Cybersecurity Today

ShareFile explained, healthcare in critical cyber condition and click fix tops malware charts

14 min
Jul 15, 20263 days ago
Listen to Episode
Summary

This episode covers critical cybersecurity incidents including Progress Software's ShareFile vulnerability requiring emergency patching, a year-long Salesforce breach campaign by Shiny Hunters exploiting OAuth connections, healthcare sector's inability to remediate vulnerabilities faster than they're discovered, and ClickFix malware delivery becoming the dominant attack vector across platforms.

Insights
  • OAuth-based attacks on SaaS platforms bypass traditional security controls by abusing legitimate integrations rather than exploiting code vulnerabilities, making them harder to detect and prevent
  • Healthcare organizations face a critical capacity gap where vulnerability discovery now outpaces remediation ability by 4x, creating systemic risk across interconnected hospital networks
  • ClickFix's success relies on social engineering rather than technical exploits, making it resilient against signature-based defenses but vulnerable to user security awareness training
  • Legacy infrastructure and forgotten credentials pose enterprise-scale risks, as demonstrated by both the Telstra outage and Clue breach, requiring inventory and lifecycle management discipline
  • The two-week CVE embargo period is becoming strategically important as AI can generate working exploits from public advisories in under 15 minutes, creating a narrow patching window
Trends
OAuth token theft and abuse emerging as primary attack vector against SaaS platforms, bypassing traditional vulnerability-based security modelsHealthcare cybersecurity crisis deepening with 60% increase in critical vulnerabilities year-over-year while remediation capacity declinesClickFix malware delivery technique maturing into full commercial ecosystem with subscription-based kits, now dominant malware delivery methodmacOS security posture degrading as attackers adapt techniques to cross-platform delivery, eliminating historical platform differentiationLegacy infrastructure and forgotten credentials becoming critical risk factors in major outages, highlighting asset management gapsThird-party vendor risk in healthcare multiplying 6x year-over-year, creating cascading breach potential across provider networksIdentity and access control vulnerabilities in healthcare reaching crisis levels with 92% of domains having unchanged admin passwords for 3+ yearsAI-assisted exploit generation reducing time-to-weaponization for disclosed vulnerabilities, compressing patching windowsGuest access misconfiguration emerging as overlooked attack surface in SaaS environmentsPhishing simulation data showing ClickFix has lowest click-through rate but highest command execution risk among attack types
Companies
Progress Software
Issued emergency shutdown alert for ShareFile due to critical path traversal vulnerability in storage zone controller...
Microsoft
Published research mapping year-long Shiny Hunters campaign exploiting OAuth connections in Salesforce environments t...
Salesforce
Targeted by Shiny Hunters data extortion crew through OAuth abuse and guest access misconfiguration; shipped new moni...
Google
Affected by Shiny Hunters phone-based OAuth consent attack; estimated 700+ organizations exposed through SalesLoft ve...
Cloudflare
Cybersecurity firm exposed through SalesLoft breach, which compromised OAuth tokens to downstream Salesforce instances
Zscaler
Cybersecurity firm exposed through SalesLoft breach affecting 700+ organizations with OAuth token compromise
Palo Alto Networks
Cybersecurity firm exposed through SalesLoft breach affecting 700+ organizations with OAuth token compromise
SalesLoft
Vendor breach in August compromised OAuth access tokens, enabling attackers to query downstream Salesforce instances ...
Clue
Competitive intelligence platform breached through legacy test credential, exposing customer Salesforce data includin...
Fortified Health Security
Published mid-year report showing healthcare providers fixed only 6% of identified risks while discovering 60% more c...
Change Healthcare
Referenced as example of supply chain breach cascading across healthcare industry, illustrating vendor risk amplifica...
ReversingLabs
Analyzed 4,000+ ClickFix samples, documenting maturation of click-fix criminal ecosystem and payload evolution
ReliaQuest
Identified ClickFix as single most common malware delivery method March-May; tracked cross-platform expansion to macOS
Boeserman Security
Conducted phishing simulations showing ClickFix has 1.5% click rate but highest command execution risk among attack t...
Telstra
Australian telecommunications provider suffered major outage from 20-year-old GPS rollover bug in discontinued Symmet...
Apple
Added terminal command scanning feature; attackers adapted ClickFix to use Script Editor instead, demonstrating cross...
Chanel
Major brand affected by Shiny Hunters phone-based OAuth consent attack posing as IT support
Pandora
Major brand affected by Shiny Hunters phone-based OAuth consent attack posing as IT support
People
David Shipley
Hosted the episode covering major cybersecurity incidents and industry trends
Vicki Brady
Admitted Telstra knew about GPS rollover bug in discontinued server that caused national telecommunications outage
Quotes
"Researchers demonstrated last year that threat actors can feed a CVE advisory into an AI system and get working proof-of-concept exploit code back in under 15 minutes and for less than a dollar."
David Shipley~3:30
"Probability doesn't change responsibility, and nor does it change the massive impact of a healthcare attack."
David Shipley~15:00
"ClickFix is optimized to beat machines and as shown by the prior research it clearly does. But the human layer can be a different story."
David Shipley~18:30
"Hospital systems under attack or shut down to prevent an attack reduce capacity by up to 90%, and that can have dramatic impacts on patient outcomes."
David Shipley~14:45
"The technique that can slip by antivirus doesn't slip by a well-trained person."
David Shipley~19:30
Full Transcript
Cyber Security Today is brought to you by NordLayer. Teams today work across multiple tools and devices, but security often remains fragmented. And this is exactly what NordLayer can help you address. NordLayer gives your company centralized control over access by individuals and teams and keeps connection secure from anywhere with no additional hardware required. Visit nordlayer.com slash cybersecurity today and use the discount code NLSUMMER26 for a special discount on your purchase. The share file shutdown gets an explanation. A year of Salesforce break-ins, hospitals are finding far more security holes than they can close. The scam that talks you into hacking yourself is now the number one way malware gets in. And in Australia, a 20-year-old server takes down a national telecommunications network. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started. The emergency share file shutdown was the result of a previously unknown critical vulnerability. And the good news is, there's now a patch out. Progress Software has confirmed the trigger for their alert. A new, previously unknown, high-severity path traversal flaw affecting every 5.x and 6.x version of their storage zone controller. Customers need to apply that fix before bringing the sharefile storage zone controller back online. On Monday, we covered the initial news. Progress telling their customers to power down the servers, citing a credible external threat. with no known CVE associated and no timeline provided. The read at the time was that that kind of shutdown order usually means there's no patch immediately available or worse, there might be a problem that couldn't be solved. Progress has now provided the answer and the good news is it can be fixed. According to reporting by Bleeping Computer, an authenticated administrative user could read arbitrary files, write attacker-controlled content into arbitrary directories, or map out the server's file system. The fixes are out for versions 5.12.5 and 6.0.2. Install them, and the controllers can come back online. There's other good news here. Progress says it has no evidence that the flaw was used by criminals before its alert went out, and no sign of unauthorized access to any customer accounts or data, Bleeping Computer asked Progress whether the flaw was discovered internally or by an outside security researcher. So far, they haven't heard back. A CVE has been reserved, but Progress won't publish the details for at least a few weeks. And that may be wise. As we've reported, researchers demonstrated last year that threat actors can feed a CVE advisory into an AI system and get working proof-of-concept exploit code back in under 15 minutes and for less than a dollar. A two-week window before the technical details go live and public can give organizations much needed room to patch before criminal exploits arrive Microsoft has published a map of how attackers spent the past year walking into corporate Salesforce environments without exploiting a single flaw in Salesforce itself The research looks at a year of activity by the data extortion crew known as shiny hunters, and it sorts their activities into three major techniques. What all of these techniques share is that none of them required anything to be broken into from a code perspective. They abused trust that organizations had already extended, usually in the form of OAuth connections linking Salesforce to the apps and vendors around it. When the access comes from a real user who approved a genuine connected app, sign-in monitoring barely registered it. Path number one was a phone call. Attackers posing as IT support and they walked employees through Salesforce OAuth consent screen and got them to authorize a malicious app dressed up as Salesforce's own data loader. No malware, no stolen password, just a call and a few clicks. That wave hit Google's own Salesforce instance along with other major brands like Chanel and Pandora. Path number two skips the employee. It's about compromising a vendor whose app already holds OAuth access, steal those tokens, and then you query every downstream instance all at once, and you've got a ton of data. The sales loft drift breach last August is the clearest case of path number two. Google estimated it potentially exposed more than 700 organizations, including cybersecurity and IT firms like Cloudflare, Zscaler, and Palo Alto Networks. Pass number three didn't need stolen credentials. It abused guest access that was left misconfigured on Salesforce instances. Microsoft and Salesforce say they've shipped new tooling to catch what their logs previously may have missed. Connected app attribution, OAuth scope visibility, and a new risk score for integrations that people previously hadn't been paying enough attention to. In the most recent case in June, attackers got into competitive intelligence platform Clue through a legacy test credential that someone had left active and forgotten. Then they used it to read the Salesforce data of some of Clue's customers, including another batch of cybersecurity firms. We'll see how Shiny Hunters and others evolve as these new monitoring tools are rolled out. Healthcare providers fixed just 6% of their identified cybersecurity risks in the first half of 2026. Over the same time last year, they managed to deal with about 23%. That's the key finding from a new mid-year report by Fortified Health Security, and it describes a sector falling critically behind. The problem here isn't just about a catastrophic breach. It's the volume of security issues. Healthcare organizations logged 60% more critical and high-severity vulnerabilities this year than the year before, finding far more than they can keep up with from a remediation perspective. The report calls it visibility outpacing capacity. Two areas hurt healthcare the most. The first is the supply chain. Providers identified six times as many third risks as last year and nearly two of those third risks were critical or high Hospitals lean on dozens of vendors and as the change healthcare attack showed one supplier's breach can cascade across the entire industry. The second major area is identity. Providers found four times more access control vulnerabilities than a year ago, and 92% of healthcare network domains had at least one administrative account whose password hasn't changed in three years. Fortified's core recommendation is that hospitals and healthcare facilities have to drill for cyber attacks the way fire departments have to drill for fires, building the muscle memory and what to do before an emergency, not during it. The medical drama TV show The Pit gives a great example of what a cyber attack can look like and do to an ER in a major hospital. While these attacks don't happen every day, thankfully, hospitals and healthcare organizations have to train and equip for them anyway. As the report puts it, probability doesn't change responsibility, and nor does it change the massive impact of a healthcare attack. Hospital systems under attack or shut down to prevent an attack reduce capacity by up to 90%, and that can have dramatic impacts on patient outcomes as well as healthcare facilities in the surrounding area. ClickFix, the technique that talks users into infecting their own machines, has grown into a full criminal ecosystem, and it's slipping past technology defenses. That's the new picture from reversing labs research that analyzed more than 4,000 ClickFix samples. The mechanics behind a click-fix attack are becoming, sadly, all too familiar. A landing page mimics a CAPTCHA check or a critical software update, telling a victim to copy a command and paste it into the Windows Run box or the macOS terminal. There's no file download, no obvious vulnerability, and because it rides in using legitimate tools, each step can look like ordinary computer use, which is why some signature-based antivirus and endpoint detect and response keep missing this attack. Behind the click-fix technique is a maturing business model. Full click-fix kits are selling on underground forums from $250 a month up to $1,800 for a lifetime license. Luma Steeler is still the most common payload delivered by click-fix, but researchers are seeing more remote-access Trojans like Darkgate and Xworm that hand attackers live keyboard access. The scale of these attacks is rising. ReliaQuest, studying attacks from March through May, found that ClickFix was the single most common way criminals delivered malware during that time. It also watched the technique cross-platforms, delivering Atomic Stealer to Macs for the very first time. And when Apple added a feature that scans commands pasted into Terminal, the attacker simply rerouted to Trigger's script editor instead. ReliaQuest's advice here for enterprises? macOS can no longer be treated as lower risk than Windows. Data from Boeseran Security also adds to this picture ClickFix is optimized to beat machines and as shown by the prior research it clearly does But the human layer can be a different story Across roughly 7 million phishing simulations sent over the past year, click fix was the least clicked lure that was sent. About 1.5% click rate, well under the 5.7% click rate for credential capture phishing. And click fix was the most reported phish by our clients. When people did click, they ran the command line less often than they would fill out a login page and give up their credentials. And the users who consistently passed earlier phishing tests were the least likely to fall for click fix. The technique that can slip by antivirus doesn't slip by a well-trained person. Finally, we turn to Australia, where a 20-year-old server took down a national telecommunications network. Last Wednesday, Telstra suffered an outage that knocked out mobile connections, payment terminals, and train services. It also blocked 000, their emergency call line. More than 600 emergency callers couldn't get through. The cause, according to reporting by Information Age, a single obsolete time server, a Symmetricom sync server S300, discontinued back in 2016. It manages time across a network, and it hit a well-known GPS rollover bug. The internal weak counter maxes out roughly every 20 years and resets. This one rolled back to 2006, and that caused the network to lose sync. The server can be replaced for under $30,000. The outage could cost Telstra up to $30 million in fines under tougher rules brought in after last year's Optus breach. And Telstra CEO Vicki Brady has admitted the company knew about the flaw. Telstra executives will be in front of a Senate committee Friday to explain how a known problem in a discontinued server took down emergency calling. And that's Cybersecurity Today for Wednesday, July 15th. I've been your host, David Shipley. Thanks for listening. We appreciate all of your feedback. Feel free to drop by technewsday.com or .ca, or you can leave a comment under the YouTube video. We'll be back on Friday, July 17th with the latest headlines. Until then, stay safe. Once again, we'd like to thank NordLayer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. This is exactly what NordLayer can help you address. It provides a network security platform with easy-to-manage network access monitoring and control, and without additional hardware or complex infrastructure. NordLayer helps businesses of all sizes manage and secure access to company resources going beyond what traditional VPNs can offer. And it provides encrypted connectivity with visibility across your entire network environment. And did we mention no new hardware required? Visit nordlayer.com slash cybersecurity today and use the code NLSUMMER26 for a special discount during their summer sale.