Today on CISO Series…
- Join us LIVE at 1pm ET / 10am PT for Super Cyber Friday, “Hacking Trust in Security”
- Join us LIVE at 4pm ET / 1pm PT for “Department of Know”
- Video: “NIST’s NVD is Playing Triage Now”
In today’s cybersecurity news…
Cosmetics giant Rituals discloses data breach
The company, based in the Netherlands, says attackers stole “personal information of an undisclosed number of customers from its ‘My Rituals’ membership database” during a breach discovered earlier this month. “No passwords or payment information was accessed,” company representatives stated. Though the company did not say how many members of its loyalty program had been affected, the program has 41 million members worldwide. No details about the nature of the cyberattack or the group responsible have been released.
Apple fixes iOS flaw exploited by the FBI
Apple has released an urgent iOS update to fix a security flaw that was reportedly used by the FBI to recover deleted messages. The issue wasn’t in apps like Signal itself, but in the iPhone’s notification system, which stored message previews even after messages were deleted or the app was removed. Investigators were able to access these remnants through the device’s internal database. Apple patched the vulnerability in its latest updates to prevent this kind of data recovery. The case highlights how system-level data can persist beyond user expectations, raising ongoing concerns about privacy, encryption, and how “deleted” data is actually handled on modern devices.
(ZDNet)
Hacker group impersonates IT helpdesk via Microsoft Teams to deploy malware
A group tracked as UNC6692 has been using social engineering via Microsoft Teams to deploy a custom malware suite on compromised hosts. Researchers from Mandiant said, “As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization.” The group’s modus operandi is to run a large email campaign that floods a target’s inbox with spam, creating a false sense of urgency, and then to approach the target over Microsoft Teams with a message claiming to be from the IT support team offering help with the email bombing problem. Borrowing heavily from Black Basta, the group has been deploying tools from the SNOW malware ecosystem.
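The sequence described above (an inbox flooded with spam, followed shortly by a Teams chat invitation from an account outside the organization) is a pattern that can be correlated in a SIEM. The following is an added example, not code from Mandiant or from the original article; it runs over constructed sample events whose field names (`ts`, `type`, `user`, `sender`), thresholds, and domains are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a rough SIEM-export shape. Field names and
# values are assumptions for this example, not a real log format.
def build_sample_events():
    events = []
    # alice: 250 inbound mails in ~17 minutes (the "email bombing" phase),
    # then an external Teams chat invite posing as the helpdesk.
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(250):
        events.append({"ts": (t0 + timedelta(seconds=4 * i)).isoformat(),
                       "type": "mail_in", "user": "alice@corp.example"})
    events.append({"ts": "2024-05-01T09:30:00", "type": "teams_chat_invite",
                   "user": "alice@corp.example",
                   "sender": "helpdesk@outlook-support.example"})
    # bob: normal mail volume and an invite from the real internal IT account.
    for i in range(3):
        events.append({"ts": (t0 + timedelta(minutes=10 * i)).isoformat(),
                       "type": "mail_in", "user": "bob@corp.example"})
    events.append({"ts": "2024-05-01T09:40:00", "type": "teams_chat_invite",
                   "user": "bob@corp.example", "sender": "it-support@corp.example"})
    # carol: an external invite, but no preceding flood, so no alert.
    for i in range(2):
        events.append({"ts": (t0 + timedelta(minutes=15 * i)).isoformat(),
                       "type": "mail_in", "user": "carol@corp.example"})
    events.append({"ts": "2024-05-01T10:00:00", "type": "teams_chat_invite",
                   "user": "carol@corp.example", "sender": "pm@partner.example"})
    return events

SAMPLE_EVENTS = build_sample_events()


def max_burst(times, window):
    """Largest number of sorted timestamps that fall inside any interval of length `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_helpdesk_lure(events, mail_threshold=100,
                         bomb_window=timedelta(minutes=30),
                         lure_window=timedelta(hours=2),
                         internal_domains=("corp.example",)):
    """Flag users who received an external Teams chat invite shortly after a mail flood.

    Thresholds are assumptions for the example; tune them to the environment.
    Returns one alert dict per (user, invite) pair that matches the pattern.
    """
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                    key=lambda pair: pair[0])

    # Index inbound-mail timestamps per recipient (already in time order).
    mail_times = defaultdict(list)
    for ts, e in parsed:
        if e["type"] == "mail_in":
            mail_times[e["user"]].append(ts)

    alerts = []
    for ts, e in parsed:
        if e["type"] != "teams_chat_invite":
            continue
        sender_domain = e["sender"].rsplit("@", 1)[-1].lower()
        if sender_domain in internal_domains:
            continue  # internal IT reaching out is expected; only external senders matter here
        # Only mail that arrived in the lure window before the invite counts.
        recent = [t for t in mail_times[e["user"]] if ts - lure_window <= t <= ts]
        burst = max_burst(recent, bomb_window)
        if burst >= mail_threshold:
            alerts.append({"user": e["user"], "invite_ts": e["ts"],
                           "sender": e["sender"], "burst": burst})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_lure(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}: {alert['burst']} mails before external "
              f"Teams invite from {alert['sender']} at {alert['invite_ts']}")
```

The burst check is deliberately separate from the lure window: a user who legitimately receives heavy mail all day should not trip the rule, whereas hundreds of messages compressed into a few minutes followed by an unsolicited external chat is the combination worth surfacing. Pairing this with tenant settings that restrict unsolicited external Teams chat, and with user guidance that internal IT never initiates support over an external account, reduces both the signal and the risk.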
Some Microsoft Teams users blocked from meetings following Edge update
Following up on a story we covered on Monday, another problem has emerged from a recent Microsoft Edge browser update, this one a bug that prevents Windows users from joining Teams meetings. According to an incident report, the issue affects only users who try to join scheduled meetings or meetings via links. Microsoft has advised affected users to, essentially, turn the Teams client off and back on again.
Huge thanks to our episode sponsor, ThreatLocker
Sean Plankey withdraws from consideration for CISA director position
According to sources, Plankey has withdrawn from consideration after “his nomination stalled for more than a year in the Senate.” Thirteen months passed without any clear approval from the Senate. Among the troubles that plagued Plankey during this period was the announcement from Sen. Ron Wyden (D-OR) who said he would “block a vote to confirm Plankey due to CISA’s refusal to publicly release an unclassified report on cyber weaknesses in the U.S. telecom industry.” CISA is “currently being run by Acting Director Nick Andersen, and it is unclear who the current administration will now nominate to lead the agency going forward.”
Medical data of 500,000 British citizens for sale on Chinese website
According to a spokesperson for the UK government speaking yesterday, the data was for sale on the e-commerce website Alibaba. The data belonged to the UK Biobank charity and “includes genetic sequences, blood samples, medical scans and lifestyle information.” In its legitimate usage, scientists working at universities or in the private sector can obtain access to this database for research purposes after signing security contracts. Science minister Ian Murray told the House of Commons that the listings were removed before any sales on the e-commerce platform were made. Three research institutions have been identified as the source of the posting, and their access to the data has been revoked. Murray emphasized, “This was not a leak. This was a legitimate download by a legitimately accredited organization.”
Another npm supply chain worm leaves its mark
According to researchers at Socket and StepSecurity, a “self-propagating CanisterWorm-style malware strain hit multiple npm packages tied to Namastex Labs, an agentic AI company.” This worm appears to target specialized developer workflows rather than broad consumer npm usage. It shares significant overlap with the open-source infections attributed to TeamPCP following their Trivy supply chain attack last month.
Trigona ransomware uses custom exfiltration tool to steal data
Researchers at cybersecurity company Symantec state that recently observed Trigona ransomware attacks are “using a custom, command-line tool to steal data from compromised environments faster and more efficiently.” The researchers say the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.” It was thought that Ukrainian cyber activists had disrupted the Trigona operation in October 2023, but Symantec’s report suggests that the threat actors have resumed operations.
Subscribe to Cybersecurity Headlines podcast
Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search “Cybersecurity Headlines” on your favorite podcast app.