
Lights out, lines down.
A massive power outage strikes the Iberian Peninsula. Iran says it repelled a “widespread and complex” cyberattack targeting national infrastructure. Researchers find hundreds of SAP NetWeaver systems vulnerable to a critical zero-day. A British retailer tells warehouse workers to stay home following a cyberattack. VeriSource Services discloses a breach exposing personal data of four million individuals. Global automated scanning surged 16.7% in 2024. CISA discloses several critical vulnerabilities affecting Planet Technology’s industrial switches and network management products. A Greek court upholds a VPN provider’s no-logs policies. Law enforcement dismantles the JokerOTP phishing tool. Our guest is Tim Starks from CyberScoop with developments in the NSO Group trial. How Bad Scans and AI Spread a Scientific Urban Legend.
Today is Monday, April 28th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
We’re coming to you live and on-location from RSAC 2025, right here in beautiful San Francisco!
The Moscone Center is buzzing with the latest in cybersecurity innovation, critical discussions, and of course, a few caffeine-fueled debates about AI, quantum threats, and how to finally get rid of passwords for good.
We’ve got a packed week ahead, with interviews from industry leaders, quick takes on major announcements, and a look at the trends shaping the future of cyber defense. So whether you’re joining us from the show floor or tuning in from afar, stick around — you won’t want to miss what’s coming next.
Let’s dive in.
A massive power outage strikes the Iberian Peninsula.
A massive power outage struck the Iberian Peninsula on April 28, 2025, cutting electricity across Spain, Portugal, and parts of southern France and Andorra. The blackout, which began around 12:30 p.m. local time, caused Spain’s power demand to collapse by half within moments — a total grid failure known as a “cero energético.” Sources suggest a cyberattack is the likely cause, though authorities have not confirmed this. Critical infrastructure was severely impacted, including airports, metros, telecommunications, and traffic systems. Spain’s Prime Minister Pedro Sánchez visited Red Eléctrica’s control center as emergency restoration efforts began, focusing on hydroelectric power while gas and nuclear plants remain offline. Internet traffic dropped by nearly 30–37% across the region. The Spanish Cybersecurity Coordination Office is investigating, but officials warn it’s too early to draw conclusions. This outage highlights growing concerns, as cyberattacks on utilities have more than doubled globally in recent years. Recovery is expected to take time.
Iran says it repelled a “widespread and complex” cyberattack targeting national infrastructure.
Meanwhile, Iran says it repelled a “widespread and complex” cyberattack targeting national infrastructure, according to Behzad Akbari of the government’s Telecommunication Infrastructure Company. Few details were shared, and there is no confirmed link to a deadly explosion at Shahid Rajaei port the previous day, which killed 28 and injured 800. Maritime experts attribute the explosion to mishandled ballistic missile fuel, though Iran denies this. The incident comes amid tense nuclear negotiations between Iran and the U.S. Iran has faced several major cyberattacks in recent years, including ones on its fuel system and steel mills, often blamed on U.S. and Israeli forces without evidence. Groups like Predatory Sparrow have claimed past attacks, raising suspicions of state backing due to the precision involved. Iran’s officials continue to cite cyber threats as key national security concerns.
Researchers find hundreds of SAP NetWeaver systems vulnerable to a critical zero-day.
Shadowserver found 454 SAP NetWeaver systems vulnerable to CVE-2025-31324, a critical zero-day flaw allowing unauthenticated file uploads and full system compromise. Discovered by ReliaQuest in April 2025, the bug targets the Metadata Uploader component and has already been weaponized in the wild. Attackers upload webshells via a missing authorization check. SAP issued an emergency patch on April 24. Organizations are urged to patch immediately or apply temporary workarounds, as the flaw poses a severe risk to exposed SAP environments.
A British retailer tells warehouse workers to stay home following a cyberattack.
British retailer Marks & Spencer (M&S) has told around 200 agency workers not to report to its main warehouses as it manages a growing cyberattack crisis. Online shopping remains paused, with M&S apologizing for the disruption but assuring customers that stores are still open. The incident, first disclosed last week, has already led to an 8% drop in M&S shares. The company says its internal team and external cyber experts are working urgently to restore online and app services.
VeriSource Services discloses a breach exposing personal data of four million individuals.
VeriSource Services disclosed that a 2024 breach exposed personal data of four million individuals tied to companies using its employee benefits platform. Stolen data includes names, birth dates, addresses, and Social Security numbers. Although discovered quickly, full impact analysis took over a year, with final notifications issued in April 2025. No misuse has been reported yet, but VeriSource is offering free credit monitoring. Security experts stress the prolonged exposure window raises heightened risks of identity theft and fraud.
Global automated scanning surged 16.7% in 2024.
Global automated scanning surged 16.7% in 2024, exposing major digital vulnerabilities, according to FortiGuard Labs’ 2025 Global Threat Landscape Report. Threat actors now execute 36,000 scans per second, targeting services like SIP, RDP, and IoT protocols. Cybercrime marketplaces, fueled by CaaS models, added 40,000 new vulnerabilities and drove a 500% rise in infostealer malware logs, contributing to 1.7 billion stolen credentials. Critical sectors like manufacturing and business services are increasingly targeted, with the U.S. absorbing 61% of attacks. AI-driven threats such as FraudGPT are intensifying phishing and credential-stuffing campaigns. Fortinet urges organizations to shift to intelligence-led defense strategies, emphasizing attack surface management, real-world adversary simulation, and dark web monitoring. Experts stress that real-time AI-powered security solutions are crucial to countering today’s evolving cyber threats and preventing operational disruptions.
CISA discloses several critical vulnerabilities affecting Planet Technology’s industrial switches and network management products.
Several critical vulnerabilities affecting Planet Technology’s industrial switches and network management products have been disclosed by CISA. The flaws, found in devices like the UNI-NMS-Lite and WGS-804HPT-V2, allow remote, unauthenticated attackers to gain admin access, create accounts, and execute OS commands. Researcher Kevin Breen, who reported the issues, noted hundreds to thousands of exposed devices globally, including in critical manufacturing. Planet Technology patched the vulnerabilities in April 2025, and no active exploitation has been reported so far.
A Greek court upholds a VPN provider’s no-logs policies.
Windscribe, the privacy-focused VPN and cybersecurity provider, has scored a major legal victory as founder Yegor Sak was acquitted by a Greek court. The case, triggered by a cyber incident involving a Windscribe server, could have set a dangerous global precedent by criminalizing infrastructure ownership. Thanks to Windscribe’s strict no-logs policy, the court found no evidence linking Sak or the company to any wrongdoing. The ruling reaffirms that privacy providers cannot be held responsible for user actions when no data is collected. Windscribe, founded in 2016, remains a fierce defender of online freedom, vowing to resist any pressure to compromise user trust. Sak called the case a critical stand against government overreach, warning, “Today it’s hacking — tomorrow it could be criticizing a dictator.”
Law enforcement dismantles the JokerOTP phishing tool.
Two men have been arrested in the UK and the Netherlands as part of a major international operation dismantling JokerOTP, a phishing tool used to steal over £7.5 million. The tool tricked victims into revealing two-factor authentication (2FA) codes by impersonating trusted institutions like banks and cryptocurrency platforms. JokerOTP was deployed in over 28,000 phishing attacks across 13 countries. The investigation, led by Cleveland Police’s Cyber Crime Unit and supported by Europol and the Dutch National Police, marks one of the UK’s largest cyber fraud cases. The suspects, operating online as “spit” and “defone123,” face charges including fraud, unauthorized access, money laundering, and blackmail. Authorities have begun shutting down the infrastructure supporting JokerOTP, warning users of the platform that further law enforcement actions are underway.
How Bad Scans and AI Spread a Scientific Urban Legend.
And finally, ever heard of “vegetative electron microscopy”? No? Good — because it’s total nonsense. But thanks to a string of scanning errors, translation mix-ups, and a little AI mischief, this completely made-up scientific term has wormed its way into real academic papers! It all started when 1950s research got poorly digitized, blending unrelated words into something that sounded impressive but meant absolutely nothing. Then, a tiny mistranslation in Farsi helped the error spread even further. Now, large AI models, including GPT-3 and GPT-4, faithfully regurgitate the fake term as if it’s a cornerstone of modern science. Researchers are calling it a “digital fossil” — a mistake now permanently trapped in the AI training ecosystem. The real kicker? Fixing it is next to impossible. So the next time someone drops “vegetative electron microscopy” in a paper, just know: science — and AI — sometimes make stuff up too.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’ve got a special edition that explores the benefits of the cyber startup ecosystem with our partners at Microsoft. You can catch details of it in our show notes and find it in your CyberWire Daily podcast feed in your favorite podcast app.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.