Brief #123: $800K Pay Cut for Data Breach, Microsoft Azure Tokens Expose All Tenants, Steam Game Steals $150K

Nikoloz Kokhreidze

9 min read

Enterprise AI usage exploded 200% while organizations unknowingly run 320 Shadow AI apps. Cisco zero-days target government networks as state actors deploy reboot-surviving malware.

Happy Sunday! 

The Qantas CEO taking an $800K pay cut for a data breach feels like a turning point - finally seeing real accountability at the top instead of security teams taking all the heat.

In this week's brief:

  • A critical Azure flaw that could have given attackers silent access to any Microsoft tenant worldwide - thankfully patched quickly
  • Deepfake losses hit $347M this quarter alone, with incidents doubling every six months
  • Industry veterans are calling out the cybersecurity job shortage myth, saying most openings are just backfills

A quick note before we dive in.

Industry News

Verified Steam Game Steals Streamer's Cancer Treatment Donations

  • A verified Steam game called BlockBlasters was updated with a cryptodrainer component that stole $32,000 from a cancer patient's wallet during a fundraising livestream for his treatment.

  • Security researchers report the malware affected approximately 261-478 Steam users, stealing a total of $150,000, with victims being specifically targeted based on their cryptocurrency holdings.

  • The game contained sophisticated malware components including a Python backdoor and StealC payload that collected Steam login information and uploaded it to command and control servers.

Actor Tokens Vulnerability Allowed Complete Access to Every Entra ID Tenant

  • A critical vulnerability in the Azure AD Graph API failed to properly validate tenant origins when processing undocumented impersonation "Actor tokens" used by Microsoft for service-to-service communication, allowing attackers to access any Entra ID tenant globally with no logs or evidence.

  • The impact was catastrophic – an attacker could impersonate any user (including Global Admins) in any tenant, bypass Conditional Access policies, and make any modification to the directory without generating logs in the victim's tenant, effectively allowing complete Microsoft 365 and Azure resource compromise.

  • Microsoft fixed the issue within days of receiving the report on July 14, 2025, rolled out additional mitigations preventing applications from requesting these tokens, and issued CVE-2025-55241 to address this flaw that Microsoft's telemetry indicates was not exploited in the wild.
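The failure mode in the Actor tokens item, reduced to a constructed multi-tenant token check. This is an added illustration of the class of flaw (an impersonation token accepted without checking which tenant it was minted for), not Microsoft's code or the brief's own material; the token format, the claim names `tid`, `sub` and `act`, the tenant IDs and the audit log are all assumptions made for the example. The weak authorizer verifies only the signature, so a token issued for one tenant is accepted against another; the hardened one binds the token to the tenant being accessed, requires an explicit impersonation claim, and records the impersonation in the target tenant.

```python
"""
Constructed example of tenant-origin validation for impersonation tokens.
Not Microsoft's implementation: token format, claim names and tenant IDs are
assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret between the token issuer and the resource service.
SIGNING_KEY = b"example-shared-secret-do-not-reuse"

# Audit trail kept by the resource service; the hardened path writes to it so
# the tenant being accessed has a record of every impersonated request.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a signed impersonation token (simplified: HMAC over JSON claims)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature(token: str) -> dict:
    """Check the HMAC and return the claims; raises ValueError on tampering."""
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def authorize_weak(token: str, target_tenant: str) -> dict:
    """Weak check: signature only. A genuine token minted for tenant A is
    accepted against tenant B, and nothing is logged in tenant B."""
    claims = _verify_signature(token)
    return {"tenant": target_tenant, "acting_as": claims["sub"]}


def authorize_hardened(token: str, target_tenant: str) -> dict:
    """Hardened check: the token's tenant claim ('tid', an assumed name) must
    match the tenant being accessed, impersonation must be explicitly granted
    by the 'act' claim, and the impersonated access is audited."""
    claims = _verify_signature(token)
    if claims.get("tid") != target_tenant:
        raise PermissionError("token tenant does not match target tenant")
    if claims.get("act") is not True:
        raise PermissionError("token is not authorised to impersonate")
    AUDIT_LOG.append({"tenant": target_tenant, "acting_as": claims["sub"]})
    return {"tenant": target_tenant, "acting_as": claims["sub"]}


def outcome(authorizer, token: str, target_tenant: str) -> str:
    """Run an authorizer and report 'accepted' or the reason it refused."""
    try:
        authorizer(token, target_tenant)
        return "accepted"
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    # Constructed token: minted for tenant-a, then presented against tenant-b.
    tok = mint_token({"tid": "tenant-a", "sub": "svc-account", "act": True})
    print("weak, cross-tenant:    ", outcome(authorize_weak, tok, "tenant-b"))
    print("hardened, cross-tenant:", outcome(authorize_hardened, tok, "tenant-b"))
    print("hardened, same tenant: ", outcome(authorize_hardened, tok, "tenant-a"))
    print("audit entries:", AUDIT_LOG)
```

The two checks differ only in what they compare, which is the point: a signature proves the issuer minted the token, not that it was minted for the tenant now being accessed, and a service that stops at the signature has no reason to write a log line in the tenant that was actually touched.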

State-Sponsored Threat Actor Exploits Multiple Zero-Day Vulnerabilities in Cisco ASA and FTD Software

  • Cisco identified a state-sponsored threat actor actively exploiting multiple zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software for data exfiltration from government networks.

  • The three critical vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) allow attackers to execute arbitrary code, with the first two already under active exploitation in the wild and the third at high risk of imminent exploitation.

  • The U.K.'s NCSC identified RayInitiator (multi-stage bootkit) and LINE VIPER (shellcode loader) malware families being used in these attacks, with the malware designed to survive reboots and firmware upgrades.
