CISO Talk by James Azar
CyberHub Podcast
Air France-KLM Confirms Breach, Bouygues Telecom France Suffers Cyberattack and Data Breach, Google Discloses Salesforce Hack, Microsoft Warns of High Severity Flaw in Hybrid Exchange Deployments


Europe Under Fire, Google Breached, and Akira Turns Off Defender: Tactics Evolve, AI Assistant Vulnerabilities and Ransomware

Good Morning Security Gang!
Welcome to your Thursday edition of the CyberHub Podcast, live(ish) from Hacker Summer Camp in Las Vegas, August 7, 2025. I’ve got a monster of a show for all y’all this morning. Europe is under siege in cyberspace, Akira’s found a new way to disable Defender, and vulnerabilities are stacking up faster than conference RSVPs. We’re covering data breaches at Air France-KLM and Google, high-severity Exchange and Android exploits, remote code execution in CyberArk, and AI hijacks through Gemini and Cursor.

So pour that espresso (you know I’ll have mine back Monday in the studio), and let’s dive into today’s top stories.

"Europe is getting absolutely hammered with major cyber attacks... We never really saw this pattern before, but now it's becoming very common, specifically in France and Western Europe." - James Azar on the emerging pattern of European corporate cyberattacks

✈ Air France-KLM Breach Compromises Loyalty Program IDs

Air France-KLM disclosed a breach affecting its Flying Blue loyalty program. Threat actors accessed a third-party CRM platform, stealing names, contact info, email subject lines, and frequent flyer numbers. While credit card details and mileage balances weren't leaked, the program IDs could still be abused for phishing or reward fraud. This breach is part of a growing pattern in Europe and likely linked to weak Salesforce access management, just like the recent cases at Adidas, Allianz Life, and Dior.

📶 France’s Third-Largest Telecom Suffers Data Breach

Bouygues Telecom, the third-largest French mobile operator, confirmed a breach affecting 6.4 million customer accounts. The company said the issue was “resolved quickly” but didn’t disclose the attack vector. With Orange and other French telcos recently targeted, this may be part of a state-backed campaign like the U.S. Salt Typhoon attack. The breached data was described as “personal data,” though the specific contents remain vague.

"What necessary measures did you put in place that weren't there before this happened? And how fast did you put them in? If that was the case, then why didn't you put them in before?" - James Azar questioning Bouygues Telecom's post-breach security response claims

🧠 Google Confirms Salesforce Compromise Tied to ShinyHunters

Google joined the Salesforce breach victim list, confirming its Salesforce environment was compromised in June. Threat actors exfiltrated SMB contact info and notes. Attribution points to UNC6040 and ShinyHunters. The attack was short-lived but effective, with ShinyHunters reportedly planning to ramp up extortion tactics using a new data leak site. The threat actor is calling victims and demanding Bitcoin payments within 72 hours. Companies impacted include Pandora, Cisco, Dior, and now Google.

🔐 Microsoft Exchange Hybrid Vulnerability Enables Undetectable Privilege Escalation

Microsoft warned of a high-severity flaw (CVE-2025-53786) in Exchange Hybrid setups that allows attackers to manipulate tokens and API calls from on-prem servers that the cloud blindly trusts. Activity under the shared service principal isn’t logged in M365 Purview or audit logs, so attackers could remain undetected. If you're using a hybrid configuration, patch immediately and reset your service principal credentials.

🤖 Zenity Reveals AI Assistant Hijacking in Gemini, GPT, and Copilot

Zenity researchers showed how prompt injection vulnerabilities in Gemini, Copilot, ChatGPT, and Salesforce Einstein can be exploited to execute malicious commands without user interaction. In one example, sharing a specially crafted Google Drive file caused ChatGPT to follow embedded instructions. Thousands of vulnerable Copilot instances were identified. This highlights the need for governance and sandboxing in AI assistant environments.

📱 Android August Patch Fixes Critical GPU Bugs

Google released its August 2025 Android bulletin, patching multiple high-risk vulnerabilities. Two key flaws (CVE-2025-42147 and 27038) in the graphics component allow unauthorized command execution and memory corruption. If you’re managing mobile fleets or BYOD environments, push the updates now.

🛡 Akira Ransomware Uses Legit Driver to Kill Defender

Akira ransomware is abusing Intel’s RWDRV.sys to disable Microsoft Defender and EDRs. The driver is signed and registered to gain kernel-level access, then used to load a second malicious driver that disables endpoint protection. This bring-your-own-vulnerable-driver (BYOVD) method has allowed Akira to quietly escalate ransomware payloads—especially in SMBs. GuidePoint and SonicWall users are urged to be on high alert.
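The BYOVD chain above is visible at the driver-load layer. As an added example (not from the show or from any vendor), this scans constructed Sysmon-style DriverLoad (Event ID 6) lines and flags the RWDRV.sys name from the story, drivers loaded from non-system paths, unsigned drivers, and a second driver load that follows a known-abused driver; the log format, field names and paths are assumed for illustration.

```python
import re

# Constructed sample log in a Sysmon Event ID 6 (DriverLoad) style; not real telemetry.
SAMPLE_LOG = """\
EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true Signature="Microsoft Windows"
EventID=1 Image="C:\\Windows\\System32\\svchost.exe"
EventID=6 ImageLoaded="C:\\Users\\Public\\rwdrv.sys" Signed=true Signature="Example Signer"
EventID=6 ImageLoaded="C:\\ProgramData\\second.sys" Signed=false Signature="-"
"""

KNOWN_ABUSED = {"rwdrv.sys"}  # driver named in the story; extend from your own intel
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def driver_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(fields: dict, seen_known: bool) -> list:
    """Return the reasons a DriverLoad event is suspicious (empty list if none)."""
    if fields.get("EventID") != "6":
        return []
    path = fields.get("ImageLoaded", "")
    reasons = []
    if driver_name(path) in KNOWN_ABUSED:
        reasons.append("known BYOVD driver")
    if not path.lower().startswith(SYSTEM_DRIVER_DIRS):
        reasons.append("loaded from non-system path")
    if fields.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    # A second driver arriving after a known-abused one matches the two-stage chain.
    if reasons and seen_known and driver_name(path) not in KNOWN_ABUSED:
        reasons.append("driver load after BYOVD driver")
    return reasons


def scan(log: str) -> list:
    """Return [(driver_name, reasons)] for every suspicious driver load in order."""
    alerts, seen_known = [], False
    for line in log.splitlines():
        fields = parse_line(line)
        reasons = classify(fields, seen_known)
        if reasons:
            name = driver_name(fields["ImageLoaded"])
            alerts.append((name, reasons))
            seen_known = seen_known or name in KNOWN_ABUSED
    return alerts
```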

🔓 CyberArk Conjur Vulnerabilities Allow RCE, Auth Bypass

CyberArk’s open-source Conjur secret manager, popular in DevOps environments, was found to have five critical vulnerabilities including unauthenticated RCE (CVE-2025-49828) and path traversal (CVE-2025-49830). These flaws impact enterprises managing machine and AI identities. Conjur users should patch immediately—especially following CyberArk’s recent $25B acquisition by Palo Alto.

🧬 Cursor IDE Flaw Allows Hidden Code Execution via Trust Model Abuse

Check Point researchers discovered that a configuration file approved in Cursor IDE can be modified after approval to include malicious commands, which are then executed without further prompt. Dubbed MCP Poison, the flaw highlights a fundamental trust model failure in collaborative AI coding tools. Cursor has issued a patch in version 1.3.
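The trust-model failure is that approval is bound to the file, not to its content. As an added example (not Cursor's code, and the config format, path and command values are constructed for illustration), this contrasts the weak path-bound approval with one that pins a digest of the approved content and re-verifies it at execution time, so a post-approval edit forces a fresh prompt while a mere reformatting does not.

```python
import hashlib
import json

# Constructed sample configs in a generic MCP-style layout (assumed, not Cursor's real schema).
APPROVED = '{"mcpServers": {"docs": {"command": "npx", "args": ["docs-server"]}}}'
TAMPERED = '{"mcpServers": {"docs": {"command": "sh", "args": ["-c", "echo tampered"]}}}'
REFORMATTED = '{\n  "mcpServers": {"docs": {"command": "npx", "args": ["docs-server"]}}\n}'
CONFIG_PATH = ".cursor/mcp.json"  # assumed location, used only as a dictionary key here


def canonical_digest(config_text: str) -> str:
    """Hash the parsed config in canonical form: whitespace changes do not alter
    the digest, but any change to a command or argument does."""
    obj = json.loads(config_text)
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def approve_by_path(store: dict, path: str) -> None:
    """Weak model the flaw illustrates: trust is bound to the file path only."""
    store[path] = True


def trusted_by_path(store: dict, path: str, config_text: str) -> bool:
    return bool(store.get(path, False))  # content is never re-checked


def approve_by_digest(store: dict, path: str, config_text: str) -> None:
    """Hardened model: trust is bound to the content the user actually reviewed."""
    store[path] = canonical_digest(config_text)


def trusted_by_digest(store: dict, path: str, config_text: str) -> bool:
    """Re-verify before executing; a mismatch means the user must re-approve."""
    return store.get(path) == canonical_digest(config_text)


def demo() -> dict:
    weak, strong = {}, {}
    approve_by_path(weak, CONFIG_PATH)
    approve_by_digest(strong, CONFIG_PATH, APPROVED)
    return {
        "weak_runs_tampered": trusted_by_path(weak, CONFIG_PATH, TAMPERED),
        "strong_runs_tampered": trusted_by_digest(strong, CONFIG_PATH, TAMPERED),
        "strong_runs_reformatted": trusted_by_digest(strong, CONFIG_PATH, REFORMATTED),
    }
```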

🧠 James Azar’s CISO Take

What we’re seeing now is a major shift in adversary behavior. Instead of long dwell times and full ransomware deployment, attackers are poking around CRMs, stealing low-value data, and hoping to monetize it through fast extortion. It’s not about destroying your system—it’s about knowing just enough to demand money. That’s why identity governance, MFA, and strict session monitoring are more important than ever.

At the same time, the risks posed by AI integrations and poor DevSecOps hygiene are exploding. From Gemini to Copilot to Cursor, we’re watching the same mistakes made in SaaS security get repeated in AI-powered workflows. If we don’t design with adversarial thinking in mind, these assistants will become liabilities. You need controls at every layer—from prompt input to execution pipeline.

✅ Action Items

  • 🔐 Patch Exchange Hybrid environments and reset service principal credentials

  • 💾 Apply Android August 2025 patch across mobile fleets

  • 🧠 Audit AI assistant usage (Gemini, GPT, Copilot) for prompt injection risks

  • 🖥 Patch CyberArk Conjur immediately for RCE vulnerabilities

  • 🚨 Monitor for BYOVD tactics like Akira’s abuse of RWDRV.sys

  • 🛡 Revalidate CRM access controls (Salesforce, HubSpot, etc.) and enforce MFA

  • 📁 Ensure collaborative IDEs like Cursor are on version 1.3+ and properly sandboxed

  • 📢 Train help desk staff on social engineering and phishing-resistant identity protocols

Stay Cyber Safe.

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://www.securityweek.com/air-france-klm-say-hackers-accessed-customer-data/

https://therecord.media/bouygues-telecom-france-cyberattack-data-breach

https://www.securityweek.com/google-discloses-salesforce-hack/

https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-high-severity-flaw-in-hybrid-exchange-deployments/

https://www.securityweek.com/major-enterprise-ai-assistants-abused-for-data-theft-manipulation/

https://thecyberexpress.com/august-2025-android-security-bulletin/

https://www.bleepingcomputer.com/news/security/akira-ransomware-abuses-cpu-tuning-tool-to-disable-microsoft-defender/

https://www.securityweek.com/enterprise-secrets-exposed-by-cyberark-conjur-vulnerabilities/

https://www.bankinfosecurity.com/mcp-protocol-bug-let-attackers-execute-code-in-cursor-a-29140


=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
