The CyberWire Daily Podcast 8.25.25
Ep 2378 | 8.25.25

A farmers market of stolen data.

Transcript

Farmers Insurance discloses a data breach affecting over a million people. Agentic AI tools fall for common scams. A new bill in Congress looks to revive letters of marque for the digital age. Cybercriminals target macOS users with the Shamos infostealer. New Android spyware masquerades as antivirus to target Russian business executives. CISA seeks public comments on SBOM updates. A major third party electronics manufacturer reports a ransomware attack. Salesforce patches multiple vulnerabilities in its Tableau products. Over 370,000 user Grok conversations were accidentally indexed by Google. Ben Yelin examines the UK’s decision to drop digital backdoor requirements. WIRED gets duped by an AI author.

Today is Monday, August 25th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Farmers Insurance discloses a data breach affecting over a million people. 

Farmers Insurance disclosed a data breach affecting more than 1 million people after a third-party vendor reported unauthorized access to its database on May 30. The company, which serves about 10 million U.S. households, confirmed that attackers stole customer data including names, addresses, dates of birth, driver’s license numbers, and partial Social Security numbers. Farmers New World Life Insurance reported 40,000 impacted individuals, while Farmers Group and affiliates reported over 1.07 million. The insurer clarified it was not directly targeted, but was affected through its vendor. Farmers, a subsidiary of Zurich Insurance Group, has not disclosed the vendor’s identity or whether ransomware was involved. The investigation is ongoing, and the company has filed breach notifications with state regulators.

Agentic AI tools fall for common scams. 

AI-powered browsers are moving from concept to reality, with “Agentic AI” tools going beyond search and automation, performing tasks like shopping and handling emails autonomously. But convenience comes with major risks. AI browsers inherit AI’s weaknesses: they act without skepticism, trust too easily, and can be manipulated. Tests by Guardio Labs on Comet showed it falling for basic scams, buying from a fake Walmart site and clicking phishing links from bogus bank emails, sometimes even autofilling payment data. More advanced risks stem from prompt injection attacks like “PromptFix,” where hidden instructions trick the AI into harmful actions such as downloads or data leaks. The threat is clear: scammers no longer need to fool people, only their AI. Without built-in guardrails, AI browsing turns everyday convenience into a new scam surface.

A new bill in Congress looks to revive letters of marque for the digital age. 

A new bill in Congress could revive an old naval practice for the digital age. Arizona Republican David Schweikert introduced the Scam Farms Marque and Reprisal Authorization Act of 2025, which would let the President issue letters of marque to commission U.S. cyber privateers. Once used during the War of 1812 to authorize private ships against British vessels, these letters would now target cybercriminals and even foreign governments behind online attacks. Schweikert argues current defenses lag behind fast-growing cybercrime, which cost Americans $16.6 billion last year, the highest in 25 years. His office says sanctioned hackers could seize assets, defend infrastructure, and deter future attacks. Critics caution foreign governments may see this as escalation. The bill’s future is uncertain, but it raises a provocative question: can 19th-century tactics work against 21st-century digital predators?

Cybercriminals target macOS users with the Shamos infostealer. 

Cybercriminals are targeting macOS users with the Shamos infostealer, disguised as technical help. According to CrowdStrike, attackers ran a campaign from June to August 2025 using malvertising and fake support sites like mac-safer[.]com and rescue-mac[.]com. Victims searching for fixes were tricked into running a one-line Terminal command, a ClickFix technique that bypasses Apple’s Gatekeeper protections. Once installed, Shamos collects credentials, Apple Notes, Keychain data, browser info, and cryptocurrency wallets, exfiltrating them in a ZIP archive. It also installs a spoofed Ledger wallet, a botnet module, and persistence mechanisms. In a parallel campaign, Shamos was spread via a fake GitHub page offering iTerm2. ClickFix, first seen in late 2024, has surged in popularity across macOS, Windows, and Linux due to its simplicity and reliability, making it a favored tool for both cybercriminals and APT groups.

New Android spyware masquerades as antivirus to target Russian business executives. 

A new Android spyware, Android.Backdoor.916.origin, is masquerading as an antivirus app to target Russian business executives, according to Dr. Web. Active since January 2025, the malware mimics tools branded as “GuardCB” or “SECURITY_FSB,” falsely linked to Russia’s FSB. Once installed, it requests extensive permissions, enabling it to exfiltrate SMS, contacts, and files, log keystrokes, activate the camera or mic, and stream the screen. The fake app simulates scans to appear legitimate. Researchers note continuous development, with multiple versions designed exclusively for Russian-speaking victims.

CISA seeks public comments on SBOM updates. 

CISA has released draft guidance updating the minimum elements for a Software Bill of Materials (SBOM) and is seeking public comment until October 3, 2025. Building on the 2021 NTIA framework, the update reflects advances in software supply chain security and transparency. SBOMs list software components, enabling organizations to spot vulnerabilities and manage risks. The guidance defines three key areas: data fields, automation support, and practices/processes. It emphasizes machine-readable formats like SPDX and CycloneDX, covers SBOM use in cloud and AI software, and stresses integrating SBOMs into development lifecycles.
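To make the SBOM story concrete, here is an added example that is not part of the podcast and not CISA's or NTIA's code: a small Python script that reads a CycloneDX JSON document, checks it against the 2021 NTIA minimum-element baseline (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), and matches listed components against an advisory feed. The SBOM, the package names, the vendor and the advisory identifiers are all constructed for illustration; the advisory IDs are placeholders, not real CVEs.

```python
"""Added example: parse a CycloneDX JSON SBOM, report gaps against the
NTIA 2021 minimum elements, and match components against advisories.
All sample data is constructed; advisory IDs are placeholders."""
import json

# Constructed sample SBOM in CycloneDX JSON layout (values are invented).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2025-08-25T12:00:00Z",
        "authors": [{"name": "Example Build Pipeline"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "3.1.0"},
    },
    "components": [
        {"type": "library", "name": "libexample-json", "version": "1.4.2",
         "supplier": {"name": "Example Vendor"},
         "bom-ref": "pkg:generic/libexample-json@1.4.2",
         "purl": "pkg:generic/libexample-json@1.4.2"},
        {"type": "library", "name": "example-http", "version": "2.0.9",
         "supplier": {"name": "Example Vendor"},
         "bom-ref": "pkg:generic/example-http@2.0.9",
         "purl": "pkg:generic/example-http@2.0.9"},
        # Deliberately missing a supplier: a baseline gap the check should flag.
        {"type": "library", "name": "example-crypto", "version": "0.7.1",
         "bom-ref": "pkg:generic/example-crypto@0.7.1",
         "purl": "pkg:generic/example-crypto@0.7.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-http@2.0.9",
         "dependsOn": ["pkg:generic/libexample-json@1.4.2"]},
        {"ref": "pkg:generic/example-crypto@0.7.1", "dependsOn": []},
    ],
})

# Constructed advisory feed: "fixed_in" is the first non-affected version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-http", "fixed_in": "2.1.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "libexample-json", "fixed_in": "1.4.0"},
]


def parse_version(v):
    """Turn a dotted version into a comparable tuple (simplified: any
    non-numeric segment counts as 0, which is enough for this example)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return the component inventory as flat dicts with the fields
    the NTIA baseline cares about."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in sbom.get("components", []):
        comps.append({
            "name": c.get("name"),
            "version": c.get("version"),
            "supplier": (c.get("supplier") or {}).get("name"),
            "purl": c.get("purl"),          # unique identifier
            "bom_ref": c.get("bom-ref"),
        })
    return comps


def baseline_gaps(sbom_text):
    """List human-readable gaps against the NTIA 2021 minimum elements."""
    sbom = json.loads(sbom_text)
    meta = sbom.get("metadata", {})
    gaps = []
    if not meta.get("authors"):
        gaps.append("document: no SBOM author recorded")
    if not meta.get("timestamp"):
        gaps.append("document: no timestamp")
    if not sbom.get("dependencies"):
        gaps.append("document: no dependency relationships")
    for c in load_components(sbom_text):
        label = c["name"] or "<unnamed component>"
        for field in ("name", "version", "supplier", "purl"):
            if not c[field]:
                gaps.append(f"{label}: missing {field}")
    return gaps


def match_advisories(components, advisories):
    """Return (advisory id, purl) pairs for components below the fixed version."""
    hits = []
    for adv in advisories:
        for c in components:
            if (c["name"] == adv["name"] and c["version"]
                    and parse_version(c["version"]) < parse_version(adv["fixed_in"])):
                hits.append((adv["id"], c["purl"]))
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("components:", len(comps))
    for gap in baseline_gaps(SAMPLE_SBOM):
        print("baseline gap:", gap)
    for adv_id, purl in match_advisories(comps, SAMPLE_ADVISORIES):
        print("affected:", adv_id, purl)
```

Run on the constructed SBOM, the script lists three components, flags the one that omits a supplier name, and reports only `example-http` 2.0.9 as affected, since 1.4.2 of `libexample-json` is already past its constructed fix version. A real pipeline would swap the constructed advisory list for a live feed and run the same baseline check on every build's SBOM, which is the kind of lifecycle integration the draft guidance describes.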

A major third-party electronics manufacturer reports a ransomware attack.

Data I/O, a Redmond-based electronics manufacturer, reported a ransomware attack that began August 16, disrupting shipping, manufacturing, and production systems. The company, which supplies tech for vehicles, charging stations, and consumer devices, serving clients like Tesla, Panasonic, Amazon, and Microsoft, filed notice with the SEC, warning of potential material financial impact. Containment steps include taking systems offline while a third party investigates. No restoration timeline has been set. Data I/O is the second firm this week to disclose ransomware to the SEC, amid rising attacks on the manufacturing sector.

Salesforce patches multiple vulnerabilities in its Tableau products. 

Salesforce has patched multiple vulnerabilities in Tableau Server and Tableau Desktop, including a critical type confusion flaw (CVE-2025-26496, CVSS 9.6) that could let attackers execute malicious code. Other flaws (CVE-2025-52450, CVE-2025-52451, CVE-2025-26497, and CVE-2025-26498) allow path traversal and arbitrary file writes, potentially leading to full compromise of Tableau instances. Affected versions include Tableau Server before 2025.1.4, 2024.2.13, and 2023.3.20, and corresponding Desktop versions. Salesforce urges all customers, especially those with external-facing servers, to upgrade immediately to protect against account hijacking, insider threats, and malware-driven attacks.

Over 370,000 user Grok conversations were accidentally indexed by Google. 

Forbes reports that 370,000 user conversations were accidentally indexed by Google and made publicly searchable due to the “share” feature in xAI’s Grok. The feature was intended for private sharing via link but did not warn users their content could be exposed to search engines like Google or Bing. Some conversations contained personal data such as names, files, spreadsheets, and even a password. Others included prohibited requests, from drug recipes to malware coding. Google clarified that publishers, not search engines, control indexation. xAI prohibits using Grok for harmful purposes, though violations were evident. The issue mirrors similar incidents, including ChatGPT conversations and Google Drive documents becoming searchable through public link-sharing, highlighting ongoing risks in how “share” features handle user data.


WIRED gets duped by an AI author. 

As we often say over on the Hacking Humans podcast, no one is immune from the occasional scam. Even WIRED, the tech magazine that prides itself on dissecting AI’s every flaw, got duped by it. Back in April, an editor received what looked like a pitch tailor-made for the publication: “Do You Take This Discord Server? The Rise of Hyper-Niche Internet Weddings.” It ticked all the WIRED boxes: quirky subculture, smart cultural angle, and internet weirdness to spare. The editor assigned it, the writer played along, and by May 7 the piece was live on WIRED’s site.

Then things unraveled. The “writer” couldn’t clear WIRED’s payments system, insisting on PayPal or a paper check instead. That raised eyebrows. A deeper look confirmed the worst: the article was AI-generated, the byline a fabrication. WIRED retracted the story and published an editor’s note, admitting lapses in fact-checking and editorial review.

The irony was hard to miss: a leading watchdog of AI misinformation fell victim to the very thing it warns about. Again, it could happen to any of us, so an empathetic tip of the hat to WIRED for owning up to the mistake so others may learn from it.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.