The CyberWire Daily Podcast 10.2.25
Ep 2405 | 10.2.25

CISA furlough sparks fears.

Transcript

CISA furloughs most of its workforce due to the government shutdown. The U.S. Air Force confirms it is investigating a SharePoint related breach. Google warns of a large-scale extortion campaign targeting executives. Researchers uncover Android spyware campaigns disguised as popular messaging apps. An extortion group claims to have breached Red Hat’s private GitHub repositories. A software provider for recreational vehicle and power sport dealers suffers a ransomware breach. Patchwork APT deploys a new PowerShell loader using scheduled tasks for persistence. A Tennessee Senator urges aggressive U.S. action to prepare for a post-quantum future. Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former Deputy Assistant Director at the FBI’s Cyber Division, joins us with insights on the government shutdown. A Malaysian man pleads guilty to supporting a massive crypto fraud. Protected health info is not a marketing tool.

Today is Thursday, October 2nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA furloughs most of its workforce due to the government shutdown. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), responsible for safeguarding the electric grid, water, and other vital services, has furloughed most of its workforce due to the government shutdown. Only 35 percent of staff remain active, though more may be recalled for emergencies, according to the Department of Homeland Security. The disruption coincides with the expiration of CISA 2015, a law shielding companies from liability when sharing cyber threat information. Without reauthorization, some corporations are pulling back from industry security groups, raising fears of weakened “collective defense.” Experts warn this could hamper efforts against ransomware and Chinese state-linked hacking campaigns. The timing is especially awkward, arriving during Cybersecurity Awareness Month, when collaboration and vigilance are traditionally emphasized.

The U.S. Air Force confirms it is investigating a SharePoint related breach. 

The U.S. Air Force has confirmed it is investigating a “privacy-related issue” after reports surfaced of a Microsoft SharePoint breach that may have exposed personally identifiable and health information. An alleged breach notice, shared online, warned that all Air Force SharePoint systems would be shut down service-wide, potentially disabling Teams and Power BI dashboards for up to two weeks. The Air Force has not confirmed which services, if any, are offline, with some personnel reporting continued access. Microsoft declined to comment on any link to earlier SharePoint vulnerabilities that Chinese hackers, data thieves, and ransomware gangs exploited this summer, compromising hundreds of organizations worldwide. The timing has raised concerns about operational disruptions and sensitive data exposure within the military.

Google warns of a large-scale extortion campaign targeting executives.

Google has warned of a large-scale extortion campaign targeting executives after attackers claimed to have stolen data from Oracle’s E-Business Suite. Since late September, victims have received emails demanding ransoms ranging from millions to as much as $50 million. The campaign appears linked to FIN11, a group affiliated with the Cl0p ransomware gang, though Google says it cannot yet verify the breach claims. Mandiant confirmed the extortion emails are being sent from hundreds of compromised accounts, with contact details tied to Cl0p’s leak site. Security firm Halcyon suggested attackers may be exploiting password resets in Oracle systems. With Oracle silent so far, Google advises companies receiving these emails to investigate for signs of compromise.

Researchers uncover Android spyware campaigns disguised as popular messaging apps. 

Researchers at ESET uncovered two Android spyware campaigns, ProSpy and ToSpy, disguised as popular messaging apps Signal and ToTok to target users in the UAE. Spread through fake websites and app stores, the spyware steals contacts, chat backups, media, and other sensitive data while reinstalling legitimate apps to avoid detection. ToSpy appears active since 2022, while ProSpy emerged in 2024. Both require manual installation via third-party sites, including one impersonating Samsung’s app store, and are designed for persistent, regionally focused operations.

An extortion group claims to have breached Red Hat’s private GitHub repositories. 

An extortion group calling itself Crimson Collective claims to have stolen 570GB of data from Red Hat’s private GitHub repositories, including 28,000 internal projects and around 800 Customer Engagement Reports (CERs). CERs often contain detailed client infrastructure information, configuration data, and authentication tokens that could be exploited to breach networks. Red Hat confirmed a security incident affecting its consulting business but did not validate claims about the stolen repositories or CERs, stressing that its software supply chain remains intact. The attackers, who say the breach occurred two weeks ago, published repository listings and CER directories naming major corporations and U.S. government entities. Crimson Collective alleges Red Hat ignored their extortion demands, responding only with automated support instructions.

A software provider for recreational vehicle and power sport dealers suffers a ransomware breach. 

Motility Software Solutions, which provides dealership software for recreational vehicle and power sport dealers, is notifying 766,670 people of a ransomware breach. Hackers accessed business servers on August 19, encrypted files, and stole personal data including names, contact details, dates of birth, Social Security numbers, and driver’s license numbers. Motility says there’s no evidence of misuse, has restored systems from backups, and is offering 12 months of identity protection. The Pear ransomware gang later claimed 4.3TB of stolen data, likely from Motility.

Patchwork APT deploys a new PowerShell loader using scheduled tasks for persistence.

Patchwork, also known as Dropping Elephant, Monsoon, and Hangover Group, an advanced persistent threat active since at least 2015, is deploying a new multi-stage PowerShell loader that abuses Windows Scheduled Tasks to persist and run its final payload. Infection begins with a malicious Office macro that drops a shortcut and runs a PowerShell script. The script installs a faux vlc.exe and libvlc.dll into C:\Windows\Tasks\lama, places a decoy PDF, and creates a scheduled task named WindowsErrorReport to launch the loader. The loader establishes an encrypted command-and-control channel, fingerprints hosts (IP, OS, MAC, installed apps, AV products), and uses layered obfuscation (XOR, Base64, custom Protean) for communications. Capabilities include in-memory payload execution, chunked resumable exfiltration, and screenshot capture. Defenses: enable macros only from trusted sources, monitor for suspicious scheduled tasks, enforce application whitelisting, and run up-to-date endpoint protections.
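The scheduled-task hunt the segment recommends, written out as an added example that is not part of the podcast transcript or of the research it summarizes. It flags scheduled tasks whose executable lives in a staging directory such as C:\Windows\Tasks, tasks whose name mimics a Windows component while being registered outside the \Microsoft\ task folder, and tasks whose arguments launch hidden or encoded PowerShell. The task name WindowsErrorReport and the path C:\Windows\Tasks\lama are taken from the segment above; the staging-directory list, the lookalike-name list, the argument pattern and the three sample tasks are this example's own assumptions, and the sample tasks are constructed, not real telemetry.

```powershell
# Added example: not code from the podcast or from the researchers it cites.
# The directory and name lists below are assumptions chosen for illustration.

$StagingDirs = @(
    'C:\Windows\Tasks',      # path the segment reports the loader using
    'C:\Windows\Temp',
    'C:\ProgramData',
    "$env:PUBLIC",
    "$env:APPDATA",
    "$env:LOCALAPPDATA",
    "$env:TEMP"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Themes a loader might borrow to blend in; the genuine tasks with these themes
# are registered under \Microsoft\Windows\, not at the root of the task library.
$LookalikeNames = @('WindowsErrorReport', 'WindowsUpdate', 'Defender', 'OneDrive', 'GoogleUpdate')

function Test-SuspiciousTaskAction {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $TaskPath,
        [string] $Execute,
        [string] $Arguments
    )
    # ComHandler actions carry no Execute member; only exec actions are examined.
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }

    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    $reasons = [System.Collections.Generic.List[string]]::new()

    foreach ($dir in $StagingDirs) {
        if ($exe.StartsWith($dir + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $reasons.Add("executable under staging directory $dir")
            break
        }
    }

    $isMicrosoftPath = $TaskPath.StartsWith('\Microsoft\', [StringComparison]::OrdinalIgnoreCase)
    foreach ($name in $LookalikeNames) {
        if ($TaskName -like "*$name*" -and -not $isMicrosoftPath) {
            $reasons.Add('name mimics a Windows component but task is registered outside \Microsoft\')
            break
        }
    }

    # Hidden-window or encoded PowerShell is a common loader launch pattern.
    if ($Arguments -match '(?i)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)') {
        $reasons.Add('arguments use hidden-window or encoded PowerShell')
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        TaskName = $TaskName
        TaskPath = $TaskPath
        Execute  = $exe
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample: one task modelled on the chain described above, one benign
# Microsoft task, and one generic task using an encoded PowerShell launch.
$SampleTasks = @(
    [pscustomobject]@{ TaskName = 'WindowsErrorReport'; TaskPath = '\'
                       Execute = 'C:\Windows\Tasks\lama\vlc.exe'; Arguments = '' }
    [pscustomobject]@{ TaskName = 'QueueReporting'; TaskPath = '\Microsoft\Windows\Windows Error Reporting\'
                       Execute = '%windir%\system32\wermgr.exe'; Arguments = '-upload' }
    [pscustomobject]@{ TaskName = 'Backup'; TaskPath = '\'
                       Execute = 'powershell.exe'; Arguments = '-w hidden -enc SQBFAFgA' }
)

$findings = foreach ($t in $SampleTasks) {
    Test-SuspiciousTaskAction -TaskName $t.TaskName -TaskPath $t.TaskPath `
        -Execute $t.Execute -Arguments $t.Arguments
}
$findings | Format-Table -AutoSize

# Against a live host (run elevated so tasks owned by other principals are visible):
# Get-ScheduledTask | ForEach-Object {
#     $task = $_
#     foreach ($a in $task.Actions) {
#         Test-SuspiciousTaskAction -TaskName $task.TaskName -TaskPath $task.TaskPath `
#             -Execute $a.Execute -Arguments $a.Arguments
#     }
# } | Format-Table -AutoSize
```

On the sample data the first and third tasks are reported and the Microsoft QueueReporting task is not. The heuristics are deliberately narrow; a real hunt would also compare each task against a known-good baseline and check the task's registration time and author, which this example does not attempt.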

A Tennessee Senator urges aggressive U.S. action to prepare for a post-quantum future. 

Sen. Marsha Blackburn (R-Tenn.) is urging aggressive U.S. action to prepare for a post-quantum future where current encryption may be broken. Speaking at a Politico event, she confirmed elements of a White House quantum initiative while promoting her own legislative push. Blackburn co-sponsored the National Quantum Cybersecurity Migration Strategy Act, requiring agencies to move at least one high-risk system to quantum-resistant encryption by 2027. She emphasized the need to counter Chinese ambitions in emerging technologies, while praising White House officials leading federal quantum strategy. Blackburn highlighted workforce development, commercial involvement, and stronger encryption as priorities. She is also backing bills to accelerate Defense Department quantum planning, create a quantum sandbox at NIST, and establish a federal institute for quantum manufacturing.

A Malaysian man pleads guilty to supporting a massive crypto fraud. 

A Malaysian man pleaded guilty in a London court to supporting a massive crypto fraud tied to Chinese national Zhimin Qian, also known as Yadi Zhang. Prosecutors say Hok Seng Ling, 46, acted as a fixer for Qian, who ran a Ponzi-style scheme in China that stole $6.2 billion from 128,000 victims. Ling admitted to transferring criminal property in cryptocurrency and helping Qian evade capture by arranging accommodations across the U.K. Police surveillance led to their arrests in York in April 2024, seizing $15 million in assets. Authorities are now pursuing confiscation of 61,000 bitcoins—valued at $7.1 billion—linked to Qian. Both face sentencing in November. The case could set precedent for compensating overseas victims in cross-border crypto fraud.

Protected health info is not a marketing tool. 

Cadia Healthcare thought it had found a clever marketing angle: a “Success Stories” campaign showcasing patients’ recoveries on social media. Unfortunately, regulators saw it less as inspiration and more as a HIPAA violation. The Office for Civil Rights says the Delaware nursing home chain posted names, photos, and medical details of about 150 patients—without the legally required consent forms. One complaint in 2021 unraveled the entire program, leading to a $182,000 fine and a two-year corrective action plan. Cadia has since pulled the campaign and now faces the less glamorous task of rewriting policies, training staff, and sending belated breach notices. As OCR dryly noted, marketing is important, but “valid, written authorization” tends to be even more so when dealing with protected health information.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


DMA nomination: 

One quick note before we wrap up: I’ve been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I’m honored to be recognized and would appreciate your support. You’ll find the link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern. Thanks for listening, and for being part of the N2K CyberWire community.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.