CyberWire Daily - A storm brews behind the firewall.
Episode Date: November 4, 2025

China-linked hackers target Cisco firewalls. MIT Sloan withdraws controversial “AI-Driven Ransomware” paper. A new study questions the value of cybersecurity training. Hackers exploit OpenAI’s API as a malware command channel. Apple patches over 100 security flaws across devices. A Florida-based operator of mental health and addiction treatment centers exposes sensitive patient information. OPM plans a “mass deferment” for CyberCorps scholars affected by the government shutdown. Lawmakers urge the FTC to investigate Flock Safety’s cybersecurity gaps. Cybercriminals team with organized crime for high-tech cargo thefts. Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies discusses ICE’s controversial facial scanning initiative. A priceless theft meets a worthless password.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies discussing ICE’s controversial facial scanning initiative. You can read more about Ben’s topic from 404 Media: You Can't Refuse To Be Scanned by ICE's Facial Recognition App, DHS Document Says.
Selected Reading
China-Linked Hackers Target Cisco Firewalls in Global Campaign (Hackread)
MIT Sloan shelves paper about AI-driven ransomware (The Register)
CyberSlop — meet the new threat actor, MIT and Safe Security (DoublePulsar)
Study concludes cybersecurity training doesn’t work (KPBS Public Media)
Microsoft: OpenAI API moonlights as malware HQ (The Register)
Apple Patches 19 WebKit Vulnerabilities (SecurityWeek)
Data Theft Hits Behavioral Health Network in 3 States (Bank Infosecurity)
OPM plans to give CyberCorps members more time to find jobs after shutdown ends (CyberScoop)
Lawmakers ask FTC to probe Flock Safety’s cybersecurity practices (The Record)
Cybercriminals, OCGs team up on lucrative cargo thefts (The Register)
Louvre Robbery: Security Flaws: The (Obviously) Password Was "Louvre" (L’Unione Sarda)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
China-linked hackers target Cisco firewalls.
MIT Sloan withdraws a controversial AI-driven ransomware paper.
A new study questions the value of cybersecurity training.
Hackers exploit OpenAI's API as a malware command channel.
Apple patches over 100 security flaws across devices.
A Florida-based operator of mental health and addiction treatment centers exposes sensitive patient information.
OPM plans a mass deferment for CyberCorps scholars affected by the government shutdown.
Lawmakers urge the FTC to investigate Flock Safety's cybersecurity gaps.
Cybercriminals team with organized crime for high-tech cargo thefts.
Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies discusses ICE's controversial facial scanning initiative.
And a priceless theft meets a worthless password.
It's Tuesday, November 4th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
China-affiliated threat group Storm-1849, also tracked as UAT-4356, has been exploiting Cisco Adaptive Security Appliance firewalls used by governments and major firms worldwide, according to Palo Alto Networks' Unit 42. The hackers leverage two known Cisco vulnerabilities to gain persistent control over critical network gateways. Targets include U.S. federal and state agencies, defense contractors, and financial institutions, as well as organizations in Europe, Asia, Africa, and the Middle East. Despite CISA's emergency patch directive, attacks persisted through October, pausing briefly during China's Golden Week. Experts warn that affected entities must not only patch but also reset configurations and credentials to fully remove intrusions.
MIT Sloan has retracted a working paper that falsely claimed over 80% of ransomware attacks in 2024 involved artificial intelligence. The study, co-authored with cybersecurity firm Safe Security, faced strong backlash from independent researchers, including Kevin Beaumont and Marcus Hutchins, who called the report ridiculous and nonsense, citing its lack of evidence and inclusion of long-defunct malware like Emotet. Even Google's AI Overview disputed the statistic. Following the criticism, MIT removed the paper and said it is revising the work after Reuters' recent reviews. Co-author Michael Siegel acknowledged that an updated version is forthcoming, emphasizing the paper's intent to explore AI's growing role in ransomware rather than assert a precise figure. Beaumont later accused MIT Sloan and Safe Security of spreading "CyberSlop," or baseless AI claims for profit, warning that such hype misleads security leaders and undermines trust in cybersecurity research.
A UC San Diego Health study of nearly 20,000 employees found that cybersecurity training had little impact on phishing susceptibility. Trained workers were about as likely to click phishing links as untrained ones, regardless of when they last took training. Popular lures included fake HR and vacation policy updates. Researcher Ariana Mirian said results showed users eventually fall for a lure, suggesting organizations should emphasize technical defenses like multifactor authentication and spam filtering instead of relying on training alone.
Microsoft has uncovered a stealthy backdoor dubbed SesameOp that hijacks OpenAI's Assistants API to control infected systems. Instead of using the API for normal chatbot interactions, attackers use it as a covert command and control channel, blending malicious traffic with legitimate AI activity. The backdoor, first detected in July, employs .NET AppDomainManager injection, layered encryption, and heavy obfuscation to execute and exfiltrate commands invisibly. By routing through OpenAI's trusted infrastructure, SesameOp avoids traditional detection methods like suspicious IPs or domains. Microsoft emphasized that this is not an OpenAI vulnerability, but a misuse of legitimate capabilities. The company shared indicators and hunting queries to help defenders flag unusual API activity. OpenAI has since disabled a compromised account linked to the attack. Experts warn that as AI integration expands, trusted cloud services will increasingly be repurposed for stealth operations.
Apple has released major security updates for iOS, iPadOS, and macOS, addressing more than 100 vulnerabilities. iOS and iPadOS 26.1 fix 56 issues, including 19 in the WebKit browser engine, while macOS Tahoe 26.1 patches 105 flaws. The bugs could allow data theft, memory corruption, or sandbox escapes. Many were discovered by Google's Big Sleep AI, which identifies exploitable weaknesses before attackers can act. Apple also issued fixes for macOS Sequoia, Sonoma, tvOS, watchOS, visionOS, and Safari.
Oglethorpe Incorporated, a Florida-based operator of mental health and addiction treatment centers, is notifying over 92,000 patients of a data breach discovered in June. The company reported the incident to the Maine attorney general, saying attackers accessed its IT systems and stole personal data, including names, Social Security numbers, and medical information. While no misuse has been confirmed, Oglethorpe is offering affected individuals 12 months of credit monitoring. The firm, which runs facilities in Florida, Ohio, and Louisiana, has rebuilt compromised systems, notified the FBI, and strengthened network defenses. Experts say breaches involving behavioral health data carry heightened risks of emotional and social harm. Security consultant Dave Bailey emphasized that such incidents erode patient trust and urged health care providers to go beyond compliance by prioritizing risk-based protections for sensitive health information.
The U.S. Office of Personnel Management says it will coordinate a mass deferment for participants in the federal CyberCorps Scholarship for Service program once the government shutdown ends. The program, run by the National Science Foundation with OPM and DHS, funds cybersecurity students' tuition in exchange for post-graduation federal service. Scholars unable to find qualifying jobs must normally repay their awards. Due to hiring freezes and budget cuts, many current and recent graduates fear they'll owe as much as $100,000 amid limited federal openings. OPM spokesperson McLaurin Pinover said the deferment will grant more time for job placement and added that no participants have yet been sent to repayment. OPM director Scott Kupor emphasized that recruiting cybersecurity and AI specialists remains a national priority and that new guidance will urge agencies to fully leverage the SFS program once operations resume.
Senator Ron Wyden, Democrat from Oregon, and Representative Raja Krishnamoorthi, Democrat from Illinois, have asked the Federal Trade Commission to probe police surveillance firm Flock Safety over alleged weak cybersecurity. Their letter cites at least 35 hacked customer accounts and criticizes Flock for not requiring multi-factor authentication or supporting phishing-resistant MFA. The lawmakers warn that poor security could expose location data on millions of Americans. Flock's license plate reader network spans over 8,000 communities nationwide. Both the FTC and Flock declined to comment.
Researchers at Proofpoint warn that cybercriminals are teaming with organized crime groups to carry out a modern wave of cargo thefts targeting U.S. logistics firms. The attackers infiltrate freight brokers' load boards, post fake shipping jobs, and use malicious remote monitoring and management tools such as N-able or ScreenConnect to gain network access. Once inside, they steal credentials and impersonate brokers to redirect legitimate shipments to criminal-controlled addresses. Goods stolen range from electronics to energy drinks, with losses totaling millions of dollars. Proofpoint says the criminals are opportunistic, targeting carriers of all sizes. CargoNet's latest data supports the trend, reporting over $11 million in losses across 772 thefts in the third quarter of 2025, with an average stolen shipment worth $336,000. Experts expect these cyber-enabled social engineering schemes to grow more sophisticated as attackers exploit public load board data to identify high-value shipments.
Coming up after the break, my Caveat co-host Ben Yelin discusses ICE's controversial facial scanning initiative, and a priceless theft meets a worthless password. Stay with us.
What happens when cybercrime becomes as easy as shopping online? SpyCloud's Trevor Hilligoss joined Dave Bittner on the CyberWire Daily to explain how a wave of cybercrime enablement services is lowering the barrier to entry and making sophisticated attacks available to anyone. "I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal adjacent. Instead of having sort of the smaller pool of high sophistication actors that are able to kind of carry out these really vast and costly cyber attacks, you know, we see that being given to much lower sophistication, lower tech folks that are, you know, a much lower barrier to entry to get into this field. The person that's buying access to this, they basically need a phone and a Bitcoin wallet." Make sure you hear this full conversation and learn how the underground economy is reshaping cyber risk. Visit explore.thecyberwire.com/spycloud. That's explore.thecyberwire.com/spycloud.
What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Get No Frills delivered. Shop the same in-store prices online and enjoy unlimited delivery with PC Express Pass. Get your first year for $2.50 a month. Learn more at pcexpress.ca.
It is always my pleasure to welcome back to the show Ben Yelin. He is my co-host over on the Caveat podcast, and he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
Good to be with you again, Dave.
We had a discussion for this week's Caveat show.
Which you should listen to.
Which you should totally listen to.
About some facial recognition software that ICE is using here.
Can you unpack this, Ben?
What's going on?
Sure. So this comes from a story from 404 Media, which is some really interesting work in this space. And it's about an ICE application originally developed by Customs and Border Protection called Mobile Fortify. And under that application, ICE uses facial recognition scans in order to determine if a person is either a U.S. citizen or a lawful legal resident. And if they are not, they are eligible for detention and potential deportation. Data that's collected through the use of this app, this biometric data, can be stored for 15 years. So generally how it works in practice, agents will take a photo on one of their issued mobile devices. It's checked against the Customs and Border Protection's traveler verification system, which has a database of roughly 200 million faces, and the system returns relevant details, name, date of birth, nationality, et cetera, but is also capable of capturing fingerprints and GPS locations from this encounter. What's particularly controversial is that DHS has stated as a policy that you cannot refuse to be scanned by this facial recognition application. So this obviously has Fourth Amendment implications. Almost by definition, these types of searches are taking place among people for whom ICE is not sure if they're U.S. citizens or proper U.S. residents. So it's going to implicate the rights of U.S. persons. And I think the concern here is, given that this is a pretty invasive use of technology, it's data that can be collected and used against you for up to 15 years. If you're ever arrested for a crime, even if you have never committed a crime in the past, your face could be in national facial recognition databases, and that could be used as evidence to convict you. So given those implications, you can understand, I think, why this is particularly controversial. For their part, DHS has not responded to that story for comment.
I think in their minds this is a tool that will shorten ID verification time compared to other manual methods, and most notably they believe, at least according to this article, that the use of these biometric tools is more reliable even than things like actual passports, birth certificates, etc. So they are using the results of their facial recognition search as the definitive word as to whether a person is here legally. So this is certainly something that's rankled people who believe in civil liberties and Fourth Amendment rights.
I saw this in this article.
It got the attention of Congressman Bennie Thompson, who's a Democrat from Mississippi.
He said that this practice is frightening, repugnant, and unconstitutional.
You know, we've seen concerns, justified concerns, that facial recognition is less reliable when dealing with people of color. And of course, no small irony that that's who ICE is targeting here, right?
Right. So there's very well-established research that facial recognition frequently fails, as you say, when we're viewing faces of people of color. And so I think that's one of the concerns that Representative Thompson has brought up, and many others. We know that the Supreme Court, in one of its decisions on ICE's tactics, said that the use of race isn't acceptable, at least as an initial matter, impetus for attempting to question somebody's citizenship as kind of a common sense if most of the undocumented immigrants in this country are from Central South and Central America and parts of South America, then by necessity, at least according to a concurrence by Justice Kavanaugh, we should be able to take the person's race into consideration. So when you combine that constitutional finding with the fact that this app is being used widely and facial recognition does poorly in circumstances with faces of people of color, I think you have the recipe for a real civil liberties disaster here.
So what could people do to push back on this? We have Congressman Bennie Thompson who's against it. I'm sure he has colleagues who agree with him. Would it be up to Congress to push back? Would someone be able to bring a case against this if they were wrongly accused?
Yes, so somebody could certainly bring a case. I can't say I would be super optimistic of a person trying to bring a constitutional Fourth Amendment case, given that it's unclear whether facial recognition of people, at least in public thoroughfares, qualifies as a constitutional search. It doesn't neatly meet the definition of search or seizure under the Fourth Amendment. And then the government could always claim that they're doing this in the interest of national security, which always weighs favorably toward the government in terms of an analysis of whether the search is reasonable. So if somebody could bring that legal challenge, they'd have to have standing, which means they would have had to have been unlawfully detained, and they could challenge the circumstances around their detention. Short of that, it would be Congress who could intervene and could prevent the use of this technology, or the use of this technology without proper safeguards, like giving people the right to opt out. But I certainly do not see the current Congress agreeing to something like that. So at the very least, we'd have to wait a year until there is a different Congress in place that isn't as supportive of the president's immigration policies.
So just to be crystal clear here, I'm walking down the street and I cross paths with the folks from ICE. They say, hey there, sir, we need you to stop to get your face scanned. And I say, no, I'm good, and try to keep walking. What likely happens next?
They will tell you that you have to do it, and they're the ones with the guns and the handcuffs. So they could probably make you comply with the use of physical force. We don't know exactly what would happen because DHS didn't comment for this article, but I think the implication is they could use any means necessary. If they feel this is the definitive word on somebody's right to be in this country, I think they could compel, through force or the threat of physical force, somebody into complying, and they will put your face in front of a camera.
All right. Well, again, this is from the folks over at 404 Media, who, as you say, Ben, are doing some really good work with these sorts of things. We'll have a link to that in the show notes. Ben Yelin, thanks so much for joining us.
Thank you, Dave.
And finally, the recent jewel heist at the Louvre Museum in Paris looked like something out of a Hollywood script. Broad daylight, the Apollo Gallery, and a team of thieves coolly lifting crown jewels worth nearly 90 million euros before vanishing on a motorbike into Paris traffic. Two weeks later, investigators have suspects in custody, but no trace of the treasure, only questions about how the world's most famous museum could be robbed so easily. Well, documents now reveal that the Louvre's surveillance server once required a password: Louvre. Yes, the museum guarding centuries of priceless art apparently thought security should rhyme with simplicity. Prosecutor Laure Beccuau says the culprits aren't criminal masterminds, just lucky opportunists aided by what she said was the Louvre's chronic underestimation of risk. So while the thieves remain at large, the true embarrassment hangs in the network logs, a password so weak it could have been guessed by a tourist in line for tickets.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
