The CyberWire Daily Podcast 8.11.25
Ep 2368 | 8.11.25

Deadlines in the cloud.

Transcript

CISA issues an Emergency Directive to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. SoupDealer malware proves highly evasive. Google patches a Gemini calendar flaw. A North Korean espionage group pivots to financial crime. Russia’s RomCom exploits a WinRAR zero-day. Researchers turn Linux-based webcams into persistent threats. The Franklin Project enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities. DoD announces the winner of DARPA’s two-year AI Cyber Challenge. The U.S. extradites Ghanaian nationals for their roles in a massive fraud ring. Our guest is Steve Deitz, President of MANTECH's Federal Civilian Sector, with a look at cell-based Security Operations Centers (SOC). AI advice turns dinner into a medical mystery.

Today is Monday August 11th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA issues an Emergency Directive to urgently patch a critical vulnerability in Microsoft Exchange hybrid configurations. 

On August 7, 2025, CISA issued an Emergency Directive requiring federal agencies to urgently patch CVE-2025-53786, a critical vulnerability in Microsoft Exchange hybrid configurations. The flaw allows attackers with existing admin access to on-premises Exchange servers to escalate into Microsoft 365 cloud environments. Agencies must act by August 11, 2025, including assessing servers with Microsoft’s Health Checker script, disconnecting unsupported systems, and updating Exchange 2019 to CU14/15 or Exchange 2016 to CU23. They must apply the April 2025 hotfix, transition from legacy shared service principals to dedicated hybrid applications in Entra ID, and clean credentials. Agencies must also prepare for Microsoft Graph API adoption as EWS deprecation begins in October 2025. Compliance reports are due to CISA by August 11, and the directive remains active until all security measures are verified.

SoupDealer malware proves highly evasive. 

SoupDealer is a highly evasive malware that bypasses most public sandboxes, antivirus tools, and EDR/XDR systems—except Threat.Zone—while targeting Windows systems in Türkiye via a geo-specific phishing campaign. Distributed through malicious JAR files, it uses a three-stage loader with heavy obfuscation, AES and RC4 encryption, and TOR-based command-and-control to hide its activity. The malware checks language and location settings to ensure it runs only in Türkiye, then exfiltrates data, grants remote control, and spreads via victims’ email accounts. Capable of privilege escalation, antivirus evasion, file management, screenshot capture, DDoS attacks, and worm-like propagation, SoupDealer underscores the weakness of cloud sandboxes. Researchers stress the need for on-premises, localized dynamic analysis to protect critical infrastructure against such advanced, region-targeted threats.

Google patches a Gemini calendar flaw. 

Google patched a flaw in Gemini, its AI assistant integrated into Android, Workspace, and Google web services, that allowed malicious Google Calendar invites to trigger remote takeover and data theft. The attack used prompt injection hidden in event titles, which Gemini read when summarizing a user’s schedule. This gave attackers access to Gmail, Calendar, Google Home, and device controls, enabling actions like wiping events, extracting emails, tracking location, controlling smart devices, and joining Zoom calls. The exploit required no special model access, bypassed prompt filtering, and could be staged with up to six invites to stay hidden. Discovered by SafeBreach researchers, the bug was fixed before exploitation. Google credited responsible disclosure for accelerating new defenses against such adversarial AI attacks.

A North Korean espionage group pivots to financial crime. 

North Korean hacking group ScarCruft, known for espionage, is now deploying VCD ransomware in attacks targeting South Korea, marking a shift toward financial motives. In July, its ChinopuNK subgroup used phishing emails disguised as postal code updates to deliver over nine types of malware, including ChillyChino variants, data stealers, and the NubSpy backdoor, which hides traffic via PubNub. The campaign combined spying tools with ransomware, reflecting a growing trend of nation-state actors blending espionage and cybercrime to generate revenue under economic sanctions.

Russia’s RomCom exploits a WinRAR zero-day. 

Russian threat group RomCom (aka Storm-0978) exploited a WinRAR zero-day, CVE-2025-8088, in cyberespionage attacks on organizations in Europe and Canada. The path traversal flaw, involving alternate data streams, let attackers craft archives that extract files to attacker-defined locations. Discovered by ESET, the bug was patched July 30, with a beta fix released July 25. First seen July 18, the campaign used spearphishing emails with malicious archives posing as resumes, targeting financial, defense, manufacturing, and logistics firms. No compromises occurred, but intended payloads included SnipBot, RustyClaw, and Mythic Agent backdoors.
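An extraction-side check of the kind this flaw defeats, written here as an added example (it is not code from the episode, from ESET or from WinRAR): it audits an archive listing for entry names that must never be extracted as given, namely absolute paths, `..` traversal components and NTFS alternate-data-stream (`file:stream`) suffixes, and confirms the resolved destination stays under the extraction root. The sample listing is constructed.

```python
import os
import re
from typing import Optional

# Drive-letter prefix ("C:") that makes a name absolute on Windows.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_entry(name: str) -> str:
    """Return 'ok' or the reason an archive entry name must not be extracted as-is.

    The checks run on the raw entry name before anything is written to disk.
    """
    n = name.replace("\\", "/")  # treat Windows and POSIX separators alike
    if n.startswith("/") or _DRIVE_RE.match(n):
        return "absolute"
    parts = [p for p in n.split("/") if p not in ("", ".")]
    if not parts:
        return "empty"
    if ".." in parts:
        return "traversal"
    # "file.txt:stream" names an NTFS alternate data stream, not a plain file,
    # so the bytes would land in a hidden stream on an existing file.
    if any(":" in p for p in parts):
        return "ads"
    return "ok"


def safe_destination(dest_dir: str, name: str) -> Optional[str]:
    """Resolve where an entry would land; None if it is unsafe or escapes dest_dir."""
    if classify_entry(name) != "ok":
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *name.replace("\\", "/").split("/")))
    # Belt and braces: after symlink resolution the path must still sit under root.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def audit_listing(names):
    """Map each entry name in an archive listing to its verdict."""
    return {n: classify_entry(n) for n in names}


# Constructed sample listing modelled on a resume-themed lure; not a real archive.
SAMPLE_LISTING = [
    "resume.pdf",
    "resume.pdf:hidden.exe",
    "..\\..\\outside\\payload.exe",
    "C:/Users/Public/loader.dll",
    "docs/cover_letter.docx",
]

if __name__ == "__main__":
    for entry, verdict in audit_listing(SAMPLE_LISTING).items():
        print(f"{verdict:9} {entry}")
```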

Researchers turn Linux-based webcams into persistent threats. 

Eclypsium researchers demonstrated how Linux-based webcams can be turned into persistent threats using a technique dubbed BadCam, a variant of the well-known BadUSB attack. Tested on Lenovo 510 FHD and Lenovo Performance FHD Web cameras—both using SigmaStar SoCs—the method exploits a missing firmware signature validation flaw (CVE-2025-4371) to reflash the webcam’s firmware. Unlike traditional BadUSB, BadCam doesn’t require physical access; attackers with remote code execution on a host can weaponize an attached webcam to re-infect the system even after a full OS reinstall. The flaw can be paired with Linux kernel vulnerability CVE-2024-53104 for host compromise. Lenovo patched the issue in firmware version 4.8.0. Eclypsium warns other Linux-based cameras and USB peripherals may also be at risk.

The Franklin Project enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities. 

The Franklin Project, launched at DEF CON 2023, enlists volunteer hackers to strengthen cybersecurity at U.S. water utilities, especially small, resource-strapped ones. Founded by Jake Braun, the initiative drew overwhelming interest, with 350 volunteers aiding five utilities in Indiana, Oregon, Utah, and Vermont at no cost. Tasks included changing default passwords, enabling MFA, asset inventories, OT assessments, and network mapping. Volunteers also educate utilities on nation-state threats, noting incidents like China’s Volt Typhoon breaching small systems tied to critical infrastructure. With 50,000 U.S. water utilities and rising attacks from China and Iran, the project is rapidly scaling with partners like Dragos and funding from Craig Newmark Philanthropies to deploy free cybersecurity tools nationwide. In many cases, it’s the only protection these utilities have.

DoD announces the winner of DARPA’s two-year AI Cyber Challenge. 

At DEF CON, the U.S. Defense Department announced Team Atlanta—a collaboration between Georgia Tech, Samsung Research, KAIST, and POSTECH—as the winner of DARPA’s two-year AI Cyber Challenge (AIxCC). The competition tasked dozens of teams with building AI systems to automatically detect and patch vulnerabilities in massive codebases, with finalists working on 54 million lines of synthetic code. Team Atlanta earned $4 million for excelling at finding and fixing bugs, blending traditional threat-hunting tools with AI. Trail of Bits and Theori placed second and third. Overall, competitors patched 77% of synthetic vulnerabilities, a significant improvement from last year’s 37%. DARPA will release most winning tools publicly, with HHS aiming to use them to protect healthcare systems from ransomware. Officials believe these AI-powered methods could transform vulnerability management across critical infrastructure.

The U.S. extradites Ghanaian nationals for their roles in a massive fraud ring. 

Four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, have been charged in the U.S. for their roles in a massive fraud ring that stole over $100 million through romance scams and business email compromise (BEC) attacks from 2016 to May 2023; three have been extradited to the U.S., and one remains at large. Operating as high-ranking members of a Ghana-based network, they targeted vulnerable older Americans and U.S. businesses, laundering stolen funds through stateside middlemen. Romance scams involved posing as romantic partners to solicit money, while BEC schemes spoofed company emails to authorize fraudulent wire transfers. Boateng and Ahmed allegedly acted as “chairmen” overseeing operations. Charges include conspiracy to commit wire fraud, wire fraud, money laundering, and receiving stolen money, with potential sentences of up to 20 years per major count.

AI advice turns dinner into a medical mystery. 

In a medical misadventure equal parts tragic and absurd, a 60-year-old man landed in the ER with hallucinations, convinced his neighbor was poisoning him. The culprit? Himself — courtesy of dietary advice he’d half-understood from ChatGPT. Determined to “eliminate chloride” from his diet, he swapped table salt for sodium bromide, a fine choice if you’re an epileptic dog or a swimming pool, but less so for humans. Three months later, he had full-blown bromism, a disorder so vintage it peaked in the 1800s. The AI had technically suggested bromide as a “replacement” but failed to shout “Don’t eat this!” in bold letters. The man recovered after three hospital-bound weeks, and OpenAI now promises “safe completions” to prevent such culinary chemistry experiments from ending in 19th-century diseases.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.