Hackers exploit Langflow flaw, TP-Link routers still vulnerable, Russia detects SuperCard malware attacks

Today on CISO Series...


In today's cybersecurity news...

Hackers exploit critical Langflow flaw to unleash Flodrix botnet

Attackers are actively exploiting a critical vulnerability in Langflow, a Python-based AI workflow tool, to deploy the Flodrix botnet, enabling full system compromise and DDoS attacks. The flaw is present in versions before 1.3.0 and allows unauthenticated code execution due to missing input validation. Trend Micro and CISA urge immediate patching and restricted access, since the malware uses stealth techniques to evade detection and is being deployed widely in the wild. (Dark Reading)

Organizations warned of vulnerability exploited against discontinued TP-Link routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a critical command injection flaw affecting multiple discontinued TP-Link router models. Agencies must remove affected devices by July 7. CISA also flagged active exploitation of a media-processing flaw in Apple products that was used in targeted attacks and patched in February with iOS 18.3.1 and macOS 15.3.1. (SecurityWeek)

Russia detects first SuperCard malware attacks skimming bank data via NFC

Russian cybersecurity firm F6 has identified the first local attacks using SuperCard, a malicious variant of the NFCGate app designed to steal payment card data via NFC. It was first seen in Italy, but SuperCard is now being marketed as malware-as-a-service by Chinese-speaking actors and sold via Telegram. It targets Android users, tricks them into installing the malware, and then harvests card data to enable fraudulent transactions. F6 reports 175,000 devices infected in Russia, with $5.5 million in damages in Q1 2025. (The Record)

Silver Fox APT targets Taiwan with complex Gh0stCringe and HoldingHands RAT malware

Researchers at Fortinet warn of a phishing campaign by China-linked group Silver Fox APT targeting Taiwan with two Gh0st RAT variants: Gh0stCringe and HoldingHands. Delivered via fake emails posing as government or business communications, the malware uses PDF and ZIP attachments to deploy shellcode through DLL sideloading, enabling remote access, data theft, and additional payload downloads. The attackers use sophisticated anti-VM and privilege escalation techniques, continuously refining their tools and methods across recent campaigns, including the earlier Winos 4.0 attacks. (The Hacker News)

Huge thanks to our sponsor, Adaptive Security

Pro-Israel hackers claim breach of Iranian bank amid military escalation

Predatory Sparrow, a group linked to Israeli military intelligence, claimed responsibility for a cyberattack on Iran’s Bank Sepah, allegedly in retaliation for the bank’s role in funding Iran’s military and nuclear programs. The attack disrupted banking services and may have also impacted gas stations and salary disbursements. Iranian officials haven’t confirmed the breach, but the bank was previously sanctioned by the U.S. in 2007 for missile development support. (The Record)

Microsoft fixes Surface Hub boot issues with emergency update

Microsoft released an out-of-band update () to fix a Secure Boot Violation error that was preventing Surface Hub v1 devices running Windows 10 22H2 from starting after installing the June security update. The issue doesn’t affect Surface Hub 2S or 3. Microsoft had paused the problematic update on June 11 and advised users that the emergency fix would prevent further failures. The original update was meant to fix Hyper-V issues but triggered broader compatibility problems. (Bleeping Computer)

UK ICO fines 23andMe £2.3m for data protection failings

The UK’s Information Commissioner’s Office has fined 23andMe £2.3 million for failing to protect sensitive genetic data during a 2023 credential-stuffing attack. Attackers accessed data on 7 million people—including 155,592 UK and 320,000 Canadian residents—via reused passwords, exploiting weaknesses in 23andMe’s authentication, monitoring, and incident response. The company, which is in U.S. bankruptcy proceedings, previously blamed user error. The fine follows 23andMe’s pending sale to a non-profit tied to its co-founder Anne Wojcicki, which has pledged to uphold existing privacy commitments. (Infosecurity)

Hacker steals 1 million Cock.li user records in webmail data breach

Privacy-focused email provider Cock.li confirmed a data breach affecting more than 1 million user accounts after attackers exploited an old SQL injection flaw in its now-retired Roundcube webmail platform. Exposed data includes email addresses, login timestamps, failed login counts, and some users’ contact info—but not passwords, IPs, or email content. Cock.li has permanently removed Roundcube, acknowledging poor security practices contributed to the breach. Users are advised to reset passwords and switch to IMAP/SMTP clients. (Bleeping Computer)

Google warns of Scattered Spider attacks targeting IT support teams at U.S. insurance firms

Google’s Threat Intelligence Group says the cybercrime gang Scattered Spider (aka UNC3944) is now actively targeting IT support teams at major U.S. insurance firms. Known for social engineering tactics, the group impersonates employees, bypasses MFA, and exploits help desks—often gaining broad access via MSPs and contractors. Google and Mandiant warn the group is likely seeking high-value enterprise targets. Experts recommend tightening identity controls, restricting access, and training support staff to verify identities before account changes. (The Hacker News)


Subscribe to Cyber Security Headlines podcast

Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search "Cyber Security Headlines" on your favorite podcast app.
