CyberWire Daily - China’s cyberstorm goes global.
Episode Date: September 4, 2025

Salt Typhoon marks China's most ambitious campaign yet. A major Google outage hit Southeastern Europe. A critical zero-day flaw in FreePBX gets patched. Scattered Lapsus$ Hunters claim the Jaguar Land Rover hack. Researchers uncover a major evolution in the XWorm backdoor campaign. GhostRedirector is a new China-aligned threat actor. CISA adds a pair of TP-Link router flaws to its Known Exploited Vulnerabilities (KEV) catalog. The feds put a $10 million bounty on three Russian FSB officers. Experts warn sweeping cuts to ODNI could cripple U.S. cyber defense. Our guest is Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation, discussing IT/OT convergence in securing critical water and wastewater systems. Google says rumors of Gmail's breach are greatly exaggerated.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today our guest is Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation, who is talking about "IT/OT Convergence for Critical Water & Wastewater Security."

Selected Reading
'Unrestrained' Chinese Cyberattackers May Have Stolen Data From Almost Every American (The New York Times)
Google Down in Eastern Europe (UPDATED) (Novinite Sofia News Agency)
Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (SecurityWeek)
M&S hackers claim to be behind Jaguar Land Rover cyber attack (BBC)
XWorm's Evolving Infection Chain: From Predictable to Deceptive (Trellix)
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes (WeLiveSecurity by ESET)
CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited (Cyber Security News)
US offers $10 million bounty for info on Russian FSB hackers (BleepingComputer)
Cutting Cyber Intelligence Undermines National Security (FDD)
No, Google did not warn 2.5 billion Gmail users to reset passwords (BleepingComputer)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area.
Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation.
Visit DMVRising.com to secure your spot.
Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies lifecycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com/47-day. That's cyberark.com slash the numbers 47-D-A-Y.
Salt Typhoon marks China's most ambitious campaign yet.
A major Google outage hits southeastern Europe.
A critical zero-day flaw in FreePBX gets patched.
Scattered Lapsus$ Hunters claim the Jaguar Land Rover hack.
Researchers uncover a major evolution in the XWorm backdoor campaign.
GhostRedirector is a new China-aligned threat actor.
CISA adds a pair of TP-Link router flaws to its Known Exploited Vulnerabilities catalog.
The feds put a $10 million bounty on three Russian FSB officers.
Experts warn sweeping cuts to ODNI could cripple U.S. cyber defense.
Our guest is Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation,
discussing IT/OT convergence in securing critical water and wastewater systems.
And Google says rumors of Gmail's breach are greatly exaggerated.
It's Thursday, September 4th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here.
Today, it's great as always to have you with us.
The New York Times weighs in on Salt Typhoon, reminding us that for decades, China has targeted
U.S. companies and infrastructure through hacking.
But the Salt Typhoon cyber attack marks its most ambitious campaign yet.
Investigators say the state-backed operation, uncovered last year, infiltrated telecommunications
and other sectors in over 80 countries, potentially affecting nearly every American.
Unlike past hacks aimed at specific targets,
Salt Typhoon was broad and indiscriminate,
sweeping up vast amounts of data
that could let Chinese intelligence track politicians,
spies, and activists worldwide.
Western allies, including the U.S., UK, Germany, Japan, and others,
issued a rare joint statement condemning the attack,
calling it unrestrained.
Experts say the campaign reflects China's growing cyber-sophistication,
shifting from theft of trade secrets to deep long-term infiltration of global communication networks to gain strategic advantage.
A major Google outage hit southeastern Europe and parts of the Caucasus earlier today, disrupting daily life and work across several countries, including Bulgaria, Turkey, and Greece. Reports flooded social media and Downdetector as users struggled with core Google services.
YouTube, Google Maps, Search, Gmail, and Drive all experienced significant failures, with YouTube and Maps hardest hit.
Error messages showed 5XX server errors, pointing to issues on Google's end rather than local connections.
Sangoma has issued emergency patches for a critical zero-day flaw in FreePBX with a CVSS score of 10.
The bug, caused by poor sanitization of user input, allows attackers to access the administrator panel, manipulate databases, and execute remote code.
Exploited in the wild since at least August 21st, the flaw impacts multiple versions.
Sangoma advises restricting admin access, updating immediately, and applying firewall protections.
CISA added the bug to its Known Exploited Vulnerabilities list, mandating that federal agencies fix it by September 19th.
We reported yesterday that Jaguar Land Rover suffered a major cyber attack that halted production at multiple plants.
A group of young hackers calling themselves Scattered Lapsus$ Hunters claimed responsibility on Telegram, sharing screenshots allegedly from JLR's internal IT systems.
The gang, linked to past attacks on UK retailers and tied to the youth cybercrime network The Com, is reportedly attempting to extort JLR. While the company has not confirmed data theft, it shut down systems to contain the incident and is working to restore operations. Security experts believe the hackers accessed sensitive internal systems. The Information Commissioner's Office is assessing JLR's report, while authorities remain concerned about rising threats from youth-led cyber gangs.
Researchers at Trellix have uncovered a major evolution in the XWorm backdoor campaign, signaling a strategic shift in its deployment tactics.
Once reliant on predictable phishing and email vectors, XWorm now employs deceptive methods such as disguised executables and multi-stage infection chains to evade detection.
The malware disables firewalls, bypasses PowerShell protections, and establishes persistence through registry edits and scheduled tasks.
Using Rijndael encryption combined with Base64 encoding, it conceals critical command-and-control data while evading analysis with sandbox checks and mutex creation.
Beyond persistence, XWorm offers extensive backdoor capabilities, including system shutdowns, data theft, DDoS attacks, and remote file execution.
Security experts warn its growing sophistication and prevalence highlight the urgent need for layered defenses and proactive detection strategies.
ESET research has uncovered a new China-aligned threat actor dubbed GhostRedirector, which compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam, between December 2024 and June of this year.
Its toolkit includes Rungan, a passive C++ backdoor for remote code execution, and Gamshen, a malicious IIS module engineered to manipulate Google search results for SEO fraud, serving altered content only to Googlebot and promoting gambling websites.
Attackers leverage public exploits like EfsPotato and BadPotato to escalate privileges, install web shells, create administrator accounts, and maintain persistence.
The group's favored entry point appears to be SQL injection, followed by PowerShell downloads.
Comprising custom tools and fallback mechanisms, GhostRedirector demonstrates significant operational resilience, impacting diverse sectors, including health care, education, insurance, transportation, and retail.
CISA has added two TP-Link router flaws to its Known Exploited Vulnerabilities catalog after evidence of in-the-wild attacks. The bugs include an authentication bypass exposing credentials and a command injection flaw enabling remote code execution. Multiple models are impacted, many of which are end of life. Though no public exploitation reports exist, TP-Link linked the activity to the Quad7 botnet tied to China-linked Storm-0940.
Agencies must patch or mitigate by September 24th.
The U.S. State Department is offering up to $10 million for information on three Russian FSB officers, Marat Tyukov, Mikhail Gavrilov, and Pavel Akulov, linked to cyber attacks against U.S. critical infrastructure.
Members of FSB's Center 16, also known as Berserk Bear, Dragonfly, and Koala Team, the trio was charged in 2022 for a campaign that targeted agencies like the Nuclear Regulatory Commission and energy firms, including Wolf Creek Nuclear.
More recently, they exploited a vulnerability in Cisco devices to infiltrate infrastructure, telecom, education, and manufacturing networks worldwide.
The group has also targeted over 500 energy companies in 135 countries.
Rewards for Justice is accepting anonymous tips, offering potential relocation.
This follows June's similar bounty for Russian hackers tied to the RedLine infostealer.
In an editorial titled "Cutting Cyber Intelligence Undermines National Security," Sophie McDowell and retired Rear Admiral Mark Montgomery warn that sweeping reductions to the Office of the Director of National Intelligence are crippling U.S. cyber defense amid rising threats from Russia, China, and Iran.
The downsizing, part of the ODNI 2.0 plan, includes slashing over 40% of staff and shutting down key units like the Cyber Threat Intelligence Integration Center and the Foreign Malign Influence Center, both critical to coordinating threat intelligence and countering foreign influence operations.
The authors argue these cuts will fragment intelligence sharing and leave the nation vulnerable, calling for continued support of these capabilities rather than discontinuing them.
Coming up after the break, my conversation with Rick Kaun, Global Director of Cybersecurity Services at Rockwell Automation.
We're discussing securing critical water and wastewater systems.
And Google says rumors of Gmail's breach are greatly exaggerated. Stay with us.
At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales. T-H-A-L-E-S.
Learn more at thalesgroup.com/cyber.
And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Rick Kaun is Global Director of Cybersecurity Services at Rockwell Automation.
I recently caught up with him to discuss IT and OT convergence in securing critical water and wastewater systems.
So convergence is actually, unfortunately, not unique to a particular industry. I think in the case of water and wastewater, it's maybe even more acutely difficult, simply because water and wastewater are typically much smaller, municipally funded, and don't necessarily have the deep bench strength and budgets and wallets to have both IT and OT practitioners, each with the expertise in their own areas. The general notion of IT-OT convergence is, when we have an OT environment, it kind of looks and feels like IT, but it's not. There's the antiquated nature of some of the systems. There's the fragility and the potential environmental or safety impacts of knocking something offline. There's, of course, the whole third rail we call, which is the non-traditional IT equipment, like PLCs and controllers, that are also in that environment but are Ethernet enabled. And so the notion of IT-OT convergence is how do we effectively take IT practice into an OT environment safely? Because we have to do things differently. And that's where the magic comes from: when I can find a way to blend those two skill sets to solve problems, we start to win. With water and wastewater, you know, and budget and access to resources, it becomes even more unique of a challenge to try and figure out how to do it.
Well, the folks who are finding success here, what are the common elements?
Well, in any industry with the convergence, you have to start with data. So many, and I've been doing this for 25 years, and I joke that when people start to figure this out, I keep saying the same things for 25 years, I won't have a job any longer, is because it boils down to the same challenges and the same reason to the same side of that fence, if you will, the IT, the OT side. It boils down to data, but not just a list, it's contextual data. What I mean by that, and I think it's important to delineate, is that contextual data means I can't just have a list of assets. I can't just have a list of vulns. I need to know much more about that asset to make an informed decision, i.e., I need to know what that asset's particular function is in this facility. So for water and wastewater, you know, is it a venting or an emergency release, or is it something to do with my chemicals for treatment, and is it something to do with the way that we're moving product from place to place, verification and various sensors for levels and measures, et cetera. Because when you look at the risk, that's one thing, that's the IT side, but the OT can tell you, yeah, but that's a really key component to this process, or it only goes down or can have this happen to it or whatever, and that's where you then start to find the magic of, okay, I can't go with Plan A, which is make everything Windows 11 and patch on Tuesday, what do I need to do instead? So the short answer is when you get people from either side of that fence and you're looking at something in its native environment and its actual impact and function, you start to have a way more informed and more intelligent discussion and can come up with reasonable paths forward as opposed to just either giving up or trying to force-fit things.
Who typically bears the burden of having to learn what's on the other side of that fence between
IT and OT?
Yeah, that's a great question. One of our webinars that was very successful a few years ago was "IT's from Mars and OT's from Venus," right? A play on the men and women thing. Because of that, in every single organization, different people, different politics, different budgets usually sort of dictate that before we get there. We are seeing IT being expected, from the board and more consistently, being forced to try and figure out what's on that other side. And in the past, when IT was trying to do that, they'd often put up a firewall and just say, well, whatever is on the other side is not a problem. But boards and insurers aren't accepting that disclaimer as much anymore. So we're seeing the decision making for what to do and how to do it, who to bring in, like a trusted partner or like Rockwell or something, more coming from an IT source, but at the end of the day, what you do and how you do it is still, operations are always king. I mean, we went into a facility that IT didn't bother telling them we were coming. And we had to step back and pause the program while we stepped away and let the parents have their battle royale sort of thing and figure out who's who in the zoo before we came back a couple weeks later and re-engaged, right? So it's not always clear. We get called from both sides. And in a lot of cases, it's not entirely decided. And they kind of figure it out as they go sometimes, unfortunately. But short answer is it's both. And it depends on the organization and how senior the practice is. Typically, you get pulled in from the OT side if OT is leading and being mature and proactive. But if not, and it's being forced from above, it usually comes from the IT side.
Help me understand the difference between, let's say, a new facility that is starting from square one, I'll put air quotes around "in modern times," and a legacy system that may have been around for decades.
I mean, I imagine we have water systems in some cities that go back over 100 years.
Yes, and we even have some where we still see Windows 95 and 98. Unfortunately, true. I love the question, and it gets to some of the crux here. It's twofold. Typically, the old school, you know, brownfield, if you will, 50, 60, 100-year-old facility, there's a lot of complexity in there. It needs to be even more so of that context to be able to make intelligent, informed decisions. And those are very, very difficult. But when you have the context, you can do it. We have clients where everything in OT isn't about first-pass production. It's about second and third and fourth in layers of digital twin and redundancy on HMIs and microsegmentation. So you need, in an existing facility with complex systems or older systems and maybe a blend of different types of systems, much more of that because it's much more useful. Now, on the greenfield side, you can typically build something new and exciting. I've seen a few plans recently for some new factories and groundbreaking things. Everybody's going after the factory of the future and Industry 4.0 and all this other stuff, where you have not only process optimization and minimal footprint, but you also have it done securely, because you're relying on multiple other external sources to help you get faster, better, more secure, et cetera. The reality, though, is that in a lot of the new greenfields, and this is going away, but it's not universal, is that when you write a spec for a process, you usually write for what your throughput is, your temperature, your geographic or your floor space footprint, et cetera, and operating temperatures and whatnot, very mechanical and physical and engineering types of requirements. What often doesn't get put in there is, and by the way, you shall follow these security standards and expectations. What's worse is that at Honeywell, albeit 15 years ago, we would always put the cybersecurity portion as an optional line item with a separate cost. So when we went against other OEMs, we were at least minimum compliant bid head-to-head. And when they bought the spinning equipment, we were at least competitive, but when you wanted the add-on, the feature after it was usually tacked on at the end or maybe not even adopted, unfortunately. It's a better level of adoption and awareness and expectation now, but I still go to many trade shows and say, how many of you have cybersecurity language in your procurement specs, and only about half the room puts their hands up.
Wow. So what are your recommendations then for folks to have best practices? Given the reality of limited budgets, limited time, limited resources, what are your words of wisdom here?
So everybody's doing something a little bit here, there, and wherever, day in and day out. It's not like these facilities are doing nothing. What I would really challenge people to do, especially when they're struggling, is, you know, always look towards the problem as part of a program, right? I know that sounds very contrite, but the reality is, if I decide on what I need for an inventory today, and I'm very immature, I'm primarily looking at inventory so that I can see how many systems do I have, how many do I need to track vulnerabilities and patches against, how many do I need to go and look up, you know, for Rockwell, any product notices or what have you. But that's a very first phase, if I'm not looking, while I'm looking at that inventory, towards step two, three, and four, which is wanting to work on lifecycle management and capital replacement of old, antiquated equipment that can't handle or manage modern security controls. Or if I want to know how to do a backup and restoration plan, I'm not going to back up everything fully and store off-site daily, because not every system is created equal. They have different levels of impact and different levels of repercussion. So start to build your, any step you make today, a decision you make today, needs to be in support of what your ultimate goal is. And then once you start to get that inventory and that context and a much more granular view, you've not only got a better understanding of what you need to do, you've got a better chance of making a business case to go to management and say, look, here's the risk we think we have. We're not trying to boil the ocean. We're not trying to make everything without risk, but now that we've got an idea as to the context of how many assets I have and what their end-of-life status is and how many vulns and expectations and how well they'll be able to back them up, and by the way, four or five of these are mission-critical, you now have the ability to potentially get some more budget or municipal funding to start to put in maybe a managed service or some of these boutique sort of offerings that are helping to come in, and we'll have the expertise and we'll give it to you in the periodic phase that you need and then we'll get out of the way so you don't have to onboard people, but you're right-sizing your program by understanding the context. I mean, nobody goes to zero risk in an operational environment. The challenge is how much do I have and how far do I need to go and how much will that cost me? And that context helps you decide where to spend the day. It also helps you go to business case.
That's Rick Kaun from Rockwell Automation.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply.
Learn more at amex.ca.
You can get protein at home or a protein latte at Tim's.
No powders, no shakers.
Starting at 17 grams per medium latte,
Tim's new protein lattes,
Protein Without All the Work,
at participating restaurants in Canada.
And finally, reports of a catastrophic Gmail breach
had the Internet clutching its digital pearls this week,
with headlines warning all 2.5 billion users
to reset their passwords immediately.
Some cybersecurity firms even joined the chorus,
amplifying what seemed like an urgent warning from Google.
We reported the story here.
There's one problem.
Google never said that.
In a politely exasperated blog post,
the company clarified that Gmail wasn't hacked,
the password reset alert never existed,
and contrary to rumor,
the sky remains firmly in place.
Google reminded everyone that Gmail blocks over 99.9% of phishing and malware
and suggested passkeys for extra safety.
The incident is a good reminder
that it's easy to get caught up
in the hype of a breathless story
and it would do us all well
to pause, take a breath,
and do some fact-checking.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes
or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.