Cybersecurity Headlines

Rituals cosmetics breach, FBI iOS flaw fixed, Teams Helpdesk impersonation

Apr 24, 2026
Summary

This episode covers major cybersecurity incidents including a Rituals cosmetics data breach affecting millions of loyalty program members, Apple's patch for an iOS flaw exploited by the FBI, and a sophisticated social engineering campaign by hacker group UNC6692 impersonating IT helpdesk staff via Microsoft Teams to deploy malware.

Insights
  • System-level data persistence on devices creates privacy risks beyond user expectations, as demonstrated by Apple's iOS notification preview vulnerability
  • Social engineering via trusted communication platforms (Microsoft Teams) remains highly effective for initial access and malware deployment
  • Supply chain attacks continue evolving with self-propagating worms targeting specialized developer workflows rather than broad consumer usage
  • Ransomware operators are investing in custom proprietary tools to maintain lower profiles during critical attack phases
  • Data breaches at scale (41M+ members) often lack transparency about attack vectors and responsible parties, limiting defensive learning
Trends
  • Increased sophistication in social engineering tactics leveraging internal communication tools
  • Persistent data recovery vulnerabilities in consumer devices despite encryption claims
  • Supply chain attacks shifting from broad targets to specialized developer ecosystems
  • Ransomware operators developing custom exfiltration tools for operational security
  • Geopolitical data theft targeting sensitive research and medical information
  • Regulatory gridlock affecting cybersecurity leadership appointments and policy implementation
  • NPM ecosystem vulnerability to self-propagating malware strains
  • Threat actor resurgence after perceived disruption (Trigona ransomware)
Topics
  • Data Breach Response and Transparency
  • iOS Security Vulnerabilities
  • Social Engineering via Microsoft Teams
  • Malware Deployment Tactics
  • Supply Chain Security in NPM Ecosystem
  • Ransomware Exfiltration Tools
  • Medical Data Protection
  • Zero Trust Network Access
  • CISA Leadership Confirmation
  • Deleted Data Recovery Methods
  • IT Helpdesk Impersonation
  • Browser Update Security Issues
  • Genetic Data Protection
  • Custom Malware Development
Companies
Rituals
Netherlands-based cosmetics company that disclosed a breach of its MyRituals loyalty database, which has 41M members worldwide; the number of affected members was not disclosed
Apple
Released urgent iOS update to patch security flaw used by FBI to recover deleted messages from notification system
Microsoft
Microsoft Teams platform exploited by UNC6692 for social engineering; Edge browser update caused Teams meeting access...
Mandiant
Security research firm that identified UNC6692 hacker group's social engineering tactics via Microsoft Teams
FBI
Used iOS notification system vulnerability to recover deleted messages; prompted Apple's security patch
Alibaba
E-commerce platform where UK Biobank medical data for 500,000 British citizens was listed for sale
UK Biobank
Charity whose genetic sequences, blood samples, and medical scans data was illegally posted on Alibaba
Namastex Labs
Agentic AI company whose NPM packages were targeted by self-propagating canister worm malware
Socket
Security research firm that identified NPM supply chain worm targeting Namastex Labs packages
Step Security
Security research firm that identified NPM supply chain worm targeting Namastex Labs packages
Symantec
Cybersecurity company that reported Trigona ransomware using custom command-line exfiltration tool
CISA
Cybersecurity agency whose director nomination (Sean Plankey) stalled over telecom vulnerability report disclosure
People
Steve Prentice
Host and reporter for Cybersecurity Headlines episode
Sean Plankey
Withdrew from consideration for CISA director position after Senate confirmation stalled for 13 months
Ron Wyden
Oregon Senator who blocked confirmation vote for CISA director nominee over telecom vulnerability report
Nick Anderson
Currently serving as acting director of CISA following Plankey's withdrawal
Ian Murray
Addressed House of Commons regarding UK Biobank data posted on Alibaba; confirmed no sales occurred
Quotes
"as with many other intrusions in recent years UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization"
Mandiant Researchers
"a custom command line tool to steal data from compromised environments faster and more efficiently"
Symantec Researchers
"investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks"
Symantec Researchers
"this was not a leak, this was a legitimate download by a legitimately accredited organization"
Ian Murray, UK Science Minister
"The issue was not in the apps like Signal itself, but in the iPhone's notification system, which stored message previews even after messages were deleted or even if the app was removed"
Steve Prentice
Full Transcript
From the CISO Series, it's Cybersecurity Headlines. These are the Cybersecurity Headlines for Friday, April 24th, 2026. I'm Steve Prentice.

Cosmetics giant Rituals discloses data breach. The company, based in the Netherlands, said attackers stole personal information of an undisclosed number of customers from its MyRituals membership database during a breach that was discovered earlier this month. No passwords or payment information was accessed, company representatives stated. Though the company did not say how many members of its loyalty program had been affected, there are 41 million members connected to it worldwide. No details about the nature of the cyber attack or the group responsible have yet been released.

Apple fixes iOS flaw exploited by the FBI. Apple has released an urgent iOS update to fix a security flaw that was reportedly used by the FBI to recover deleted messages. The issue was not in the apps like Signal itself, but in the iPhone's notification system, which stored message previews even after messages were deleted or even if the app was removed. Investigators were able to access these remnants through the device's internal database. Apple has patched the vulnerability in its latest updates to prevent this kind of data recovery from happening again. The case highlights how system-level data can persist beyond user expectations, raising ongoing concerns about privacy, encryption, and how deleted data is actually handled on modern devices.

Hacker group impersonates IT helpdesk via Microsoft Teams to deploy malware. A group named UNC6692 has been using social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. Researchers from Mandiant said, quote, "as with many other intrusions in recent years UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization," end quote. The modus operandi of this group was to conduct a large email campaign designed to overwhelm a target's inbox with spam emails, creating a false sense of urgency, and then approaching the target over Microsoft Teams by sending a message claiming to be from the IT support team to offer assistance with the email bombing problem. Borrowing heavily from Black Basta, this group has been using this technique to deploy tools from the Snow malware ecosystem.

Some Microsoft Teams users blocked from meetings following Edge update. Following up on a story we covered on Monday regarding right-click-paste problems, another problem has now emerged from a recent Microsoft Edge browser update, this one featuring a bug that prevents Windows users from joining Teams meetings. According to an incident report, this issue affects only users who try to join scheduled meetings or meetings via links. Microsoft has advised affected users to basically turn the Teams client off and then back on again.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is extending zero trust beyond endpoint control. With their recent release of zero trust network access and zero trust cloud access, access is limited to exactly what's needed. Learn more and start your free trial today at threatlocker.com.

Sean Plankey withdraws from consideration for CISA director position. According to sources, Plankey has withdrawn from consideration after his nomination stalled for more than a year in the Senate. Thirteen months passed without any clear approval from the Senate, and among the troubles that plagued Plankey during this period was the announcement from Senator Ron Wyden of Oregon, who said, quote, he would block a vote to confirm Plankey due to CISA's refusal to publicly release an unclassified report on cyber weaknesses in the US telecom industry. CISA is currently being run by acting director Nick Anderson, and it is unclear who the current administration will now nominate to lead the agency going forward.

Medical data of 500,000 British citizens for sale on Chinese website. According to a spokesperson for the UK government speaking yesterday, Thursday, the data was for sale on e-commerce website Alibaba. The data belongs to the UK Biobank charity and includes genetic sequences, blood samples, medical scans and lifestyle information. In its legitimate usage, scientists working at universities or in the private sector can obtain access to this database for research purposes after signing security contracts. Science Minister Ian Murray told the House of Commons that the listings were removed before any sales on the e-commerce platform were made. Three research institutions have been identified as the source of the posting and their access to the data has been revoked. Murray emphasized, quote, "this was not a leak, this was a legitimate download by a legitimately accredited organization," end quote.

Another NPM supply chain worm leaves its mark. According to researchers at Socket and Step Security, a self-propagating canister worm-style malware strain hit multiple NPM packages tied to Namastex Labs, which is an agentic AI company. This worm appears to target specialized developer workflows rather than broad consumer NPM usage. It shares significant overlap with the open infections attributed to Team PCP last month following their Trivi supply chain attack of March.

Trigona ransomware uses a custom exfiltration tool to steal data. Researchers at cybersecurity company Symantec state the recently observed Trigona ransomware attacks, that is T-R-I-G-O-N-A, are using, quote, "a custom command line tool to steal data from compromised environments faster and more efficiently," end quote. These researchers say that the shift to a custom tool may indicate that the attacker is, quote, "investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks," end quote. It was thought that Ukrainian cyber activists had disrupted the Trigona operation in October of 2023, but Symantec's report suggests that the threat actors resumed operations.

It's Friday, and that means you have to join us for the Department of Know livestream. We are live every Friday at 4pm Eastern on our YouTube channel. If you have never joined us, each week we have two security experts on, helping you to understand how the news of the week will impact your security program. So set a calendar reminder and join us for the fun later today at 4 p.m. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback at CISOseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series. Head to CISOseries.com for the full stories behind the headlines.