
A warning from the cloud.
CISA and FBI detail exploit chains used by Chinese hackers to compromise Ivanti Cloud Service Appliances. Energy systems in Central Europe use unencrypted radio signals. A critical SonicWall vulnerability is under active exploitation. The Nnice ransomware strain isn’t. Cisco discloses a critical vulnerability in its Meeting Management tool. GhostGPT is a new malicious generative AI chatbot. ClamAV patches critical vulnerabilities in the open-source anti-virus engine. A new report questions the effectiveness of paying ransomware demands. DOGE piggybacks on the United States Digital Service. On our Industry Voices segment, we are joined by Joe Gillespie, Senior Vice President at Booz Allen, discussing Cyber AI. Jen Easterly leaves CISA a legacy of resilience and dedication.
Today is Thursday January 23rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA and FBI detail exploit chains used by Chinese hackers to compromise Ivanti Cloud Service Appliances.
CISA and the FBI have detailed two exploit chains used by Chinese hackers to compromise Ivanti Cloud Service Appliances (CSA). They published IOCs and noted that flaws CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 are being exploited for espionage. Hackers used these vulnerabilities for remote code execution, credential theft, and webshell deployment, affecting outdated CSA 4.6 versions and earlier 5.0 versions. Ivanti confirmed the latest CSA version 5.0 is unaffected.
Incident reports highlight detection methods, including anomalous user account creation and encoded script alerts, which helped three organizations mitigate attacks. Mandiant has linked these exploits to Chinese APT group UNC5221, known for deploying custom malware like Zipline and Warpwire. Agencies urge defenders to analyze logs, replace compromised systems, and treat affected credentials as compromised.
Energy systems in Central Europe use unencrypted radio signals.
Researchers recently revealed that renewable energy systems in Central Europe use unencrypted radio signals, leaving critical infrastructure vulnerable to exploitation. The Radio Ripple Control system manages power from renewable facilities, controlling up to 60 GW, enough to power Germany. This system, based on outdated protocols, allows anyone with the right tools to intercept and replay commands, potentially disrupting the European power grid.
Fabian Bräunlein and Luca Melette discovered this vulnerability during research on streetlight control in Berlin, realizing the same technology controls energy infrastructure. By reverse-engineering radio receivers, they demonstrated how unauthorized messages could stop energy feeding into the grid. While experts debate whether a 60 GW disruption could cause a blackout, the vulnerability highlights the risks of unencrypted control systems.
The researchers recommend retiring Radio Ripple Control in favor of more secure alternatives, but progress on modernization has been slow.
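The replay problem described above comes down to the receiver having no way to tell a fresh, authorized command from a recording of one. The following added example (written for this briefing, not code from the researchers and not the real Radio Ripple Control frame format) contrasts a legacy-style receiver that trusts any well-formed frame with one that requires a keyed HMAC tag and a strictly increasing counter; the key, frame layout and command names are constructed for illustration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key for illustration only; a real deployment would
# provision a per-receiver secret and manage it out of band.
KEY = b"demo-key-not-a-real-secret"


def legacy_receiver(frame: bytes) -> str:
    """Legacy-style receiver: any frame it hears is treated as a command."""
    return frame.decode()


def build_frame(key: bytes, counter: int, cmd: str) -> bytes:
    """Sender side: frame = counter|cmd|HMAC-SHA256(counter|cmd)."""
    tag = hmac.new(key, f"{counter}|{cmd}".encode(), hashlib.sha256).hexdigest()
    return f"{counter}|{cmd}|{tag}".encode()


class AuthenticatedReceiver:
    """Accepts a command only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes) -> Optional[str]:
        try:
            counter_str, cmd, tag_hex = frame.decode().split("|")
            counter = int(counter_str)
        except ValueError:
            return None  # malformed frame
        expected = hmac.new(self.key, f"{counter}|{cmd}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            return None  # forged or altered: wrong key or tampered payload
        if counter <= self.last_counter:
            return None  # replay of a previously captured frame
        self.last_counter = counter
        return cmd


def demo() -> dict:
    """Exercise both receivers against fresh, replayed and forged frames."""
    rx = AuthenticatedReceiver(KEY)
    on_frame = build_frame(KEY, 1, "FEED_ON")
    off_frame = build_frame(KEY, 2, "FEED_OFF")
    return {
        "legacy_trusts_anything": legacy_receiver(b"FEED_OFF"),
        "fresh_on": rx.accept(on_frame),
        "fresh_off": rx.accept(off_frame),
        "replayed_off": rx.accept(off_frame),            # same frame again
        "forged_off": rx.accept(build_frame(b"other", 3, "FEED_OFF")),
        "malformed": rx.accept(b"FEED_OFF"),
    }
```

The counter must survive receiver restarts (persisted storage) or be replaced by a challenge-response nonce, otherwise an attacker can replay frames captured before a reboot. Authenticity alone does not hide the command contents, so confidentiality would need a separate encryption layer.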
A critical SonicWall vulnerability is under active exploitation.
A critical security vulnerability, CVE-2025-23006, has been identified in SonicWall’s SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), allowing remote, unauthenticated attackers to execute arbitrary OS commands. With a severity score of 9.8, the flaw arises from improper deserialization of untrusted data. Active exploitation has been confirmed, prompting SonicWall to release a patch (version 12.4.3-02854). Affected organizations should upgrade immediately or restrict AMC and CMC access to trusted sources as a temporary mitigation.
The Nnice ransomware strain isn’t.
CYFIRMA has identified a new ransomware strain, “Nnice,” targeting Windows systems with advanced encryption, persistence, and evasion techniques. It appends “.xdddd” to encrypted files and displays a ransom note, “Readme.txt,” while modifying system wallpapers to alert victims. Using bootkits, DLL side-loading, and registry key manipulations, Nnice ensures persistence while employing obfuscation and rootkits to evade detection. Organizations are urged to block the ransomware’s SHA-256 hash, apply patches, use MFA, adopt zero-trust frameworks, maintain offline backups, and monitor for threat indicators to mitigate risks.
Cisco discloses a critical vulnerability in its Meeting Management tool.
Cisco has disclosed a critical vulnerability, CVE-2025-20156, in its Meeting Management tool that allows remote attackers to escalate privileges and gain administrator access via the REST API. With a CVSS score of 9.9, the flaw stems from improper default permissions and inadequate privilege handling. It affects all versions up to 3.9 but is fixed in version 3.9.1. Cisco urges immediate updates, as no workarounds exist. No active exploitation has been reported, but prompt patching is essential to mitigate risks.
GhostGPT is a new malicious generative AI chatbot.
Researchers at Abnormal Security have identified a new malicious generative AI chatbot, GhostGPT, being sold on Telegram since late 2024. GhostGPT is designed to assist cybercriminals in activities like malware creation, phishing emails, and business email compromise (BEC) attacks. It connects to a jailbroken ChatGPT or open-source language model to deliver uncensored responses. Unlike its predecessor WormGPT, GhostGPT is available as a Telegram bot, eliminating the need for technical setups. Buyers can quickly access the tool for a fee, enabling low-skilled threat actors to execute sophisticated campaigns. The chatbot facilitates tasks such as exploit development, phishing template creation, and malware coding. Tested by researchers, it easily generated a convincing DocuSign phishing email. GhostGPT’s growing popularity among cybercriminals highlights increasing interest in AI tools for illicit purposes, with thousands of views on online forums.
ClamAV patches critical vulnerabilities in the open-source anti-virus engine.
The ClamAV team has released security updates for versions 1.4.2 and 1.0.8, addressing a critical vulnerability (CVE-2025-20128) in the OLE2 file parser that could cause a buffer overflow and denial-of-service (DoS). ClamAV, a widely used open-source antivirus engine, detects malware, viruses, and trojans, serving as a trusted security tool for individuals and enterprises. These updates also fix an infinite loop issue in ClamOnAcc’s directory monitoring tool. Users are strongly encouraged to upgrade via the ClamAV downloads page, GitHub, or Docker Hub.
A new report questions the effectiveness of paying ransomware demands.
A survey by Hiscox reveals that less than 20% of companies who pay ransomware demands recover all their data, with 10% finding their data leaked despite payment. The 2024 Cyber Readiness Report highlights that businesses often pay ransoms to protect reputations or recover data without backups, but “paying up rarely pays off.” Nearly 70% of U.S. companies report increased cyberattacks, averaging 60 incidents annually. Reputational damage is significant, with 47% of businesses struggling to attract clients after an attack. Hiscox advises businesses to bolster defenses through employee training, retiring outdated technology, and maintaining consistent backups. Phishing accounts for 60% of attacks, underscoring the need for awareness. The report warns that inadequate cybersecurity damages trust, deters partners, and attracts regulatory scrutiny, posing greater risks than bankruptcy for many firms.
DOGE piggybacks on the United States Digital Service.
In an article for WIRED, Steven Levy examines Donald Trump’s new executive order which establishes the “President’s Department of Government Efficiency” (DOGE). The EO embeds DOGE into the United States Digital Service (USDS), a small, innovative tech agency that has improved government IT since its Obama-era inception. DOGE aims to streamline government IT systems, promising significant cost savings. However, it shifts USDS’s collaborative approach to a more top-down, Musk-inspired model, focusing on centralizing data and enforcing the DOGE agenda.
While DOGE’s goals, like addressing inefficiencies and hidden budgetary waste, could be transformational, its adversarial approach and political overtones raise concerns. New four-person agency teams, including HR and legal personnel alongside engineers, suggest a shift from building solutions to enforcing policy, potentially undermining USDS’s ethos of innovation.
USDS, which survived previous administrations through deft navigation and bipartisan support, now faces uncertainty. Critics fear DOGE’s disruptive structure could sunset USDS by its scheduled end in 2026, jeopardizing its legacy of impactful public service.
Next up on our Industry Voices segment, I am joined by Joe Gillespie, Senior Vice President at Booz Allen, to discuss Cyber AI. And, former CISA Director Jen Easterly reflects on her tenure. We’ll be right back.
Welcome back.
Jen Easterly leaves CISA a legacy of resilience and dedication.
And finally, Jen Easterly’s tenure as director of the Cybersecurity and Infrastructure Security Agency (CISA) has been marked by a unique blend of leadership, passion, and a hacker’s mindset. Reflecting on her nearly four years at the helm in an interview with WIRED’s Lilly Hay Newman, Easterly described her mission as “solving the most complicated problems out there” while building relationships and fostering a collaborative cyber defense ecosystem. Her Rubik’s Cube motto—“If you are curious, you will find puzzles, and if you are determined, you will solve them”—aptly symbolizes her approach to the complex challenges of cybersecurity.
Easterly’s efforts have helped CISA grow into a vital agency tackling threats like China’s Salt Typhoon espionage campaign and ransomware attacks. She championed public-private collaboration, urging companies to prioritize collective defense over self-preservation. As she noted, “We are America’s cyber defense agency, and the American people are getting an incredible return on investment.”
However, her departure comes as CISA faces uncertainty under the new administration, with potential budget cuts and reorganization looming. Despite the challenges, Easterly remains optimistic about the agency’s legacy, emphasizing the need for continued focus on China’s cyber threats and national infrastructure security.
Easterly’s leadership was driven not just by expertise, but also by a creative spark that made her stand out—whether jamming on her electric guitar, solving Rubik’s Cubes, or donning her iconic dragon-embroidered denim. As she transitions out, Easterly leaves behind a resilient CISA and a legacy of dedication to securing America’s digital future.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.