The CyberWire Daily Podcast 3.10.25
Ep 2261 | 3.10.25

PHP flaw sparks global attack wave.

Transcript

PHP exploits are active in the wild. Security researchers discover undocumented commands in a popular Wi-Fi and Bluetooth-enabled microcontroller. The ONCD could gain influence in this second Trump administration. The Akira ransomware gang leverages an unsecured webcam. Mission, Texas declares a state of emergency following a cyberattack. The FBI and Secret Service confirm crypto-heists are linked to the 2022 LastPass breach. A popular home appliance manufacturer suffers a cyberattack. Switzerland updates reporting requirements for critical infrastructure operators. Our guest is Errol Weiss, Chief Security Officer at the Health-ISAC, who warns “the cavalry isn’t coming—why the private sector must take the lead in critical infrastructure cybersecurity.” A termination kill switch leads to potential jail time. 

Today is Monday, March 10th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Happy Monday everyone - it’s great to be back from a restful family vacation. Thanks to Maria Varmazis for filling in on the mic for me, and to our entire production team for making it possible for me to be away without skipping a beat. 

PHP exploits are active in the wild. 

Threat actors are actively exploiting CVE-2024-4577, a critical PHP vulnerability (CVSS 9.8), to execute remote code on Windows servers running Apache and PHP-CGI with specific code page settings. The flaw arises from PHP’s failure to account for Windows’ Unicode ‘Best-Fit’ character conversion, which lets attackers smuggle command-line options to the PHP CGI binary through specially crafted character sequences in a request.

The vulnerability was publicly disclosed in June 2024, with ransomware groups launching attacks within days. Cisco later reported targeted attacks on Japanese organizations across multiple sectors, using Cobalt Strike-based tools for persistence and privilege escalation.

Now, GreyNoise warns that exploitation has gone global, with spikes in the US, UK, Singapore, India, and others. In January 2025 alone, 1,089 unique IPs attempted attacks. Germany and China account for over 43% of malicious IPs.

All PHP versions on Windows are affected, but fixes were released in PHP 8.1.29, 8.2.20, and 8.3.8. Users should update immediately to mitigate risks.
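The Best-Fit mechanism behind this bug is concrete enough to hunt for: a soft hyphen (0xAD, sent as %AD) is mapped to an ASCII '-' before php-cgi.exe sees its arguments, so a query string such as %ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input is parsed as -d options that turn the request body into PHP code. The following access-log scanner is an added example written for this page; it is not code from GreyNoise, Cisco or the PHP project. It assumes Apache combined log format, the sample log lines are constructed, and the path heuristic (php-cgi in the path or a .php target) and the option letters it watches for are my own choices.

```python
"""Scan web-server access logs for CVE-2024-4577 (PHP-CGI argument injection) attempts.

Added example, not from the podcast or any vendor report. The exploit relies on
Windows "Best-Fit" mapping turning a soft hyphen (0xAD, sent as %AD) into '-',
so php-cgi.exe treats the query string as command-line options.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes, urlsplit

# Apache combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A raw soft hyphen immediately followed by a php-cgi option letter
# (-d ini override, -s show source, -n skip php.ini) is the injected option.
INJECTED_OPT = re.compile(rb"\xad[dsn]")

# INI directives attackers set to turn option injection into code execution.
RCE_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"cgi.force_redirect")


def classify(target: str) -> Optional[str]:
    """Return a reason if the request target looks like a CVE-2024-4577 attempt, else None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # Heuristic (assumption): php-cgi exposed directly, or .php handled by php-cgi via Action/ScriptAlias.
    if "php-cgi" not in path and not path.endswith(".php"):
        return None
    # Decode bytewise: 0xAD alone is not valid UTF-8, so do not decode to str first.
    raw = unquote_to_bytes(parts.query)
    if INJECTED_OPT.search(raw):
        return "soft-hyphen option injection"
    if any(d in raw.lower() for d in RCE_DIRECTIVES):
        return "php ini override in query"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and return one hit per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reason": reason})
    return hits


def sources(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per source address (GreyNoise reports unique attacking IPs the same way)."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:08:14:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.23 - - [10/Mar/2025:08:14:09 +0000] "GET /index.php?%ADs HTTP/1.1" 200 3045
192.0.2.44 - - [10/Mar/2025:08:15:11 +0000] "GET /index.php?id=42 HTTP/1.1" 200 1823
192.0.2.45 - - [10/Mar/2025:08:15:30 +0000] "GET /wp-login.php?-d+allow_url_include=1 HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["reason"]}: {h["target"]}')
    print("unique sources:", len(sources(found)))
```

The second rule (a bare INI directive name in the query) is deliberately looser than the first: the literal "-d" form is the old CVE-2012-1823 shape that php-cgi already rejects, but the same directives showing up in a query string are still worth a look. Tune the path heuristic to how your server actually routes PHP; if php-cgi is behind a ScriptAlias, the target may not end in .php.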

Security researchers discover undocumented commands in a popular Wi-Fi and Bluetooth-enabled microcontroller. 

Security researchers have discovered undocumented commands in the ESP32 microchip, a popular Wi-Fi and Bluetooth-enabled microcontroller used in over 1 billion devices. These hidden commands, found by Tarlogic Security, could allow attackers to spoof trusted devices, access unauthorized data, pivot to other devices, and establish long-term persistence.

The issue, now tracked as CVE-2025-27840, stems from 29 vendor-specific Bluetooth commands that enable memory manipulation, MAC address spoofing, and packet injection. These could be exploited for malicious firmware, supply chain attacks, or advanced Bluetooth-based threats.

Espressif, the chip’s manufacturer, has not publicly documented these commands, leaving questions about whether they were intentional or an oversight. While remote exploitation is possible, physical access poses a greater risk. Researchers warn that compromised ESP32 chips could serve as a launchpad for persistent cyberattacks on IoT devices, mobile phones, and even medical equipment. Espressif has yet to comment.

The ONCD could gain influence in this second Trump administration. 

The Office of the National Cyber Director (ONCD) is expected to gain significant influence in a second Trump administration, fulfilling the leadership role Congress envisioned when it was created in 2021. Sean Cairncross, a Trump loyalist with no cybersecurity background, is expected to lead the office, bringing strong political ties that could enhance its authority over cyber policy across the executive branch.

Experts say ONCD will take a central role, guiding both offensive cyber efforts (NSC) and domestic defense (CISA). The NSC’s cyber team, now focused on offensive cyber operations, will complement ONCD’s leadership in cyber crisis management. Analysts predict deregulation will be a key ONCD initiative.

With reduced cyber staffing at NSC and no Anne Neuberger-like figure, ONCD may finally become the executive branch’s primary cyber authority, a role it struggled to achieve under Biden’s administration.

The Akira ransomware gang leverages an unsecured webcam. 

The Akira ransomware gang leveraged an unsecured webcam to encrypt a victim’s network, bypassing Endpoint Detection and Response (EDR), which had blocked their Windows encryptor. Cybersecurity firm S-RM discovered this unconventional method during an incident response.

Akira initially gained access through an exposed remote access solution, likely via stolen credentials or brute-force attacks. They installed AnyDesk, stole data for double extortion, and used Remote Desktop Protocol (RDP) to spread before deploying ransomware. When EDR blocked their payload, they scanned for alternative attack vectors and found a vulnerable Linux-based webcam.

Since the webcam lacked EDR protection, they used it to mount Windows SMB network shares and launch their Linux encryptor, successfully encrypting network files.

This attack highlights the security risks of IoT devices, emphasizing the need for network segmentation, regular firmware updates, and stronger monitoring of non-traditional endpoints to prevent exploitation.
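The webcam pivot above is detectable precisely because a camera has no business acting as an SMB client. The following detector is an added example written for this page, not code from S-RM or from the incident. It assumes you collect Windows Security event 5140 ("A network share object was accessed") from file servers, which requires the "Audit File Share" subcategory to be enabled; the event records are constructed with a subset of that event's fields, and the segment inventory, thresholds and reason names are hypothetical.

```python
"""Flag SMB share access from sources that should never mount shares (e.g. an IoT camera VLAN).

Added example, not from S-RM's report. Records mimic a few fields of Windows
Security event 5140; the network inventory below is a hypothetical one.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Hypothetical inventory: which segment a source address belongs to.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "iot-cameras": ipaddress.ip_network("10.99.0.0/24"),
}
# Segments from which SMB client traffic to file servers is never legitimate.
NO_SMB_CLIENT = {"iot-cameras"}
# A single source touching this many distinct shares looks like an encryptor enumerating targets.
FANOUT_THRESHOLD = 3

# Constructed event 5140 records (subset of fields): user = SubjectUserName, ip = IpAddress, share = ShareName.
EVENTS = [
    {"time": "2025-03-01T02:11:04Z", "user": "svc_backup", "ip": "10.20.5.8", "share": "\\\\*\\Finance"},
    {"time": "2025-03-01T02:12:30Z", "user": "jdoe", "ip": "10.10.31.7", "share": "\\\\*\\HR"},
    {"time": "2025-03-01T02:40:12Z", "user": "jdoe", "ip": "10.99.0.17", "share": "\\\\*\\Finance"},
    {"time": "2025-03-01T02:40:13Z", "user": "jdoe", "ip": "10.99.0.17", "share": "\\\\*\\HR"},
    {"time": "2025-03-01T02:40:15Z", "user": "jdoe", "ip": "10.99.0.17", "share": "\\\\*\\Engineering"},
    {"time": "2025-03-01T02:41:00Z", "user": "contractor", "ip": "172.16.44.9", "share": "\\\\*\\Finance"},
]


def segment_of(ip: str) -> str:
    """Map a source address to an inventory segment, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def detect(events: List[dict], fanout_threshold: int = FANOUT_THRESHOLD) -> Dict[str, dict]:
    """Return {source_ip: alert} for sources that break segment policy, fan out across
    shares, or reuse an account that was also seen from a workstation."""
    by_src = defaultdict(lambda: {"users": set(), "shares": set()})
    segments_by_user = defaultdict(set)
    for ev in events:
        by_src[ev["ip"]]["users"].add(ev["user"])
        by_src[ev["ip"]]["shares"].add(ev["share"])
        segments_by_user[ev["user"]].add(segment_of(ev["ip"]))

    alerts = {}
    for ip, info in by_src.items():
        seg = segment_of(ip)
        reasons = []
        if seg in NO_SMB_CLIENT:
            reasons.append("smb-client-in-forbidden-segment")
        elif seg == "unknown":
            reasons.append("smb-client-not-in-inventory")
        if len(info["shares"]) >= fanout_threshold:
            reasons.append("share-fanout")
        # Stolen workstation credentials replayed from a non-workstation source.
        if seg != "workstations" and any("workstations" in segments_by_user[u] for u in info["users"]):
            reasons.append("account-also-used-from-workstation")
        if reasons:
            alerts[ip] = {
                "segment": seg,
                "users": sorted(info["users"]),
                "shares": sorted(info["shares"]),
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(EVENTS).items():
        print(ip, alert["segment"], ", ".join(alert["reasons"]))
```

The same grouping works on Zeek smb_mapping logs or firewall flow records for TCP/445 if you do not have file-server auditing; the important design choice is that the first rule is a pure allow-list on source segment, so it fires even when the account, the share and the file operations all look routine, which is exactly what a Linux encryptor mounting shares from a camera looks like to an EDR that only sees Windows hosts.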

Mission, Texas declares a state of emergency following a cyberattack. 

The city of Mission, Texas, declared a state of emergency after a cyberattack exposed all city government data and forced systems offline. Officials assured that emergency services remained operational, but reports suggest police lost access to state databases for license and ID checks.

Mayor Norie Gonzalez Garza urged Governor Greg Abbott to declare a statewide emergency to unlock disaster funds. The attack, which began February 28, is under law enforcement investigation.

Texas cities have faced multiple ransomware attacks in recent months, disrupting hospitals, utilities, and local governments. Mission joins Matagorda County, McKinney, Coppell, and Richardson in suffering cyber incidents.

The FBI and Secret Service confirm crypto-heists are linked to the 2022 LastPass breach. 

KrebsOnSecurity first reported in September 2023 that a wave of high-value crypto heists stemmed from the 2022 LastPass breach. Now, U.S. federal investigators confirm that a $150 million cyberheist in January 2024, targeting Ripple co-founder Chris Larsen, was executed using stolen LastPass master passwords.

The FBI and Secret Service support Krebs’ findings, stating attackers cracked poorly secured vaults to steal victims’ cryptocurrency seed phrases stored in LastPass Secure Notes. $24 million in stolen funds have been seized, but thefts continue globally.

Despite mounting evidence, LastPass denies definitive links to the thefts. Experts criticize LastPass for failing to warn users and enforce better security. Cybersecurity experts stress that these attacks could have been prevented, and new thefts show the threat remains active more than two years after the breach.

A popular home appliance manufacturer suffers a cyberattack. 

National Presto Industries, maker of popular home appliances like air fryers, reported a cyberattack disrupting shipping, manufacturing, and back-office functions since March 1. The Wisconsin-based company disclosed the incident in an SEC filing, stating it is working to restore operations and has notified law enforcement.

The attack’s impact on Presto’s military contracting division is unclear. Forensic analysis is ongoing, and no cybercriminal group has claimed responsibility. The company warned that the breach could affect its financial performance but has implemented temporary measures to maintain critical functions.

Switzerland updates reporting requirements for critical infrastructure operators. 

Starting April 1, 2025, Switzerland will require critical infrastructure operators to report cyberattacks to the National Cyber Security Centre (NCSC) within 24 hours. This mandate, part of an amendment to the Information Security Act, applies to energy, water, transport, and government entities if an attack disrupts operations, leaks data, or involves blackmail.

Reports must be completed within 14 days, and fines may apply for non-compliance. A grace period lasts until October 1, 2025. Similar laws exist worldwide, including in the U.S., UK, EU, and Australia.


Coming up, we’re joined by Errol Weiss from Health-ISAC to discuss why the private sector must take the reins in protecting critical infrastructure. Plus, stick around—one developer’s making headlines for hitting Ctrl+Alt+Delete in a big way.

Errol Weiss, Chief Security Officer at Health-ISAC, joins us to explain why waiting for rescue isn’t an option—the private sector must take charge of critical infrastructure cybersecurity. Here’s our conversation.

That was Errol Weiss, CSO at Health-ISAC, sharing why the private sector must step up in securing critical infrastructure. 

A termination kill switch leads to potential jail time. 

And finally, the story of Davis Lu, a 55-year-old software developer who took “rage quitting” to a whole new level. After working for Eaton Corporation for 12 years, Lu was demoted in 2019. Apparently, instead of updating his résumé like the rest of us, he wrote a Java-based malware program to grind his employer’s systems to a halt—because, hey, who needs LinkedIn when you have revenge coding?

His masterpiece? An infinite loop that kept spawning threads until the system collapsed. But he didn’t stop there! Lu also coded a “kill switch” charmingly named IsDLEnabledinAD—which locked thousands of employees out of their accounts if he was ever fired (spoiler: he was).

The Feds weren’t amused. After failing to delete evidence and admitting guilt in an interview, Lu still pleaded not guilty—and lost. Now, he faces up to 10 years in prison, proving that revenge is best served… not at all.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.