
Dialysis down, data out.
A ransomware attack exposes personal medical records of VA patients. New joint guidance from CISA and the NSA emphasizes asset inventory and OT taxonomy. The UK government reportedly spent millions to cover up a data breach. Researchers identified two critical flaws in a widely used print orchestration platform. Phishing attacks increasingly rely on personalization. Rooting and jailbreaking frameworks pose serious enterprise risks. Fortinet warns of a critical command injection flaw in FortiSIEM. Estonian nationals are sentenced in a crypto Ponzi scheme. Michele Campobasso from Forescout joins us to unpack new research separating the hype from reality around “vibe hacking.” Meet the Blockchain Bandits of Pyongyang.
Today is Thursday August 14th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A ransomware attack exposes personal medical records of VA patients.
A ransomware attack on DaVita, a major dialysis provider contracting with the Department of Veterans Affairs (VA), exposed about 1 million medical records, including veterans’ Social Security numbers, lab results, and insurance details. The breach affected VA patients receiving dialysis and lab services through the Veteran Community Care Program. Additional data, such as names, check images, and tax IDs, may have been compromised. The VA paid DaVita $206 million in early 2025 for services, but its internal systems were not impacted. Forensic teams and the FBI are investigating. DaVita has restored affected systems and will offer 12 months of free credit monitoring to victims. Kidney disease is more prevalent among veterans, with the VA caring for about 600,000 affected individuals nationwide.
New joint guidance from CISA and the NSA emphasizes asset inventory and OT taxonomy.
New joint guidance from agencies including CISA, NSA, EPA, and international partners emphasizes that building a modern, defensible architecture for operational technology (OT) relies on a well‑maintained asset inventory and OT taxonomy. Titled, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”, it outlines a structured, multi-step process: define governance, scope, and roles; identify OT assets and collect key attributes (like IP address, manufacturer, criticality); create a taxonomy, classifying assets by function or criticality and organizing them using Zones and Conduits per ISA/IEC 62443 standards; manage inventory data centrally; and apply lifecycle management. Beyond inventory, it guides organizations in improving cybersecurity through vulnerability tracking, performance monitoring, training, and continuous improvement. Appendix examples include conceptual taxonomies for oil & gas, electricity, and water infrastructure. While voluntary and not prescriptive, this guide aids asset owners in enhancing information clarity, security posture, and operational resilience for critical OT environments.
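As an added illustration of the inventory-and-taxonomy process described above (this is example code written for this briefing, not material from the CISA/NSA guidance), the following Python models a small water-treatment style inventory with ISA/IEC 62443 zones and conduits and runs two checks a practitioner would want: which assets are missing the key attributes the guidance says to collect, and which observed cross-zone flows have no sanctioned conduit. All asset names, addresses, zones and flows are constructed for the example.

```python
"""Added example (not from the CISA/NSA guidance): a minimal OT asset
inventory with an ISA/IEC 62443 style zone/conduit taxonomy and two checks
run against it. Every asset, zone, conduit and flow below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Attributes the inventory process requires for every asset (subset chosen for
# the example: the guidance lists more).
REQUIRED_ATTRS = ("ip", "manufacturer", "criticality")


@dataclass
class Asset:
    asset_id: str
    zone: str                      # taxonomy zone the asset is assigned to
    attrs: Dict[str, str] = field(default_factory=dict)

    def missing_attributes(self) -> List[str]:
        """Required attributes that were never collected for this asset."""
        return [a for a in REQUIRED_ATTRS if not self.attrs.get(a)]


@dataclass
class Conduit:
    """An approved communication path between two zones (order-independent)."""
    zone_a: str
    zone_b: str
    allowed_protocols: Set[str]

    def connects(self, z1: str, z2: str) -> bool:
        return {z1, z2} == {self.zone_a, self.zone_b}


def build_inventory() -> Tuple[Dict[str, Asset], List[Conduit]]:
    """Constructed sample inventory: three zones, two conduits."""
    assets = {
        "plc-01": Asset("plc-01", "process-control",
                        {"ip": "10.1.1.10", "manufacturer": "VendorA", "criticality": "high"}),
        "hmi-01": Asset("hmi-01", "supervisory",
                        {"ip": "10.1.2.20", "manufacturer": "VendorB", "criticality": "medium"}),
        "hist-01": Asset("hist-01", "dmz",
                         {"ip": "10.1.3.30", "manufacturer": "VendorC", "criticality": "medium"}),
        # Engineering workstation whose manufacturer/criticality were never recorded.
        "eng-ws": Asset("eng-ws", "supervisory", {"ip": "10.1.2.21"}),
    }
    conduits = [
        Conduit("supervisory", "process-control", {"modbus", "s7comm"}),
        Conduit("dmz", "supervisory", {"opcua"}),
    ]
    return assets, conduits


def find_incomplete_assets(assets: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Map asset id -> list of missing required attributes (only incomplete ones)."""
    return {aid: a.missing_attributes()
            for aid, a in assets.items() if a.missing_attributes()}


def find_unsanctioned_flows(assets: Dict[str, Asset], conduits: List[Conduit],
                            flows: List[Tuple[str, str, str]]):
    """flows: (src_id, dst_id, protocol). Returns flows that cross zones with no
    conduit, or that use a protocol the conduit does not allow. Intra-zone
    traffic is outside conduit policy and is skipped."""
    bad = []
    for src, dst, proto in flows:
        zs, zd = assets[src].zone, assets[dst].zone
        if zs == zd:
            continue
        conduit = next((c for c in conduits if c.connects(zs, zd)), None)
        if conduit is None:
            bad.append((src, dst, proto, "no conduit between %s and %s" % (zs, zd)))
        elif proto not in conduit.allowed_protocols:
            bad.append((src, dst, proto, "protocol not allowed on conduit"))
    return bad


# Constructed "observed traffic" as it might come from a passive OT monitor.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "modbus"),    # sanctioned supervisory -> process-control
    ("hist-01", "hmi-01", "opcua"),    # sanctioned dmz -> supervisory
    ("hist-01", "plc-01", "modbus"),   # dmz -> process-control: no conduit defined
    ("hmi-01", "plc-01", "ssh"),       # conduit exists but ssh is not permitted on it
]

if __name__ == "__main__":
    inv, cons = build_inventory()
    print("incomplete assets:", find_incomplete_assets(inv))
    for row in find_unsanctioned_flows(inv, cons, SAMPLE_FLOWS):
        print("unsanctioned flow:", row)
```

The zone/conduit model is deliberately order-independent and protocol-aware: in practice the flow list comes from passive monitoring, and the two findings (an unrecorded asset, traffic with no conduit) are exactly the gaps the guidance's lifecycle and vulnerability-tracking steps feed on.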
Separately, CISA warned that attackers are actively exploiting two vulnerabilities in N-able’s N-central remote monitoring and management platform (CVE-2025-8875, CVE-2025-8876). The flaws, which require authentication, could allow command execution and input injection. N-able patched them in version 2025.3.1 and urged immediate upgrades. Around 2,000 instances are exposed online, mostly in the U.S., Australia, and Germany. CISA added the bugs to its Known Exploited Vulnerabilities Catalog, giving U.S. federal agencies until August 20 to patch, and advised all organizations to secure systems promptly to reduce exploitation risk.
The UK government reportedly spent millions to cover up a data breach.
In 2022, a British military error exposed the personal details of 18,700 Afghans who had worked with UK forces, risking Taliban reprisals. According to the New York Times, the Conservative government sought a rare “contra mundum” super injunction, barring disclosure even to victims, spending $3.2 million in legal costs. The breach wasn’t discovered until August 2023, when part of the data appeared on Facebook. Journalists who inquired were served with secrecy orders. The injunction lasted 18 months until Labour’s 2024 review prompted its lifting. Critics argue the order increasingly served to avoid political embarrassment. The breach triggered a £400 million secret relocation program for 4,500 Afghans. The case, unprecedented in scope, has sparked debate over press freedom in Britain, with legal experts noting such gag orders would be impossible under U.S. First Amendment protections.
Researchers identified two critical flaws in a widely used print orchestration platform.
Researchers at Horizon3.ai have identified two critical flaws in Xerox FreeFlow Core, a print orchestration platform widely used by commercial print shops, universities, and government agencies. The XXE Injection vulnerability (CVE-2025-8355) and Path Traversal flaw (CVE-2025-8356) allow unauthenticated remote attackers to execute arbitrary code on affected systems. CVE-2025-8355, found in the JMF Client service on port 4004, enables server-side request forgery via improperly handled XML entities. CVE-2025-8356 allows attackers to upload files to arbitrary locations, enabling webshell deployment and remote execution. Both vulnerabilities are patched in FreeFlow Core version 8.0.5, and immediate upgrading is advised. The flaws were discovered during an investigation into unusual exploit callbacks and disclosed under Horizon3.ai’s vulnerability policy.
Phishing attacks increasingly rely on personalization.
Cofense Intelligence reports that subject customization (personalizing email subjects, attachments, and links) is a key phishing tactic for delivering malware, especially Remote Access Trojans (RATs) and information stealers. From Q3 2023 to Q3 2024, the top malware-delivery themes with customized subjects were Travel Assistance, Response, Finance, Taxes, and Notification. Travel Assistance most often delivered Vidar Stealer; Response used PikaBot; Finance commonly used jRAT; Taxes targeted with Remcos RAT; Notification varied between WSH RAT and jRAT. Customized file names often contained PII, particularly with jRAT and Remcos RAT in Finance or Taxes-themed emails. Such personalization increases engagement, aiding attackers in stealing credentials or enabling brokered access for ransomware operations.
Rooting and jailbreaking frameworks pose serious enterprise risks.
Zimperium’s zLabs warns that modern rooting and jailbreaking frameworks, often developed without security oversight, pose serious enterprise risks by enabling malware infections, app compromise, and full system takeover. Many use Android kernel patching, as in KernelSU, APatch, and SKRoot, hooking kernel functions to gain root access. Weak authentication between user apps and kernel interfaces creates exploitable flaws. A KernelSU 0.5.7 vulnerability let attackers spoof the manager app via file descriptor manipulation, bypassing signature checks to gain root before the legitimate manager launched. Similar weaknesses, such as APatch’s past weak password protection and Magisk’s impersonation bug (CVE-2024-48336), show these risks are common. zLabs stresses continuous monitoring, as improper authentication, insecure communication, and poor privilege isolation in rooting tools create persistent, real-world exploitation opportunities.
Fortinet warns of a critical command injection flaw in FortiSIEM.
Fortinet warns of a critical remote unauthenticated command injection flaw (CVE-2025-25256, CVSS 9.8) in FortiSIEM, a security monitoring platform used by governments, enterprises, and MSSPs. Exploit code is already active in the wild, allowing attackers to execute unauthorized commands via crafted CLI requests, with no distinctive IOCs for detection. Versions 5.4–7.3 are affected; only supported releases will receive patches. Admins should upgrade immediately to fixed versions or restrict access to phMonitor on port 7900. Older, unsupported versions remain permanently vulnerable.
Estonian nationals are sentenced in a crypto Ponzi scheme.
Estonians Sergei Potapenko and Ivan Turõgin were sentenced in Washington state to time served, 16 months, for running a $500M cryptocurrency Ponzi scheme. Starting in 2013, they sold bitcoin mining equipment via HashCoins but never had adequate inventory. They later launched HashFlare, offering “remote” mining contracts, showing fake profits to investors while operating only a fraction of the claimed capacity. Assets worth over $450M were seized for victim compensation. Prosecutors sought 10 years, and the DOJ may appeal the sentence.
Meet the Blockchain Bandits of Pyongyang.
In the latest installment of “North Korea Does Remote Work,” crypto sleuth ZachXBT has outed a six-person DPRK IT squad, tied to a $680K June crypto hack, moonlighting as blockchain developers under 31 fake identities. Their CVs boasted “experience” at OpenSea and Chainlink, and one even interviewed at Polygon Labs. Screenshots from a compromised device show them coordinating scams via Google Drive, AnyDesk, VPNs, and Google Translate, all on a $1,489.80 monthly expense budget. The crew, also linked to the $1.4B Bybit hack, secured freelance roles to siphon millions more. ZachXBT warns the scams aren’t high-tech, just high-volume, and sloppy hiring keeps the DPRK’s most committed “remote workers” employed.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
