
Grounded by ransomware.
A major ransomware attack disrupts airport operations across Europe. Congress is on the verge of letting major cyber legislation expire. A critical flaw nearly allowed total compromise of every Entra ID tenant. Automaker Stellantis confirms a data breach. Fortra patches a critical flaw in its GoAnywhere MFT software. Europol leads a major operation against online child sexual exploitation. Three of the cybersecurity industry’s biggest players opt out of MITRE’s 2025 ATT&CK Evaluations. A compromised Steam game drains a cancer patient’s donations. Business Breakdown. Andrzej Olchawa and Milenko Starcik from VisionSpace join Maria Varmazis, host of T-Minus Space, on hacking satellites. How one kid got tangled in Scattered Spider’s web.
Today is Monday, September 22nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A major ransomware attack disrupts airport operations across Europe.
A major ransomware attack has disrupted airport operations across Europe, targeting check-in and boarding software supplied by Collins Aerospace. The European Union Agency for Cybersecurity (ENISA) confirmed that the malware scrambled automated systems, forcing manual workarounds at airports including Heathrow, Berlin, and Brussels. Heathrow warned staff that more than 1,000 computers may be corrupted, with recovery requiring in-person fixes. Although about half of Heathrow’s airlines, including British Airways, restored partial service, Brussels Airport cancelled nearly 140 flights on Monday. Collins, whose “Muse” software was attacked, has issued patches but acknowledged hackers remained inside systems even after a rebuild. Law enforcement is investigating. The incident highlights the growing ransomware threat, with aviation cyberattacks up 600% in the past year, according to Thales, and criminal gangs reaping hundreds of millions annually.
Congress is on the verge of letting major cyber legislation expire.
Congress is on the verge of letting the 2015 Cybersecurity Information Sharing Act (CISA 2015) expire at the end of this month, and the stakes are high. The law gives companies liability protections when sharing cyber threat intelligence with each other and the government, essential to timely detection and response. While industry, the Trump administration, and many lawmakers favor a “clean” multi-year reauthorization, repeated attempts at both short- and long-term extensions have collapsed. Senator Rand Paul has objected to straightforward renewals, pushing instead for changes that industry and colleagues argue would gut protections and chill sharing. With no clear legislative path and the clock ticking, a lapse could have immediate consequences: hesitation to share critical threat data, heightened exposure to attacks, and amplified political fallout if a major breach occurs during the gap.
A critical flaw nearly allowed total compromise of every Entra ID tenant.
A critical design flaw in legacy Microsoft components nearly allowed total compromise of every Entra ID tenant. Researcher Dirk-jan Mollema found undocumented, unsigned “actor” tokens, issued by the old Access Control Service and used for internal service-to-service calls, that can impersonate any user for 24 hours and aren’t logged or revocable. Coupled with a defect in the deprecated Azure AD Graph API (CVE-2025-55241), an attacker could craft an actor token, target a tenant (tenant IDs are public), impersonate a Global Admin, and change users, reset passwords, or alter configurations with almost no trace in the victim tenant. Microsoft was notified July 14, 2025; the company fixed the issue within nine days and issued a public patch for CVE-2025-55241 on September 4, 2025. Takeaway: legacy auth paths and deprecated APIs are high-risk, so inventory, remove, and monitor them urgently.
Automaker Stellantis confirms a data breach.
Stellantis has confirmed a data breach stemming from a third-party vendor supporting its North American customer service operations. The intrusion exposed customer names and email addresses, but no financial or sensitive information. The automaker launched an investigation, alerted law enforcement, and began notifying affected customers, warning them to watch for phishing attempts. Stellantis has not disclosed the vendor or number of victims.
Fortra patches a critical flaw in its GoAnywhere MFT software.
Fortra has patched a critical flaw (CVE-2025-10035, CVSS 10) in its GoAnywhere MFT software that could enable remote code execution through command injection. The issue stems from deserialization of untrusted data in the license servlet, exploitable with a forged license signature. Versions 7.8.4 and 7.6.3 include fixes, and Fortra urges customers to block public access to the Admin Console, monitor audit logs, and check for suspicious errors. While no active exploitation is reported, past Cl0p ransomware abuses make this vulnerability a serious risk.
Europol leads a major operation against online child sexual exploitation.
An international taskforce coordinated by Europol has identified 51 children and launched proceedings against 60 suspects in a major operation against online child sexual exploitation. Bringing together officers from 18 countries, investigators met in The Hague to analyse over 5,000 pieces of material, using both traditional police work and AI-driven forensic tools. The effort produced 276 intelligence packages, leading to arrests across multiple jurisdictions. The cross-border nature of the crimes, servers, platforms, and victims spread across countries, underscored the need for real-time intelligence sharing. Europol says this collaborative model, combining advanced forensics with multinational coordination, will guide future efforts. Authorities stress that while police pursue offenders, parents must also take proactive steps, educating children about online risks, setting clear boundaries, and encouraging safe reporting of suspicious contact.
Three of the cybersecurity industry’s biggest players opt out of MITRE’s 2025 ATT&CK Evaluations.
Three of the cybersecurity industry’s biggest players, Microsoft, SentinelOne, and Palo Alto Networks, have opted out of MITRE’s 2025 ATT&CK Evaluations: Enterprise test, raising questions about the program’s future relevance. All three cited resource prioritization and innovation as reasons, though experts suggest concerns about the evaluations becoming more promotional than practical also played a role. MITRE admitted the test may have grown too complex, with tougher scenarios including cloud environments and alert volume tracking. Despite the withdrawals, a dozen vendors remain in the 2025 round, and MITRE plans to reboot its vendor forum for 2026 to restore industry engagement and refine testing objectives.
A compromised Steam game drains a cancer patient’s donations.
A Latvian streamer fighting stage 4 cancer lost $32,000 in life-saving treatment donations after downloading what appeared to be a verified Steam game. During a live fundraiser, Block Blasters, a retro-style platformer with “Very Positive” reviews, silently drained his cryptocurrency wallet. Initially benign, the game was updated with a cryptodrainer on August 30, targeting high-value crypto users. Security researchers later tied it to broader thefts of up to $150,000 across hundreds of accounts, using a dropper script, backdoor, and StealC payload. The loss struck during a GoFundMe campaign, but crypto influencer Alex Becker quickly replaced the stolen funds with a $32,500 donation. The case highlights how trusted platforms like Steam can be weaponized, underscoring the need for caution with lesser-known or lightly reviewed titles.
Business Breakdown.
Alright, here’s your Monday Business Breakdown in a nutshell. We tracked roughly $390 million flowing into 15 investments, plus six acquisitions, so, a lively week.
On the funding side, Vega popped out of stealth with a hefty $65 million across Seed and Series A, aiming to beef up R&D and build out its U.S. footprint. Right alongside them, Irregular, focused on securing frontier AI models, debuted with an even bigger $80 million raise led by Sequoia, targeting model resilience and misuse prevention.
M&A stayed busy, too. CrowdStrike snapped up Pangea to deepen Falcon’s AI Detection and Response story, think broader coverage across the AI lifecycle. And Accenture picked up Canada’s IAMConcepts to sharpen its identity chops across critical industries north of the border.
That’s this week’s Business Breakdown. If you want the deeper dive on who’s buying whom and why it matters for your roadmap, subscribe to N2K Pro, and swing by thecyberwire.com every Wednesday for the latest.
How one kid got tangled in Scattered Spider’s web.
At 18, most kids worry about finals or first dates. Noah Urban worried about ransom videos of bloodied teenagers begging him for $200,000. By then, he was a rising star in Scattered Spider, the teenage cyber gang that would paralyze MGM’s slot machines and cost Marks & Spencer $400 million. In an interview with Bloomberg, Noah says he wasn’t a coder, just a smooth-talking Floridian who discovered SIM-swapping through Minecraft and found his calling as a “caller,” duping telecom reps with a deep voice and good manners. From bricked houses to stolen unreleased rap tracks, his mischief blurred into menace. The FBI eventually caught up, seizing millions in crypto and a collection of Rolexes. Last month, a judge handed Noah 10 years, more than prosecutors asked, reminding everyone that tricking Fortune 500 firms may look like a game to teens, but it’s still fraud. Noah, ever polite, says he loved the life anyway.
In the end, Noah’s tale is less about a prodigy hacker than a teenager who mistook social engineering for a social life, and learned too late that the house always wins.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
