The CyberWire Daily Podcast 11.4.25
Ep 2427 | 11.4.25

A storm brews behind the firewall.

Transcript

China-linked hackers target Cisco firewalls. MIT Sloan withdraws controversial “AI-Driven Ransomware” paper. A new study questions the value of cybersecurity training. Hackers exploit OpenAI’s API as a malware command channel. Apple patches over 100 security flaws across devices. A Florida-based operator of mental health and addiction treatment centers exposes sensitive patient information. OPM plans a “mass deferment” for CyberCorps scholars affected by the government shutdown. Lawmakers urge the FTC to investigate Flock Safety’s cybersecurity gaps. Cybercriminals team with organized crime for high-tech cargo thefts. Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies discussing ICE’s controversial facial scanning initiative. A priceless theft meets a worthless password.

Today is Tuesday, November 4th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

China-linked hackers target Cisco firewalls.

China-affiliated threat group Storm-1849, also tracked as UAT4356, has been exploiting Cisco Adaptive Security Appliance (ASA) firewalls used by governments and major firms worldwide, according to Palo Alto Networks’ Unit 42. The hackers leveraged two known Cisco vulnerabilities—CVE-2025-30333 and CVE-2025-20362—to gain persistent control over critical network gateways. Targets included U.S. federal and state agencies, defense contractors, and financial institutions, as well as organizations in Europe, Asia, Africa, and the Middle East.

Despite CISA’s emergency patch directive, attacks persisted through October, pausing briefly during China’s Golden Week. Experts warn that affected entities must not only patch but also reset configurations and credentials to fully remove intrusions.

MIT Sloan withdraws controversial “AI-Driven Ransomware” paper. 

MIT Sloan has retracted a working paper that falsely claimed over 80 percent of ransomware attacks in 2024 involved artificial intelligence. The study, co-authored with cybersecurity firm Safe Security, faced strong backlash from independent researchers, including Kevin Beaumont and Marcus Hutchins, who called the report “ridiculous” and “nonsense,” citing its lack of evidence and inclusion of long-defunct malware like Emotet. Even Google’s AI Overview disputed the statistic.

Following the criticism, MIT removed the paper and said it is revising the work after “recent reviews.” Co-author Michael Siegel acknowledged that an updated version is forthcoming, emphasizing the paper’s intent to explore AI’s growing role in ransomware rather than assert a precise figure. Beaumont later accused MIT Sloan and Safe Security of spreading “cyberslop,” or baseless AI claims for profit, warning that such hype misleads security leaders and undermines trust in cybersecurity research.

A new study questions the value of cybersecurity training. 

A UC San Diego Health study of nearly 20,000 employees found that cybersecurity training had little impact on phishing susceptibility. Trained workers were about as likely to click phishing links as untrained ones, regardless of when they last took training. Popular lures included fake HR and vacation policy updates. Researcher Ariana Mirian said results show users eventually fall for a lure, suggesting organizations should emphasize technical defenses like multifactor authentication and spam filtering instead of relying on training alone.

Hackers exploit OpenAI’s API as a malware command channel. 

Microsoft has uncovered a stealthy backdoor, dubbed SesameOp, that hijacks OpenAI’s Assistants API to control infected systems. Instead of using the API for normal chatbot interactions, attackers use it as a covert command-and-control (C2) channel, blending malicious traffic with legitimate AI activity. The backdoor, first detected in July, employs .NET AppDomainManager injection, layered encryption, and heavy obfuscation to execute and exfiltrate commands invisibly.

By routing through OpenAI’s trusted infrastructure, SesameOp avoids traditional detection methods like suspicious IPs or domains. Microsoft emphasized that this is not an OpenAI vulnerability but a misuse of legitimate capabilities. The company shared indicators and hunting queries to help defenders flag unusual API activity. OpenAI has since disabled a compromised account linked to the attack. Experts warn that as AI integration expands, trusted cloud services will increasingly be repurposed for stealth operations.
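Microsoft’s advice above is to hunt for unusual API activity rather than for bad IPs or domains, since the destination itself is legitimate. The following is an added example of that kind of hunt, not Microsoft’s hunting query and not code from the podcast: it parses constructed egress log lines (an assumed "timestamp host process destination bytes" format) and flags AI API traffic from processes outside an assumed allowlist, from server-class hosts, or in a steady polling pattern, which is the shape of a beacon rather than of a person chatting.

```python
import re
from collections import Counter

# Constructed sample egress log. Assumed format: "ts host process dst_host bytes_out".
# The hosts, processes and counts are invented for illustration.
SAMPLE_LOG = """\
2025-11-04T09:00:01 ws-017 msedge.exe api.openai.com 2100
2025-11-04T09:00:05 ws-017 msedge.exe api.openai.com 1800
2025-11-04T09:01:00 srv-build-02 dotnet.exe api.openai.com 640
2025-11-04T09:01:30 srv-build-02 dotnet.exe api.openai.com 655
2025-11-04T09:02:00 srv-build-02 dotnet.exe api.openai.com 610
2025-11-04T09:02:30 srv-build-02 dotnet.exe api.openai.com 9000
2025-11-04T09:03:00 ws-042 svchost.exe api.openai.com 1200
2025-11-04T09:03:10 ws-042 chrome.exe mail.example.com 300
"""

# Destinations that are legitimate services but can be repurposed as a C2 channel.
AI_API_HOSTS = {"api.openai.com"}
# Assumption: only interactive browsers are expected to reach the API in this environment.
ALLOWED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Assumption: hostnames with these prefixes are servers, which have no reason to chat with a bot.
SERVER_PREFIXES = ("srv-",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, dst, nbytes = m.groups()
            events.append({"ts": ts, "host": host, "proc": proc, "dst": dst, "bytes": int(nbytes)})
    return events


def find_suspicious(events, min_calls=3):
    """Return (host, process, reason) tuples for AI API traffic worth an analyst's look."""
    findings = []
    calls = Counter()
    for e in events:
        if e["dst"] not in AI_API_HOSTS:
            continue  # ordinary traffic, not in scope for this hunt
        if e["proc"] not in ALLOWED_PROCESSES:
            findings.append((e["host"], e["proc"], "unexpected process contacting AI API"))
        if e["host"].startswith(SERVER_PREFIXES):
            findings.append((e["host"], e["proc"], "server-class host contacting AI API"))
        calls[(e["host"], e["proc"])] += 1
    # Repeated calls from one host/process pair look like a beacon polling for commands.
    for (host, proc), n in calls.items():
        if n >= min_calls:
            findings.append((host, proc, f"polling pattern: {n} calls"))
    # Deduplicate while keeping first-seen order so each reason appears once per pair.
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for host, proc, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{host:14} {proc:12} {reason}")
```

In the sample, the browser on ws-017 is never flagged, while the build server’s dotnet process is flagged on all three rules and svchost.exe on a workstation is flagged as an unexpected caller. Real deployments would take the allowlist from an inventory of sanctioned AI tooling and tune `min_calls` against a baseline of normal usage; the point is that the signal is in who calls and how regularly, not in the destination.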

Apple patches over 100 security flaws across devices.

Apple has released major security updates for iOS, iPadOS, and macOS, addressing more than 100 vulnerabilities. iOS and iPadOS 26.1 fix 56 issues, including 19 in the WebKit browser engine, while macOS Tahoe 26.1 patches 105 flaws. The bugs could allow data theft, memory corruption, or sandbox escapes. Many were discovered by Google’s Big Sleep AI, which identifies exploitable weaknesses before attackers can act. Apple also issued fixes for macOS Sequoia, Sonoma, tvOS, watchOS, visionOS, and Safari.

A Florida-based operator of mental health and addiction treatment centers exposes sensitive patient information. 

Oglethorpe Inc., a Florida-based operator of mental health and addiction treatment centers, is notifying over 92,000 patients of a data breach discovered in June. The company reported the incident to the Maine attorney general, saying attackers accessed its IT systems and stole personal data including names, Social Security numbers, and medical information. While no misuse has been confirmed, Oglethorpe is offering affected individuals 12 months of credit monitoring.

The firm, which runs facilities in Florida, Ohio, and Louisiana, has rebuilt compromised systems, notified the FBI, and strengthened network defenses. Experts say breaches involving behavioral health data carry heightened risks of emotional and social harm. Security consultant Dave Bailey emphasized that such incidents erode patient trust and urged healthcare providers to go beyond compliance by prioritizing risk-based protections for sensitive health information.

OPM plans a “mass deferment” for CyberCorps scholars affected by the government shutdown.

The U.S. Office of Personnel Management (OPM) says it will coordinate a “mass deferment” for participants in the federal CyberCorps: Scholarship-for-Service (SFS) program once the government shutdown ends. The program, run by the National Science Foundation (NSF) with OPM and DHS, funds cybersecurity students’ tuition in exchange for post-graduation federal service. Scholars unable to find qualifying jobs must normally repay their awards.

Due to hiring freezes and budget cuts, many current and recent graduates fear they’ll owe as much as $100,000 amid limited federal openings. OPM spokesperson McLaurine Pinover said the deferment will grant more time for job placement and added that no participants have yet been sent to repayment. OPM Director Scott Kupor emphasized that recruiting cybersecurity and AI specialists remains a national priority and that new guidance will urge agencies to fully leverage the SFS program once operations resume.

Lawmakers urge the FTC to investigate Flock Safety’s cybersecurity gaps. 

Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL) have asked the Federal Trade Commission to probe police surveillance firm Flock Safety over alleged weak cybersecurity. Their letter cites at least 35 hacked customer accounts and criticizes Flock for not requiring multi-factor authentication (MFA) or supporting phishing-resistant MFA. The lawmakers warn that poor security could expose location data on millions of Americans. Flock’s license plate reader network spans over 8,000 communities nationwide. Both the FTC and Flock declined to comment.

Cybercriminals team with organized crime for high-tech cargo thefts. 

Proofpoint researchers warn that cybercriminals are teaming with organized crime groups to carry out a modern wave of cargo thefts targeting U.S. logistics firms. The attackers infiltrate freight brokers’ load boards, post fake shipping jobs, and use malicious remote monitoring and management (RMM) tools—such as N-able or ScreenConnect—to gain network access. Once inside, they steal credentials and impersonate brokers to redirect legitimate shipments to criminal-controlled addresses.

Goods stolen range from electronics to energy drinks, with losses totaling millions of dollars. Proofpoint says the criminals are opportunistic, targeting carriers of all sizes. CargoNet’s latest data supports the trend, reporting $111.8 million in losses across 772 thefts in Q3 2025, with an average stolen shipment worth $336,787. Experts expect these cyber-enabled social engineering schemes to grow more sophisticated as attackers exploit public load board data to identify high-value shipments.

A priceless theft meets a worthless password. 

The recent jewel heist at the Louvre museum in Paris looked like something out of a Hollywood script: broad daylight, the Apollo Gallery, and a team of thieves coolly lifting crown jewels worth nearly €90 million before vanishing on a motorbike into Paris traffic. Two weeks later, investigators have suspects in custody, but no trace of the treasure—only questions about how the world’s most famous museum could be robbed so easily.

Enter the punchline: documents now reveal that the Louvre’s surveillance server once required the password “LOUVRE.” Yes, the museum guarding centuries of priceless art apparently thought security should rhyme with simplicity. Prosecutor Laure Beccuau says the culprits aren’t criminal masterminds, just lucky opportunists aided by “a chronic underestimation of risk.”

So while the thieves remain at large, the true embarrassment hangs in the network logs—a password so weak it could’ve been guessed by a tourist in line for tickets.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.