
Critical GoAnywhere bug exposed.
Fortra flags a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution. Cisco patches a critical vulnerability in its IOS and IOS XE software. Cloudflare thwarts yet another record DDoS attack. Rhysida ransomware gang claims the Maryland Transit cyberattack. The new “Obscura” ransomware strain spreads via domain controllers. Retailers’ use of generative AI expands attack surfaces. Researchers expose GitHub Actions misconfigurations with supply chain risk. Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign. Kansas students push back against an AI monitoring tool. Ben Yelin speaks with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, discussing women's health apps and the legal grey zone they create with HIPAA. Senators push the FTC to regulate your brainwaves.
Today is Thursday September 25th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Fortra flags a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution.
Fortra has issued an urgent warning about a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution. The vulnerability, CVE-2025-10035, carries a maximum CVSS score of 10.0 and could allow attackers to seize full system control through command injection in the License Servlet. Exploitation involves a forged license response signature, letting malicious code run during deserialization. WatchTowr Labs says over 20,000 instances are exposed online, calling the bug “a playground APT groups dream about.” Experts warn the flaw is almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the cl0p gang in 2023. Fortra has released fixes in versions 7.8.4 and 7.6.3, urging immediate upgrades. Administrators should also restrict public access to the Admin Console and monitor logs for suspicious activity.
Cisco patches a critical vulnerability in its IOS and IOS XE software.
Cisco has released fixes for a critical vulnerability in the Simple Network Management Protocol (SNMP) subsystem of IOS and IOS XE software. The flaw, caused by a stack overflow, could allow an authenticated remote attacker with low privileges to trigger denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires valid SNMPv1, v2c, or v3 credentials. All SNMP versions are affected, including Meraki MS390 and Cisco Catalyst 9300 switches running earlier releases. Cisco warns that attackers could exploit the bug by sending crafted SNMP packets over IPv4 or IPv6, potentially giving them full control of affected devices. No workarounds exist, though administrators can mitigate risk by restricting SNMP access and disabling certain object IDs. The only complete fix is upgrading to patched versions, such as IOS XE Release 17.15.4a.
Cloudflare thwarts yet another record DDoS attack.
Cloudflare mitigated the largest distributed denial-of-service attack ever recorded, peaking at 22.2 terabits per second and 10.6 billion packets per second. The 40-second volumetric assault generated traffic equivalent to streaming a million 4K videos at once, or refreshing every web page on Earth more than once per second. Such packet floods can overwhelm firewalls and routers even when bandwidth is available. The attack follows other record-breaking incidents in recent months, with researchers linking earlier campaigns to the AISURU botnet.
Rhysida ransomware gang claims the Maryland Transit cyberattack.
The Maryland Transit Administration (MTA) has confirmed data was stolen during a cyberattack last month, and the Rhysida ransomware gang is now claiming responsibility. According to cybersecurity firm VenariX, the group demanded 30 bitcoin—about $3.4 million—and released samples allegedly showing passports, driver’s licenses, and contracts. While MTA’s core bus, subway, and light rail systems were unaffected, real-time tracking and the Mobility service for disabled riders were disrupted. An interim call system restored some functionality on August 29. Officials have not disclosed how many people were impacted, citing an ongoing investigation. Maryland’s Department of Information Technology is working with law enforcement and cybersecurity experts. In the meantime, MTA is advising residents to watch for phishing attempts, update software, and enable multifactor authentication.
The new “Obscura” ransomware strain spreads via domain controllers.
Huntress analysts have identified a previously unseen ransomware variant, “Obscura,” after investigating an August 29 incident. The malware, written in Go, was discovered on a victim’s domain controller within the NETLOGON folder, enabling automatic replication across controllers and scheduled execution on multiple hosts. Obscura disables recovery by deleting shadow copies, requires administrative privileges to run, and aggressively terminates security and database processes before encrypting data. The ransom note claims data theft, demands negotiation within 240 hours, and threatens public leaks. Encryption relies on Curve25519 key exchange and ChaCha20. Researchers note Obscura joins a wave of emerging ransomware families like Crux and Cephalus, reflecting frequent rebranding in the ecosystem. Huntress advises organizations to closely monitor domain controllers for suspicious file additions or group policy modifications and enforce strong detection on endpoints to catch early activity.
Retailers’ use of generative AI expands attack surfaces.
Netskope’s retail-sector threat analysis warns that the rapid adoption of generative AI (genAI) tools is expanding attack surfaces: 95% of retailers now use genAI, with increasing reliance on private models and APIs. Sensitive data leaks are rising as employees upload source code, regulated data, and credentials into unapproved cloud services and AI platforms. Attackers are also exploiting trusted cloud services—OneDrive, GitHub, Google Drive—to host malware, capitalizing on their credibility. Personal cloud apps like Facebook, LinkedIn, and Drive are pervasive in workplaces, creating overlapping vectors of risk. The report urges retailers to boost visibility, enforce strict data loss prevention (DLP) and app policies, review HTTP/HTTPS download flows, and adopt solutions like Remote Browser Isolation. In short: innovation in retail is outpacing security controls.
Researchers expose GitHub Actions misconfigurations with supply chain risk.
The Orca Research Pod has uncovered systemic risks in GitHub Actions stemming from misuse of the pull_request_target trigger. Unlike the safer pull_request event, this trigger executes workflows in the base repository’s context, exposing secrets and granting write-enabled tokens by default. Researchers demonstrated that insecure workflows could let attackers escalate from untrusted forked pull requests to remote code execution on both GitHub-hosted and self-hosted runners. Exploits included stealing API keys, pushing malicious code to trusted branches, and abusing overly permissive tokens for package uploads or PR manipulation. Orca found critical misconfigurations in repositories maintained by Google, Microsoft, and other Fortune 500 firms, highlighting the supply chain risk when CI/CD pipelines run untrusted code with excessive privileges. These issues were disclosed responsibly, but the findings underscore how a single forked PR could trigger a full repository compromise.
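As an added illustration, not taken from the Orca research or from any repository it names, here is the misconfiguration pattern the item describes beside a hardened form. The first workflow runs on pull_request_target, so it executes in the base repository's context with secrets and a write-capable GITHUB_TOKEN available, yet it checks out and builds the fork's commit; the second builds untrusted code under the plain pull_request event and pins the token to read-only. Workflow file names, the build command and the secret name are constructed for the example.

```yaml
# Constructed file: .github/workflows/build-risky.yml  (the misconfiguration)
# pull_request_target runs in the BASE repository's context: repository
# secrets are resolved and GITHUB_TOKEN defaults to read/write, even when
# the pull request comes from an untrusted fork.
name: build (risky)
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the fork's commit: anything it changed in the build
          # scripts now runs with the secret below and a write token in scope.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build        # executes code from the fork
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # constructed secret name

---
# Constructed file: .github/workflows/build.yml  (hardened)
# pull_request runs in the fork's own context: no repository secrets are
# passed and GITHUB_TOKEN is read-only for forked PRs. The explicit
# permissions block keeps least privilege even if repository defaults change.
name: build (hardened)
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4             # merge ref of the PR, no secrets
      - run: npm ci && npm run build

---
# Constructed file: .github/workflows/label.yml  (if pull_request_target is
# genuinely needed, e.g. to label PRs, grant only the permission the job
# needs and never check out or execute the fork's code)
name: label (privileged, no untrusted code)
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

Reviewing existing workflows for the combination of `pull_request_target` with a checkout of `github.event.pull_request.head.sha` (or `head.ref`) followed by any step that executes repository content is the quickest way to find this pattern.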
Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign.
Mandiant says a China-linked threat group, UNC5221, is using a new backdoor called BRICKSTORM to infiltrate organizations and steal intellectual property. Since March 2025, responders have investigated numerous intrusions affecting law firms, SaaS providers, and technology companies, with attackers targeting the inboxes of senior executives and individuals tied to U.S. national security and trade. BRICKSTORM, primarily deployed on Linux appliances without endpoint detection, enables persistence and lateral movement into VMware vCenter and ESXi hosts. Mandiant noted the group adapts quickly, even deploying BRICKSTORM after incident response had begun. Evidence suggests the hackers can extract and decrypt administrator credentials and leverage compromised routers for obfuscation. Mandiant warns the campaign’s value extends beyond espionage, potentially feeding zero-day development and downstream supply-chain compromise.
Kansas students push back against an AI monitoring tool.
Students at Lawrence High School in Kansas say the AI-powered monitoring tool Gaggle is chilling speech and intruding on privacy. Adopted in 2023 at a cost of $160,000, Gaggle scans emails and documents for signs of self-harm, violence, or abuse. While officials credit it with preventing suicides, students report false positives: art portfolios flagged as child pornography, essays misinterpreted as threats, and even records requests blocked. Lawsuits now accuse the district of unconstitutional surveillance. A 2024 investigation found more than 1,200 flagged cases in under a year, most later deemed harmless. Critics warn the system outs LGBTQ students and undermines journalism, while defenders call it a vital safety net for overburdened staff. For students, the question remains: who is really watching?
Senators push the FTC to regulate your brainwaves.
On Capitol Hill, lawmakers are turning their attention to a frontier that sounds more like science fiction than policy: your brain. Senators Schumer, Cantwell, and Markey have introduced the Management of Individuals’ Neural Data Act, tasking the FTC with writing the rulebook for how companies can handle neural data. The bill aims to prevent tech firms and data brokers from harvesting, bundling, and selling brain signals to nudge what you buy—or how you feel about it. With companies like Neuralink and consumer wearables already dipping into this territory “without guardrails,” senators warn of manipulative ads and predatory schemes pitched straight into your neurons. The FTC would be asked to coordinate with researchers, advocates, and industry to design protections. Apparently, privacy now means guarding not just your inbox, but also your cortex.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
