Attacks & Vulnerabilities
Critical Cisco ISE Vulnerabilities Allow Remote Code Execution (2 minute read)
Cisco announced fixes for two critical (CVSS 10/10) vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector, which could allow unauthenticated remote code execution (RCE). The first vulnerability is caused by a lack of input validation, which allows unauthenticated attackers to submit crafted API requests and execute arbitrary code with root privileges. The second vulnerability is caused by a lack of file validation, which could allow an attacker to store malicious files in arbitrary directories on the device.
Hackers Turn ScreenConnect Into Malware Using Authenticode Stuffing (2 minute read)
Cybersecurity firm G DATA is warning users of ConnectWise's ScreenConnect remote monitoring and management (RMM) software about a new malware campaign that uses ScreenConnect installers with a malicious configuration embedded in the Authenticode certificate. The malicious installer is configured to have the title “Windows Update,” change the background to a Windows Update image, and connect to an attacker-controlled server. ConnectWise has revoked the certificates used in these binaries.
Marketplace Takeover: How We Could've Taken Over Every Developer Using a VSCode Fork; Putting Millions at Risk (7 minute read)
Security researchers have discovered a critical vulnerability in open-vsx.org, the open-source VS Code extensions marketplace used by over 8 million developers across popular editors such as Cursor, Windsurf, and VSCodium. The flaw allowed attackers to steal admin credentials through a CI pipeline issue, enabling them to publish malicious updates to every extension on the marketplace and potentially compromise millions of developer machines. The vulnerability was responsibly disclosed in May and patched after multiple iterations over several weeks.
5 Years, 160 Comments, and the Vulnerability That Refused to Die (8 minute read)
Jonathan Leitschuh discovered an old vulnerability in SnakeYAML that could enable remote code execution through unsafe deserialization. The maintainer initially closed the report as “Won't Fix,” claiming a safe constructor made the code safe. After a lengthy discussion, PoCs, data, and a nearly hour-long call, Leitschuh convinced the maintainer to use the secure constructor by default and make insecure behavior opt-in, marking a win for secure defaults in SnakeYAML 2.0.
Bonfy (Product Launch)
Bonfy provides AI governance solutions that detect and prevent risks in enterprise content, ensuring secure and compliant use of generative AI across organizations.
Obfusk8 (GitHub Repo)
Obfusk8 is a C++17 header-only library designed to obfuscate binaries through a complex set of compile-time and runtime techniques.
YARA-X is Stable (2 minute read)
The YARA team has officially announced the first stable release of YARA-X and moved the original YARA project into maintenance mode.
Iranian Hackers are Trying to Create a Psychological War in Cyberspace (2 minute read)
A new report by cybersecurity agency DomainTools alleges that the Iranian-backed CyberAv3ngers group is shifting its operations to focus on misinformation and psychological warfare. The CyberAv3ngers have been active since 2023, and while they have been tied to confirmed intrusions, they have also claimed targets that have been debunked. According to the report, the group has refined cyber activity “into a fully realized propaganda apparatus” with the goal of not just breaching systems but “to control the narrative surrounding those breaches.”
Windows killed the Blue Screen of Death (2 minute read)
Microsoft is replacing Windows' iconic Blue Screen of Death with a Black Screen of Death nearly 40 years after its introduction. The change is part of the Windows Resiliency Initiative following the CrowdStrike outage that affected 8.5 million devices. Microsoft calls it a "simplified UI" but hasn't acknowledged the significance of ending this computing era.
Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile