The CyberWire Daily Podcast 9.4.25
Ep 2385 | 9.4.25

China’s cyberstorm goes global.

Transcript

Salt Typhoon marks China’s most ambitious campaign yet. A major Google outage hit Southeastern Europe. A critical zero-day flaw in FreePBX gets patched. Scattered Lapsus$ Hunters claim the Jaguar Land Rover hack. Researchers uncover a major evolution in the XWorm backdoor campaign. GhostRedirector is a new China-aligned threat actor. CISA adds a pair of TP-Link router flaws to its Known Exploited Vulnerabilities (KEV) catalog. The feds put a $10 million bounty on three Russian FSB officers. Experts warn sweeping cuts to ODNI could cripple U.S. cyber defense. Our guest is Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation, discussing IT/OT convergence in securing critical water and wastewater systems. Google says rumors of Gmail’s breach are greatly exaggerated. 

Today is Thursday September 4th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Salt Typhoon marks China’s most ambitious campaign yet. 

The New York Times weighs in on Salt Typhoon, reminding us that for decades, China has targeted U.S. companies and infrastructure through hacking. But the Salt Typhoon cyberattack marks its most ambitious campaign yet. Investigators say the state-backed operation, uncovered last year, infiltrated telecommunications and other sectors in over 80 countries, potentially affecting nearly every American. Unlike past hacks aimed at specific targets, Salt Typhoon was broad and indiscriminate, sweeping up vast amounts of data that could let Chinese intelligence track politicians, spies, and activists worldwide. Western allies, including the U.S., U.K., Germany, Japan, and others, issued a rare joint statement condemning the attack, calling it “unrestrained.” Experts say the campaign reflects China’s growing cyber sophistication, shifting from theft of trade secrets to deep, long-term infiltration of global communication networks to gain strategic advantage.

A major Google outage hit Southeastern Europe. 

A major Google outage hit Southeastern Europe and parts of the Caucasus on September 4, 2025, disrupting daily life and work across several countries including Bulgaria, Turkey, and Greece. Reports flooded social media and Downdetector as users struggled with core Google services. YouTube, Google Maps, Search, Gmail, and Drive all experienced significant failures, with YouTube and Maps hardest hit. Error messages showed “5xx server errors,” pointing to issues on Google’s end rather than local connections. The outage remains ongoing.

A critical zero-day flaw in FreePBX gets patched. 

Sangoma has issued emergency patches for a critical zero-day flaw in FreePBX, tracked as CVE-2025-57819 with a CVSS score of 10. The bug, caused by poor sanitization of user input, allows attackers to access the administrator panel, manipulate databases, and execute remote code. Exploited in the wild since at least August 21, the flaw impacts FreePBX versions 15–17. Sangoma advises restricting admin access, updating immediately, and applying firewall protections. CISA added the bug to its Known Exploited Vulnerabilities list, mandating federal fixes by September 19.

Scattered Lapsus$ Hunters claim the Jaguar Land Rover hack. 

We reported yesterday that Jaguar Land Rover (JLR) suffered a major cyberattack that halted production at multiple plants. A group of young hackers, calling themselves Scattered Lapsus$ Hunters, claimed responsibility on Telegram, sharing screenshots allegedly from JLR’s internal IT systems. The gang, linked to past attacks on UK retailers and tied to the youth cyber-crime network “The Com,” is reportedly attempting to extort JLR. While the company has not confirmed data theft, it shut down systems to contain the incident and is working to restore operations. Security experts believe the hackers accessed sensitive internal systems. The Information Commissioner’s Office is assessing JLR’s report, while authorities remain concerned about rising threats from youth-led cyber gangs.

Researchers uncover a major evolution in the XWorm backdoor campaign. 

Researchers at Trellix have uncovered a major evolution in the XWorm backdoor campaign, signaling a strategic shift in its deployment tactics. Once reliant on predictable phishing and email vectors, XWorm now employs deceptive methods such as disguised executables (discord.exe, system32.exe) and multi-stage infection chains to evade detection. The malware disables firewalls, bypasses PowerShell protections, and establishes persistence through registry edits and scheduled tasks. Using Rijndael encryption combined with Base64 encoding, it conceals critical command-and-control data while evading analysis with sandbox checks and mutex creation. Beyond persistence, XWorm offers extensive backdoor capabilities, including system shutdowns, data theft, DDoS attacks, and remote file execution. Security experts warn its growing sophistication and prevalence highlight the urgent need for layered defenses and proactive detection strategies.

GhostRedirector is a new China-aligned threat actor. 

ESET Research has uncovered a new China-aligned threat actor, dubbed GhostRedirector, which compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam, between December 2024 and June 2025. Its toolkit includes Rungan, a passive C++ backdoor for remote command execution, and Gamshen, a malicious IIS module engineered to manipulate Google search results for SEO fraud, serving altered content only to Googlebot and promoting gambling websites. Attackers leverage public exploits like EfsPotato and BadPotato to escalate privileges, install web shells, create administrator accounts, and maintain persistence. The group’s favored entry point appears to be SQL injection followed by PowerShell downloads. Comprising custom tools and fallback mechanisms, GhostRedirector demonstrates significant operational resilience, impacting diverse sectors including healthcare, education, insurance, transportation, and retail.

CISA adds a pair of TP-Link router flaws to its Known Exploited Vulnerabilities (KEV) catalog. 

CISA has added two TP-Link router flaws to its Known Exploited Vulnerabilities (KEV) catalog after evidence of in-the-wild attacks. The bugs include CVE-2023-50224, an authentication bypass exposing credentials, and CVE-2025-9377, a command injection flaw enabling remote code execution. Impacted models include TL-WR841N/ND and Archer C7, many of which are end-of-life. Though no public exploitation reports exist, TP-Link linked activity to the Quad7 botnet, tied to China-linked Storm-0940. Federal agencies must patch or mitigate by September 24, 2025.

The feds put a $10 million bounty on three Russian FSB officers. 

The U.S. State Department is offering up to $10 million for information on three Russian FSB officers, Marat Tyukov, Mikhail Gavrilov, and Pavel Akulov, linked to cyberattacks against U.S. critical infrastructure. Members of FSB’s Center 16 (also known as Berserk Bear, Dragonfly, and Koala Team), the trio was charged in 2022 for a campaign (2012–2017) that targeted agencies like the Nuclear Regulatory Commission and energy firms including Wolf Creek Nuclear. More recently, they exploited CVE-2018-0171 in Cisco devices to infiltrate infrastructure, telecom, education, and manufacturing networks worldwide. The group has also targeted over 500 energy companies in 135 countries. Rewards for Justice is accepting anonymous tips, offering potential relocation. This follows June’s similar bounty for Russian hackers tied to the RedLine infostealer.

Experts warn sweeping cuts to ODNI could cripple U.S. cyber defense. 

In an editorial titled “Cutting Cyber Intelligence Undermines National Security,” Sophie McDowall and Rear Adm. (Ret.) Mark Montgomery warn that sweeping reductions to the Office of the Director of National Intelligence (ODNI) are crippling the U.S.’s cyber defense amid rising threats from Russia, China, and Iran. The downsizing, part of the “ODNI 2.0” plan, includes slashing over 40% of staff and shutting down key units like the Cyber Threat Intelligence Integration Center (CTIIC) and the Foreign Malign Influence Center (FMIC), both critical to coordinating threat intelligence and countering foreign influence operations. The authors argue these cuts will fragment intelligence sharing and leave the nation vulnerable, calling for continued support of these capabilities rather than discontinuing them.


Google says rumors of Gmail’s breach are greatly exaggerated. 

Reports of a catastrophic Gmail breach had the internet clutching its digital pearls this week, with headlines warning all 2.5 billion users to reset their passwords immediately. Some cybersecurity firms even joined the chorus, amplifying what seemed like an “urgent warning” from Google. We reported the story here. One problem: Google never said that. In a politely exasperated blog post, the company clarified that Gmail wasn’t hacked, the password reset alert never existed, and, contrary to rumor, the sky remains firmly in place. Google reminded everyone that Gmail blocks over 99.9% of phishing and malware, and suggested passkeys for extra safety. The incident is a good reminder that it’s easy to get caught up in the hype of a breathless story, and it would do us well to pause, take a breath, and do some fact checking. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.