The CyberWire Daily Podcast 6.30.25
Ep 2339 | 6.30.25

U.S. braces for Iranian cyber intrusions.

Transcript

CISA warns organizations of potential cyber threats from Iranian state-sponsored actors. Scattered Spider targets aviation and transportation. Workforce cuts at the State Department raise concerns about weakened cyber diplomacy. Canada bans Chinese security camera vendor Hikvision over national security concerns. Cisco Talos reports a rise in cybercriminals abusing Large Language Models. MacOS malware Poseidon Stealer rebrands. Researchers discover multiple vulnerabilities in Bluetooth chips used in headphones and earbuds. The FDA issues new guidance on medical device cybersecurity. Our guest is Debbie Gordon, Co-Founder of Cloud Range, looking “Beyond the Stack - Why Cyber Readiness Starts with People.” An IT worker’s revenge plan backfires.

Today is Monday June 30th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA warns organizations of potential cyber threats from Iranian state-sponsored actors.

CISA, along with the FBI, NSA, and Department of Defense Cyber Crime Center, has issued a Fact Sheet warning organizations about potential cyber threats from Iranian state-sponsored or affiliated actors. While there is no current evidence of a coordinated Iranian cyber campaign targeting the U.S., officials note increasing activity from Iranian hackers and hacktivists in recent months, expected to escalate amid current geopolitical tensions. These actors often exploit unpatched software, known vulnerabilities, and weak or default passwords on internet-connected devices. The agencies urge critical infrastructure operators to take immediate precautions, including disconnecting operational technology from public internet access, enforcing strong unique passwords, applying all software patches, and using phishing-resistant multifactor authentication. These steps aim to strengthen defenses and reduce exposure to opportunistic or targeted Iranian cyber operations.

Scattered Spider targets aviation and transportation.

The Scattered Spider hacking gang is now targeting the aviation and transportation sectors, cybersecurity firms warned. This mostly Western, English-speaking group has attacked grocery suppliers, retailers, and insurance companies in the U.S. and U.K. Hawaiian Airlines recently reported a cybersecurity incident affecting its IT systems, while Canadian airline WestJet faced similar issues last week. Though WestJet didn’t confirm Scattered Spider’s involvement, sources suggest they were behind it. Google’s Mandiant Consulting and Palo Alto Networks warned that the group’s attacks resemble past operations and urged airlines to harden systems immediately. Scattered Spider is known for combining social engineering with exploiting known security vulnerabilities. Despite arrests last fall, U.S. law enforcement has struggled to curb their activities.

Workforce cuts at the State Department raise concerns about weakened cyber diplomacy.

Planned workforce cuts and a reorganization at the U.S. State Department are raising concerns about weakened cyber diplomacy. Secretary of State Marco Rubio aims to cut up to 2,000 employees and restructure the Bureau of Cyberspace and Digital Policy. This comes despite a federal court injunction blocking broad layoffs across agencies. Staff were told to update resumes by June 13, and managers reviewed personnel files in preparation.

Critics warn the cuts could fracture the cyber bureau’s mission, reducing its ability to coordinate with allies and agencies like Cyber Command, especially as cyber threats rise from adversaries such as Iran and China. Analysts say breaking up the bureau’s cybersecurity and economic portfolios will undermine efficiency and direct leadership reporting. House Democrats argue this threatens U.S. international cyber policy coordination. Even if layoffs are blocked, Rubio may proceed with reorganization under a separate directive, leaving the bureau’s future uncertain.

Canada bans Chinese security camera vendor Hikvision over national security concerns.

Canada has banned Chinese CCTV vendor Hikvision from operating in the country and selling to federal institutions due to national security concerns. Industry Minister Mélanie Joly ordered Hikvision Canada Inc. to cease operations following a security review under the Investment Canada Act. The government is investigating to ensure no federal agencies still use Hikvision products. While the ban does not cover private businesses or individuals, Canadians are urged to reconsider purchases. Hikvision faces global scrutiny for alleged human rights abuses and security risks, including bans or removals in the U.S., U.K., Australia, India, and Europe. In the U.S., Hikvision was banned from government contracts and placed on the Entity List for its role in surveillance of Uyghurs in Xinjiang, accusations the company denies. This Canadian ban follows Quebec’s 2023 prohibition on Hikvision products in government settings.

Cisco Talos reports a rise in cybercriminals abusing Large Language Models.

Cisco Talos reports a rise in cybercriminals abusing Large Language Models (LLMs) to enhance attacks. Criminals use three main methods: uncensored models like OnionGPT and WhiteRabbitNeo that generate phishing emails or hacking tools; custom-built malicious LLMs such as WormGPT, DarkGPT, and FraudGPT, advertised on the dark web to create malware and phishing content; and jailbreaking legitimate LLMs like ChatGPT through prompt injection techniques to bypass safety guardrails. Criminals use LLMs for programming ransomware, creating phishing pages, verifying stolen credit cards, and scanning for vulnerabilities. Some distribute backdoored models on platforms like Hugging Face to infect users. Cisco warns that LLMs are becoming a “force multiplier” for cybercrime, making attacks more efficient rather than inventing new cyber weapons. Interestingly, Talos found some dark web sellers, like FraudGPT’s alleged developer, scamming buyers with non-existent malicious AI products.

MacOS malware Poseidon Stealer rebrands.

CYFIRMA reports that Poseidon Stealer, a macOS-targeting malware-as-a-service (MaaS), has been rebranded as Odyssey Stealer. Odyssey spreads via ClickFix campaigns on spoofed finance, crypto news, and fake Apple App Store sites. Users are tricked into running a Base64 command in Terminal, which executes malicious AppleScript to steal device passwords and Keychain credentials. Odyssey targets cryptocurrency wallets like Electrum, Coinomi, and Exodus, as well as browsers including Safari, Chrome, and Firefox, harvesting passwords, payment info, session cookies, and autofill data. It also steals files from Desktop and Documents folders, archiving them into out.zip for exfiltration. The control panel, mostly hosted in Russia, offers features like cookie-based session hijacking and guest demos for buyers. CYFIRMA advises blocking osascript execution, using app whitelisting, and only downloading apps from official or verified sources to mitigate this growing macOS threat.

Researchers discover multiple vulnerabilities in Bluetooth chips used in headphones and earbuds.

Researchers at German security firm ERNW have discovered multiple vulnerabilities in Airoha Bluetooth chips used in headphones and earbuds from brands like Sony, Marshall, and Beyerdynamic. The flaws stem from a custom protocol in Airoha’s SDK that allows attackers to read or write RAM and flash storage without authentication. Exploitation is possible over both Bluetooth Low Energy (BLE) and Bluetooth Classic (BR/EDR), even without pairing. Attackers within Bluetooth range could hijack headphones, eavesdrop on audio, read media data, extract phone numbers, or rewrite firmware for full code execution, enabling wormable exploits. These attacks are likely to target high-value individuals such as journalists or diplomats. Airoha has fixed the vulnerabilities in its latest SDK, but ERNW warns no vendors have released firmware updates yet, leaving many devices exposed.

The FDA issues new guidance on medical device cybersecurity.

The FDA has issued new final guidance on medical device cybersecurity, replacing its 2023 version. The updated document reflects expanded authority under Section 524B of the Food, Drug, and Cosmetic Act, requiring that any internet-connected “cyber device” include cybersecurity details in premarket submissions. The guidance mandates elements like software bills of materials, vulnerability management plans, and demonstration of “reasonable assurance of cybersecurity.” Experts note this merges previous guidance with statutory updates into one cohesive document, clarifying that cybersecurity is integral to safety and effectiveness determinations. It explicitly covers debug ports, wireless modules, and access controls, widening regulatory scope. While the FDA aims to enhance device security amid rising healthcare cyber threats, experts warn that recent budget cuts and staffing losses could slow reviews. Researchers emphasize that manufacturers must prioritize security in design and documentation to avoid delays and reduce post-market risks, as nearly all modern devices now qualify as cyber devices.

On today’s Industry Voices segment, Debbie Gordon, Co-Founder of Cloud Range, joins me to share insights on looking “Beyond the Stack - Why Cyber Readiness Starts with People.” We’ll be right back.

Welcome back. You can find a link in our show notes to a blog which shares more detail about Debbie’s topic.

An IT worker’s revenge plan backfires.

In a cautionary tale for managers everywhere, a British IT worker decided suspension wasn’t enough drama for the week. Mohammed Umar Taj, clearly displeased with his July 2022 suspension, swiftly launched a cyberattack against his employer, altering login credentials and sabotaging daily operations. The firm, with clients in the UK, Germany, and Bahrain, reported at least £200,000 in losses – plus the general inconvenience of having their systems turned into Taj’s personal revenge sandbox. Police found he even kept recordings of his exploits, presumably for his villain highlight reel. Taj pleaded guilty and was sentenced to just over seven months in jail. West Yorkshire Police noted his antics rippled far beyond the UK. The moral? Don’t anger your IT guy, or at least revoke his admin privileges before HR breaks bad news.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.