The CyberWire Daily Podcast 9.3.25
Ep 2384 | 9.3.25

Ransomware in the rearview.

Transcript

Jaguar Land Rover suffers a major cyberattack. ICE gains access to a powerful spyware tool. Researchers find Fancy Bear snuffling around a new Outlook backdoor. Cloudflare and Palo Alto Networks confirm compromised Salesforce data. A researcher discovers an unsecured Navy Federal Credit Union (NFCU) server. A new ClickFix scam spreads MetaStealer malware. Specialty healthcare providers struggle to protect sensitive patient data. CISA appoints a new Executive Assistant Director for Cybersecurity. On Afternoon Cyber Tea, Ann Johnson and Harvard’s Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure. Our guest today is Tim Starks from CyberScoop discussing China’s reliance on domestic firms for hacking. Hackers threaten to feed stolen art to the machines.

Today is Wednesday, September 3rd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Jaguar Land Rover suffers a major cyberattack.

Jaguar Land Rover (JLR), the UK’s leading luxury automaker, has confirmed a major cyberattack that forced the shutdown of its global IT systems. The incident has halted production lines in the UK and abroad, disrupted supply chains, and temporarily closed some retail outlets and online services. While JLR says there is no evidence of customer data theft, operations have been severely impacted. The attack comes amid financial strain: JLR recently reported a 49% drop in pre-tax profits, delayed its new electric models to 2026, and announced 500 UK job cuts. This is the second breach in a year, following a March 2025 ransomware attack linked to the HELLCAT group. JLR joins other UK companies, like Marks & Spencer and Harrods, recently hit by cybercriminals.

ICE gains access to a powerful spyware tool.

US Immigration and Customs Enforcement (ICE) will gain access to Paragon Solutions’ spyware tool, Graphite, after the Trump administration lifted a hold on a $2 million contract first signed under Biden. Graphite allegedly can hack any phone, including encrypted apps like WhatsApp and Signal, and even turn devices into listening tools. Civil rights advocates warn the move hands invasive surveillance powers to an agency already accused of due process violations. While Paragon claims it only works with democracies and cuts ties with abusive clients, its spyware has previously been misused in Italy against journalists and activists. Experts argue such tools pose security risks, as multiple governments share access to the same tech. Critics say this raises threats to privacy, free speech, and democratic accountability.

Researchers find Fancy Bear snuffling around a new Outlook backdoor.

Researchers at Spanish cybersecurity firm S2 Grupo have discovered a new Outlook backdoor, dubbed NotDoor, linked to Russia-backed APT28 (aka Fancy Bear). The malware uses Visual Basic for Applications (VBA) macros in Microsoft Outlook to monitor incoming emails for trigger words, then exfiltrates data, uploads files, or executes commands. NotDoor hides in Outlook’s event-driven processes, abuses DLL side-loading with OneDrive.exe, and disables security warnings to maintain persistence. It communicates via attacker-controlled email accounts and covert callbacks, deleting traces after exfiltration. Its modular design allows dynamic updates, making detection difficult. APT28, tied to Russia’s GRU, has a long record of high-profile cyberattacks, including the 2016 U.S. election breaches. Researchers at LAB52 warn that NotDoor reflects the group’s evolving tactics and recommend disabling macros and monitoring Outlook activity.

Cloudflare and Palo Alto Networks confirm compromised Salesforce data via the Salesloft Drift app.

Cloudflare and Palo Alto Networks have confirmed that threat actors accessed their Salesforce data via a compromised Salesloft Drift app. Cloudflare said attackers exfiltrated Salesforce case data, including customer contact details and support ticket text, between August 12–17, 2025. While no attachments were stolen, sensitive information like keys or logs pasted into tickets may be compromised. Palo Alto reported exposure of sales and case data. Hundreds of organizations are affected, with experts warning attackers may leverage stolen data for targeted campaigns.

A researcher discovers an unsecured Navy Federal Credit Union (NFCU) server.

Researcher Jeremiah Fowler discovered an unsecured Navy Federal Credit Union (NFCU) server exposing 378 GB of internal files. While no member data was found, the trove included usernames, emails, possibly hashed passwords, and Tableau workbooks with database connections and financial formulas. Fowler warned this information could give attackers a “blueprint” of NFCU’s systems, enabling phishing or deeper breaches. The database was quickly secured after disclosure, but it’s unclear how long it was exposed.

A new ClickFix scam spreads MetaStealer malware using a fake AnyDesk installer.

Researchers at Huntress have uncovered a new ClickFix scam that spreads MetaStealer malware using a fake AnyDesk installer. Traditionally, ClickFix tricks users into copying malicious commands into Windows Run, but this campaign adds a twist called FileFix, which abuses Windows File Explorer searches. Victims searching for AnyDesk may land on a fake site with a counterfeit Cloudflare verification prompt. Clicking “verify” triggers File Explorer to fetch a disguised file named Readme Anydesk.pdf. While it installs the real AnyDesk to avoid suspicion, it also secretly loads MetaStealer, which can steal credentials, files, and crypto wallet data. This scam blends legitimate software behavior with social engineering, making it harder to detect. Experts stress user awareness and caution when downloading tools online.

Specialty healthcare providers struggle to protect sensitive patient data.

Specialty healthcare providers, while skilled in treating patients, often lack strong cybersecurity defenses, making them prime targets for ransomware and data theft. Three recent breaches illustrate the risks: Excelsior Orthopedics in New York disclosed nearly 395,000 patients and employees were impacted by a 2024 ransomware attack; Florida-based Vital Imaging reported 260,000 individuals affected by a February 2025 hack; and the University of Iowa Community HomeCare breach exposed data for 211,000 people. Together, nearly 900,000 individuals were impacted. Experts warn that specialty practices, with limited budgets and outdated systems, struggle to protect sensitive data like medical histories and insurance details. Cybercriminals exploit these weaknesses for fraud and extortion, often pressuring providers to pay ransoms quickly to avoid care disruptions.

A new Python-based infostealer proves capable of harvesting a wide range of sensitive data.

Researchers at Cyfirma have detailed a new Python-based malware, Inf0s3c, an advanced infostealer capable of harvesting a wide range of sensitive data. Distributed as a compressed 64-bit executable packed with PyInstaller, it evades detection through obfuscation, runtime code unpacking, VM checks, and self-deletion. Its main component, Build.exe, collects system info, IP data, credentials, cookies, Wi-Fi passwords, browsing history, crypto wallets, and even webcam images. It also targets popular gaming accounts like Roblox, Steam, and Minecraft. Stolen data is archived into a password-protected RAR file and exfiltrated via Discord. Persistence is achieved by copying itself to the Windows Startup folder. Cyfirma noted similarities to grabbers like Blank Grabber and Umbral-Stealer, suggesting shared origins. The findings highlight how easily criminals can access sophisticated, automated infostealing tools.

CISA appoints a new Executive Assistant Director for Cybersecurity.

The Cybersecurity and Infrastructure Security Agency (CISA) has appointed Nicholas Andersen as Executive Assistant Director for Cybersecurity, effective September 2, 2025. A decorated Marine veteran and national security leader, Andersen brings extensive experience from both government and private sectors. He previously served as CISO at Lumen Technologies, COO at Invictus, and senior official at the Department of Energy, where he directed cyber and energy security efforts. Recognized as Intelligence Executive of the Year, Andersen has overseen initiatives defending against state-sponsored threats and major crises. At CISA, he will lead efforts to protect critical infrastructure amid escalating cyber risks. His arrival marks a leadership transition, with Chris Butera becoming Acting Deputy Executive Assistant Director. Andersen’s appointment underscores CISA’s push to strengthen resilience and deepen collaboration with industry partners.

Hackers threaten to feed stolen art to the machines.

Ransomware gangs usually stick to the classics: steal data, lock it up, and demand cash. But LunaLock has added an avant-garde twist, threatening to feed stolen artwork and personal data from Artists&Clients, an art commission site, straight into AI training datasets. The ransom note, demanding $50,000 in Bitcoin or Monero, warned that if unpaid, not only would files be leaked, but artists’ creations might end up teaching chatbots to doodle. For artists already wary of AI swallowing their work, it’s a particularly cruel jab. As researcher Tammy Harper dryly noted, this is the first time criminals have explicitly dangled AI contamination as leverage. Whether LunaLock really has a plan, or just hopes AI crawlers are very hungry, the threat has struck a nerve in the digital art world.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.