Cyber Hub Podcast Summary: CitrixBleed 2 Nightmare Returns as British Hacker IntelBroker Gets Charged and Iran Weaponizes AI for Cyber Warfare
Good Morning Security Gang!
Welcome back to another explosive Thursday episode of the Cyber Hub podcast, broadcasting live from the bunker on June 26th, 2025 - this is episode 935! Your host and CISO James Azar is back with his trusty double espresso, and boy do we have an episode for y'all today. If you thought CitrixBleed 1 was bad, CitrixBleed 2 has arrived like the sequel we never wanted but absolutely deserve.
It's like trying to pick between John Wick 1 and John Wick 2 - can you really say which one was better? It's not every day in cybersecurity we get sequels, so when we do, we cherish them, take a moment to reflect upon the greatness of sequels, and talk about them extensively. That's exactly what's on today's show, along with the arrest of notorious hacker IntelBroker, a massive AT&T settlement that'll make you question what PII really means, and vulnerabilities that need immediate attention.
CitrixBleed 2: The Sequel Nobody Asked For But Everyone Got
The Story: After 24 hours of industry reaction, what was initially reported as NetScaler vulnerabilities is now officially being called CitrixBleed 2. CVE-2025-57777 is a critical flaw caused by an out-of-bounds memory read, allowing unauthenticated attackers to access portions of memory they should not have access to. This flaw impacts NetScaler devices configured as gateways including VPN virtual servers, ICA proxy, clientless VPN, RDP proxy, or AAA virtual servers. Kevin Beaumont characterizes this as echoing the infamous CitrixBleed vulnerability (CVE-2023-49666) that was extensively exploited by threat actors. The flaw could allow attackers to access session tokens, credentials, and other sensitive data from public-facing gateways. A second high-severity flaw, CVE-2025-55349, affects the NetScaler Management Interface. To address both vulnerabilities, users need to install NetScaler ADC and Gateway versions 14.1-43.56, 13.1-58.32 and later releases.
Host Take: James Azar didn't mince words about this development: "If you thought CitrixBleed 1 was kind of bad, CitrixBleed 2 - the sequel - be like kind of John Wick 1 and John Wick 2. Can you really say which one was better? It's not every day in cybersecurity we get sequels, so when we do, we cherish them." He was particularly blunt about the exploitation reality: "Citrix has not stated whether these flaws are being actively exploited, but I guarantee you they are. I guarantee you they are. It's a zero day. Whenever there's a zero day, there's exploits. Just because the vendor doesn't say there are doesn't mean they don't exist. They're there. They're available. We're going to hear all about them. They're going to give us plenty of content on the show for the next several months, but they're there." His experience with the original CitrixBleed clearly shapes his concern: "Last time I had CitrixBleed, we were all locked in our homes for a while."
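As an added illustrative check (not code from the podcast, from Citrix, or from any vendor tool), the Python script below triages an inventory of NetScaler versions against the two fixed builds named above, 14.1-43.56 and 13.1-58.32, treating later builds in the same release line as fixed and flagging any other release line for manual verification against the vendor advisory. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the story above, keyed by release line (major, minor).
# Builds at or above these within the same release line are treated as fixed.
FIXED_BUILDS = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}

# NetScaler versions look like "14.1-43.56": release "14.1", build "43.56".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '14.1-43.56' into (14, 1, 43, 56); return None if unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor, build, sub)


def assess(version: str) -> str:
    """Classify one device as patched, vulnerable, not_listed or unparseable."""
    v = parse_version(version)
    if v is None:
        return "unparseable"          # cannot judge; needs a manual look
    release, build = (v[0], v[1]), (v[2], v[3])
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return "not_listed"           # release line not among the fixes above
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable ones can be patched first."""
    out: Dict[str, List[str]] = {
        "vulnerable": [], "not_listed": [], "unparseable": [], "patched": []
    }
    for host, ver in inventory:
        out[assess(ver)].append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("gw-nyc-01", "14.1-43.56"),
    ("gw-nyc-02", "14.1-38.53"),
    ("gw-lon-01", "13.1-58.32"),
    ("gw-lon-02", "13.1-56.18"),
    ("gw-lab-01", "13.0-92.21"),
    ("gw-lab-02", "NS14.1 build 43.56"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```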
IntelBroker Unmasked: 25-Year-Old Kai West Arrested in France
The Story: The notorious hacker known as IntelBroker has been identified as 25-year-old Kai West, who was arrested in France in February and is currently awaiting extradition to the United States where he could face up to 20 years in prison. The DOJ says West and his co-conspirators tried to sell stolen data for more than $2 million on illicit forums. West infiltrated networks of U.S.-based telecom firms, healthcare providers, ISPs, and more than 40 other victims, accessing and selling customer data, corporate materials, and patient health records. Authorities connected West to IntelBroker through a controlled purchase of stolen data, traced crypto payments to a Coinbase account registered under his real identity, and found he used the same IP address for both personal accounts and IntelBroker profiles. The arrest was part of a broader takedown of Breach Forums administrators.
Host Take: Azar couldn't help but comment on the amateur operational security: "According to the indictment, investigators also found that West used the same IP address to log into both his personal account and IntelBroker profiles. Rookie." But he quickly added context about the broader lesson: "You can obviously see that crime does not pay. You may get some limelight, but eventually you're tracked, because eventually you need to spend that money. And so when you spend that money, it always gets traced back to you. That's the case here for Kai West, who is awaiting extradition to these United States." His analysis highlights the inevitable downfall of cybercriminals who need to monetize their activities.
Iranian APT35 Targets Israeli Tech Professionals
The Story: Check Point published a report detailing campaigns in which Israeli technology and cybersecurity professionals were approached by attackers posing as fictitious technology executives or researchers through emails and WhatsApp messages. The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. The company attributed this activity to Charming Kitten (APT35), which has a long history of orchestrating social engineering attacks. Check Point reports that since the onset of the 12-day war between Iran and Israel, cyber activity has increased, with Iranian actors targeting specific Israeli consumers as well as ordinary people within the population.
Host Take: Azar provided straightforward context: "The APT has a long history of orchestrating social engineering attacks. Check Point says that since the onslaught of the twelve-day war between Iran and Israel, cyber activities were increased by the Iranians, targeting specific Israeli consumers as well as just normal people within the population." His commentary emphasizes how geopolitical conflicts directly drive targeted cyber operations against civilian populations and critical infrastructure professionals.
Columbia University Cyber Incident Under Investigation
The Story: Columbia University officials are investigating a potential cybersecurity incident after students reported widespread technology outages and strange images appearing on screens across campus. The school's website and other systems have been intermittently offline since Tuesday morning. Columbia officials confirmed that the NYPD is now involved in the response. According to a university spokesperson, Columbia University's IT system experienced an outage affecting systems on the Morningside campus, with the IT team working to restore services and having notified law enforcement. No clinical operations at Columbia University Irving Medical Center were impacted.
Host Take: Azar remained cautious about jumping to conclusions: "It's unknown whether this was a cyber attack or not, or if it's just an IT outage there, but either way that happened there as well." His measured response reflects the importance of not immediately attributing every IT incident to malicious activity, while acknowledging that the involvement of law enforcement and reports of strange images suggest this may be more than a simple technical failure.
AT&T's $177 Million Settlement: Time to Redefine PII?
The Story: AT&T reached a $177 million settlement with plaintiffs who sued over a massive data security breach impacting millions of customers. The settlement includes $149 million to resolve class action claims related to the breach, with the remaining $28 million for a separate AT&T data breach. The judge scheduled a December 3rd hearing for final approval. The FBI's Internet Crime Complaint Center (IC3) received 859,532 complaints of suspected internet crimes in 2024, with losses exceeding $16 billion. The settlement represents one of the largest data breach penalties in recent history.
Host Take: This story triggered one of Azar's most passionate rants of the episode:
"One hundred and seventy-seven million dollars, folks. No insurance covers that. That's coming straight out of EBITDA."
He then launched into a fundamental critique of current PII definitions:
"I don't understand what PII is anymore. And I think we need to redefine PII. Before the internet, we had phone booths. Y'all remember phone booths? If you're young, let me know. We had a phone booth. In every phone booth in America and in every business in America, there was something called the Yellow Pages. And you know what the Yellow Pages had? Your name, your address, and your phone number. Readily available. There was no breach then."
His frustration was palpable:
"My question is: if that information is, and always has been, readily available, why is it PII now? Social Security numbers, I get. Driver's license numbers, I get. Healthcare information, I get. But name, email, phone number, address? Spare us. Really, spare us."
He concluded with a broader economic concern:
"That hundred and seventy-seven million dollars is coming out of somewhere, and it's likely going to come at the expense of something else. And no one suffered a hundred and seventy-seven million dollars' worth of damage from the AT&T breach. No one has. Can we be frank about it for just a minute? Can we be honest with ourselves for just a minute? Maybe it's time we change our approach with regulators."
ConnectWise Hijacking: MSP World Under Threat
The Story: ConnectWise remote access applications are being hijacked by threat actors to hide malicious code and compromise systems, according to G DATA. The issue is particularly significant in the MSP (Managed Service Provider) world, where ConnectWise is extensively deployed. The threat involves attackers abusing the tool's remote access capabilities to establish persistent access to target networks. It represents a continuation of supply chain and remote access tool compromises that have become increasingly common.
Host Take: Azar emphasized the particular risk to the MSP ecosystem: "ConnectWise is just so... it's everywhere, especially within the MSP world, and so that's really significant, because in the MSP world, where the help desk really does rotate, that introduces that ability for someone to really fool someone to connect to ConnectWise and then allow this to happen." He stressed the need for continuous vigilance: "The threat of ConnectWise is at the MSP level, is that your... and, and that's where you want to really address it." His concern reflects the cascading impact when MSP tools are compromised, affecting multiple downstream clients.
CISA Adds Critical AMI BMC Vulnerability to KEV Catalog
The Story: CISA added a critical AMI BMC vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2024-54085 has a CVSS score of 10.0 and is an AMI BMC authentication bypass issue confirmed to impact HPE, ASUS, ASRock, and Lenovo products affecting the Redfish management interface. This defect could allow attackers to take control of target machines, deploy malware, modify firmware, and even damage motherboards. Additionally, CVE-2019-6693 with a CVSS score of 6.5 involves a cryptographic key used to encrypt sensitive data that's hard-coded in the software.
Host Take: Azar was clear about the implications of KEV catalog inclusion: "If they're adding it to the KEV catalog, it means there's active exploits. That's the rule of thumb from everyone I've ever spoken with at CISA: if we add it to KEV, it's because we're seeing it exploited. Please, please make sure you get it patched up. Please." His understanding of CISA's processes provides valuable context for security teams about the urgency level when vulnerabilities are added to the KEV catalog.
Cisco ISE Perfect 10 Vulnerabilities Demand Immediate Action
The Story: Critical vulnerabilities in Cisco ISE and Cisco ISE Passive Identity Connector could lead to remote code execution. CVE-2025-20281 and CVE-2025-20282 have each been given a perfect score of 10.0 on the CVSS scale. CVE-2025-20281 exists because user-supplied input is insufficiently validated, allowing remote unauthenticated attackers to submit crafted API requests and execute arbitrary code with root privileges. CVE-2025-20282 exists due to a lack of file validation checks, allowing attackers to place arbitrary files in privileged directories. The first affects ISE releases 3.3 and later, fixed in 3.3 Patch 6 and 3.4 Patch 2, while the second affects only release 3.4.
Host Take: Azar couldn't emphasize the urgency enough: "It's a perfect ten. It's a real threat. Patch this up immediately. Put this at the top of your list, because the moment they're able to do this... it's an unauthenticated attacker, it's not very complex, it's a specially crafted API request. I can pull up cloud right now and do this with you live on cloud, and we'll get the code, we'll get the API request." His technical understanding and willingness to demonstrate the simplicity of exploitation underscores why these perfect 10 scores demand immediate attention from security teams.
DOD Seeks New Risk Management Framework
The Story: The Department of Defense issued a Request for Information (RFI) regarding risk management frameworks, specifically seeking to revamp them around NIST under a slimmer approach focused on design, building, testing, onboarding, and operations. Katie Arrington, DOD's acting chief information officer, said reworking the framework would reduce redundancies that slow down the department's cyber processes. The DOD has a CIO nominee, and the direction of this initiative may depend on the new leadership's priorities.
Host Take: Azar provided context about the leadership transition: "The DOD has a CIO that's now been nominated, and so we'll see how the new CIO takes this there, with Kirsten, if she'll keep Katie's move or take it out. But it's there now, and they're gonna get feedback on it either way." His commentary reflects the reality that major policy initiatives often depend on political appointments and leadership changes, making timing critical for implementation.
Capitol Hill Quantum Computing Urgency
The Story: In a hearing titled "Preparing for a Quantum Age When Cryptography Breaks," U.S. officials warned that the federal government must urgently modernize its cybersecurity infrastructure to prepare for quantum computing threats. The hearing was held by the Subcommittee on Cybersecurity, Information Technology, and Government Innovation. The assessment came from the U.S. Government Accountability Office and industry organizations like IBM, emphasizing that standards exist and bipartisan support is needed. Subcommittee Chairwoman Nancy Mace said the threat posed by quantum computing is not hypothetical and legislative action is needed to accelerate post-quantum cryptography adoption.
Host Take: Azar summarized the broad consensus: "The idea here in general was: quantum is coming. That came from the US Government Accountability Office; that's come from industry as well, and from places like IBM and other organizations as well, saying that the standards are there and there needs to be bipartisan support." He noted the political reality: "Subcommittee Chairwoman Nancy Mace said that the threat posed by quantum computing is not hypothetical. She said there's a need for legislative action and appropriations to accelerate the adoption of post-quantum cryptography and modernize federal IT systems. So likely the subcommittee will try to get something in play; we'll see if it actually happens there." His pragmatic view reflects skepticism about whether congressional action will match the urgency of the technical threat.
Summary and Key Takeaways
Today's episode demonstrates how cybersecurity threats continue evolving with both new sophisticated attacks and the return of familiar vulnerabilities in new forms. CitrixBleed 2 proves that successful attack vectors often get recycled and improved by threat actors, requiring organizations to maintain vigilance even against "solved" problems.
The IntelBroker arrest shows that cybercriminals eventually get caught when they need to monetize their activities, as financial transactions create digital trails that law enforcement can follow. Meanwhile, Iranian APT groups continue targeting Israeli tech professionals through sophisticated social engineering, demonstrating how geopolitical conflicts drive targeted.
Action Items for Security Teams
Immediate CitrixBleed 2 patching: Update all NetScaler ADC and Gateway systems to versions 14.1-43.56, 13.1-58.32, 13.1-37.235, or 12.1-55.328
Cisco ISE emergency updates: Patch CVE-2025-20281 and CVE-2025-20282 immediately due to perfect CVSS 10.0 scores and unauthenticated RCE capabilities
AMI BMC vulnerability remediation: Address CVE-2024-54085 on all HPE, ASUS, ASRock, and Lenovo systems with BMC interfaces
ConnectWise security review: Implement enhanced monitoring and access controls for all ConnectWise remote access deployments, especially in MSP environments
Iranian APT35 awareness: Brief Israeli tech professionals and partners on current social engineering campaigns using fake Gmail and Google Meet invitations
IntelBroker IOC hunting: Search for indicators of compromise related to Kai West's operations and Breach Forums activities
PII classification review: Evaluate current data classification policies to distinguish between historically public information and truly sensitive data
Quantum cryptography planning: Begin assessment of post-quantum cryptography requirements and implementation timelines
Third-party risk assessment: Review all managed service provider relationships for potential ConnectWise-related exposure
Incident response testing: Conduct tabletop exercises simulating CitrixBleed 2-style attacks on gateway infrastructure
Social engineering training: Update security awareness programs to cover LinkedIn/WhatsApp-based targeting of technical professionals
Breach notification procedures: Review current data breach response plans in light of AT&T settlement implications
Hardware security inventory: Audit all systems with management interfaces for authentication bypass vulnerabilities
API security validation: Implement enhanced input validation and authentication for all public-facing APIs
✅ Story Links:
https://therecord.media/british-hacker-intelbroker-spree-breaches
https://thehackernews.com/2025/06/iranian-apt35-hackers-targeting-israeli.html
https://therecord.media/columbia-university-technology-outages
https://www.securityweek.com/hackers-abuse-connectwise-to-hide-malware/
https://www.securityweek.com/cisa-warns-ami-bmc-vulnerability-exploited-in-the-wild/
https://www.securityweek.com/critical-cisco-ise-vulnerabilities-allow-remote-code-execution/
https://www.cybersecuritydive.com/news/judge-att-177m-settlement-data-breach/751486/