CyberWire Daily - CISA sounds the alarm on Cisco flaws.
Episode Date: September 26, 2025

CISA gives federal agencies 24 hours to patch a critical Cisco firewall bug. Researchers uncover the first known malicious MCP server used in a supply chain attack. The New York SIM card threat may have been overblown. Microsoft tags a new variant of the XCSSET macOS malware. An exposed auto insurance claims database puts PII at risk. Amazon will pay $2.5 billion to settle dark pattern allegations. Researchers uncover North Korea’s hybrid playbook of cybercrime and insider threats. An old Hikvision security camera vulnerability rears its ugly head. Dan Trujillo from the Air Force Research Laboratory’s Space Vehicles Directorate joins Maria Varmazis, host of T-Minus Space Daily, to discuss how his team is securing satellites and space systems from cyber threats. DOGE delivers dysfunction, disarray, and disappointment.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Dan Trujillo from the Air Force Research Laboratory’s Space Vehicles Directorate joins Maria Varmazis, host of T-Minus Space Daily, to discuss how his team is securing satellites and space systems from cyber threats, and also shares advice for breaking into the fast-growing field of space cybersecurity.

Selected Reading
Federal agencies given one day to patch exploited Cisco firewall bugs (The Record)
First malicious MCP Server discovered, stealing data from AI-Powered email systems (Beyond Machines)
Secret Service faces backlash over SIM farm bust as experts challenge threat claims (Metacurity)
Microsoft warns of new XCSSET macOS malware variant targeting Xcode devs (Bleeping Computer)
Microsoft cuts off cloud services to Israeli military unit after report of storing Palestinians' phone calls (CNBC)
Auto Insurance Platform Exposed Over 5 Million Records Including Documents Containing PII (Website Planet)
Amazon pays $2.5 billion to settle Prime memberships lawsuit (Bleeping Computer)
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception (We Live Security)
Critical 8 years old Hikvision Camera flaw actively exploited again (Beyond Machines)
The Story of DOGE, as Told by Federal Workers (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the Datasec AI conference,
the premier event for cybersecurity data and AI leaders, hosted by data security leader
Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take
center stage. Datasec AI 25 is happening November 12th and 13th in Dallas. There's no cost to
attend. Just bring your perspective and join the conversation. Register now at Datasec AI
2025.com slash cyberwire.
CISA gives federal agencies 24 hours to patch a critical Cisco firewall bug.
Researchers uncover the first known malicious MCP server used in a supply chain attack.
The New York SIM card threat may have been overblown.
Microsoft tags a new variant of the XCSSET macOS malware.
An exposed auto insurance claims database puts PII at risk.
Amazon will pay $2.5 billion to settle dark pattern allegations.
Researchers uncover North Korea's hybrid playbook of cybercrime and insider threats.
An old Hikvision security camera vulnerability rears its ugly head.
Dan Trujillo from the Air Force Research Laboratory Space Vehicles Directorate
joins Maria Varmazis, host of the T-Minus Space Daily,
to discuss how his team is securing satellites and space systems from cyber threats.
And DOGE delivers dysfunction, disarray, and disappointment.
It's Friday, September 26, 2025.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. Happy Friday. It is great to have you with us.
Federal civilian agencies have until later today to patch two actively exploited Cisco
firewall vulnerabilities under a new emergency directive from CISA. The flaws affect
Cisco Adaptive Security Appliances, widely used by governments and large enterprises.
CISA warned attackers can exploit the bugs with ease, chain them for greater impact, and persist through reboots and upgrades.
Cisco released fixes Thursday and confirmed attacks targeting ASA 5500-X Series devices.
Agencies must patch, assess for compromise, and decommission unsupported hardware.
Canada and the UK issued parallel alerts, citing risks to critical infrastructure.
Cisco linked the activity to sophisticated actors behind last year's ArcaneDoor campaign,
previously associated with state-sponsored interests.
Researchers at Koi Security uncovered the first known malicious Model Context Protocol server, or MCP server, used in a supply chain attack.
An MCP server is a component of the MCP ecosystem that acts as a bridge between AI assistants or
large language models and external systems, tools, or data sources. In this case, the npm package
postmark-mcp, once trusted by hundreds of developers, was altered by its maintainer to secretly
exfiltrate emails. A single line of code added a blind carbon copy to every processed email,
sending sensitive data to an attacker-controlled domain. Researchers estimate about 300 organizations were
affected, with thousands of emails stolen daily, including credentials, financial records,
and legal documents. The incident highlights a fundamental weakness in MCP servers: they inherit
full privileges from AI assistants, but lack containment or verification safeguards. Koi
Security urges organizations to uninstall compromised versions and rotate exposed credentials.
Earlier this week, we reported the U.S. Secret Service announcement that they dismantled a network
of more than 300 SIM servers and 100,000 SIM cards near New York,
describing it as an imminent threat to protective operations during the UN General Assembly.
Officials warned the infrastructure could disable cell towers and support nation-state communications,
citing links to swatting attacks against members of Congress.
However, experts quickly cast doubt, suggesting the setup was instead a large SIM farm used for voice over IP scams and SMS fraud, a common criminal scheme worldwide.
Commenters noted the described equipment was unlikely to disrupt regional cellular networks.
By day's end, the narrative shifted from nation-state sabotage to overblown claims about an ordinary telecom fraud operation.
Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware active in
limited attacks. XCSSET, which spreads by infecting Xcode projects, now includes enhanced
browser targeting, updated clipboard hijacking to steal cryptocurrency, and new persistence methods
such as LaunchDaemon entries and a fake System Settings app. The malware can exfiltrate notes,
crypto wallets, and browser data, redirecting funds to attacker-controlled addresses.
Microsoft has notified Apple and GitHub, urging developers to scrutinize shared Xcode projects
carefully.
Elsewhere, Microsoft said it has stopped providing certain cloud and AI services to a division
of Israel's Ministry of Defense, after finding evidence supporting reports that Unit 8200
used Microsoft technology to track Palestinians' phone calls.
The move follows employee protests over Israel's use of Microsoft software during its Gaza invasion.
President Brad Smith confirmed the suspension involved Azure storage in the Netherlands and AI services.
The Guardian reported Israel may shift the surveillance system to Amazon Web Services.
Security researcher Jeremiah Fowler discovered an unprotected
database containing 5.1 million files, totaling 10 terabytes, linked to Illinois-based
ClaimPix, a platform used for managing auto insurance claims nationwide. The exposed data
included vehicle registrations, repair invoices, images of damaged cars with visible VINs,
and nearly 16,000 signed powers of attorney granting legal authority over vehicles. Sensitive personal
information such as names, addresses, phone numbers, and emails was also visible alongside
internal business documents. Fowler reported the issue and access was restricted soon after.
It remains unclear how long the data was exposed or if it was accessed by others.
Experts warn the leak could enable identity theft, insurance fraud, or VIN cloning.
ClaimPix confirms the findings and says it updated policies and code to remediate the
flaw.
Amazon has agreed to pay $2.5 billion to settle Federal Trade Commission claims that it used
deceptive dark patterns to push millions into unwanted Prime subscriptions and obstruct
cancellations.
The deal includes a $1 billion civil penalty and $1.5 billion in refunds for 35 million
customers.
The FTC said Amazon knowingly designed manipulative enrollment
flows and a cancellation system codenamed Iliad to deter users. The settlement follows the FTC's
2023 lawsuit, alleging Prime subscription traps violated federal consumer protection laws.
Researchers at ESET have detailed links between DeceptiveDevelopment, a North Korea-aligned
cybercrime group, and WageMole, a cluster of North Korean IT workers. DeceptiveDevelopment targets
software developers, especially in cryptocurrency and Web3, using fake recruiter profiles and
social engineering scams, such as trojanized coding challenges and the ClickFix technique.
Its malware arsenal includes BeaverTail, InvisibleFerret, WeaselStore, and the complex
TsunamiKit toolkit, along with links to Lazarus Group malware like Tropidoor and AkdoorTea.
WageMole operators exploit stolen identities and AI-driven tools to pose as remote job seekers,
sometimes using proxy interviews or manipulated video to secure roles abroad.
Their earnings and access provide both financial resources and insider footholds for North Korea.
Together, these groups illustrate a hybrid model that blends financial crime, espionage, and insider risk.
SANS researchers report a sharp increase in exploitation attempts
targeting an eight-year-old critical authentication bypass flaw in Hikvision security cameras
with a CVSS score of 10.
Attackers send crafted HTTP requests, often using weak credentials, to gain access.
Once compromised, cameras can be locked against legitimate users, have configurations altered,
and be leveraged for lateral movement.
Stolen configuration files use weak encryption
and can be decrypted to harvest credentials.
A wide range of Hikvision models remain vulnerable,
with hundreds of thousands still exposed online.
The risk is compounded by rebranding practices
where Hikvision hardware is sold under other names.
SANS urges organizations to patch immediately,
enforce strong passwords,
and restrict management interface
access to trusted networks.
Coming up after the break, Maria Varmazis speaks with Dan Trujillo from the Air Force Research
Laboratory Space Vehicles Directorate, discussing how his team is securing satellites.
And DOGE delivers dysfunction, disarray, and disappointment.
Stick around.
CISO Perspectives is back with an all-new season.
This season is all about change.
Whether it be emerging technologies like AI,
shifting governmental roles, or evolving threats.
We are sitting down with security experts
and getting their insights to help you make sense of these changes.
We are part of a larger ecosystem.
And if you look at the largest cyber incidents,
they have massive downstream effects.
I'm Ethan Cook, editor of CISO Perspectives at N2K CyberWire.
This week, host Kim Jones with his first guest, Ben Yellen,
to discuss the current state of regulation.
Absolute security, by definition, is an oxymoron.
I can secure you absolutely if you shutter your doors,
wipe your computers, wrap them in Lucite,
and drop them in the Mariana Trench.
But then again, you aren't going to make no money.
CISO Perspectives is an N2K Pro exclusive show.
But for this season, we're sharing the first two episodes free on the CyberWire Daily.
To hear the full season, visit thecyberwire.com and click on subscribe now to become an N2K Pro member.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales' industry-leading platforms, you can protect critical applications, data and identities,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks,
retailers, and health care companies in the world
rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier.
And it can strengthen your security posture while actually
driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party
risk, and even customer trust, so you're not buried under spreadsheets and endless manual
tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free
demo. That's V-A-N-T-A dot com slash cyber.
My N2K colleague Maria Varmazis, host of the T-Minus Space Daily podcast, recently sat down with
Dan Trujillo from the Air Force Research Laboratory's Space Vehicles Directorate
to discuss how his team is securing satellites and space systems from cyber threats.
So my name is Joseph D. Trujillo, and my dad was Joseph as well, so I'm a second.
So I actually go by Dan, my middle name, so people know me by Dan Trujillo.
And so my current job is I lead the space cyber resiliency technical area for the Air Force Research Labs
in the space vehicles directorate.
Now, what's interesting about that is,
I always say Air Force Research Labs,
but I actually work for the U.S. Space Force
because we're a little bit of a carve-out
because of the Space Vehicles Directorate.
So our motto is one lab serving two services,
and that's what we do.
So that's my current job, right?
I lead a team of scientists and engineers,
and we do research and development
into essentially the goal is to secure our space vehicles from cyber attack.
And so we do a lot of research in taking raw technology, visions, concepts, maturing it in the lab.
Because a lot of these are just cyber technologies that we want to bump up or integrate into space systems.
And so we do a lot of that work too, right?
Because these things have to work, you know, especially when you're talking about a space vehicle that's in space.
and it's got to work, and it's got to work in this low-swap environment, right?
So we do things like that.
That is so awesome.
Dan, well, first of all, thank you for joining me.
You have a really fascinating background, and I got to say you also, based on the conversations
I've had with a lot of people in the cyber world, you have a lot of people's dream job.
There's a lot of people who really want to be in space cyber who are in the cyber world right now,
who are like, how do I get there?
So I really hope they're listening to this interview because you've sort of laid out a bunch
of awesome possibilities.
there. And I feel like I maybe should ask, what is your advice to people who want to do what you
do? Even though it's not part of what we were going to talk about today, now I'm like, I got to know.
What do you tell people? Well, first of all, you're right. It is a dream job. You know, like I said,
I started off at writing software in the 90s. And it, you know, I don't want to say it's the Wild West,
but it was because people were just, you know, companies were just starting to implement software.
So it was really cool because all these ideas were flowing. There's a lot of companies being, you know,
created and bought up by Microsoft, and it was just a really cool world.
And so, you know, the job that I'm in now, you know, is R&D.
And so we get to really just think outside the box.
And we get to really just play, you know, with whatever vision or idea that we have.
So that is really, really awesome.
I say, you know, work for the government.
Obviously, you can make a lot more of the commercial roles.
but, you know, you get to really, truly build your vision up here.
And, you know, how you get into something like this?
Well, you know, I think one of the best ways is if you're in high school or you're in
college, come to our internships.
We have the space scholars, you know, AFRL space scholars program.
And that is where, you know, all of our scientists and engineers will actually create
several topics and areas of research that they're working on.
And there's probably 100.
And it's not just at Kirtland Air Force Base in New Mexico, but it's in Maui.
We have places in California.
We have a lot of places in Dayton where our headquarters are.
But there's just a whole bunch of technology and topics to be able to work on.
And so you go to this website and you see these topics, and then you can be able to sign up
for them and start working in those.
Now, if you're at high school, you know, a lot of times we get high schoolers and they think,
oh, my God, I got to come in and I have to start solving and producing things, right?
But we work in the lab and it's research and development.
The things that we solve don't take months.
They take years.
So a lot of times the high schoolers were coming and all we want to do is just show them
what the lab environment is.
And so and understand, you know, the freedom to be able to do cool things, right?
And then if they're in college, maybe, you know, bachelors, then, you know, they're getting a little bit more experience.
And if, you know, PhD, they might have something that they're very interested in that's in space cyber, for example, and just bring that project over to AFRL and be able to have all the lab resources in order to be able to do what they want to do with that.
And then, you know, so I think that's a good way to start.
Otherwise, you know, we are always looking for people.
I mean, we have slots available for space cyber at AFRL RV.
And we also have people working cislunar, SDA, we have people working autonomy.
There's just a whole bunch of opportunities at AFRL to be able to do those things.
That's so cool.
Yeah, I cannot tell you how many, you know, at events or, you know,
HallCon, LobbyCon type conversations I've had with people who are, you know,
either in school, as you've mentioned, people who are trying to figure out how to make this their career,
or people who are looking to make a lateral move,
you know, IT practitioners,
cyber practitioners who are going,
I really love space.
I hear there's a need for space cyber folks.
I just,
I have the cyber side.
I don't know how on earth to get to the space side,
but you've given me,
I hope they,
people are,
again,
I hope people are listening to this
because, like,
you've given a lot of different options there
that are really fascinating.
So, yeah.
Yeah, I mean, space is,
if you look at the dot-com industry in the 90s,
how it exploded,
you know,
now we move to the space industry, and that's going to explode as well, and probably dwarf the dot-com thing.
So there's a lot of commercial companies getting into space, small startups.
You know, there's the primes like Northrop Grumman and Lockheed.
But, yeah, I mean, if you want to work in the government, you can come through AFRL.
If you want to get in through these commercial companies, then, you know, they're looking for people because that industry is just going to explode.
Yeah, absolutely.
So, Dan, thank you so much for all that you do and all that you and the team work on, and I wish you all the best.
That's Dan Trujillo from the Air Force Research Laboratory Space Vehicles Directorate,
speaking with Maria Varmazis, host of the T-Minus Space Daily.
Be sure to check out the T-Minus Space Daily wherever you get your favorite podcasts.
Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your
intelligence into one platform and gives you curated data along with a full suite of tools
to handle any digital investigation. Plus, with on-demand courses and live training, your team
won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals
realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions,
and security teams worldwide. See it in action now at maltego.com.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime. That's the powerful backing of
Amex. Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply. Learn more at amex.ca.com slash Yanex.
And finally, Wired asked federal workers for the inside story of DOGE, the Department of Government
Efficiency, which stormed into federal agencies with all the grace of a toddler with a chainsaw.
Ostensibly created to modernize government, it
quickly became a Musk-fueled circus of Silicon Valley interns, asking seasoned civil servants
why AI couldn't just do their jobs. Emails that looked like phishing flooded inboxes,
capped off by the infamous Fork in the Road memo, which read like a parody of Musk's Twitter
ultimatum. Meanwhile, 300,000 workers took DOGE's incentives to quit, and those who stayed faced
chaos: surveillance projects, gutted offices, and managers suggesting gratitude exercises as
child care collapsed. The promised efficiency never materialized, but the damage did,
leaving behind fewer staff, more distrust, and a lingering question: was this modernization
or just government by meme stock?
And that's the CyberWire. For links to all of today's stories,
check out our Daily Briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Martin Zugec, Technical Solutions Director at Bitdefender.
The research we're discussing is titled Curly Comrades,
a new threat actor targeting geopolitical hotbeds. That's Research Saturday. Do check it out. We'd love to know what you think of this
podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity. If you like our show, please share a rating and review in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms
building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual Data Tribe Challenge takes center stage as elite startups
pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day.
Connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.d. datatribe.com.
