CyberWire Daily - Critical GoAnywhere bug exposed.
Episode Date: September 25, 2025
Fortra flags a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution. Cisco patches a critical vulnerability in its IOS and IOS XE software. Cloudflare thwarts yet another record DDoS attack. Rhysida ransomware gang claims the Maryland Transit cyberattack. The new “Obscura” ransomware strain spreads via domain controllers. Retailers’ use of generative AI expands attack surfaces. Researchers expose GitHub Actions misconfigurations with supply chain risk. Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign. Kansas students push back against an AI monitoring tool. Ben Yelin speaks with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, discussing women's health apps and the legal grey zone that they create with HIPAA. Senators push the FTC to regulate your brainwaves.
CyberWire Guest: Ben Yelin, co-host of Caveat, speaks with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, about women's health apps and the legal grey zone that they create with HIPAA. The full conversation is available on Caveat.
Selected Reading
Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems (HackRead)
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability (Cisco)
Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack (Bleeping Computer)
Ransomware gang known for government attacks claims Maryland transit incident (The Record)
Obscura, an obscure new ransomware variant (Bleeping Computer)
Threat Labs Report: Retail 2025 (Netskope)
pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks (Orca)
China-linked hackers use ‘BRICKSTORM’ backdoor to steal IP (The Record)
AI safety tool sparks student backlash after flagging art as porn, deleting emails (The Washington Post)
Senators introduce bill directing FTC to establish standards for protecting consumers’ neural data (The Record)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI adoption is exploding, and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI conference, the premier event for cybersecurity data and AI leaders, hosted by data security leader Cyera. Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at DataSec AI 2025.com backslash cyberwire.
Fortra flags a critical flaw in its GoAnywhere managed file transfer solution.
Cisco patches a critical vulnerability.
Cloudflare thwarts yet another record DDoS attack.
Rhysida ransomware gang claims the Maryland Transit cyber attack.
The new Obscura ransomware strain spreads via domain controllers.
Retailers' use of generative AI expands attack surfaces.
Researchers expose GitHub Actions misconfigurations with supply chain risk.
Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign.
Kansas students push back against an AI monitoring tool.
Ben Yelin speaks with Michele Kellerman, cybersecurity engineer for air and missile defense at Johns Hopkins University Applied Physics Lab.
They're discussing women's health apps and the legal gray zone they create with HIPAA.
And senators push the FTC to regulate your brain waves.
It's Thursday, September 25th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great to have you with us. Fortra has issued an urgent warning about a critical flaw in its GoAnywhere managed file transfer solution. The vulnerability carries a maximum CVSS score of 10 and could allow attackers to seize full system control through command injection in the license servlet. Exploitation involves a forged license response signature, letting malicious code run during deserialization. watchTowr Labs says over 20,000 instances are exposed online, calling the bug a playground APT groups dream about. Experts warn the flaw is almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the Clop gang in 2023. Fortra has released fixes and urges immediate upgrades. Administrators should also restrict public access to the admin console and monitor logs for suspicious activity.
Cisco has released fixes for a critical vulnerability in the Simple Network Management Protocol subsystem of IOS and IOS XE software. The flaw, caused by a stack overflow, could allow an authenticated remote attacker with low privileges to trigger denial of service or, with higher privileges, execute arbitrary code as root. Exploitation requires valid credentials. All SNMP versions are affected. Cisco warns that attackers could exploit the bug by sending crafted SNMP packets over IPv4 or IPv6, potentially giving them full control of affected devices. No workarounds exist, though administrators can mitigate risk by restricting SNMP access and disabling certain object IDs. The only complete fix is upgrading to patched versions.
Cloudflare says they mitigated the largest distributed denial of service attack ever recorded, peaking at 22.2 terabits per second and 11.6 billion packets per second. The 40-second volumetric assault generated traffic equivalent to streaming a million 4K videos at once, or refreshing every web page on Earth more than once per second. Such packet floods can overwhelm firewalls and routers even when bandwidth is available. The attack follows other record-breaking incidents in recent months, with researchers linking earlier campaigns to the Aisuru botnet.
The Maryland Transit Administration has confirmed data was stolen during a cyber attack last month, and the Rhysida ransomware gang is now claiming responsibility. According to cybersecurity firm VenariX, the group demanded 30 Bitcoin, about $3.5 million, and released samples allegedly showing passports, driver's licenses, and contracts. While MTA's core bus, subway, and light rail systems were unaffected, real-time tracking and the mobility service for disabled riders were disrupted. An interim call system restored some functionality on August 29th. Officials have not disclosed how many people were impacted, citing an ongoing investigation. Maryland's Department of Information Technology is working with law enforcement and cybersecurity experts. In the meantime, MTA is advising residents to watch for phishing attempts, update software, and enable multi-factor authentication.
Analysts at Huntress have identified a previously unseen ransomware variant, Obscura, after investigating an August 29th incident. The malware, written in Go, was discovered on a victim's domain controller within the NETLOGON folder, enabling automatic replication across controllers and scheduled execution on multiple hosts. Obscura disables recovery by deleting shadow copies, requires administrative privileges to run, and aggressively terminates security and database processes before encrypting data. The ransom note claims data theft, demands negotiation within 240 hours, and threatens public leaks. Encryption relies on Curve25519 key exchange and ChaCha20. Researchers note Obscura joins a wave of emerging ransomware families like Crux and Cephalus, reflecting frequent rebranding in the ecosystem. Huntress advises organizations to closely monitor domain controllers for suspicious file additions or group policy modifications, and enforce strong detection on endpoints to catch early activity.
Netskope's retail sector threat analysis warns that the rapid adoption of generative AI tools is expanding attack surfaces. 95% of retailers now use GenAI, with increasing reliance on private models and APIs. Sensitive data leaks are rising as employees upload source code, regulated data, and credentials into unapproved cloud services and AI platforms. Attackers are also exploiting trusted cloud services like OneDrive, GitHub, and Google Drive to host malware, capitalizing on their credibility. Personal cloud apps like Facebook, LinkedIn, and Drive are pervasive in workplaces, creating overlapping vectors of risk. The report urges retailers to boost visibility, enforce strict data loss prevention and app policies, review HTTP and HTTPS download flows, and adopt solutions like remote browser isolation. In short, innovation in retail is outpacing security controls.
The Orca Research Pod has uncovered systemic risks in GitHub Actions stemming from misuse of the pull_request_target trigger. Unlike the safer pull_request event, this trigger executes workflows in the base repository's context, exposing secrets and granting write-enabled tokens by default. Researchers demonstrated that insecure workflows could let attackers escalate from untrusted forked pull requests to remote code execution on both GitHub-hosted and self-hosted runners. Exploits included stealing API keys, pushing malicious code to trusted branches, and abusing overly permissive tokens for package uploads or PR manipulation. Orca found critical misconfigurations in repositories maintained by Google, Microsoft, and other Fortune 500 firms, highlighting the supply chain risk when CI/CD pipelines run untrusted code with excessive privileges. These issues were disclosed responsibly, but the findings underscore how a single forked PR could trigger a full repository compromise.
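As an added illustration of the misconfiguration class described in that story (example code written for this page, not Orca's tooling and not anything from the podcast): a small Python audit that scans GitHub Actions workflow text for the two conditions that combine into the risk, a pull_request_target trigger paired with a checkout of the fork's head commit, and a GITHUB_TOKEN left write-capable because permissions are write-all or never restricted. The three workflow samples are constructed for the example, and the rule labels PRT_CHECKOUT_HEAD and PRT_WRITE_TOKEN are assumed names, not GitHub or Orca terminology.

```python
"""Line-based audit of GitHub Actions workflow text for pull_request_target misuse.

Added example for this page, not the project's or Orca's code. It is a regex
heuristic rather than a YAML parser: enough to surface the pattern in a CI policy
check, with no third-party dependencies.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # assumed rule label for this example
    line: int    # 1-based line in the workflow text
    detail: str


# The trigger may appear as a block key, an inline list, or a YAML list item.
PRT_BLOCK_RE = re.compile(r"^\s*pull_request_target\s*:")
PRT_INLINE_RE = re.compile(r"^\s*on\s*:.*\bpull_request_target\b")
PRT_ITEM_RE = re.compile(r"^\s*-\s*pull_request_target\s*$")
# A step (usually actions/checkout) pinned to the PR head: the fork's code then runs
# inside the base repository's workflow context, with its secrets and its token.
HEAD_REF_RE = re.compile(r"ref\s*:.*github\.event\.pull_request\.head\.(sha|ref)\b")
PERMS_RE = re.compile(r"^\s*permissions\s*:")
WRITE_ALL_RE = re.compile(r"^\s*permissions\s*:\s*write-all\b")


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for a workflow that runs untrusted PR code under pull_request_target."""
    lines = text.splitlines()
    trigger = next(
        (n for n, line in enumerate(lines, 1)
         if PRT_BLOCK_RE.match(line) or PRT_INLINE_RE.match(line) or PRT_ITEM_RE.match(line)),
        None,
    )
    if trigger is None:
        # A plain pull_request workflow runs in the fork's context with a read-only
        # token and no repository secrets, so the pattern below does not apply.
        return []

    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        if HEAD_REF_RE.search(line):
            findings.append(Finding(
                "PRT_CHECKOUT_HEAD", n,
                "checks out the PR head under pull_request_target; any script the fork "
                "controls (build steps, hooks, tests) runs with the base repo's secrets",
            ))

    write_all = next((n for n, line in enumerate(lines, 1) if WRITE_ALL_RE.match(line)), None)
    if write_all is not None:
        findings.append(Finding(
            "PRT_WRITE_TOKEN", write_all,
            "permissions: write-all grants GITHUB_TOKEN write scope on every API surface",
        ))
    elif not any(PERMS_RE.match(line) for line in lines):
        findings.append(Finding(
            "PRT_WRITE_TOKEN", trigger,
            "no permissions block; GITHUB_TOKEN inherits the repository default, which is "
            "read/write on all scopes unless the repository was switched to restricted defaults",
        ))
    return findings


# Constructed samples for this example; not taken from any real repository.
VULNERABLE_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # package.json scripts come from the fork
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Same job, hardened: untrusted code runs under pull_request and the token is read-only.
HARDENED_WORKFLOW = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# pull_request_target used as intended: no checkout of the fork, narrowly scoped token.
SAFE_PRT_WORKFLOW = """\
name: Label PRs
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
               ("labeler", SAFE_PRT_WORKFLOW)]
    for name, workflow in samples:
        for f in audit_workflow(workflow):
            print(f"{name}: line {f.line}: {f.rule}: {f.detail}")
```

Run against the three samples, only the first produces findings: the head checkout at line 11 and the unscoped token at the trigger line. The labeler workflow shows why the trigger itself is not banned; it becomes dangerous only when the fork's code is executed or the token is broader than the job needs.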
Mandiant says a China-linked threat group, UNC5221, is using a new backdoor called BRICKSTORM to infiltrate organizations and steal intellectual property. Since March of this year, responders have investigated numerous intrusions affecting law firms, SaaS providers, and technology companies, with attackers targeting the inboxes of senior executives and individuals tied to U.S. national security and trade. BRICKSTORM, primarily deployed on Linux appliances without endpoint detection, enables persistence and lateral movement into VMware vCenter and ESXi hosts. Mandiant noted the group adapts quickly, even deploying BRICKSTORM after incident response had begun. Evidence suggests the hackers can extract and decrypt administrator credentials and leverage compromised routers for obfuscation. Mandiant warns the campaign's value extends beyond espionage, potentially feeding zero-day development and downstream supply chain compromise.
Students at Lawrence High School in Kansas say the AI-powered monitoring tool, Gaggle, is chilling speech and intruding on privacy. Adopted in 2023 at a cost of $160,000, Gaggle scans emails and documents for signs of self-harm, violence, or abuse. While officials credit it with preventing suicides, students report false positives: art portfolios flagged as child pornography, essays misinterpreted as threats, and even records requests blocked. Lawsuits now accuse the district of unconstitutional surveillance. A 2024 investigation found more than 1,200 flagged cases in under a year, most later deemed harmless. Critics warn the system outs LGBTQ students and undermines journalism, while defenders call it a vital safety net for overburdened staff. For students, the question remains: who is really watching?
Coming up after the break, Ben Yelin speaks with Michele Kellerman from the Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone that they create with HIPAA. And senators push the FTC to regulate your brain waves. Stay with us.
CISO Perspectives is back with an all-new season. This season is all about change. Whether it be emerging technologies like AI, shifting governmental roles, or evolving threats, we are sitting down with security experts and getting their insights to help you make sense of these changes. We are part of a larger ecosystem. And if you look at the largest cyber incidents, they have massive downstream effects. I'm Ethan Cook, editor of CISO Perspectives at N2K CyberWire. This week, host Kim Jones with his first guest, Ben Yelin, to discuss the current state of regulation. Absolute security by definition is an oxymoron. I can secure you absolutely if you shutter your doors, wipe your computers, wrap them in Lucite, and drop them in the Mariana Trench. But then again, you aren't going to make no money. CISO Perspectives is an N2K Pro exclusive show. But for this season, we're sharing the first two episodes free on the CyberWire Daily. To hear the full season, visit thecyberwire.com and click on subscribe now to become an N2K Pro member.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A. Learn more at thalesgroup.com slash cyber.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.
My Caveat podcast co-host Ben Yelin recently sat down with Michele Kellerman, cybersecurity engineer for air and missile defense at Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone that they create with HIPAA.
So today we're going to be talking about period tracking apps and digital privacy, especially in the post-Dobbs era. So we are now three years after the Supreme Court's decision in Dobbs, which held that Roe v. Wade was overturned. There's no constitutional right to an abortion. It's an issue left to the states. Can you just kind of talk about the context of this issue, why you became interested in it, what the implications are of these period tracking apps?
Yeah. So when the Dobbs decision was made, women obviously were trying to figure out what this meant for them, what this meant for their safety, but then as the dust settled from the immediate shock, we were looking into how does this affect our everyday lives and things other than just wanting unrestricted access to abortions, and that includes all reproductive health. So on a lot of women's spaces, on Reddit or, you know, on social media, people started talking about how you need to delete your period tracking apps. And the conversation was very confusing because we were all under the impression that our health information was safe and protected. We're all raised that your doctor is the only one who has the right to know what's going on in your doctor's office. So this huge shift was really surprising. And to look at period tracking apps, come to find out they're not protected under HIPAA.
So yeah, that was going to be my follow-up question. So our listeners are probably thinking like, oh, private health information, that triggers HIPAA. Why are period tracking apps not covered under HIPAA?
Health information specifically is a unique case. A lot of times when we talk about tech law, a lot of the current coverage is co-opted from older laws that we see over the last three or four decades. But that's because it covers a data type, a type of information. HIPAA is unique. It covers entities. It doesn't matter what type of data it is. It matters who is holding the data. So doctors, clinics, you know, psychologists, hospitals, your health plans. It only covers specific entities, not the type of information as a whole. So it's not covered because an application is not a doctor. It's not a covered entity.
Before this became such a live issue, was there any effort in Congress or at the state level to amend HIPAA or state-level equivalents to include applications? Like, was this something that was on the radar, or is it just an issue that's never really come up?
It's come up in congressional inquiries. So with Cambridge Analytica and Facebook selling your data to these data brokers, but it didn't get into health-specific information. It was just your online privacy as a whole coming up in these bigger inquiries by Congress, but not an effort specifically still legislated outside of data privacy laws, but health isn't always covered in data privacy laws. Actually, only about 50% of them do.
Of course, at the federal level, it's more the absence of a data privacy law anyway. That's what they're great at.
As we all know.
So can you kind of walk us through how period tracking apps could be used by law enforcement in a case relating to reproductive rights? And if there is any case law on what happens in those scenarios.
Before we get to that, there was an effort to amend HIPAA, luckily, by the Biden-Harris administration. They added a new provision in June of 2024 that prohibits a HIPAA-covered entity from releasing PHI for the purpose of conducting criminal, civil, or administrative investigations, and the identification of anybody involved with reproductive health. It was specific to reproductive health. So HIPAA now has a specific health provision for reproductive health. So there are amendments to it very recently in wake of the Dobbs decision.
Is that something that the Trump administration has tried to reverse? I'm kind of surprised they haven't, either through like the Congressional Review Act or just through promulgating new regulations.
So they overturned two Biden-era executive orders that were about allowing better access to reproductive health and then also protections. So there were two Biden-era executive orders that have been overturned for access to reproductive health, including abortion.
Gotcha. Okay. So now we can kind of go back to that original question, just walking us through what a typical case would look like and then where we are in terms of state case law or federal case law, for that matter, with these period tracking applications.
When you install a period tracking app, it asks for standard health information about you, your age, your gender, and then it gets into date of last period on the most basic level. And then you have some applications that get more into it: your mood swings, how heavy your period symptoms are, or your symptoms when you're not having your period. Are you tracking fertility? Are you attempting to have a child? Even things like fertility monitors, like Inito, is one of them where you can have all that information and you can have your body temperature, blood work, you can have a wealth of information that go to these applications that are not doctors. Inito and other fertility monitors and period tracking apps are completely separate.
Can you talk about state laws or state applications where law enforcement has been trying to use data from either period tracking apps or otherwise in criminal or civil cases relating to reproductive rights?
We haven't seen any cases at this moment where they specifically name period tracking apps, but we are seeing a patchwork of laws try to come from the states. So Virginia in 2023 presented a bill that would have banned police from looking at data in period tracker apps when executing a search warrant. As you know, search warrants are very broad. It can be on the device in general. And this bill would have barred period tracking and health apps from the scope of a search warrant. Unfortunately, Governor Youngkin's administration opposed it and it died in chambers. We're also seeing Massachusetts just updated their shield law, strengthening protections for providers and patients. And actually, the law prohibits Massachusetts state and local authorities from cooperating with any federal or out-of-state investigation. So it's not just up to the local municipality if they want to get involved in helping a different state, like Texas, for example, who is attempting to criminalize out-of-state abortions. This law actually bars the process altogether from cooperating with other states. So we're starting to see states get involved, but it's very patchwork and it's very dependent on the political winds.
What is kind of the horror story that you're anticipating with period tracking apps? What is the data that they're going to pull out to potentially use in a prosecution? How would a prosecutor try and build a case based on a period tracking app? And then I think with that context we can talk about remedies and potential solutions to this issue.
I would be concerned about criminalizing miscarriages and abortion. So somebody that, because we see a lot of times, there's just an idea of like, oh, we think that she's pregnant. People will make assumptions on a woman's fertility status constantly for free, even though it's none of their business. That's just the natural state of how people are. So I'm concerned of people making assumptions about somebody else. We saw with Texas, one of the private entities involved in this released a website where you could snitch or report other people who were getting out-of-state abortions. So we're already in this state of reporting other people based purely on speculation. And then you would have these apps where you would have a consistent, maybe if your cycle is regular and you have a monthly period. And then all of a sudden you don't, they can make the assumption that you're pregnant. And then if you don't have a child, you could be potentially prosecuted for a miscarriage, even if it's a fallacy, it's still a grueling, awful position to be in, even if eventually the evidence comes out that you were never pregnant or never miscarried or had an abortion, it's still criminalizing just a woman's body functioning.
This is what sort of gets me about this, is obviously in this country, abortion and reproductive rights generally are a divisive political issue. I wouldn't think that even for those who are rabidly pro-life, there would be a lot of enthusiasm about obtaining data from private period-tracking applications. Like, I guess, maybe this is an unfair question, but how is this an issue? Like, where is the opposition to keeping this data private or adding some type of HIPAA-level protection on these applications?
I think people have gotten so used to being in everybody else's business with social media and everything that you do being somehow available for public comment, we've lost the desire for privacy. And we also have come to expect that we just don't really have it anymore with every time we get a credit report breach in monitoring your credit cards. At this point, there's been so many, we don't care anymore. And it's a given now that your personal information is just out there. And we still hold the criminalizing of a woman's body as this far-fetched idea, as if it's not really happening, whereas a baby can be right in front of you. And you only see what's directly in front of you. So I think there's just not an appetite for fighting for this amorphous idea of privacy when we already exist in a world where we don't expect it.
That's Michele Kellerman from the Johns Hopkins University Applied Physics Lab. Be sure to check out their full conversation over on the Caveat podcast wherever you get your favorite podcasts.
Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data, along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, your team won't just install the platform. They'll actually use it and connect the dots so fast, cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions, and security teams worldwide. See it in action now at maltego.com.
And finally, on Capitol Hill, lawmakers are turning their attention to a frontier that sounds more like science fiction than policy: your brain. Senators Schumer, Cantwell, and Markey have introduced the Management of Individuals' Neural Data Act, tasking the FTC with writing the rulebook for how companies can handle neural data. The bill aims to prevent tech firms and data brokers from harvesting, bundling, and selling brain signals to nudge you on what to buy, or how you feel about it. With companies like Neuralink and consumer wearables already dipping into this territory without guardrails, senators warn of manipulative ads and predatory schemes pitched straight into your neurons. The FTC would be asked to coordinate with researchers, advocates, and industry to design protections. Apparently, privacy now means guarding not just your inbox, but also your cortex.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.d. datatribe.com.