Episource Breach Affects 5.4M 🏥, Salt Typhoon Attacks Viasat 🛰️, Facebook Rolls Out Passkey 🔑


Together With Gartner

TLDR Information Security 2025-06-20

[Gartner Report] 5 Questions All CISOs Should Ask About IAM (Sponsor)

Remote work, digital transformation and the rise of AI are all placing increased focus on identity management. However, many CISOs fail to align IAM with broader security initiatives, while IAM metrics are often overly technical, performance-oriented, and inward-looking.

→ The experts at Gartner have identified 5 essential questions you need to answer in order to bridge the gap between security and IAM. Read their findings in this complimentary report

→ Want to dive deeper into these issues and prepare your IAM program for the age of AI agents? Register for Gartner Identity & Access Management Summit 2025

🔓

Attacks & Vulnerabilities

Healthcare SaaS Firm Says Data Breach Impacts 5.4M Patients (2 minute read)

Episource, a healthcare services company that provides risk adjustment, medical coding, data analytics, and technology solutions to health plans and providers, is warning impacted patients of a data breach that it suffered in January. The breached data may have included full names, physical addresses, email addresses, phone numbers, insurance plan and Medicaid information, medical records, dates of birth, and SSNs. Episource has stated that no banking or payment card information was stolen.

North Korea Targeting Indian Crypto Job Applicants With Malware (2 minute read)

Cisco Talos is warning potential crypto job seekers in India of a malware campaign by the North Korean Famous Chollima group. Fake employers are approaching software engineers, marketing employees, and designers with skill-testing pages to apply for positions at cryptocurrency companies like Coinbase, Archblock, and Robinhood. These pages feature ClickFix attacks, which prompt victims to run malicious code to fix errors. The code eventually downloads infostealer malware to steal browser credentials and session tokens.

China-linked group Salt Typhoon breached satellite firm Viasat (4 minute read)

The China-linked hacking group Salt Typhoon breached the satellite company Viasat and other global telecom providers. They exploited security flaws in network devices to conduct espionage across multiple countries. Officials confirmed that customer data remained secure and the vulnerabilities were addressed.

🧠

Strategies & Tactics

Dangerous By Default: Insecure GitHub Actions Found in MITRE, Splunk, and Other Open Source Repositories (5 minute read)

The `pull_request_target` event is infamous because it opens up room for abuse by running in the context of the base repo with full secrets access and write permissions to the GITHUB_TOKEN. Sysdig found repositories belonging to MITRE, Splunk, and a popular open-source Spotify client that could be hijacked via `pull_request_target` abuse. Sysdig recommends using the `pull_request` event instead, along with workflow splitting and restricting GITHUB_TOKEN permissions to avoid these issues.
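As an added illustration (not code from the Sysdig write-up or the affected projects), a small audit that flags the pattern described above in a workflow already parsed into Python dicts (e.g. with PyYAML), with a constructed vulnerable workflow beside its hardened form; both workflow objects are constructed for the example.

```python
import re

# Expression that puts PR-controlled code into the privileged job (the risky pattern).
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)")

def _triggers(workflow):
    # PyYAML loads the `on:` key as boolean True (YAML 1.1), so accept either spelling.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return [on]
    return list(on)

def audit_workflow(workflow):
    """Return a list of findings; an empty list means the pattern was not found."""
    findings = []
    if "pull_request_target" not in _triggers(workflow):
        return findings
    perms = workflow.get("permissions")
    if perms is None or perms == "write-all":
        findings.append("pull_request_target with unrestricted GITHUB_TOKEN permissions")
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            ref = str(step.get("with", {}).get("ref", ""))
            if step.get("uses", "").startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                findings.append(f"{job_name}: checks out the PR head under pull_request_target")
    return findings

# Constructed workflow showing the weak setting: privileged trigger plus PR head checkout.
VULNERABLE = {
    "name": "ci",
    "on": ["pull_request_target"],
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
    ]}},
}

# Corrected version: untrusted code runs under pull_request with a read-only token.
HARDENED = {
    "name": "ci",
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}
```
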
Digging Tunnels: Hunting Adversarial Cloudflared Instances (10 minute read)

Cloudflared is a popular tunneling service offered by Cloudflare that legitimate organizations or adversaries can utilize to establish persistence. Cloudflared authenticates using tokens that contain the account ID, tunnel ID, and a secret. Ransomware groups often do not vary their Cloudflare accounts, so detecting anomalous tokens or renamed processes can be effective for threat hunting.
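An added example, not from the article: a hunting check over a constructed process snapshot that decodes cloudflared tunnel tokens (base64-encoded JSON carrying the account tag, tunnel ID and secret) and flags tunnels whose account is outside an assumed allowlist, as well as binaries that run a tunnel under a name other than cloudflared; KNOWN_ACCOUNTS and SAMPLE_PROCESSES are constructed.

```python
import base64
import json
import shlex

# Cloudflare account tags the organization legitimately uses (constructed placeholder).
KNOWN_ACCOUNTS = {"11111111111111111111111111111111"}

def make_token(account, tunnel, secret):
    # Encode the way cloudflared does: base64 JSON with 'a' (account), 't' (tunnel), 's' (secret).
    return base64.b64encode(json.dumps({"a": account, "t": tunnel, "s": secret}).encode()).decode()

def decode_tunnel_token(token):
    """Return {'account', 'tunnel'} for a cloudflared token, or None if it is not one."""
    try:
        obj = json.loads(base64.b64decode(token + "=" * (-len(token) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(obj, dict) or not {"a", "t", "s"} <= obj.keys():
        return None
    return {"account": obj["a"], "tunnel": obj["t"]}

def token_from_cmdline(cmdline):
    # Accept both `--token VALUE` and `--token=VALUE` forms.
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "--token" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--token="):
            return arg.split("=", 1)[1]
    return None

def hunt(processes):
    """processes: iterable of (process_name, command_line) pairs. Returns findings."""
    findings = []
    for name, cmdline in processes:
        token = token_from_cmdline(cmdline)
        info = decode_tunnel_token(token) if token else None
        if info is None:
            continue
        if name != "cloudflared":
            findings.append(f"{name}: renamed cloudflared binary running tunnel {info['tunnel']}")
        if info["account"] not in KNOWN_ACCOUNTS:
            findings.append(f"{name}: tunnel belongs to unknown account {info['account']}")
    return findings

# Constructed process snapshot: one sanctioned tunnel, one renamed binary on a foreign account.
SAMPLE_PROCESSES = [
    ("cloudflared", "cloudflared tunnel run --token " + make_token("11111111111111111111111111111111", "tun-legit", "s1")),
    ("svchost.exe", "svchost.exe tunnel run --token=" + make_token("deadbeefdeadbeefdeadbeefdeadbeef", "tun-evil", "s2")),
    ("python3", "python3 -m http.server 8080"),
]
```
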
🧑‍💻

Launches & Tools

From Audit Chaos to Continuous Compliance (Sponsor)

As your business evolves, so do risk & compliance challenges. Drata's AI-Native Trust Management platform simplifies oversight, keeps you ahead of regulations, and ensures you never miss a requirement. Scale faster. Stay compliant. Sleep better. Get a personalized demo of Drata's Trust Management Platform today. Get started

Loris (GitHub Repo)

Loris is a stateful fuzz testing framework designed to explore and analyze baseband firmware.

Frida 17.2.0 Released (3 minute read)

Frida is a dynamic toolkit for reverse engineering, security research, and runtime analysis across various platforms and languages. Version 17.2.0 focuses on simplifying package discovery with the `frida-pm` CLI tool. The release features a streamlined package manager for easily searching and installing Frida-specific packages using `frida-pm search` and `frida-pm install`, even without Node.js.

pycti-mcp (GitHub Repo)

This is an MCP (Model Context Protocol) server for pycti that provides a front-end interface to OpenCTI threat intelligence data. The server condenses and normalizes OpenCTI data into JSON format for LLMs, making field names more verbose and resolving GraphQL-linked entities to provide better response context. It includes three main tools for looking up observables, adversaries, and reports in OpenCTI, and can run either as a TCP server or STDIO server.

🎁

Miscellaneous

5 Lessons Learned as Incident Commander of the Biggest Security Incident of My Career (7 minute read)

Ryan Cox shares lessons from leading the incident response for a high-stakes incident that stretched about a month. Cox stresses the importance of proactively establishing interdepartmental relationships so that during an incident, you have SMEs that you can rely upon. Cox also reminds incident commanders to avoid diving too deeply into tasks and losing the big picture. Lastly, Cox stresses the importance of having scalable processes around documentation and other often forgotten topics and conducting post-mortem root-cause analysis.

Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories (2 minute read)

A hacker group called Banana Squad hid malware in fake GitHub projects that looked like real tools. Their attacks stole sensitive data from thousands of computers before being discovered. Even though malware in open-source software dropped in 2024, attacks are getting smarter, so users need to be careful.

No, the 16 billion credentials leak is not a new data breach (4 minute read)

A huge leak of 16 billion credentials was reported, but it is just a collection of old stolen data, not a new breach. These credentials were taken by malware or past hacks and have been shared online for years.

Quick Links

Facebook Rolls Out Passkey Support to Fight Phishing Attacks (2 minute read)

Meta has announced plans to roll out passkey support to its Facebook apps "soon", with Messenger and other apps to follow.

Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War (3 minute read)

Hackers linked to Israel's Predatory Sparrow group stole and destroyed over $90 million in cryptocurrency from Iran's largest exchange, Nobitex.

Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages (2 minute read)

Scammers are placing fraudulent customer support numbers on legitimate websites such as Apple, Netflix, and PayPal, using deceptive web addresses to make them look like they're part of the official help pages.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile
