and managing clinical research data in the medical field. It was developed by Vanderbilt University and is used by academic, healthcare, and non-profit organizations. A report just issued by Google’s Threat Intelligence Group (GTIG) says legacy REDCap servers are “routinely targeted by a China-linked threat actor tracked as UNC6508 for cyberespionage purposes.” In one instance, the attacker deployed the InfiniteRed backdoor three months after the initial intrusion. After remaining undetected for a year, the group used harvested credentials to access the organization’s internal network and exfiltrate data. According to the separate Censys report, there are approximately 8,500 internet-exposed REDCap instances globally, but just over 1% of them run the latest available version.

(Security Week)