CISA orders agencies to deal with Microsoft Exchange fixes by Monday

Aussie gov't sues Optus for privacy violations, US confirms BlackSuit takedown, US Courts vows to take action in wake of widespread breach, Samourai Wallet founders plead guilty, White hat hackers seek to help small water systems, Bouygues Telecom suffers big breach, much more


Please help us keep the lights on

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal civilian agencies to assess their current Microsoft Exchange environment, install the necessary updates, and disconnect all end-of-life servers by Monday. 

The CISA alert links to a Microsoft blog post that explains recent changes to how Exchange servers are deployed in organizations.

Buried deep in the document is a brief mention of CVE-2025-53786 and a link to a page with more information on the vulnerability. In it, Microsoft explained that on April 18, it announced changes to how customers interact with Exchange Servers that were made “in the general interest of improving the security of hybrid Exchange deployments.”

“Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement,” the tech giant said.

“Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix, and implementing the changes in your Exchange Server and hybrid environment.”

Microsoft’s spokesperson added that the April push to change how customers interact with Exchange Servers was part of the broader Secure Future Initiative — an effort started in the wake of another high-profile Microsoft Exchange-related email breach involving the US Commerce Secretary and Congressman Don Bacon.

CISA said organizations need to implement Microsoft’s guidance or “risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.”

The agency said it will send a report to the White House and Department of Homeland Security about the incident by December 1. (Jonathan Greig / The Record)

Related: CISA, Microsoft, Bleeping Computer, Meritalk

The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court, alleging Optus breached privacy laws by failing to protect consumers' data adequately.

The OAIC has alleged that for a nearly three-year period until September 2022, when the breach occurred as the result of a cyber attack, Optus "seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure" under the Privacy Act.

The regulator has claimed Optus failed to manage cybersecurity and information security adequately for an organisation of its size, for the volume of personal information it held, and for the company's "risk profile".

"The commencement of these proceedings confirms that the [Office of the Australian Information Commissioner] will take the action necessary to uphold the rights of the Australian community," one of the commissioners, Elizabeth Tydd, said.

The theoretical fine the telco may face could reach into trillions of dollars, as the Federal Court can impose a civil penalty of up to $2.22 million for each contravention under the Privacy Act.

The OAIC said it was alleging one contravention for "each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with", but the regulator noted any penalty was a matter for the court to determine. (Stephanie Chalmers and Rhiana Whitson / ABC.net.au)

Related: Reuters, News.com, Capital Brief, Sydney Morning Herald, 9News

US law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago.

The group, which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas, successfully attacked more than 450 entities in the US. Since emerging in 2022, the gang has secured more than $370 million in ransom payments.

A splash page replaced the gang’s list of victims on its main TOR domain as well as its private negotiation pages, stating these sites were “seized by US Homeland Security Investigations (HSI)” as part of a coordinated international operation.

At the time, the Justice Department confirmed the disruption and website seizure but kept the warrant for the action sealed. 

The statements are the first recognition from US agencies of the operation. German officials confirmed the operation last week, noting that they confiscated technical infrastructure used by the group.

“Substantial amounts of data were secured, which are now being analyzed to investigate and identify other perpetrators,” German law enforcement said. 

US officials said the operation “resulted in the seizures of servers, domains, and digital assets used to deploy ransomware, extort victims, and launder proceeds.” (Jonathan Greig / The Record)

Related: ICE.gov, CyberScoop

Following Politico's report that the electronic case filing system used by the federal courts was compromised in a widespread hack, the Administrative Office of the US Courts said it was adopting additional security measures to protect its electronic case filing system in response to recent cyberattacks that may have exposed sensitive information.

The federal judiciary said it is “taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system.”

“The Judiciary is also further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants,” the statement added.

A spokesperson for the Senate Judiciary Committee, granted anonymity because they were not authorized to speak publicly about the attacks, said that the Senate and House Judiciary Committees, along with representatives from the House and Senate Appropriations Committees and the Senate Judiciary Subcommittee on Federal Courts, received a briefing about the attacks on July 23.

The spokesperson added that the committees had requested a classified follow-up briefing in September once Congress returns from its August recess. (Maggie Miller and John Sakellariadis / Politico)

Related: United States Courts, FedScoop

The founders of the Samourai Wallet cryptocurrency mixer pleaded guilty to laundering over $200 million for criminals.

Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill admitted to their involvement in the Samourai money laundering operation, pleading guilty to conspiracy for operating a money transmitting business that handled criminal proceeds, and are now facing a maximum sentence of five years in prison.

As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55.

The two defendants were arrested in April 2024 and charged by the US Department of Justice with two counts of conspiracy: operating an unlicensed money-transmitting business (with a maximum sentence of 5 years) and money laundering (with a maximum sentence of 20 years). (Sergiu Gatlan / Bleeping Computer)

Related: US Department of Justice, MLex, Dark Reading, Compliance Week, Hoodline

A group of white hat hackers called DEF CON Franklin is volunteering to help protect medium to small municipalities' water systems from hackers.

"We've seen both the urgency of the threat and the potential of a community-driven solution," said Jake Braun, DEF CON co-founder and the Executive Director at the University of Chicago's Cyber Policy Initiative.

"This next phase brings together top minds from DEF CON, academia, industry, and philanthropy to provide support in ways that are designed specifically for the unique realities of the water sector."

The goal is to provide "hacker-volunteers" to water utilities to shore up their cybersecurity systems. The volunteers are ethical hackers who help the utilities identify and work through vulnerabilities to strengthen their cybersecurity.

Franklin, which is providing the workforce behind the operation, is partnering with the National Rural Water Association (NRWA), Cyber Resilience Corps, Aspen Digital, the American Water Works Association, and UnDisruptable27. (Luke Barr / ABC News)

Related: PR Newswire, Inside Cybersecurity

Germany's highest court, the Bundesverfassungsgericht, ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry less than a three-year maximum sentence.

The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.

The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.

The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.

Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release. (Suzanne Smalley / The Record)

Related: Bundesverfassungsgericht

One of France's largest telecom companies, Bouygues Telecom, said it suffered a data breach after the personal information of 6.4 million customers was exposed in a cyberattack.

Bouygues Telecom confirmed in a FAQ and a press statement that the attack occurred last Sunday, August 4, 2025.

Although Bouygues Telecom says that there has been no impact observed on customer services or networks, the personal data of 6.4 million customers was compromised.

A previous statement says that internal investigations confirmed that the attack was orchestrated by a 'known cybercriminal group' that targeted 'specific internal resources.'

The firm informed the French National Cybersecurity Agency (ANSSI) and the CNIL (French data protection authority) accordingly, noting that the perpetrator could face up to 5 years of imprisonment and a €150,000 fine for this attack. (Bill Toulas / Bleeping Computer)

Related: Bouygues, Capacity Media, Telecoms Tech News, Security Week, TechCrunch, The Record, CyberInsider, Dataconomy, International Business Times, Tech Radar, IT Pro

An unknown threat actor has stolen the sensitive personal, financial, and health information of nearly 870,000 Columbia University current and former students and employees after breaching the university's network in May.

The breach was discovered after an outage affected some of the university's systems on June 24, and it was reported to law enforcement authorities following an investigation conducted with support from external cybersecurity experts.

In notification letters filed with the office of Maine's Attorney General, the university said that the data breach affects 868,969 individuals, including employees, applicants, current and former students, and family members. (Sergiu Gatlan / Bleeping Computer)

Related: Maine Attorney General, Security Week

Speaking at the Black Hat conference, Chris Butera, acting executive assistant director in CISA’s cybersecurity division, and Robert Costello, CISA’s chief information officer, committed to supporting the MITRE-backed Common Vulnerabilities and Exposures Program, just months after it faced a near-complete lapse in funding.

CISA is “heavily invested” in it and will “continue to fund the CVE Program and continue to improve the CVE Program,” Butera said.

The vulnerability standard is “really central to all of our cybersecurity operations,” Butera added.

Costello concurred, saying it’s an “extremely powerful tool, and it works extremely well.”

In mid-April, CISA extended its CVE contract following industry alarm sparked just hours prior, when MITRE warned of an imminent end to federal backing for the cornerstone cybersecurity project. (David DiMolfetta / NextGov / FCW)

At Black Hat, Bailey Bickley, chief of Defense Industrial Base (DIB) defense at the NSA Cybersecurity Collaboration Center, said that 80% of DIB firms are small businesses that need to be shielded from foreign adversaries.

“The DIB is no longer a handful of traditional defense contractors, but it now includes a lot of companies from nascent and emerging industries,” Bickley said on stage. Those can include AI providers, transportation companies, or even foreign-owned utilities.

No DIB company is too insignificant to be targeted by nation-state hackers, who often exploit unpatched vulnerabilities, she said, calling out major Chinese hacking collectives like Volt Typhoon and Salt Typhoon that have breached troves of core infrastructure across the US and the world. (David DiMolfetta / NextGov/FCW)

Related: Infosecurity Magazine, Forbes

Privacy groups report an "Orwellian" surge in UK police facial recognition scans of databases secretly stocked with passport photos, a practice that lacks parliamentary oversight.

Big Brother Watch says the UK government has allowed images from the country's passport and immigration databases to be made available to facial recognition systems, without informing the public or parliament.

The group claims the passport database contains around 58 million headshots of Brits, plus a further 92 million made available from sources such as the immigration database, visa applications, and more.

By way of comparison, the Police National Database contains circa 20 million photos of those who have been arrested by, or are at least of interest to, the police. (Connor Jones / The Register)

Related: Privacy International

Researchers at Midnight Blue found that at least one implementation of the end-to-end encryption solution endorsed by the European Telecommunications Standards Institute (ETSI), intended to fix eavesdropping weaknesses in TETRA-based radios used by critical infrastructure and law enforcement, has a similar issue that leaves it equally vulnerable to eavesdropping.

TETRA, short for Terrestrial Trunked Radio, has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. Midnight Blue managed to obtain, reverse engineer, and analyze a popular TETRA E2EE solution to assess its security and uncovered three serious vulnerabilities.

The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It’s not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them.

The end-to-end encryption the researchers examined, which is expensive to deploy, is most commonly used in radios for law enforcement agencies, special forces, and covert military and intelligence teams that are involved in national security work and therefore need an extra layer of security.

But ETSI’s endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time. 

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue presented their findings on the encryption vulnerabilities at Black Hat. (Kim Zetter / Wired)

Related: Midnight Blue

An apparent massive new trove of data, obtained by a cybersecurity researcher who uses the handle SttyK, sheds new light on how one group of alleged North Korean IT workers has been running its operations and the meticulous planning involved in its fake IT worker money-making schemes.

The cache of data, which represents a glimpse into the workaday life of some of North Korea’s IT workers, also purportedly includes fake IDs that may be used for job applications, as well as example cover letters, details of laptop farms, and manuals used to create online accounts. It reinforces how reliant upon US-based tech services, such as Google, Slack, and GitHub, the DPRK workers are.

SttyK, who presented their findings at the Black Hat security conference in Las Vegas, says an unnamed confidential source provided them with the data from the online accounts. “There are several dozen gigabytes worth of data. There are thousands of emails,” says SttyK.

Screenshots of one spreadsheet appear to list the potential real-world names of the IT workers themselves. Alongside each name is a register of the make and model of computer they allegedly have, as well as monitors, hard drives, and serial numbers for each device. The “master boss,” who does not have a name listed, is apparently using a 34-inch monitor and two 500GB hard drives. (Matt Burgess / Wired)

Researchers at Socket report they discovered two malicious NPM packages deploying destructive data-wiping code that recursively deletes files on developers' computers.

Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code. They masquerade as WhatsApp socket libraries and have been downloaded over 1,100 times since their publication last month.

Despite Socket having filed takedown requests and flagging the publisher, nayflore, both remain available at the time of writing.

The names of the two malicious packages are naya-flore and nvlore-hsc, though the same publisher has submitted more on NPM, like nouku-search, very-nay, naya-clone, node-smsk, and @veryflore/disc.

Separately, Socket also discovered 11 malicious Go packages that use string-array obfuscation to execute remote payloads at runtime silently. (Bill Toulas / Bleeping Computer)

Related: Socket, Socket, Techzine

Researchers at Sophos say they spotted a new Endpoint Detection and Response (EDR) killer, considered to be the evolution of 'EDRKillShifter' developed by RansomHub, in attacks by eight different ransomware gangs.

According to Sophos security researchers, the new tool, which wasn't given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.

The new EDR killer tool uses a heavily obfuscated binary that is self-decoded at runtime and injected into legitimate applications.

The tool searches for a driver signed with a stolen or expired certificate and bearing a random five-character name, which is hardcoded into the executable.

If found, the malicious driver is loaded into the kernel, as required to perform a 'bring your own vulnerable driver' (BYOVD) attack and achieve kernel privileges necessary to turn off security products.

Apart from EDRKillShifter, Sophos also discovered another tool called AuKill, which Medusa Locker and LockBit used in attacks. (Bill Toulas / Bleeping Computer)

Related: Sophos
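As an added detection example (not Sophos's code or anything from its report), the following Python turns the behaviour described above, a kernel driver with a random five-character name and a stolen or expired signing certificate, into a scoring check over constructed driver-load records. The record fields (image, signer, cert_status, loader) and the sample paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (hypothetical records, not from Sophos's report):
# one entry per kernel driver load, carrying the fields a driver-load event
# typically exposes. "cert_status" is what the certificate expiry/revocation
# check returned at load time; "loader" is the process that requested the load.
SAMPLE_DRIVER_LOADS = [
    {"image": r"C:\Windows\System32\drivers\tcpip.sys",
     "signer": "Microsoft Windows", "cert_status": "valid", "loader": "System"},
    {"image": r"C:\Users\Public\ab3kq.sys",
     "signer": "Example Hardware Co.", "cert_status": "expired", "loader": "notepad.exe"},
    {"image": r"C:\Windows\Temp\x9p2m.sys",
     "signer": "Some Vendor Ltd.", "cert_status": "revoked", "loader": "svchost.exe"},
    {"image": r"C:\Windows\System32\drivers\vendorhid.sys",
     "signer": "Some Vendor Ltd.", "cert_status": "valid", "loader": "System"},
]

# The reported tool looks for a driver whose file name is five random characters.
FIVE_CHAR_NAME = re.compile(r"^[a-z0-9]{5}$", re.IGNORECASE)
TRUSTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
BAD_CERT_STATES = {"expired", "revoked"}


def driver_indicators(record):
    """Return the list of BYOVD indicators present in one driver-load record."""
    path = PureWindowsPath(record["image"])
    indicators = []
    if FIVE_CHAR_NAME.match(path.stem):
        indicators.append("five-char name")
    if record["cert_status"].lower() in BAD_CERT_STATES:
        indicators.append("bad cert:" + record["cert_status"].lower())
    if path.parent != TRUSTED_DRIVER_DIR:
        indicators.append("unusual path")
    if record["loader"].lower() != "system":
        indicators.append("user-mode loader")
    return indicators


def flag_suspicious_driver_loads(records):
    """Flag records that match the five-character-name pattern AND carry at
    least one corroborating indicator. Requiring corroboration keeps legitimate
    drivers that happen to have five-letter names (tcpip.sys) out of the alerts."""
    findings = {}
    for rec in records:
        ind = driver_indicators(rec)
        if "five-char name" in ind and len(ind) >= 2:
            findings[rec["image"]] = ind
    return findings


if __name__ == "__main__":
    for image, why in flag_suspicious_driver_loads(SAMPLE_DRIVER_LOADS).items():
        print(f"{image}: {', '.join(why)}")
```

A driver signed with a stolen but still-valid certificate reports "valid", so in that case the path and loader indicators carry the weight; the check is a triage heuristic, not a verdict.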

Best Thing of the Day: Musk's Grok Is Such a Loser

ChatGPT-maker OpenAI beat Elon Musk's Grok in the final of a tournament to crown the best artificial intelligence (AI) chess player.

Worst Thing of the Day: Now the Goons Are Wearing Smart Glasses?

A Customs and Border Protection (CBP) agent wore Meta’s AI smart glasses to a June 30 immigration raid outside a Home Depot in Cypress Park, Los Angeles.

Bonus Worst Thing of the Day: The Irony Is Not Lost on Us

Someone who called themselves simply "Anonymous" published an essay in The Critic arguing for encryption backdoors because "free speech and privacy aren't the only things that matter."

Closing Thought

Source: @0xabad1dea infosec.exchange
