
The SMB slip-up.
CISA warns a Windows SMB privilege escalation flaw is under active exploitation. Microsoft issues an out-of-band fix for a WinRE USB input failure. Nation-state hackers had long-term access to F5. Envoy Air confirms it was hit by the zero-day in Oracle’s E-Business Suite. A nonprofit hospital system in Massachusetts suffers a cyberattack. Russia’s COLDRiver group rapidly retools its malware arsenal. GlassWorm malware hides malicious logic with invisible Unicode characters. European authorities dismantle a large-scale Latvian SIM farm operation. Myanmar’s military raids a notorious cybercrime hub. Josh Kamdjou from Sublime Security discusses how teams should get ahead of Scattered Spider's next move. Eagle Scouts are soaring into cyberspace.
Today is Tuesday October 21st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA warns a Windows SMB privilege escalation flaw is under active exploitation.
CISA warns attackers are exploiting a Windows Server Message Block flaw to gain SYSTEM privileges on unpatched Windows systems.
Tracked as CVE-2025-33073 with a CVSS score of 8.8, the vulnerability affects Windows Server, Windows 10, and Windows 11 through 24H2. Microsoft addressed it in the June 2025 Patch Tuesday. An attacker could trick users into connecting to a malicious application server, such as an SMB server, and then abuse the protocol.
Attackers could gain SYSTEM-level privileges, raising the risk of serious compromise. CISA requires Federal Civilian Executive Branch, or FCEB, agencies to secure affected systems by November 10, 2025, under Binding Operational Directive 22-01. Organizations should apply Microsoft’s June 2025 security updates.
Microsoft issues an out-of-band fix for a WinRE USB input failure.
Microsoft shipped an out-of-band update that revives WinRE on systems where USB input went silent.
The company acknowledged the bug on Friday. It blocked navigation inside Windows Recovery Environment, while mice and keyboards still worked after login. On Tuesday Microsoft began rolling out KB5070773, dated October 20, 2025. Rollout came one week after the buggy update. The fix addresses issues introduced by KB5066835 on Windows 11 24H2, 25H2, and Windows Server 2025.
Recovery is a lifeline for responders, and Microsoft recommends users install the update immediately. If you cannot boot, use a touch keyboard, a PS/2 device, or a USB recovery drive. Enterprises can deploy via PXE or use Windows ADK and WinPE.
Nation-state hackers had long-term access to F5.
F5 says nation-state hackers maintained long-term access, stealing BIG-IP code and vulnerability data, prompting urgent government warnings.
According to Bloomberg, access began in late 2023 and was discovered August 9, per F5’s filing. People briefed say attackers exploited exposed F5 software after staff ignored company guidelines. Intruders downloaded BIG-IP files, including source code and data on undisclosed flaws. F5 reports no code modification or known active exploitation.
Stolen code and vulnerability details raise the risk of silent surveillance, manipulation, or disruption of BIG-IP traffic. CISA issued an emergency directive requiring federal agencies to identify and update F5 products by October 22. The UK National Cyber Security Centre also warned customers.
Envoy Air confirms it was hit by the zero-day in Oracle’s E-Business Suite.
Envoy Air has confirmed it was hit in a coordinated wave of attacks exploiting a zero-day in Oracle’s E-Business Suite (CVE-2025-61882), a system critical to global enterprise operations. The CL0P ransomware group, long associated with large-scale extortion, leveraged the flaw for remote takeover without credentials. The same campaign hit Harvard earlier this month and may extend to American Airlines. The vulnerability remained unpatched for nearly three months, underscoring the danger of lagging vendor response times in supply-chain software dependencies.
A nonprofit hospital system in Massachusetts suffers a cyberattack.
Heywood Healthcare, a nonprofit system in north-central Massachusetts, has taken its IT network offline after a cyberattack disrupted operations at its two hospitals. The outage has forced ambulance diversions, halted CT imaging, and affected radiology, lab, phone, and email systems. While inpatient and outpatient care continues, digital systems are severely limited. Experts warn the attack reflects the healthcare sector’s growing vulnerability to ransomware and extortion schemes—where operational disruption, not just data theft, is the goal. Analysts from Lumifi, Rapid7, and Clearwater note that weak vendor security, delayed patching, and poor segmentation remain systemic risks. They urge hospitals to prioritize zero-trust architectures, faster patch management, segmentation of medical devices, and continuous risk analysis to build resilience against the accelerating wave of financially motivated, AI-assisted attacks targeting patient care infrastructure.
Russia’s COLDRiver group rapidly retools its malware arsenal.
Russian-linked COLDRiver has rapidly retooled its malware arsenal, replacing the publicly exposed LOSTKEYS with a chained suite GTIG calls NoRobot, YesRobot and MaybeRobot — and has used it more aggressively than prior campaigns. The attack begins with a “ClickFix” CAPTCHA lure (ColdCopy) that tricks victims into running a malicious DLL via rundll32 (NoRobot), which then fetches staged components — initially a Python-based backdoor (YesRobot) and later a lighter, more flexible PowerShell backdoor (MaybeRobot). GTIG notes COLDRiver alternated noisy and stealthy delivery chains, rotated infrastructure and tweaked components to frustrate analysis, signaling a higher development and operations tempo aimed at credential theft and espionage against NGOs, former intel officers and NATO-aligned targets. Defenders should prioritize phishing-resistant controls, robust detonation and DLL/executable monitoring, and rapid capture of multi-component chains.
GlassWorm malware hides malicious logic with invisible Unicode characters.
A developer-focused supply-chain campaign named GlassWorm has infected roughly 35,800 marketplace installs across OpenVSX and Microsoft Visual Studio by hiding malicious logic with invisible Unicode characters. Once deployed it steals GitHub/npm/OpenVSX credentials and crypto-wallet data, self-propagates using compromised accounts to backdoor more extensions, and installs a SOCKS proxy plus HVNC for covert remote access. Its final payload, ZOMBI, massively obfuscated JavaScript that turns workstations into criminal nodes, is fetched via links embedded in Solana blockchain transactions (with Google Calendar and a fallback IP as backups), making takedown and attribution difficult. Key defensive actions: treat extensions as supply-chain risk (restrict and isolate developer build environments), enforce MFA and least privilege for developer accounts, scan repos for invisible/unusual characters, monitor outbound traffic for proxies/HVNC, and validate third-party code before inclusion.
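A defender-side check for the last item in that list, added here as an example (not GlassWorm's code nor any vendor's tool): it flags invisible and format-class Unicode in source text, reports line and column, and decodes a run of Unicode tag characters so triage can see what they spell. The sample input is constructed; no real extension is involved.

```python
import sys
import unicodedata
from pathlib import Path

# Code points that render as nothing in most editors yet survive in source text; the
# tag characters (U+E0000..U+E007F) are what this kind of payload relies on.
INVISIBLE_RANGES = [
    (0x00AD, 0x00AD),    # soft hyphen
    (0x200B, 0x200F),    # zero-width space/joiners, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM anywhere but at the start of the file
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_suspicious(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Other Format, Private-Use or Unassigned code points have no place in code either.
    return unicodedata.category(ch) in ("Cf", "Co", "Cn")

def find_invisible(text: str):
    """Return (line, column, codepoint, name) for every suspicious character."""
    text = text[1:] if text.startswith("\ufeff") else text  # a leading BOM is legitimate
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits

def decode_tags(text: str) -> str:
    """Recover the ASCII that a run of tag characters encodes (tag = 0xE0000 + ASCII)."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

# Constructed sample, not GlassWorm's real code: a harmless-looking line whose
# string literal conceals the word "hidden" in tag characters.
SAMPLE_JS = ('const greeting = "hello";\n'
             'const x = "\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E";\n')

if __name__ == "__main__":
    # Usage: python scan_invisible.py file.js [more files...]; with no args it scans the sample.
    sources = {p: Path(p).read_text(encoding="utf-8", errors="replace") for p in sys.argv[1:]}
    for name, text in (sources or {"<sample>": SAMPLE_JS}).items():
        for lineno, col, cp, cname in find_invisible(text):
            print(f"{name}:{lineno}:{col}: {cp} {cname}")
```

Run it over extension bundles or a repository checkout in CI; any hit in a `.js`, `.ts` or `package.json` file should block the merge until someone explains it.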
European authorities dismantle a large-scale Latvian SIM farm operation.
European authorities dismantled a large-scale SIM farm operation in Latvia known as Simcartel, which provided millions of fake mobile numbers used in phishing, smishing, and fraud across 80 countries. Coordinated by Europol and Eurojust, the raid resulted in seven arrests, the seizure of 1,200 SIM boxes operating 40,000 SIMs, cryptocurrency worth $835,000, and the takedown of domains gogetsms.com and apisim.com. The group’s infrastructure enabled the creation of 49 million fraudulent online accounts, supporting scams that impersonated police, ran fake marketplaces, and stole financial credentials. Victim losses exceed $5.2 million. Investigators say the service’s bulk SIM access masked identities, fueled transnational cybercrime, and exposed the blurred boundary between telecom misuse and organized fraud—highlighting the need for stricter SIM registration and cross-border digital forensics collaboration.
Myanmar’s military raids a notorious cybercrime hub.
Myanmar’s military has raided KK Park, a notorious cybercrime hub near the Thai border, detaining over 2,000 people and seizing 30 Starlink terminals used to power global online scam operations. The crackdown, launched in September, targeted networks behind romance and investment fraud schemes that trafficked foreign workers and forced them into criminal labor. KK Park, near Myawaddy in Kayin state, lies in a contested region partly controlled by ethnic militias. The junta accused the Karen National Union of complicity, which the group denies. The raid follows international sanctions against similar scam syndicates in Cambodia and reflects mounting regional pressure—especially from China and Thailand—to dismantle Southeast Asia’s human-trafficking-linked cybercrime compounds exploiting unlicensed Starlink connectivity to evade surveillance and fuel transnational fraud.
Eagle Scouts are soaring into cyberspace.
Scouting America—formerly the Boy Scouts—is boldly venturing into the digital wilderness with new AI and cybersecurity merit badges. Once the domain of knots, compasses, and campfires, the scouts are now learning about deepfakes, phishing, and machine learning models. CEO Roger Krone says the goal is to stay relevant “in an increasingly digital world,” though one imagines Baden-Powell never envisioned a troop meeting about prompt engineering. The AI badge asks scouts to explore ethical impacts and build tech-savvy projects, while the cybersecurity badge arms them with tools to stay safe online—no neckerchief required. Early adopters like brothers Charles and Wydell Hendricks already earned theirs; Wydell plans a cyber career in the Air Force, noting the badge also teaches “ethics,” proving that even in the age of algorithms, honor codes still matter.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
