The CyberWire Daily Podcast 7.11.25
Ep 2347 | 7.11.25

Behind the firewall, trouble brews.

Transcript

Fortinet patches a critical flaw in its FortiWeb web application firewall. Hackers are exploiting a critical vulnerability in Wing FTP Server. U.S. Cyber Command’s fiscal 2026 budget includes a new AI project.  Czechia’s cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. The DoNot APT group targets Italy’s Ministry of Foreign Affairs. Mexico’s former president is under investigation for alleged bribes to secure spyware contracts. The FBI seizes a major Nintendo Switch piracy site. CISA releases 13 ICS advisories.  A retired US Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. Our guest is Catherine Woneis, VP of Product at Fingerprint, to discuss how bots are being used to facilitate music royalty fraud. A federal judge is not impressed with a crypto-thief’s lack of restitution.

Today is Friday July 11th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Fortinet patches a critical flaw in its FortiWeb web application firewall.  

Fortinet has patched a critical flaw in its FortiWeb web application firewall affecting multiple versions. Tracked as CVE-2025-25257 with a CVSS score of 9.6, the vulnerability allows unauthenticated attackers to run unauthorized SQL commands and potentially achieve remote code execution via the GUI component. If you run FortiWeb, isolate its web admin interface from the internet and plan to patch quickly. If patching will be delayed for weeks, consider disabling the web admin interface entirely, though this blocks normal admin access. Disabling the admin interface is only a temporary mitigation, not a permanent fix. Patching remains the safest and easiest solution.

Hackers are exploiting a critical vulnerability in Wing FTP Server. 

Hackers are exploiting a critical vulnerability (CVE-2025-47812) in Wing FTP Server to execute arbitrary code remotely. The flaw, affecting versions up to 7.4.3, stems from mishandling null bytes, allowing attackers to inject Lua code into user session files and gain root or system privileges. While authentication is required, the exploit works with anonymous FTP accounts if enabled. Wing FTP patched this in version 7.4.4 released on May 14. However, after technical details and a proof-of-concept exploit were published on June 30, attacks began immediately. Huntress reports exploitation attempts including fetching files, system fingerprinting, and deploying remote access tools. Around 8,100 Wing FTP servers are internet-accessible, with over 5,000 exposing web interfaces, increasing their risk of compromise.
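The briefing describes the Wing FTP flaw as a null-byte handling problem that lets attacker-controlled input end up in a session file as code. The snippet below is an added illustration of that bug class and its mitigations, not Wing FTP's code or its patch: it shows how a NUL byte creates a "split view" between a C-style string consumer and the full buffer, applies an allow-list validator to the full buffer, stores session state as inert data rather than script text, and includes a version check against the fixed release named above. All function names, the allow-list pattern, and the sample inputs are constructed for this example.

```python
import json
import re

# Constructed sample inputs, not captured traffic. The embedded NUL byte is the
# hazard class the Wing FTP advisory describes; the exact payload is not shown here.
SAMPLE_USERNAMES = [
    "anonymous",
    "alice",
    "anonymous\x00trailing-data",  # NUL followed by extra bytes
    "bob\r\nrole=admin",            # control characters that could break a line-oriented file
]

# First version containing the fix, per the briefing (7.4.4); everything below is affected.
FIXED_VERSION = (7, 4, 4)


def c_string_view(value: str) -> str:
    """What a C-style strlen()/strcmp() consumer sees: everything before the first NUL."""
    nul = value.find("\x00")
    return value if nul == -1 else value[:nul]


def has_split_view(value: str) -> bool:
    """True when the NUL-terminated view disagrees with the full buffer.

    This is the dangerous case: one layer validates the short string while another
    layer copies the whole buffer (including the bytes after the NUL) into a file.
    """
    return c_string_view(value) != value


# Allow-list: only printable identifier characters, 1-64 of them (example policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(value: str) -> bool:
    """Allow-list check applied to the FULL buffer, never to the NUL-truncated view."""
    return USERNAME_RE.fullmatch(value) is not None


def write_session_record(username: str) -> str:
    """Serialize session state as data (JSON), not as executable script text.

    Even if a value slipped past validation, JSON escaping keeps it inert; the
    reader side must parse it as data and never evaluate it.
    """
    if not validate_username(username):
        raise ValueError("username rejected by allow-list")
    auth = "anonymous" if username == "anonymous" else "password"
    return json.dumps({"user": username, "auth": auth})


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def needs_patch(version: str) -> bool:
    """True for any Wing FTP version below the fixed release (assumes x.y.z numbering)."""
    return version_tuple(version) < FIXED_VERSION


def triage(usernames) -> list:
    """Classify each constructed input: split-view hazard, allow-list reject, or ok."""
    out = []
    for u in usernames:
        if has_split_view(u):
            out.append((repr(u), "split-view"))
        elif not validate_username(u):
            out.append((repr(u), "rejected"))
        else:
            out.append((repr(u), "ok"))
    return out


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_USERNAMES):
        print(f"{verdict:10s} {name}")
    print("7.4.3 needs patch:", needs_patch("7.4.3"))
```

The point of `has_split_view` is diagnostic: if any code path in a service compares or logs the NUL-truncated string but persists the raw buffer, an allow-list that runs on the full buffer (as `validate_username` does) closes the gap before the data reaches the session store.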

U.S. Cyber Command’s fiscal 2026 budget includes a new AI project.  

U.S. Cyber Command’s fiscal 2026 budget includes $5 million to launch a new AI project under its $1.3 billion R&D plan, DefenseScoop reports.  This initiative follows a 2023 congressional mandate requiring Cybercom and other defense agencies to create a five-year roadmap for rapidly adopting AI in cyber operations. The project, called Artificial Intelligence for Cyberspace Operations, focuses on developing core data standards to curate and tag data for AI and machine learning integration. Housed within the Cyber National Mission Force (CNMF), it will pilot AI technologies using agile 90-day cycles for rapid testing and validation. Efforts include improving threat detection, automating data analysis, and enhancing decision-making. The budget also outlines five AI application categories: vulnerabilities and exploits, network security and monitoring, modeling and predictive analytics, persona and identity, and infrastructure and transport. This reflects Cybercom’s broader push to operationalize AI for evolving cyber threats efficiently and effectively.

Czechia’s cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek. 

Czechia’s cybersecurity agency has issued a formal warning about Chinese AI company DeepSeek, calling it a national security threat and banning its software from government devices. DeepSeek, known for its low-cost large language model released in January, has faced bans in several countries over privacy concerns. The Czech agency NÚKIB found DeepSeek’s app collects and stores user data in ways accessible to Chinese authorities under laws like China’s National Intelligence Law. It also warned the company’s founder has ties to dual-use military technologies. DeepSeek stores user data on servers in China and Russia, raising further security risks. This follows similar warnings from countries including Australia, India, and the Netherlands. U.S. lawmakers are also considering banning its use in government. DeepSeek has not commented on the ban.

The DoNot APT group targets Italy’s Ministry of Foreign Affairs. 

The DoNot APT group, believed linked to India, has targeted Italy’s Ministry of Foreign Affairs in a recent cyber espionage campaign, Trellix reports. Known for South Asian espionage, DoNot APT is expanding to European diplomatic targets. Attackers sent spear-phishing emails impersonating European defense officials discussing an Italian defense attaché visit to Bangladesh. The emails contained malicious Google Drive links leading to a RAR archive deploying malware. This infection chain used notflog.exe and a scheduled task called “PerformTaskMaintain” for persistent access. The payload was linked to LoptikMod malware, used exclusively by DoNot APT since 2018. The operation aimed to exfiltrate sensitive diplomatic data while evading detection. Trellix warns this sophisticated attack underscores the group’s growing interest in European intelligence and highlights the need for enhanced cyber defenses.
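The two host-side indicators the briefing names, the scheduled task "PerformTaskMaintain" and the binary notflog.exe, are the kind of thing a detection engineer turns into a hunt over scheduled-task creation events. The following is an added example, not code from Trellix or from the report: it scans constructed JSON-lines records loosely modelled on Windows Security event 4698 (scheduled task created) for those indicators, and adds a generic heuristic of its own (task actions living in user-writable directories) that is an assumption of this example, not something the report states. The record shape, hostnames, and paths are all constructed.

```python
import json
import ntpath
from typing import Optional

# Indicators named in the Trellix reporting summarized above (compared case-insensitively).
SUSPECT_TASK_NAMES = {"performtaskmaintain"}
SUSPECT_BINARIES = {"notflog.exe"}

# Generic heuristic, an assumption of this example rather than a reported indicator:
# a scheduled task whose action binary sits in a user-writable directory deserves review.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample records in a simplified JSON-lines shape (not real Windows event XML).
SAMPLE_EVENTS = [json.dumps(r) for r in [
    {"event_id": 4698, "host": "WS-01", "user": "CORP\\alice",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe", "args": "-c -h -o"},
    {"event_id": 4698, "host": "WS-02", "user": "CORP\\bob",
     "task_name": "\\PerformTaskMaintain",
     "command": "C:\\Users\\bob\\AppData\\Roaming\\notflog.exe", "args": ""},
    {"event_id": 4698, "host": "WS-03", "user": "CORP\\carol",
     "task_name": "\\Updater",
     "command": "C:\\Users\\carol\\AppData\\Local\\Temp\\updater.exe", "args": "/silent"},
    {"event_id": 4688, "host": "WS-04", "user": "CORP\\dan",
     "command": "C:\\Windows\\System32\\notepad.exe"},
]]


def classify(record: dict) -> Optional[dict]:
    """Return a finding for a task-creation record that matches an indicator or heuristic."""
    if record.get("event_id") != 4698:
        return None  # only scheduled-task creation events are in scope here
    reasons = []
    severity = "low"
    task_leaf = ntpath.basename(record.get("task_name", "")).lower()
    exe_path = record.get("command", "").lower()
    exe_leaf = ntpath.basename(exe_path)
    if task_leaf in SUSPECT_TASK_NAMES:
        reasons.append(f"task name '{task_leaf}' matches reported indicator")
        severity = "high"
    if exe_leaf in SUSPECT_BINARIES:
        reasons.append(f"action binary '{exe_leaf}' matches reported indicator")
        severity = "high"
    if any(hint in exe_path for hint in USER_WRITABLE_HINTS):
        reasons.append("action binary lives in a user-writable directory (heuristic)")
        if severity == "low":
            severity = "medium"
    if not reasons:
        return None
    return {"host": record.get("host"), "user": record.get("user"),
            "task": record.get("task_name"), "severity": severity, "reasons": reasons}


def scan_events(lines) -> list:
    """Parse JSON-lines records, skipping malformed ones, and collect findings."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['task']}: " + "; ".join(f["reasons"]))
```

In production the same logic would sit over the real 4698 event stream (or Sysmon process-creation events for schtasks.exe), with the indicator sets fed from threat intelligence rather than hard-coded; the heuristic tier is there so that a renamed task or binary still surfaces as a medium-severity lead.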

Mexico’s former president is under investigation for alleged bribes to secure spyware contracts. 

Mexico’s Attorney General has launched an investigation into claims that former President Enrique Peña Nieto took up to $25 million in bribes from Israeli businessmen to secure spyware contracts, including the Pegasus spyware from NSO Group. The allegations stem from an Israeli business publication, TheMarker, citing arbitration documents between businessmen Uri Ansbacher and Avishai Neriah. These documents reportedly describe bribes paid to Peña Nieto in exchange for lucrative government security contracts. Peña Nieto denied the claims, calling them baseless. During his presidency (2012-2018), Pegasus spyware was used to target journalists, scientists, and activists in Mexico. The investigation seeks international legal assistance to access documents from Israeli courts. NSO Group did not comment on the allegations. Peña Nieto has faced previous corruption probes but has never been charged.

The FBI seizes a major Nintendo Switch piracy site. 

The FBI has seized Nsw2u, a major Nintendo Switch piracy site, as part of a law enforcement operation with Dutch financial crime agency FIOD. Nsw2u hosted Switch game ROMs for use on hacked consoles and emulators. The takedown follows Nintendo’s ongoing crackdown on piracy, including lawsuits against emulator creators and ROM sites. Nsw2u was added to the EU piracy watchlist in May. Users reported downloading games shortly before its seizure. Nintendo aims to tighten security further with the recent Switch 2 launch.

CISA releases 13 ICS advisories.  

Yesterday, CISA released 13 advisories detailing vulnerabilities in industrial control systems (ICS), affecting products from Siemens, Delta, Advantech, KUNBUS, and others. The flaws range from issues in Siemens TIA components and SIMATIC hardware to KUNBUS’s RevPi, Delta’s DTM Soft, and Advantech’s iView, among others. CISA urges organizations using ICS equipment to review these advisories promptly and implement recommended mitigations to secure critical infrastructure.

A retired US Army lieutenant colonel pleads guilty to oversharing classified information on a dating app. 

David Franklin Slater, a 64-year-old retired US Army lieutenant colonel and civilian Air Force employee, has pleaded guilty to sharing national defense secrets with a woman he met on a dating app. From February to April 2022, Slater, who held Top Secret clearance at Strategic Command in Nebraska, shared classified details about Russia’s war in Ukraine, including military targets and Russian capabilities. The woman, identified only as “co-conspirator 1,” called him her “secret informant love” and repeatedly requested sensitive information. Despite signing non-disclosure agreements acknowledging potential harm to US security, Slater shared these secrets via email and online messages. He faces up to 10 years in prison, supervised release, and a $250,000 fine. Sentencing is set for October 8.

 

Stick around after the break to hear my conversation with Catherine Woneis, VP of Product at Fingerprint, as we discuss how bots are being used to operate music royalty fraud and 18 months is the new 12 years. 

That was Catherine Woneis from Fingerprint discussing how bots are being used to operate music royalty fraud. 

A federal judge is not impressed with a crypto-thief’s lack of restitution.

And finally, our “Eff around and find out desk” tells us the tale of one Nicholas Truglia, who once thought 18 months in prison was a steep price for stealing $22 million in crypto. Turns out, not paying back your victim can make life much steeper. A US judge just bumped his sentence to 12 years after Truglia “willfully failed” to return nearly $20.4 million. Truglia, part of a crew dubbed “evil computer geniuses,” helped hijack blockchain mogul Michael Terpin’s SIM card to drain his crypto. Ironically, court records revealed Truglia had $53 million in assets, from Bitcoin to fine art. His lawyer insisted he surrendered everything accessible. Apparently, he just couldn’t access enough to avoid learning that while crypto can be volatile, so can sentencing when you keep the loot.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

Be sure to tune into Research Saturday tomorrow, where I sit down with Selena Larson, Threat Researcher at Proofpoint and co-host of Only Malware in the Building, as we discuss their work on "Amatera Stealer - Rebranded ACR Stealer With Improved Evasion, Sophistication".

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

 

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.