Daily Cyber Briefing

Apple's $2 Million Bounty, Payroll Pirates, and the Takedown of GXC Team

Mike Housch Season 1 Episode 30

Host Mike Housch dissects Apple's massive $2 million bug bounty expansion, focusing on incentives for finding zero-click RCEs, and analyzes the high-stakes Salesforce customer data leaks claimed by the Scattered LAPSUS$ Hunters extortion group. We also cover critical warnings about the "Payroll Pirate" university salary attacks and the dismantling of the global GXC Team Crime-as-a-Service operation.

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast that keeps you ahead of the digital chaos. I’m your host, Mike Housch, and we have a jam-packed show today, covering everything from unprecedented bug bounties to targeted university payroll attacks and a major organized crime bust.

Segment 1: Apple’s $2 Million RCE Bounty

Let’s kick things off with a massive number out of Cupertino. Apple is announcing a major expansion and redesign of its bug bounty program, including doubling the maximum payouts and introducing a more transparent reward structure. Since the program launched in 2020, Apple has reportedly awarded $35 million to 800 security researchers.

But here is the headline: The highest reward has been doubled to $2 million. That massive payday is reserved for reporting vulnerabilities that can lead to zero-click remote compromise. We're talking about flaws similar to those used in mercenary spyware attacks, where no user interaction is required. And get this—payouts can go even higher, potentially reaching $5 million through their bonus system.

Apple stated that this is an "unprecedented amount in the industry" and the largest payout offered by any bounty program they are aware of. That bonus system provides additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, which can more than double the base reward.

What else is paying big? A one-click remote attack is worth $1,000,000, as is a wireless proximity attack. That wireless proximity award was upped from $250,000 previously. Other seven-figure payouts are offered for broad unauthorized iCloud access or a WebKit exploit chain leading to unsigned arbitrary code execution.

Interestingly, Apple noted that they have never received a report demonstrating a complete Gatekeeper bypass with no user interaction or broad unauthorized iCloud access. So those are clearly high-challenge targets for bug bounty hunters.

Apple expects these increased awards to have a significant impact on the development of sophisticated attack chains from spyware vendors, incentivizing researchers to report issues rather than selling them privately. To further support this effort, for 2026, Apple plans to distribute a thousand secured iPhone 17 devices to members of civil society organizations at higher risk of being targeted by mercenary spyware.


Segment 2: Salesforce Customer Data Leak

Moving now to a major incident involving third-party risk. The Scattered LAPSUS$ Hunters extortion group has leaked millions of records allegedly stolen in a recent campaign targeting Salesforce customers. This leak occurred shortly after the group—an offshoot of the notorious Lapsus$, Scattered Spider, and ShinyHunters—claimed they stole data from 39 Salesforce customers and threatened a leak unless the CRM provider paid a ransom.

Salesforce, for their part, refused to pay the ransom, stating the attempt was related to "past or unsubstantiated incidents".

The hackers then published data on their Tor-based leak site allegedly pertaining to major companies, including Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines. The Australian airline Qantas confirmed they are analyzing the leak with cybersecurity experts, having previously stated in July that roughly 6 million customers might have been affected. This breach stemmed from the attackers hitting a third-party platform used by one of Qantas’s contact centers, leading to the exfiltration of names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.

We also saw specific numbers emerge for Vietnam Airlines: the leak includes data associated with roughly 7.3 million accounts, covering names, email addresses, phone numbers, dates of birth, and loyalty program details. This information was reportedly stolen from the company’s Salesforce instance back in June of this year.

While the hackers named 39 victims initially, they only leaked the data of six organizations. When questioned about the remaining data, Scattered LAPSUS$ Hunters reportedly said they "can’t leak" any more data. This highlights the ongoing complexities of verifying attacker claims.


Segment 3: Payroll Pirates Hit Universities

Next up, let's talk about a highly effective and financially devastating attack hitting the education sector. Microsoft’s Threat Intelligence team has sounded the alarm over a financially motivated cybercrime spree they track as Storm-2657, which has been looting US university salaries since March 2025. Microsoft has dubbed this operation the "payroll pirate".

The core of the attack is leveraging compromised HR and email accounts to quietly change payroll settings, redirecting paychecks into attacker-controlled bank accounts. It’s a classic move: compromise the victim, not the system itself.

Storm-2657 initiates the campaign with phishing emails designed to harvest multi-factor authentication, or MFA, codes using Adversary-in-the-Middle, or AiTM, techniques. Once inside Exchange Online accounts, they insert malicious inbox rules designed to hide or delete HR messages. Then, they use the stolen credentials and Single Sign-On, or SSO, integrations to access HR software like Workday and tweak the direct deposit information. Microsoft is stressing that this doesn't exploit a flaw in Workday; the weak points are poor MFA hygiene and sloppy configurations.

Since March 2025, Microsoft has observed 11 successfully compromised accounts at three universities, which were then used to send phishing emails to nearly 6,000 email accounts across 25 universities. These phishing lures were crafted with chilling academic precision, mimicking fake HR updates, faculty misconduct reports, or notes about illness clusters.

The key defense here, according to Microsoft, is to ditch passwords altogether and adopt phishing-resistant methods such as FIDO2 keys or passkeys. For CISOs listening, detecting this requires cross-system visibility, correlating telemetry between Exchange Online and Workday, and watching for suspicious MFA enrollments and new inbox rules referencing "@myworkday.com". It’s a crucial reminder that payday is a prime target.
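To make that cross-system correlation concrete, here is an added detection sketch (not Microsoft's or the show's code) that flags a newly created inbox rule hiding Workday or payroll mail and escalates it when the same user registered a new MFA method shortly before. The audit records, field names and the 72-hour window are constructed for the example, not the real Exchange Online or Entra ID schema.

```python
"""Detection sketch for the Storm-2657 pattern: a new inbox rule that hides
HR/Workday mail, correlated with a recent MFA method registration.
Constructed sample events; field names are simplified, not the real schema."""
from datetime import datetime, timedelta

# Constructed sample audit records (simplified Exchange Online / Entra ID fields).
AUDIT_EVENTS = [
    {"ts": "2025-09-02T08:10:00", "user": "jdoe@uni.example",
     "op": "User registered security info", "detail": "Authenticator app"},
    {"ts": "2025-09-02T08:25:00", "user": "jdoe@uni.example",
     "op": "New-InboxRule",
     "detail": "Name:'.' FromAddressContainsWords:'@myworkday.com' DeleteMessage:True"},
    {"ts": "2025-09-03T11:00:00", "user": "asmith@uni.example",
     "op": "New-InboxRule",
     "detail": "Name:'Digest' SubjectContainsWords:'newsletter' MoveToFolder:'Reading'"},
    {"ts": "2025-08-20T09:00:00", "user": "asmith@uni.example",
     "op": "User registered security info", "detail": "Phone"},
]

HR_KEYWORDS = ("@myworkday.com", "payroll", "direct deposit")
HIDE_ACTIONS = ("DeleteMessage:True", "MarkAsRead:True", "MoveToFolder:'Archive'",
                "MoveToFolder:'RSS Subscriptions'")

def is_hr_hiding_rule(detail: str) -> bool:
    """A rule that matches HR-related mail and also deletes, marks read or buries it."""
    low = detail.lower()
    return any(k in low for k in HR_KEYWORDS) and any(a in detail for a in HIDE_ACTIONS)

def correlate(events, window_hours: int = 72):
    """Return one finding per HR-hiding rule; severity is 'high' when the same user
    registered an MFA method inside the look-back window before the rule was created."""
    parse = lambda e: datetime.fromisoformat(e["ts"])
    mfa = {}
    for e in events:
        if e["op"] == "User registered security info":
            mfa.setdefault(e["user"], []).append(parse(e))
    findings = []
    for e in events:
        if e["op"] != "New-InboxRule" or not is_hr_hiding_rule(e["detail"]):
            continue
        rule_ts = parse(e)
        recent = [t for t in mfa.get(e["user"], [])
                  if timedelta(0) <= rule_ts - t <= timedelta(hours=window_hours)]
        findings.append({"user": e["user"], "rule_ts": e["ts"],
                         "mfa_ts": max(recent).isoformat() if recent else None,
                         "severity": "high" if recent else "medium"})
    return findings

if __name__ == "__main__":
    for finding in correlate(AUDIT_EVENTS):
        print(finding)
```

In a real deployment the same logic would run over Search-UnifiedAuditLog output and Entra ID sign-in/registration logs rather than the inline records.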


Segment 4: Malware and Cybercrime Busts

We have a quick roundup of malware threats.

First, meet ChaosBot, a new Rust-based backdoor that allows threat actors to conduct reconnaissance and execute arbitrary commands on compromised PCs. What makes ChaosBot interesting is its abuse of Discord for command-and-control (C2). The operator, known by the online moniker "chaos_00019," issues commands like shell, scr (for screenshots), download, and upload through a Discord channel created with the victim’s computer name. ChaosBot is distributed either through compromised VPN/Active Directory credentials or via phishing messages using malicious LNK files. Relatedly, a new C++ variant of Chaos Ransomware has emerged, introducing destructive capabilities to irrevocably delete large files (over 1.3 GB) and manipulate clipboard content to steal cryptocurrency.

Second, we have ClayRat, new Android spyware that is luring potential victims by posing as popular apps like WhatsApp, TikTok, Google Photos, and YouTube. This malware is largely targeting Russian users via Telegram channels and malicious websites. Once active, ClayRat is highly invasive, capable of stealing SMS messages and call logs, capturing notifications, taking front-camera pictures, and even making phone calls. It also achieves mass propagation by automatically harvesting contacts and sending SMS messages to every contact.

Finally, a win for law enforcement: Spanish authorities have dismantled the 'GXC Team' Crime-as-a-Service (CaaS) operation. They arrested 25-year-old Brazilian national GoogleXcoder, the alleged administrator. This operation provided complete phishing services to cybercriminals, including phishing kits targeting banks and governments, an SMS-stealing Android trojan, and tools for AI-supported voice scams. Authorities noted that one of the group’s Telegram channels was brazenly named ‘Steal everything from grandmas,’ reflecting their ruthless approach.


Segment 5: Browser and OS Hygiene

Now, a couple of crucial notes on digital hygiene and platform security.

Microsoft revamped the Internet Explorer mode in Edge after receiving credible reports that threat actors were abusing this legacy feature as a backdoor. Attackers were using social engineering alongside unpatched zero-day exploits in IE’s JavaScript engine, Chakra, to trick users into reloading a page in IE mode. This allowed them to execute remote code, elevate privileges, and break out of the browser’s security confines to deploy malware or exfiltrate data. Microsoft has now locked this down by removing the dedicated toolbar buttons and context menu items. Users must now explicitly enable IE mode via settings on a case-by-case basis, ensuring the decision to use legacy technology is "significantly more intentional".

In browser news, Google is updating Chrome to automatically revoke notification permissions for websites that haven't been visited recently. This is an attempt to reduce "alert overload," as they found less than 1% of the high volume of notifications generated any user engagement. If you haven't been to a site, Chrome might turn off its alerts, though you can re-grant permission easily.

And a critical reminder for Windows users: Microsoft warned that Windows 11 23H2 Home and Pro editions will reach end of servicing on November 11, 2025. That means the November 2025 monthly security update will be the last one available. If you're running these versions, you need to upgrade to Windows 11 24H2 immediately to maintain protection against the latest threats.

Finally, a quick warning about a nasty smishing campaign: Fake 'Inflation Refund' texts are targeting New Yorkers. These texts pose as the Department of Taxation and Finance, urging recipients to click a link to provide payment information for a supposed "Inflation Refund". Governor Kathy Hochul’s office clarified that New Yorkers do not need to apply or provide any personal information to receive the legitimate refund checks. If you get one of these texts, report it and definitely do not click the link.


Segment 6: Wrap Up and CISO Insights

What do these stories tell us? They underscore the high stakes we're seeing across the industry, whether it's Apple paying unprecedented amounts to secure against zero-click RCEs, or threat actors like Storm-2657 demonstrating how easily they can pivot from MFA phishing to financial fraud.

If you are a senior cybersecurity leader, remember that security validation is key. We saw several references in the sources to events like the Picus Breach and Attack Simulation Summit focusing on how AI-powered BAS is transforming security validation. This continuous validation is crucial for managing the complex threats we discussed, especially supply chain risks like the Salesforce breach or system integrity risks like the exploited IE Mode.


That’s all the time we have for this week. Thank you for tuning into Cyber Scoops & Digital Shenanigans. Stay vigilant, stay patched, and we'll catch you next time.