
AI to the rescue.
British authorities arrest a man in connection with the Collins Aerospace ransomware attack. CISA says attackers breached a U.S. federal civilian executive branch agency last year. Researchers uncover two high-severity vulnerabilities in Supermicro server motherboards. A Las Vegas casino operator confirms a cyber attack. Analysts track multiple large-scale, automated email phishing campaigns. Libraesva issues an emergency patch for its Email Security Gateway. Our guest is Jason Clark, Chief Strategy Officer (CSO) at Cyera, tackling the security threat of Agentic AI. Robocars get misdirected by mirrors.
Today is Wednesday September 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
British authorities arrest a man in connection with the Collins Aerospace ransomware attack.
British authorities arrested a man in connection with a ransomware attack on Collins Aerospace, a subsidiary of RTX, that disrupted airport check-in systems and caused widespread travel delays across Europe. The National Crime Agency (NCA) said the suspect was detained under the Computer Misuse Act and released on conditional bail, adding the investigation remains in its early stages. No group has yet claimed responsibility, and monitoring sites have not detected related leaks on the dark web.
Meanwhile, the UK government says a new artificial intelligence (AI) tool has helped recover nearly £500 million in fraud over the past year, the largest amount ever reclaimed by anti-fraud teams. About £186 million of that total was linked to Covid-19 schemes, including fraudulent Bounce Back Loans. The Fraud Risk Assessment Accelerator, developed by the Cabinet Office, cross-references departmental data and scans policies for weaknesses before they can be exploited. Officials plan to license the tool internationally, with interest from the US, Canada, Australia, and New Zealand. Ministers say the recovered funds will support frontline services, but critics warn of risks around bias and civil liberties. Campaign groups have previously accused government fraud-detection AI of unfairly targeting vulnerable groups.
CISA says attackers breached a U.S. federal civilian executive branch agency last year.
CISA disclosed that attackers breached a U.S. federal civilian executive branch agency last year by exploiting an unpatched GeoServer flaw, CVE-2024-36401. The remote code execution bug, patched in June 2024, was later added to CISA’s Known Exploited Vulnerabilities catalog after proof-of-concept exploits emerged online. Shadowserver observed active attacks beginning July 9, with threat actors compromising two agency servers within weeks. They deployed web shells like China Chopper, used brute force to steal passwords, and escalated privileges through compromised service accounts. The intruders went undetected for three weeks until an endpoint detection tool flagged suspicious activity. CISA urged agencies to prioritize patching, closely monitor alerts, and strengthen incident response.
Researchers uncover two high-severity vulnerabilities in Supermicro server motherboards.
Researchers have uncovered two high-severity vulnerabilities in Supermicro server motherboards that let attackers install malicious firmware which runs before the operating system, making infections extremely persistent and hard to remove.
A security firm, Binarly, says one flaw, CVE-2025-7937, stems from an incomplete January patch for an earlier issue, CVE-2024-10237, and a second critical bug, CVE-2025-6198, was also found. The weaknesses lie in baseboard management controllers, or BMCs, which can reflash UEFI firmware stored in a soldered SPI chip. Exploits let attackers replace signed firmware images without tripping verification, and they could be deployed after gaining BMC admin access or via compromised update servers.
This matters because implanted firmware survives OS reinstalls and hard drive replacement. That persistence can enable long-term espionage, data destruction, or control of servers including those in AI data centers. Defenders should prioritize verified BMC firmware updates, audit update servers, and assume firmware integrity may be at risk.
A Las Vegas casino operator confirms a cyber attack.
Boyd Gaming Corp confirmed hackers accessed its internal systems, stealing employee data and information tied to some individuals. The Las Vegas-based operator stressed that hotel and casino operations were not disrupted. In a filing with the U.S. Securities and Exchange Commission, Boyd said it had notified affected parties, regulators, and law enforcement. The company engaged external cybersecurity experts, activated insurance coverage, and stated it does not expect a material financial impact. Boyd operates 11 casinos in Las Vegas and additional sites nationwide.
Analysts track multiple large-scale, automated email phishing campaigns.
Analysts at Barracuda tracked multiple large-scale, automated email phishing campaigns abusing OAuth flows, cloud platforms, and popular online tools. Kits such as Tycoon and EvilProxy exploit Microsoft OAuth to steal tokens, bypass multifactor authentication, and register malicious apps that request broad scopes. Attackers also host phishing pages on serverless platforms, website builders, and productivity tools — notably LogoKit — and weaponize trusted services like Google Translate to mask malicious domains. Other campaigns target Twilio SendGrid accounts to send authenticated phishing, and abuse Google Classroom and Meet to funnel victims to WhatsApp scams. Barracuda urges organizations to restrict trusted redirect URIs, limit OAuth scopes, validate short-lived tokens, enforce explicit account selection, monitor logs for anomalies, and train users and developers to spot these evolving phishing-as-a-service threats.
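The Barracuda guidance above (restrict trusted redirect URIs, limit OAuth scopes, validate short-lived tokens, check publisher status) can be expressed as a small policy audit over app consent records. The following is an added example written for this briefing, not Barracuda's or any identity provider's tooling: the record fields, the trusted hosts, the lifetime limit and the sample grants are all constructed assumptions. The scope names follow Microsoft Graph naming, since the campaigns described abuse Microsoft OAuth, but the policy thresholds are illustrative.

```python
"""Audit OAuth app consent grants against a least-privilege policy.

Added example for the Barracuda findings; not vendor tooling. The record
schema, trusted redirect hosts, lifetime limit and sample grants are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta
from urllib.parse import urlparse

# Policy values are assumptions: adjust to the tenant's own app registrations.
TRUSTED_REDIRECT_HOSTS = {"login.example.com", "app.example.com"}
# Graph-style permission names that grant mailbox/file access or long-lived refresh tokens.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}
MAX_TOKEN_LIFETIME = timedelta(hours=1)


@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    redirect_uris: list
    scopes: list
    token_lifetime: timedelta
    consented_by: str


def redirect_uri_findings(uris):
    """Flag redirect URIs that are not HTTPS or not on the trusted-host allowlist."""
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append(f"non-https redirect URI: {uri}")
        elif parsed.hostname not in TRUSTED_REDIRECT_HOSTS:
            findings.append(f"untrusted redirect host: {parsed.hostname}")
    return findings


def assess_grant(grant):
    """Return a list of policy findings for one consent grant (empty if clean)."""
    findings = redirect_uri_findings(grant.redirect_uris)
    risky = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("broad scopes requested: " + ", ".join(risky))
    if grant.token_lifetime > MAX_TOKEN_LIFETIME:
        findings.append(f"token lifetime {grant.token_lifetime} exceeds policy")
    if not grant.publisher_verified and risky:
        findings.append("unverified publisher with broad scopes")
    return findings


def audit(grants):
    """Map each app name to its findings."""
    return {g.app_name: assess_grant(g) for g in grants}


def flagged_apps(grants):
    """App names with at least one finding, in a stable order for review queues."""
    return sorted(name for name, f in audit(grants).items() if f)


# Constructed sample grants: one benign internal app, one consent-phishing style app.
SAMPLE_GRANTS = [
    ConsentGrant("Expense Sync", True, ["https://app.example.com/callback"],
                 ["User.Read"], timedelta(hours=1), "alice@example.com"),
    ConsentGrant("Secure Doc Viewer", False, ["https://m1crosoft-login.invalid/callback"],
                 ["Mail.ReadWrite", "offline_access"], timedelta(hours=24), "bob@example.com"),
]

if __name__ == "__main__":
    for app, findings in audit(SAMPLE_GRANTS).items():
        print(app, "->", findings or "ok")
```

Running the block prints no findings for the internal app and four for the second one (untrusted redirect host, broad scopes, over-long token lifetime, unverified publisher), which is the combination the Tycoon and EvilProxy style consent flows rely on.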
Elsewhere, Forescout’s Vedere Labs reports a surge in phishing that pairs Telegram bots with front-end hosting platforms, enabling rapid, low-cost, reputation-shielded campaigns.
Researchers analyzed 9,100 domains between April 2020 and August 2025. Generic TLDs dominated, with .com, .app, and .dev prominent. Hosting clustered on CLOUDFLARENET, FASTLY, and AMAZON-02. Attackers automate site spin-up, embed bot tokens, and reuse them across domains, enabling easy clustering. Campaigns spoof banks, webmail, and enterprise tools, and often target Meta admins and cryptocurrency users. Abuse of front-end hosting platforms (FHPs) rose steadily since 2021, with recent shifts toward Surge.
This matters because trusted provider domains help phishing bypass filters at scale. Defenders should control Telegram Bot API traffic, monitor FHP access, apply DNS policies, enforce MFA, detect risky sign-ins, and accelerate takedowns using exposed tokens.
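The Forescout recommendations to control Telegram Bot API traffic and to use exposed tokens for clustering and takedowns can be implemented as a pass over web-proxy logs. The following is an added example written for this briefing, not Forescout's tooling: the log format is a constructed assumption and the bot tokens are made-up values. The only external fact it relies on is the documented Telegram Bot API URL shape, where the bot token sits in the path after the literal `bot` prefix.

```python
"""Flag outbound Telegram Bot API calls in proxy logs and group them by bot token.

Added example for the Forescout findings; not vendor tooling. The log line
format and every token below are constructed for illustration.
"""
import re
from collections import defaultdict

# Bot API calls look like https://api.telegram.org/bot<token>/<method>; the token is
# a numeric bot id, a colon, then a secret. Phishing kits embed it in page JavaScript,
# so victim browsers call this URL directly when a credential form is submitted.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed proxy log: timestamp source_ip http_method url status
SAMPLE_LOG = """\
2025-09-24T10:01:02Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0001/sendMessage 200
2025-09-24T10:01:05Z 10.0.4.21 GET https://cdn.example.com/app.js 200
2025-09-24T10:02:11Z 10.0.7.8 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0001/sendDocument 200
2025-09-24T10:03:40Z 10.0.9.3 POST https://api.telegram.org/bot987654321:BBAnotherMadeUpToken_0002/sendMessage 200
2025-09-24T10:04:00Z 10.0.4.21 GET https://surge.sh/ 200
"""


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, src, method, url, status = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def find_bot_calls(log_text):
    """Return records whose URL is a Telegram Bot API call, with token and method extracted."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        m = TELEGRAM_BOT_RE.search(rec["url"])
        if m:
            rec.update(token=m.group("token"), api_method=m.group("method"))
            hits.append(rec)
    return hits


def cluster_by_token(hits):
    """Group source hosts and API methods by bot token. One token reached from several
    internal hosts points to a shared phishing kit rather than a single user's bot."""
    clusters = defaultdict(lambda: {"sources": set(), "methods": set()})
    for h in hits:
        clusters[h["token"]]["sources"].add(h["src"])
        clusters[h["token"]]["methods"].add(h["api_method"])
    return dict(clusters)


def takedown_report(clusters):
    """Summaries suitable for an abuse report: bot id kept, secret half redacted."""
    report = []
    for token, c in clusters.items():
        bot_id = token.split(":", 1)[0]
        report.append({
            "bot_id": bot_id,
            "token_redacted": bot_id + ":<redacted>",
            "hosts": sorted(c["sources"]),
            "methods": sorted(c["methods"]),
        })
    return sorted(report, key=lambda r: r["bot_id"])


if __name__ == "__main__":
    for entry in takedown_report(cluster_by_token(find_bot_calls(SAMPLE_LOG))):
        print(entry)
```

On the sample log the first token is seen from two internal hosts using both sendMessage and sendDocument, which is the pattern to escalate; an egress policy that blocks api.telegram.org for user endpoints, with an exception list for any sanctioned bots, turns the same match into a prevention control.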
A large phishing campaign abused GitHub’s notification system to target developers with cryptocurrency-draining malware disguised as Y Combinator (YC) Winter 2026 invitations. Attackers created hundreds of fake issues in repositories, tagging usernames so GitHub’s automated emails delivered the lure directly to inboxes. Victims were urged to apply for $15 million in YC funding via a fake site using a misspelled domain. The site ran obfuscated JavaScript that tricked users into “verifying” wallets, which instead authorized malicious withdrawals. Reports to GitHub, IC3, and Google Safe Browsing prompted takedowns, though it remains unclear if assets were stolen. Experts advise any developers who connected wallets to migrate funds immediately. The real YC application portal is hosted by Y Combinator and closes November 10.
Libraesva issues an emergency patch for its Email Security Gateway.
Libraesva issued an emergency patch for its Email Security Gateway (ESG) after detecting active exploitation of a command injection flaw, CVE-2025-59689. The medium-severity bug, triggered by malicious compressed attachments, allowed arbitrary command execution from non-privileged accounts. At least one attack, attributed to a suspected state actor, has been confirmed. The vulnerability affects ESG versions 4.5 and later, with fixes deployed automatically across cloud and on-premise systems. Libraesva released the update within 17 hours, adding improved sanitization, compromise scanning, and self-assessment checks.
Robocars get misdirected by mirrors.
Turns out autonomous vehicles may be less “self-driving” and more “easily distracted magpies.” Researchers in France and Germany discovered that mirrors can fool LIDAR, the laser-based navigation tech used in most robo-cars, into either ignoring real obstacles or swerving to avoid ones that don’t exist. In campus parking lot trials, a traffic cone vanished entirely behind strategically placed mirrors—a so-called Object Removal Attack. With a different setup, the car slammed on the brakes for a phantom obstacle conjured by an Object Addition Attack. Two mirrors were enough to fool the system most of the time, and six produced even more convincing illusions. While Tesla famously avoids LIDAR, nearly everyone else relies on it, raising uncomfortable questions about whether $100 in hardware-store mirrors could send your robotaxi into an existential crisis. Researchers suggest thermal imaging as a partial defense, though admit it’s far from a silver bullet.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

