CyberWire Daily - 86 reasons to update.
Episode Date: September 10, 2025

Patch Tuesday. A data leak sheds light on North Korean APT Kimsuky. Apple introduces Memory Integrity Enforcement. Ransomware payments have dropped sharply in the education sector in 2025. A top NSC official warns ICS security lags behind, and a senator calls U.S. cybersecurity a “hellscape”. A Ukrainian national faces federal charges and an $11 million bounty for allegedly running multiple ransomware operations. Our guest is Jake Braun sharing the latest on Project Franklin. WhoFi makes WiFi a new spy.

CyberWire Guest
Today we are joined by Jake Braun, longtime DEF CON organizer, former White House official, and lead on DEF CON Franklin, sharing the latest on Project Franklin.

Selected Reading
Two Zero-Days Among Patch Tuesday CVEs This Month (Infosecurity Magazine)
Fortinet, Ivanti, Nvidia Release Security Updates (SecurityWeek)
ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories (SecurityWeek)
SAP 'wins' Patch Tuesday with worse flaws than Microsoft (The Register)
Adobe Patches Critical ColdFusion and Commerce Vulnerabilities (SecurityWeek)
Data leak sheds light on Kimsuky operations (SC Media)
Apple Unveils iPhone Memory Protections to Combat Sophisticated Attacks (SecurityWeek)
Learn about ChillyHell, a modular Mac backdoor (Jamf)
Ransomware Payments Plummet in Education Amid Enhanced Resiliency (Infosecurity Magazine)
Critical infrastructure security tech needs to be as good as our smartphones, top NSC cyber official says (CyberScoop)
Sen. King: Cyber domain is a ‘hellscape’ that will be made worse by cuts (The Record)
US indicts alleged ransomware boss tied to $18B in damages (The Register)
Jeremy Clarkson's pub has been 'swindled' out of £27,000 by hackers (Manchester Evening News)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMVRising.com to secure your spot.
At Thales, they know cybersecurity can be tough, and you can't protect everything.
But with Thales, you can secure what matters most. With Thales's industry-leading platforms,
you can protect critical applications, data, and identities, anywhere and at scale with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and health care
companies in the world rely on Thales to protect what matters most. Applications, data, and
identity. That's Thales. T-H-A-L-E-S. Learn more
at thalesgroup.com/cyber.
We've got your patch Tuesday update.
A data leak sheds light on North Korean APT Kimsuky.
Apple introduces Memory Integrity Enforcement.
Ransomware payments have dropped sharply in the education
sector this year. A top NSC official warns ICS security lags behind, and a senator calls
U.S. cybersecurity a hellscape. A Ukrainian national faces federal charges and an $11 million
bounty for allegedly running multiple ransomware operations. Our guest is Jake Braun,
sharing the latest on Project Franklin. And WhoFi makes Wi-Fi a new spy.
It's Wednesday, September 10th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great as always to have you with us.
Yesterday was Patch Tuesday. Microsoft issued fixes for 86 vulnerabilities across Windows and its other products.
Several of these carry a likely exploitation label, and among them are two publicly disclosed
zero-day flaws, including an especially serious one which enables SMB relay attacks and
privilege escalation, though mitigations like SMB server signing and Extended Protection for
Authentication can help shield systems. Adobe also released patches addressing nearly two dozen
vulnerabilities across nine products, including critical flaws in ColdFusion and Commerce.
In the industrial space, Rockwell Automation led the ICS Patch Tuesday with eight security
advisories, joined by updates from Siemens, Schneider Electric, and Phoenix Contact.
Finally, Fortinet, Ivanti, and NVIDIA rolled out security updates, tackling high-severity
issues that risk remote code execution, privilege escalation, data exposure, and configuration
tampering.
A new analysis of a 9-gigabyte leaked data set has shed light on North Korean APT Kimsuky,
also known as APT43.
The data reveals development of interactive malware,
a Linux rootkit, and phishing infrastructure,
along with reconnaissance via OCR commands and logs
tied to compromised Taiwanese government and academic IPs.
Researchers also linked the group's operations to Chinese support,
targeting South Korea and Taiwan with GPKI and credential theft campaigns.
Experts recommend monitoring
Nassam artifacts, OCR tool use, phishing domains, and PAM SSH logs for signs of intrusion.
Apple has introduced memory integrity enforcement in its new iPhone 17 and iPhone Air, running iOS 26.
The always-on security feature is designed to protect against advanced spyware attacks that exploit memory safety flaws,
a common tactic of mercenary spyware vendors.
These firms, while claiming to serve governments, often sell tools to authoritarian regimes targeting journalists, activists, and dissidents.
MIE leverages Arm's advanced Memory Tagging Extension, secure memory allocators, and strict confidentiality enforcement to defend the kernel, Safari, and Messages.
Apple reports that MIE disrupts exploit chains early, leaving attackers with limited options
and fragile strategies.
Ivan Krstić, Apple's head of security engineering, said MIE will raise costs for spyware
developers and reshape memory safety defenses.
Meanwhile, Google unveiled advanced protection mode for Android users.
ChillyHell is a sophisticated modular backdoor targeting macOS, active since 2021, yet largely
undetected by antivirus tools.
First noted in a private Mandiant report, the malware resurfaced this year when
Jamf Threat Labs uncovered a notarized sample hosted on Dropbox.
Written in C++, it masquerades as a legitimate app but functions as a stealthy implant,
profiling systems, enumerating users, and persisting via LaunchAgents, LaunchDaemons, or shell
profile injection.
It uses time stomping to mask activity and supports
DNS and HTTP C2 channels.
ChillyHell's modular design allows attackers to deploy reverse shells, update itself,
load payloads, and brute-force local accounts.
Its persistence, flexibility, and developer-side notarization highlight growing sophistication
in macOS threats.
Jamf researchers stress this case as proof that Apple's notarization checks, while helpful,
aren't infallible,
and that macOS users face increasingly Windows-like levels of adversary attention.
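The three persistence mechanisms and the time stomping described in that item are what a responder checks first on a suspect Mac. The script below is an added triage example written for this page; it is not code from Jamf, from the ChillyHell report, or from the original episode. It parses LaunchAgent and LaunchDaemon plists with the standard plistlib module, scans shell-profile lines for injected launch commands, and applies a time-stomping heuristic based on the fact that `touch -t` can rewrite mtime but not APFS birth time. The trusted-path list, the regex patterns, the sample plists, profile lines, timestamps and label names are all constructed assumptions, not indicators taken from the report.

```python
"""macOS persistence triage: LaunchAgents/LaunchDaemons, shell-profile injection,
and a time-stomping heuristic. Added example; every sample below is constructed."""
from __future__ import annotations

import plistlib
import re
from dataclasses import dataclass
from typing import Optional
from xml.parsers.expat import ExpatError

# Assumed prefixes an Apple- or admin-installed job would normally run from (tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Assumed patterns for shell-profile lines that start hidden jobs or run remote code.
PROFILE_PATTERNS = [
    (re.compile(r"\bnohup\b.*&\s*$"), "backgrounded job launched from shell profile"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"), "remote script piped into a shell"),
    (re.compile(r"\beval\b.*base64"), "eval of base64-decoded content"),
    (re.compile(r"/\.[^/\s]+/[^\s]+"), "executable path under a hidden directory"),
]


@dataclass(frozen=True)
class Finding:
    source: str  # file (and line) the finding came from
    reason: str
    detail: str


def _hidden_component(path: str) -> bool:
    """True if any directory component of the path is dot-prefixed."""
    return any(part.startswith(".") for part in path.split("/") if part)


def triage_launch_job(source: str, raw: bytes) -> list[Finding]:
    """Inspect one LaunchAgent/LaunchDaemon plist for implant-like traits."""
    try:
        job = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return [Finding(source, "unparseable plist", "")]
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    if not program:
        return [Finding(source, "job defines no program", "")]
    findings = []
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(Finding(source, "program outside trusted prefixes", program))
    if _hidden_component(program):
        findings.append(Finding(source, "program under a hidden directory", program))
    if job.get("RunAtLoad") and job.get("KeepAlive"):  # launchd restarts it if it dies
        findings.append(Finding(source, "respawning job (RunAtLoad + KeepAlive)", str(job.get("Label", ""))))
    return findings


def triage_shell_profile(source: str, text: str) -> list[Finding]:
    """Scan a .zshrc/.zprofile/.bash_profile body line by line, skipping comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in PROFILE_PATTERNS:
            if pattern.search(stripped):
                findings.append(Finding(f"{source}:{lineno}", reason, stripped))
    return findings


def timestomp_indicator(mtime: float, ctime: float, birthtime: float, slack_days: float = 30.0) -> Optional[str]:
    """touch -t rewrites mtime but not APFS birth time, and the rewrite itself bumps ctime.
    mtime before birth time is a hard indicator; an old mtime with a much newer ctime is a soft one."""
    if mtime < birthtime - 1.0:
        return "mtime precedes birth time"
    if ctime - mtime > slack_days * 86400:
        return "ctime far newer than mtime"
    return None


# Constructed samples (not real indicators): one implant-like agent, one benign daemon, one profile.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/demo/Library/.cache/updater</string><string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_ZSHRC = """# constructed sample ~/.zshrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup "$HOME/Library/.cache/updater" >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in triage_launch_job("LaunchAgents/com.example.updater.plist", SUSPICIOUS_PLIST):
        print(f)
    print(triage_launch_job("LaunchDaemons/com.example.backup.plist", BENIGN_PLIST))
    for f in triage_shell_profile("~/.zshrc", SAMPLE_ZSHRC):
        print(f)
```

On a live host, feed `triage_launch_job` the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and `timestomp_indicator` the `st_mtime`, `st_ctime` and `st_birthtime` fields from `os.stat` on each flagged binary. The birth-time check is the one worth trusting; the 30-day slack rule will also fire on files restored from backup, so treat it as a prompt to look, not a verdict.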
A new report from Sophos shows ransomware demands and payments have dropped sharply in the education sector in 2025,
reflecting stronger defenses and faster recovery.
Average ransom demands fell 74% in lower education and 80% in higher education,
with payments plummeting 88 and 90 percent,
respectively. Recovery costs also declined dramatically. Institutions are also recovering faster:
over half restored operations within a week, compared to just 30% in 2024. Encryption success rates
hit a four-year low; only 29% of lower education incidents and 58% in higher education resulted in
data encryption. Improved detection meant most attacks were stopped before the damage occurred. Phishing was
the leading cause in lower education, while vulnerability exploitation dominated in higher education.
Researchers note attackers may now favor smaller, quicker payouts over large ransom demands.
At this week's Billington Cybersecurity Summit, Alexei Bulazel, the top cyber official at the National
Security Council, warned that U.S. critical infrastructure lags far behind modern smartphones in
security technology. He highlighted the energy sector, which relies heavily on SCADA systems as
particularly vulnerable to disruptions like power outages. Bulazel argued that if infrastructure
systems had protections comparable to iPhones or Android devices, only the most advanced
threat actors could penetrate them. As a White House policymaker, he stressed that raising the
technical baseline would eliminate many security challenges. While the Trump administration supports
offensive cyber operations, Bulazel emphasized a stronger focus on defensive strategies and secure
by design principles. He echoed National Cyber Director Sean Cairncross in urging a shift from
viewing organizations as victims to holding adversaries accountable, noting that hackers are
intentional actors, not natural disasters. Meanwhile, at a Washington, D.C. event held by Politico,
Senator Angus King warned that U.S. cybersecurity is a hellscape, made worse by government cuts,
citing staff reductions at the State Department, Justice Department, and especially CISA,
which he said has lost 30 percent of its workforce and key leaders.
King argued the U.S. is unilaterally disarming as cyber attacks on infrastructure and businesses surge
and criticized the elimination of CISA's public-private partnerships office.
DHS official David Harvich pushed back, saying simply hiring more staff isn't the solution
and praised new leadership appointments.
Ukrainian national Volodymyr Tymoshchuk, age 28, faces federal charges and an $11 million bounty
for allegedly running the LockerGoga, MegaCortex, and Nefilim ransomware operations,
which caused an estimated $18 billion in global damages.
Prosecutors say he targeted over 250 U.S. companies
and hundreds more worldwide, including the 2019 attack on Norsk Hydro,
which disrupted 35,000 employees across 40 countries and cost $81 million.
Tymoshchuk allegedly used tools like Cobalt Strike,
Metasploit, and stolen credentials to infiltrate networks,
often lying dormant before deploying ransomware.
He faces seven counts, including computer fraud and extortion,
and could receive life imprisonment if convicted.
Nefilim, his later operation, followed an affiliate model
targeting large firms with revenues above $100 million.
While Tymoshchuk remains at large,
one of his affiliates, Artem Stryzhak,
was extradited to the U.S. back in April 2024.
Coming up after the break, our guest, Jake Braun, shares the latest on Project Franklin
and WhoFi makes Wi-Fi a new spy. Stick around.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier.
and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust,
so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber
to sign up today for a free demo.
That's V-A-N-T-A dot com slash cyber.
Did you lock the front door?
Check.
Close the garage door?
Yep.
Installed window sensors, smoke sensors, and HD cameras with night vision?
No.
And you set up credit card transaction alerts,
a secure VPN for a private connection,
and continuous monitoring for our personal info on the dark web?
Uh, I'm looking into it.
Stress less about security.
Choose security solutions from TELUS for peace of mind at home and online.
Visit telus.com/totalsecurity to learn more.
Conditions apply.
Jake Braun is a longtime DefCon organizer and former White House official.
I recently sat down with him to discuss the latest on Project Franklin.
First off, thanks for having me.
I love your podcast. It's super interesting.
And I think the way you boil stuff down for the average person is really helpful for me and many others.
So thanks for everything you're doing to get the word out here.
Project Franklin was started by myself and Jeff Moss, the founder of DefCon.
Actually, over dinner in Munich on the margins of the Munich National Security Conference a couple years ago right before I left the White House.
And we talked about how we wanted to create opportunities and a platform for the DefCon community
to get more engaged in civil society issues.
And so as we were thinking about this, we were thinking about, gee,
what would be a name for something that would evoke this idea of both a commitment to scientific inquiry,
like, of course, the DefCon community has,
but also an aspiration towards more civic engagement.
And of course, we thought of one of the founders of America, Benjamin Franklin, who, as we all know, was a great scientist in his work that he did on electricity and bifocals and musical instruments and so many, many other things that you've never even heard of.
But the litany of his scientific contributions are legend.
And then also, obviously, you know, incredibly civically minded.
He was, you know, one of the signers of the Declaration of Independence, was the U.S. representative to London for
years. He was the head of the abolitionist movement in Pennsylvania in the twilight of his career.
And so we thought, what better name to evoke both this commitment to science and civic engagement
than Franklin? And that's why we call it Project Franklin. Well, and your goal, or certainly one of
your outlined goals here, is to help defend U.S. water systems. Could you describe to us what's the
specific challenges that water systems face here in the U.S.? This was something.
again that I was tipped off to while I was at the White House and worked on extensively.
The initial volley to kind of understand how insecure the sector is was Volt Typhoon,
where we know that the Chinese are pre-positioning on critical infrastructure that supports
military installations around the country, so water, power, etc., so that in the event of war
over Taiwan, they can shut off the water or the power for military installations that need to work
that moment in time of conflict over Taiwan. And so they want to slow our response. So I wound up
working on this extensively while I was at the White House and realize that on top of the utilities,
the civilian utilities and support military installations, there's tens of thousands of others
that the federal government does not spend most of its time and energy trying to secure.
And without a civil society response, meaning hackers at DefCon volunteering their time
to provide free support to water utilities, they would have no cybersecurity support but for these
volunteers. So Jeff and I set out to recruit volunteers from DefCon to provide
free cyber support for water utilities around the country. We got money from a couple different
areas to help pay for people to organize the volunteers and so on. Craig Newmark, that's Craig from
Craigslist, was one of the main ones, provided support for it. So we hired a few staff to
recruit and deploy volunteers to these water utilities. We had so many people sign up, I think
350 over the course of just a couple of weeks that we had to shut down sign-ups because we had
so many people sign up we couldn't even take in all the people who were offering to help and then
we partnered with the National Rural Water Association, and forget the word rural, really they
support most of the small water utilities even if they're not in rural areas, and they
started to identify water utilities that wanted to be guinea pigs and take our free help.
So we started out with five utilities, and over the course of about nine, ten months had assigned volunteers to them and started working on improving their cybersecurity, everything from the real basics, like changing default passwords and turning on multi-factor authentication, to more advanced stuff, like helping them identify how to do asset inventory and create incident response plans and things like that.
So that's major kind of piece of volunteerism we have for DefCon Franklin's supporting water utilities.
We also create or produce the Hacker's Almanac now every year, just like Benjamin Franklin produced poor Richard's Almanac,
where we identify the best and brightest innovations or findings from DefCon and produce it into an annual report.
So anyway, I'll pause there.
Well, for the members of our audience who might be interested in volunteering,
what are the expectations or what sort of types of expertise are you looking to have join the program?
So we're generally taking people with a good amount of experience.
You don't have to have a lot of experience to sign up, but the level of qualifications of those who have signed up is so great that we're generally taking people with, you know, 10 years or more experience.
basic network security, in particular, OT and IT, is of a huge interest. Again, well, we've
wound up taking people with other types of qualifications and so on, but particularly those
with IT and OT are of keen interest to us because, of course, all water utilities have, both
IT and OT. Where do you hope that this goes? What's your vision for the future here?
Well, a couple different things.
One is we're trying to find ways to scale this.
So we've had some vendors like Dragos and others that have offered to give us free tools that we could provide to the water utilities that can help them scale, help us scale from not a handful, but hundreds and thousands more quickly.
So we're hoping to do that.
And then, too, in terms of volunteers, down the road where I would love to get us to a point is, you know, we have a volunteer from Allamakee
County, Iowa, which is a town, which is a county of like 10,000 people in the northeastern
most county in Iowa, I don't think that they likely have a person who's a cyber expert
who lives there, because if that person does, they probably left to go get a job in Chicago
or San Francisco or New York or wherever. There's a big tech hub. But I bet there's somebody
from Allamakee County, Iowa, who lives in Chicago or San Francisco or New York, who would
happily be our volunteer for that county to provide support.
for them, do some conference calls, maybe when they're home for the holidays, stop in in person.
And so down the road, years from now, I'd love to have us assigned people who are from their
community to these water utilities, because I think that'll be how we have long-term,
kind of durable and enduring effect on the industry.
Do you think that a volunteer program is sustainable over the long haul?
I believe so. I think the DefCon community certainly has an interest in this. I know we did something similar when I was a co-founder of the Voting Machine Hacking Village. We did something similar back then where we got volunteers to support election jurisdictions. And so, and we had same thing. We had so many people sign up. We didn't know what to do with them. So we know the interest is there from the DefCon community. Hopefully the interest will continue to be there from philanthropy to support.
these efforts because you have to have paid staff to organize the volunteers and work with the utilities and so on.
And I think what we've seen from the water utility industry so far is there's only increasing interest in this type of support,
and they have no money. So it's not like their options are either hire CrowdStrike to come in and do this or take a Franklin volunteer.
Their options are take a Franklin volunteer or do nothing. And so,
we think that we will be able to provide support,
hopefully a long time into the future.
Yeah.
It's interesting to me that I think for a lot of folks,
when they imagine some sort of threat to critical infrastructure,
the first thing that comes to mind is electricity and the lights going out.
But water is certainly as critical, if not even more so,
but it seems to be unrepresented or underrepresented in the popular imagination.
Yeah, I think that water is kind of where power was about a decade or so ago.
I remember, maybe a little more than a decade.
I remember when I was in the Obama administration, I was talking to a buddy of mine who worked
at the Council on Environmental Quality in the White House, and they were talking about this thing
called the smart grid and how they were trying to facilitate expansion of the smart grid
because it's more efficient, uses less energy, blah, blah, blah.
And I was like, great, are you guys talking about cybersecurity for the smart grid?
And the guy was like, it hasn't come up in one meeting or one conversation ever at all.
Now, that's, of course, not the case anymore.
The energy industry has taken the cyber threat very much to heart.
It's probably one of the most robust sectors next to only beaten by probably finance
and the defense industrial base
in terms of what they're doing
in terms of cybersecurity for their sector.
Water's kind of having that awakening right now.
It's just, it's been analog for so long
and this kind of digitization
of their infrastructure has crept up on them.
And so it's not like folks are dumb
and didn't think of this.
It's that the threat wasn't as prevalent as it is today
because so much of their stuff was analog.
And so now that things have become more,
more digitized, the threat's more real, and we're seeing foreign actors exploit the threat.
And so, you know, water's kind of, I think, starting to take up the mantle the way energy did about 10, 15 years ago.
That's Jake Braun. We'll have a link to Project Franklin in the show notes.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply.
Learn more at amex.ca.
slash Yannex.
Wait, I didn't get charged for my donut.
It was free with his Tim's rewards points.
I think I just stole it.
I'm a donut stealer.
Ooh.
Earn points so fast.
It'll seem too good to be true.
Plus, join Tim's rewards today and get enough points for a free donut, drink, or timbits.
With 800 points after registration, activation, and first purchase of a dollar or more,
See the Tim's app for details at participating restaurants in Canada for a limited time.
And finally, Italian researchers have just turned your Wi-Fi into a nosy roommate.
A team at La Sapienza University has developed WhoFi, a system that can identify and re-identify people based on how their bodies distort wireless signals.
No phone in your pocket? No problem. The Wi-Fi waves themselves remember you.
Unlike cameras, Wi-Fi doesn't care about lighting, can see through walls, and is billed as more privacy preserving, which is kind of like saying eavesdropping through drywall is more
polite than peeking through a window.
Using channel state information and deep neural networks,
WhoFi achieved a 95.5% accuracy on test datasets,
outperforming earlier efforts.
So who needs face ID or fingerprints when your own body is busy broadcasting its signature
through the walls?
Privacy may not be dead yet, but it's definitely buffering.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at the Cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at
N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.