
86 reasons to update.
Patch Tuesday. A data leak sheds light on North Korean APT Kimsuky. Apple introduces Memory Integrity Enforcement. Ransomware payments have dropped sharply in the education sector in 2025. A top NCS official warns ICS security lags behind, and a senator calls U.S. cybersecurity a “hellscape”. A Ukrainian national faces federal charges and an $11 million bounty for allegedly running multiple ransomware operations. Our guest is Jake Braun sharing the latest on Project Franklin. WhoFi makes WiFi a new spy.
Today is Wednesday September 10th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Patch Tuesday
Microsoft issued fixes for 86 vulnerabilities across Windows and its other products. Several of these carry a “likely exploitation” label, and among them are two publicly disclosed zero-day flaws, including the especially serious CVE-2025-55234, which enables SMB relay attacks and privilege escalation, though mitigations like server signing and Extended Protection for Authentication can help shield systems.
Adobe also released patches, addressing nearly two dozen vulnerabilities across nine products, including critical flaws in ColdFusion and Commerce.
In the industrial space, Rockwell Automation led the ICS Patch Tuesday with eight high-severity advisories, joined by updates from Siemens, Schneider Electric, and Phoenix Contact.
Finally, Fortinet, Ivanti, and Nvidia rolled out security updates tackling high-severity issues that risk remote code execution, privilege escalation, data exposure, and configuration tampering.
A data leak sheds light on North Korean APT Kimsuky.
A new analysis of a 9GB leaked dataset has shed light on North Korean APT Kimsuky (APT43). The data reveals development of interactive malware, a Linux rootkit, and phishing infrastructure, along with reconnaissance via OCR commands and logs tied to compromised Taiwanese government and academic IPs. Researchers also linked the group’s operations to Chinese support, targeting South Korea and Taiwan with GPKI and credential theft campaigns. Experts recommend monitoring NASM artifacts, OCR tool use, phishing domains, and PAM/SSH logs for signs of intrusion.
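The recommendation to watch PAM and SSH logs is easy to state and fiddly to operationalize, so here is an added example of what that triage can look like in practice. This is my own Python, not code from the analysis the story describes; the auth.log lines are constructed samples in standard OpenSSH/pam_unix format, and the allowlist of expected admin sources and the failure threshold are assumptions a site would set for itself.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (OpenSSH + pam_unix format); not real data.
SAMPLE_AUTH_LOG = """\
Sep 10 03:14:07 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 10 03:14:09 srv1 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Sep 10 03:14:12 srv1 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Sep 10 03:14:15 srv1 sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 10 03:15:02 srv1 sshd[1250]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Sep 10 03:15:02 srv1 sshd[1250]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 10 08:00:00 srv1 sshd[1400]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Sep 10 08:00:00 srv1 sshd[1400]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Sep 10 08:01:00 srv1 sudo: pam_unix(sudo:session): session opened for user root by deploy(uid=1000)
"""

# Assumed site policy: addresses that are expected to open admin SSH sessions.
ALLOWED_SOURCES = {"192.0.2.10"}
# Assumed threshold: this many failures from one source before a later success is flagged.
FAIL_THRESHOLD = 3

SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
PAM_SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user "
    r"(?P<user>\S+) by (?P<by>[^(]*)\(uid=(?P<uid>\d+)\)"
)


def parse_auth_log(text):
    """Turn raw lines into event dicts; lines matching neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = SSH_AUTH_RE.search(line)
        if m:
            events.append({"kind": "ssh", "raw": line, **m.groupdict()})
            continue
        m = PAM_SESSION_RE.search(line)
        if m:
            events.append({"kind": "pam", "raw": line, **m.groupdict()})
    return events


def triage_auth_log(text, allowed_sources=ALLOWED_SOURCES, fail_threshold=FAIL_THRESHOLD):
    """Flag SSH logins that look like intrusion and record who escalated to root via sudo."""
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    ssh_findings, sudo_to_root = [], []
    for ev in parse_auth_log(text):
        if ev["kind"] == "ssh":
            if ev["result"] == "Failed":
                failures[ev["ip"]] += 1
                continue
            reasons = []
            if failures[ev["ip"]] >= fail_threshold:
                reasons.append(f"success after {failures[ev['ip']]} failures from the same source")
            if ev["user"] == "root" and ev["method"] == "password":
                reasons.append("password authentication as root")
            if ev["ip"] not in allowed_sources:
                reasons.append("source address not in allowlist")
            if reasons:
                ssh_findings.append({"user": ev["user"], "ip": ev["ip"],
                                     "reasons": reasons, "raw": ev["raw"]})
        elif ev["service"] == "sudo" and ev["user"] == "root" and ev["by"]:
            sudo_to_root.append(ev["by"])
    return {"ssh_findings": ssh_findings, "sudo_to_root": sudo_to_root}


if __name__ == "__main__":
    result = triage_auth_log(SAMPLE_AUTH_LOG)
    for f in result["ssh_findings"]:
        print(f"{f['user']}@{f['ip']}: " + "; ".join(f["reasons"]))
    print("sudo to root by:", ", ".join(result["sudo_to_root"]))
```

On the sample, the root login from 203.0.113.7 is flagged on all three counts (it follows a burst of failures, it used a password, and the source is not on the allowlist), while the key-based login from the allowlisted jump host passes; the sudo record shows which user actually became root. The same three rules are what an allowlist-plus-threshold detection in a SIEM would encode, and the failure counter is per source so a single stray mistype does not trip it.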
Apple introduces Memory Integrity Enforcement.
Apple has introduced Memory Integrity Enforcement (MIE) in its new iPhone 17 and iPhone Air, running iOS 26. The always-on security feature is designed to protect against advanced spyware attacks that exploit memory safety flaws, a common tactic of mercenary spyware vendors. These firms, while claiming to serve governments, often sell tools to authoritarian regimes targeting journalists, activists, and dissidents. MIE leverages Arm’s Enhanced Memory Tagging Extension (EMTE), secure memory allocators, and strict confidentiality enforcement to defend the kernel, Safari, and Messages. Apple reports that MIE disrupts exploit chains early, leaving attackers with limited options and fragile strategies. Ivan Krstić, Apple’s head of security engineering, said MIE will raise costs for spyware developers and reshape memory safety defenses. Meanwhile, Google unveiled Advanced Protection mode for Android users.
ChillyHell is a sophisticated modular backdoor targeting macOS.
ChillyHell is a sophisticated modular backdoor targeting macOS, active since 2021 yet largely undetected by antivirus tools. First noted in a private Mandiant report, the malware resurfaced in 2025 when Jamf Threat Labs uncovered a notarized sample hosted on Dropbox. Written in C++, it masquerades as a legitimate app but functions as a stealthy implant, profiling systems, enumerating users, and persisting via LaunchAgents, LaunchDaemons, or shell profile injection. It uses timestomping to mask activity and supports DNS and HTTP C2 channels. ChillyHell’s modular design allows attackers to deploy reverse shells, update itself, load payloads, and brute-force local accounts. Its persistence, flexibility, and developer-signed notarization highlight growing sophistication in macOS threats. Jamf researchers point to this case as proof that Apple’s notarization checks, while helpful, aren’t infallible — and that macOS users face increasingly Windows-like levels of adversary attention.
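The three persistence routes named above (LaunchAgents, LaunchDaemons, shell profile injection) and the timestomping trick are all things a defender can sweep for with the standard library alone. The following is an added Python example of mine, not Jamf’s detection logic; the heuristics (a launch item whose program lives under a temp, shared or hidden directory; a profile line that backgrounds a job; an mtime far older than the inode change time) are my own assumptions, and the home directory it scans is a constructed fixture built in a temp folder so it runs offline on any OS.

```python
import os
import plistlib
import re
import tempfile
import time

# Heuristics are my own assumptions, not Jamf's detection logic.
# A launch item whose program sits under a temp, shared or hidden directory is unusual.
SUSPICIOUS_PATH_RE = re.compile(r"(^/(private/)?(tmp|var/tmp)/|^/Users/Shared/|/\.[^/]+(/|$))")
# Shell-profile lines that background a job are a common injection shape.
BACKGROUND_RE = re.compile(r"\bnohup\b|&\s*$")
# Lines that only adjust the environment are skipped to keep noise down.
BENIGN_PREFIX_RE = re.compile(r"(export|alias|source|\.)\s")


def timestomp_suspect(path, min_skew_seconds=86400):
    """utime()-style timestomping rewrites mtime, but the kernel still bumps ctime
    to 'now', so an mtime far older than ctime is worth a closer look."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return (st.st_ctime - st.st_mtime) > min_skew_seconds


def launch_item_program(plist):
    args = plist.get("ProgramArguments")
    return args[0] if args else plist.get("Program", "")


def scan_launch_items(directories):
    """Parse every .plist in the given LaunchAgents/LaunchDaemons dirs and flag odd ones."""
    findings = []
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception:
                findings.append({"plist": path, "label": None, "program": "", "reasons": ["unparseable plist"]})
                continue
            program = launch_item_program(plist) or ""
            reasons = []
            if SUSPICIOUS_PATH_RE.search(program):
                reasons.append("program in temp, shared or hidden location")
                if plist.get("RunAtLoad") or plist.get("KeepAlive"):
                    reasons.append("starts automatically (RunAtLoad/KeepAlive)")
            if program and timestomp_suspect(program):
                reasons.append("program mtime far older than ctime (possible timestomping)")
            if reasons:
                findings.append({"plist": path, "label": plist.get("Label"), "program": program, "reasons": reasons})
    return findings


def scan_shell_profiles(paths):
    """Flag non-comment profile lines that run something from an odd path or in the background."""
    findings = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        with open(p, encoding="utf-8", errors="replace") as f:
            for n, line in enumerate(f, 1):
                s = line.strip()
                if not s or s.startswith("#") or BENIGN_PREFIX_RE.match(s):
                    continue
                if SUSPICIOUS_PATH_RE.search(s) or BACKGROUND_RE.search(s):
                    findings.append({"file": p, "line": n, "text": s})
    return findings


def sweep(launch_dirs, profile_paths):
    return {"launch_items": scan_launch_items(launch_dirs), "shell_profiles": scan_shell_profiles(profile_paths)}


def build_fixture(home):
    """Constructed sample home: one hidden, timestomped payload wired into a LaunchAgent
    and a .zshrc, plus one benign agent and one benign profile line."""
    agents = os.path.join(home, "Library", "LaunchAgents")
    hidden = os.path.join(home, "Library", ".cache")
    os.makedirs(agents)
    os.makedirs(hidden)
    payload = os.path.join(hidden, "helper")
    with open(payload, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    a_year_ago = time.time() - 365 * 86400
    os.utime(payload, (a_year_ago, a_year_ago))   # mimic timestomping of the payload
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.helper", "ProgramArguments": [payload],
                       "RunAtLoad": True, "KeepAlive": True}, f)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                       "Program": "/Applications/Example.app/Contents/MacOS/updater"}, f)
    zshrc = os.path.join(home, ".zshrc")
    with open(zshrc, "w") as f:
        f.write('export PATH="$HOME/.cargo/bin:$PATH"\n')
        f.write(f'nohup "{payload}" >/dev/null 2>&1 &\n')
    return {"agents": agents, "zshrc": zshrc, "payload": payload}


def demo():
    """Run the sweep over the constructed fixture only, never the real machine."""
    with tempfile.TemporaryDirectory() as home:
        fx = build_fixture(home)
        return sweep([fx["agents"]], [fx["zshrc"]])


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real Mac you would call sweep() with ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons plus the usual profile files (.zshrc, .zprofile, .bash_profile, .bashrc). The hidden-path rule is deliberately loose and will surface legitimate tools that live in dotfolders, which is why environment-only lines are skipped; treat the output as a triage list for a human, not a verdict. The ctime-versus-mtime check is the one piece that is hard for the implant to defeat from user space, since ctime is kernel-maintained.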
Ransomware payments have dropped sharply in the education sector in 2025.
A new Sophos report shows ransomware demands and payments have dropped sharply in the education sector in 2025, reflecting stronger defenses and faster recovery. Average ransom demands fell 74% in lower education and 80% in higher education, with payments plummeting 88% and 90% respectively. Recovery costs also declined dramatically, from $4.02M to $900K in higher education and from $3.76M to $2.28M in lower education. Institutions are also recovering faster: over half restored operations within a week, compared with just 30% in 2024. Encryption success rates hit a four-year low: only 29% of lower education incidents and 58% in higher education resulted in data encryption. Improved detection meant most attacks were stopped before damage occurred. Phishing was the leading cause in lower education, while vulnerability exploitation dominated in higher education. Researchers note attackers may now favor smaller, quicker payouts over large ransom demands.
A top NCS official warns ICS security lags behind, and a senator calls U.S. cybersecurity a “hellscape”.
At the Billington Cybersecurity Summit, Alexei Bulazel, the top cyber official at the National Security Council, warned that U.S. critical infrastructure lags far behind modern smartphones in security technology. He highlighted the energy sector, which relies heavily on SCADA systems, as particularly vulnerable to disruptions like power outages. Bulazel argued that if infrastructure systems had protections comparable to iPhones or Android devices, only the most advanced threat actors could penetrate them. As a White House policymaker, he stressed that raising the technical baseline would eliminate many security challenges. While the Trump administration supports offensive cyber operations, Bulazel emphasized a stronger focus on defensive strategies and secure-by-design principles. He echoed National Cyber Director Sean Cairncross in urging a shift from viewing organizations as victims to holding adversaries accountable, noting that hackers are intentional actors, not natural disasters.
Meanwhile, at a Washington DC event held by Politico, Sen. Angus King (I-ME) warned that U.S. cybersecurity is a “hellscape” made worse by government cuts, citing staff reductions at the State Department, Justice Department, and especially CISA, which he said has lost 30% of its workforce and key leaders. King argued the U.S. is “unilaterally disarming” as cyberattacks on infrastructure and businesses surge, and criticized the elimination of CISA’s public-private partnerships office. DHS official David Harvilicz pushed back, saying simply hiring more staff isn’t the solution and praised new leadership appointments.
A Ukrainian national faces federal charges and an $11 million bounty for allegedly running multiple ransomware operations.
Ukrainian national Volodymyr Tymoshchuk, 28, faces federal charges and an $11 million bounty for allegedly running the LockerGoga, MegaCortex, and Nefilim ransomware operations, which caused an estimated $18 billion in global damages. Prosecutors say he targeted over 250 U.S. companies and hundreds more worldwide, including Norsk Hydro’s 2019 attack, which disrupted 35,000 employees across 40 countries and cost $81 million. Tymoshchuk allegedly used tools like Cobalt Strike, Metasploit, and stolen credentials to infiltrate networks, often lying dormant before deploying ransomware. He faces seven counts, including computer fraud and extortion, and could receive life imprisonment if convicted. Nefilim, his later operation, followed an affiliate model targeting large firms with revenues above $100M. While Tymoshchuk remains at large, one affiliate, Artem Stryzhak, was extradited to the U.S. in April 2024.
WhoFi makes WiFi a new spy.
Italian researchers may have just turned your Wi-Fi into a nosy roommate. A team at La Sapienza University has developed “WhoFi”, a system that can identify and re-identify people based on how their bodies distort wireless signals. No phone in your pocket? No problem: the Wi-Fi waves themselves remember you. Unlike cameras, Wi-Fi doesn’t care about lighting, can see through walls, and is billed as “more privacy-preserving,” which is rather like saying eavesdropping through drywall is more polite than peeking through a window. Using channel state information (CSI) and deep neural networks, WhoFi achieved 95.5% accuracy on test datasets, outperforming earlier efforts.
Who needs face ID or fingerprints when your own body is busy broadcasting its signature through the walls? Privacy may not be dead yet, but it’s definitely buffering.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
