The CyberWire Daily Podcast 8.1.25
Ep 2362 | 8.1.25

SUSE flaw found hiding in plain port.

Transcript

A critical vulnerability in SUSE [SOO-suh] Manager allows attackers to run commands with root privilege. A joint CISA and U.S. Coast Guard threat hunt at a critical infrastructure site reveals serious cybersecurity issues. Healthcare providers across the U.S. report recent data breaches. Cybercriminals infiltrate a bank by physically planting a Raspberry Pi on a network switch. Russian state-backed hackers target Moscow diplomats to deploy ApolloShadow malware. Luxembourg investigates a major telecom outage tied to Huawei equipment. China’s cyberspace regulator summons Nvidia over alleged security risks linked to its H20 AI chips. A new report examines early indicators of system compromise. Today we are joined by Ryan Whelan, Managing Director and Global Head of Accenture Cyber Intelligence, with their analysis of Scattered Spider. Pwn2Own puts a million dollar bounty on WhatsApp zero-clicks.

Today is Friday August 1st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A critical vulnerability in SUSE [SOO-suh] Manager allows attackers to run commands with root privilege. 

A critical vulnerability (CVE-2025-46811, CVSS 9.8) in SUSE [SOO-suh] Manager allows attackers to run commands with root privileges—without authentication—through an exposed websocket endpoint on port 443. This flaw, found during a customer security audit, affects multiple SUSE Manager versions, including recent container and cloud deployments. Attackers only need network access to exploit it. A proof-of-concept confirmed the risk using a simple HTML page. Immediate action is needed: block port 443 or isolate vulnerable systems from untrusted networks, then patch them using the updates SUSE has released. Until fully patched, organizations should enforce strict network controls to limit exposure. 

A joint CISA and U.S. Coast Guard threat hunt at a critical infrastructure site reveals serious cybersecurity issues. 

A joint CISA and U.S. Coast Guard threat hunt at a critical infrastructure site revealed serious cybersecurity issues, though no active threat actors were found. Key risks included shared admin accounts with plaintext passwords, weak IT-OT segmentation, and insufficient logging. Misconfigured systems allowed IT users direct access to SCADA networks, raising concerns about potential real-world safety impacts. Admin credentials were stored in scripts and reused across many devices, increasing the risk of lateral movement and persistence by attackers. Inadequate network controls and missing bastion hosts further weakened defenses. CISA urges critical infrastructure operators to fix misconfigurations, enforce unique credentials, use MFA, segment IT/OT environments, and adopt bastion hosts and VPNs. The advisory stresses urgency in addressing these gaps to prevent potential cyber-physical impacts.

Additionally, yesterday CISA issued two high-severity ICS advisories warning of major vulnerabilities in Güralp seismic devices and Rockwell Automation systems using VMware. The Güralp flaw (CVE-2025-8286) allows unauthenticated remote access via Telnet, risking manipulation of seismic monitoring equipment. Rockwell systems face four critical VMware-related bugs enabling code execution and full system compromise. No exploitation has been reported, but CISA urges immediate isolation of affected systems, network segmentation, and patching. 

Healthcare providers across the U.S. report recent data breaches. 

Several healthcare providers across the U.S. have reported recent hacking-related data breaches. Mid Florida Primary Care disclosed a breach affecting sensitive patient data accessed between November and December 2024. Northwest Denture Center in Washington confirmed the exposure of protected health information for over 12,000 individuals in May 2025. Equilibria Mental Health Services in Massachusetts was hit by a phishing attack compromising up to 2,000 individuals. Forward, the National Databank for Rheumatic Diseases, reported unauthorized access in March affecting personal and medical data. Meanwhile, Inc Ransom claims to have targeted the West Virginia Primary Care Association, allegedly stealing 296 GB of data. However, WVPCA has not confirmed any breach. Impacted organizations are offering credit monitoring and enhancing security protocols in response to these incidents.

Cybercriminals infiltrate a bank by physically planting a Raspberry Pi on a network switch. 

Cybercriminal group UNC2891 infiltrated an Indonesian bank in early 2024 by physically planting a Raspberry Pi on a network switch linked to an ATM, Group-IB reports. Equipped with a 4G modem, the device allowed remote access to the bank’s internal systems. The attackers used a backdoor called Tinyshell, disguised as a Linux display manager, to evade detection and maintain persistent access via the bank’s mail server. Though they successfully stole cash, the attack was mitigated days later. Forensics teams struggled due to the group’s advanced obfuscation tactics, including the use of Linux bind mounts—now documented as MITRE ATT&CK technique T1564.013. While the attackers aimed to deploy the Caketap rootkit for further withdrawals, defenders ultimately blocked their goal. The incident highlights the need for advanced memory and network forensics beyond standard response measures.
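Bind-mounting an ordinary directory over a /proc/&lt;pid&gt; entry hides that process from any tool that enumerates /proc, which is why responders reading the process list can miss it. The check below is an added example for defenders (not code from Group-IB's report or this episode): it parses the kernel's mountinfo format and flags any /proc/&lt;pid&gt; mount point whose filesystem is not proc. The mountinfo lines and PIDs are constructed.

```python
"""Flag bind mounts layered over /proc/<pid> directories, the process-hiding
trick catalogued as MITRE ATT&CK T1564.013 (Hide Artifacts: Bind Mounts).
Added example; the sample mountinfo content below is constructed."""
import os
import re

# /proc/<pid> or anything beneath it.
PID_DIR = re.compile(r"^/proc/(\d+)(/.*)?$")

# Constructed /proc/self/mountinfo sample. Field layout per line:
#   id parent major:minor root mount_point options ... - fstype source super_opts
# For a bind mount, "root" is the source subtree and "mount_point" is where
# it was overlaid; here two PIDs have ext4 directories mounted over them.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
24 22 8:1 /home/user/empty /proc/4242 rw,relatime - ext4 /dev/sda1 rw
25 23 8:1 /var/tmp/.x /proc/1337 rw,relatime - ext4 /dev/sda1 rw
26 23 8:1 /srv/data /mnt/data rw,relatime - ext4 /dev/sda1 rw
"""


def parse_mountinfo(text):
    """Yield (root, mount_point, fstype, source) for each mountinfo line.
    The optional fields before the ' - ' separator vary in number, so the
    line is split on that separator rather than by fixed column."""
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields, post_fields = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(post_fields) < 2:
            continue  # malformed or empty line
        # Kernel escapes spaces in paths as \040; decode for readability.
        root = fields[3].replace("\\040", " ")
        mount_point = fields[4].replace("\\040", " ")
        yield root, mount_point, post_fields[0], post_fields[1]


def find_hidden_pids(text):
    """Return sorted PIDs whose /proc/<pid> entry is covered by a mount that
    is not the proc filesystem itself (i.e. a bind or other overlay)."""
    hidden = set()
    for root, mount_point, fstype, source in parse_mountinfo(text):
        m = PID_DIR.match(mount_point)
        if m and fstype != "proc":
            hidden.add(int(m.group(1)))
    return sorted(hidden)


if __name__ == "__main__":
    path = "/proc/self/mountinfo"  # live check when run on a Linux host
    data = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for pid in find_hidden_pids(data):
        print(f"suspicious overlay on /proc/{pid}; inspect with findmnt/umount")
```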

Russian state-backed hackers target Moscow diplomats to deploy ApolloShadow malware. 

Russian state-backed hackers from the APT group Secret Blizzard (aka Turla, Krypton) are targeting diplomatic personnel in Moscow using adversary-in-the-middle (AitM) attacks to deploy custom malware called ApolloShadow, Microsoft reports. The group, active since 2006 and linked to Russia’s FSB, uses access at the ISP level—via domestic surveillance systems like SORM—to intercept traffic and deliver malware. Victims are redirected through a fake captive portal where ApolloShadow installs a fake Kaspersky certificate to gain system control. The malware modifies system settings, installs root certificates via certutil, and creates a persistent admin account. Microsoft warns that diplomats using Russian ISPs are likely targets and urges use of VPNs, least privilege policies, MFA, and script-blocking to reduce risk. This is the first confirmed case of ISP-level AitM malware deployment inside Russia.

Luxembourg investigates a major telecom outage tied to Huawei equipment. 

Luxembourg is investigating a major telecom outage on July 23 caused by a cyberattack that disrupted 4G and 5G services for over three hours. The attack, reportedly targeting Huawei equipment, also disrupted emergency calls, internet access, and banking services. Officials believe it was a deliberate, sophisticated denial-of-service attack exploiting a software flaw in POST Luxembourg’s infrastructure. A full forensic probe is underway. The incident has prompted a review of national resilience and may lead to regulatory changes for network redundancy during outages.

China’s cyberspace regulator summons Nvidia over alleged security risks linked to its H20 AI chips. 

China’s cyberspace regulator has summoned Nvidia over alleged security risks linked to its H20 AI chips sold in China. The Cyberspace Administration of China (CAC) requested explanations and supporting evidence, citing national laws on data and network security. This follows growing concerns about U.S.-made AI chips containing tracking and remote shutdown features. U.S. lawmakers, including Senator Tom Cotton, have proposed laws to require such features for exported chips. The CAC claims Nvidia’s chips may already include this technology, prompting further scrutiny.

A new report examines early indicators of system compromise. 

A new report from GreyNoise reveals that attackers often begin exploiting vulnerabilities in edge devices up to six weeks before they’re publicly disclosed or assigned a CVE. In 80% of cases, pre-disclosure activity—like scanning, brute forcing, and zero-day exploit attempts—spikes before the CVE is announced. This trend is especially common for eight major vendors: Cisco, Citrix, Fortinet, Ivanti, Juniper, MikroTik, Palo Alto Networks, and SonicWall. GreyNoise identified 216 such pre-disclosure spikes, urging defenders to treat them as early warnings. Security teams should enhance monitoring during these spikes, harden systems, and block malicious IPs to prevent compromise. These early indicators provide a window for proactive defense, especially against nation-state actors like Typhoons targeting enterprise edge devices for surveillance and long-term access.

Pwn2Own puts a million dollar bounty on WhatsApp zero-clicks. 

The Zero Day Initiative is dangling a cool $1 million carrot in front of hackers who can crack WhatsApp with a zero-click exploit at this year’s Pwn2Own Ireland contest. That’s right—no taps, no swipes, no “oops, I shouldn’t have clicked that.” Just code execution on a platform used by over 3 billion people. The challenge runs October 21–24 in Cork, and Meta is all in—as co-sponsor and enthusiastic target.

After last year’s WhatsApp category saw zero takers, ZDI seems to think seven figures might change some minds. Contestants can also go after everything from smart glasses and smartphones to surveillance gear and printers—because who doesn’t want to hack a Ray-Ban? Bonus points (and prizes) for breaking in via USB on a locked phone. As always, vendors get 90 days to patch up before ZDI spills the beans.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.