CyberWire Daily - Grounded by ransomware.
Episode Date: September 22, 2025

A major ransomware attack disrupts airport operations across Europe. Congress is on the verge of letting major cyber legislation expire. A critical flaw nearly allowed total compromise of every Entra ID tenant. Automaker Stellantis confirms a data breach. Fortra patches a critical flaw in its GoAnywhere MFT software. Europol leads a major operation against online child sexual exploitation. Three of the cybersecurity industry's biggest players opt out of MITRE's 2025 ATT&CK Evaluations. A compromised Steam game drains a cancer patient's donations. Business Breakdown. Andrzej Olchawa and Milenko Starcik from VisionSpace join Maria Varmazis, host of T-Minus Space, on hacking satellites. How one kid got tangled in Scattered Spider's web.

CyberWire Guest
Andrzej Olchawa and Milenko Starcik from VisionSpace are speaking with Maria Varmazis, host of T-Minus Space, on hacking satellites.

Selected Reading
EU cyber agency says airport software held to ransom by criminals (BBC News)
Cyber threat information law hurtles toward expiration, with poor prospects for renewal (CyberScoop)
Microsoft Entra ID flaw allowed hijacking any company's tenant (Bleeping Computer)
Stellantis says a third-party vendor spilled customer data (The Register)
Fortra Patches Critical GoAnywhere MFT Vulnerability (SecurityWeek)
AI Forensics Help Europol Track 51 Children in Global Online Abuse Case (HackRead)
Cyber Threat Detection Vendors Pull Out of MITRE Evaluations Test (Infosecurity Magazine)
Verified Steam game steals streamer's cancer treatment donations (Bleeping Computer)
CrowdStrike and Check Point intend to acquire AI security firms (N2K CyberWire Business Briefing)
'I Was a Weird Kid': Jailhouse Confessions of a Teen Hacker (Bloomberg)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the DataSec AI conference,
the premier event for cybersecurity data and AI leaders, hosted by data security leader Cyera.
Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take
center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to
attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.
A major ransomware attack disrupts airport operations across Europe.
Congress is on the verge of letting major cyber legislation expire.
A critical flaw nearly allowed total compromise of every Entra ID tenant.
Automaker Stellantis confirms a data breach.
Fortra patches a critical flaw in its GoAnywhere MFT software.
Europol leads a major operation against online child sexual exploitation.
Three of the cybersecurity industry's biggest players opt out of MITRE's 2025 ATT&CK Evaluations.
A compromised Steam game drains a cancer patient's donations.
We've got our Business Breakdown.
Andrzej Olchawa and Milenko Starcik from VisionSpace join Maria Varmazis, host of T-Minus Space Daily, on hacking satellites.
And how one kid got tangled in Scattered Spider's web.
It's Monday, September 22nd, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Monday. It's great to have you with us.
A major ransomware attack has disrupted airport operations across Europe,
targeting check-in and boarding software supplied by Collins Aerospace. The European Union Agency for Cybersecurity
confirmed that the malware scrambled automated systems, forcing manual workarounds at airports
including Heathrow, Berlin, and Brussels. Heathrow warned staff that more than 1,000 computers
may be corrupted, with recovery requiring in-person fixes. Although about half of Heathrow's airlines,
including British Airways, restored partial service, Brussels Airport canceled nearly 140 flights
on Monday. Collins, whose MUSE software was attacked, has issued patches but acknowledged hackers
remain inside systems even after a rebuild. Law enforcement is investigating. The incident
highlights the growing ransomware threat, with aviation cyber attacks up 600% in the last year,
according to Thales, and criminal gangs reaping hundreds of millions annually.
Congress is on the verge of letting the 2015 Cybersecurity Information Sharing Act expire at the end of this month,
and the stakes are high. The law gives companies liability protections when sharing cyber threat
intelligence with each other and the government, essential to timely detection and response.
While industry, the Trump administration, and many lawmakers favor a clean multi-year reauthorization,
repeated attempts at both short and long-term extensions have collapsed.
Senator Rand Paul has objected to straightforward renewals, pushing instead for changes
that industry and colleagues argue would gut protections and chill sharing.
With no clear legislative path and the clock ticking, a lapse could have immediate consequences.
Hesitation to share critical threat data, heightened exposure to attacks, and amplified political fallout if a major breach occurs during the gap.
A critical design flaw in legacy Microsoft components nearly allowed total compromise of every Entra ID tenant.
Researcher Dirk-jan Mollema found undocumented, unsigned actor tokens issued by the old Access Control Service and used for internal
service-to-service calls that can impersonate any user for 24 hours and aren't logged or revocable.
Coupled with a defect in the deprecated Azure AD Graph API, an attacker could craft an actor
token, target a tenant, impersonate a global admin, and change users, reset passwords, or alter
configurations with almost no trace in the victim tenant. Microsoft was notified July 14th. The company
fixed the issue within nine days and issued a public patch on September 4th. The takeaway here is
legacy auth paths and deprecated APIs are high risk. Inventory, remove, and monitor them
urgently.
Automaker Stellantis has confirmed a data breach stemming from a third-party vendor
supporting its North American customer service operations. The intrusion exposed customer names and
email addresses, but no financial or sensitive information. The automaker launched an investigation,
alerted law enforcement, and began notifying affected customers, warning them to watch
for phishing attempts. Stellantis has not disclosed the vendor or number of victims.
Fortra has patched a critical flaw in its GoAnywhere MFT software
that could enable remote code execution through command injection.
The issue stems from deserialization of untrusted data in the License Servlet,
exploitable with a forged license signature.
Recent versions include fixes,
and Fortra urges customers to block public access to the admin console,
monitor audit logs, and check for suspicious errors.
While no active exploitation is reported, past Clop ransomware abuses make this
vulnerability a serious risk.
An international task force, coordinated by Europol, has identified 51 children and launched
proceedings against 60 suspects in a major operation against online child sexual exploitation,
bringing together officers from 18 countries.
Investigators met in the Hague to analyze over 5,000 pieces of material using both traditional
police work and AI-driven forensic tools.
The effort produced 276 intelligence packages, leading to arrests across multiple jurisdictions.
The cross-border nature of the crimes, servers, platforms, and victims spread across countries
underscored the need for real-time intelligence sharing.
Europol says this collaborative model, combining advanced forensics with multinational coordination,
will guide future efforts.
Authorities stress that while police pursue offenders, parents must also take proactive steps,
educating children about online risks, setting clear boundaries, and encouraging safe reporting of suspicious contact.
Three of the cybersecurity industry's biggest players, Microsoft, SentinelOne, and Palo Alto Networks,
have opted out of MITRE's 2025 ATT&CK Evaluations Enterprise test,
raising questions about the program's future relevance.
All three cited resource prioritization and innovation as reasons,
though experts suggest concerns about the evaluations becoming more promotional than practical
also played a role.
MITRE admitted the test may have grown too complex,
with tougher scenarios including cloud environments and alert volume tracking.
Despite the withdrawals, a dozen vendors remain in the 2025 round,
and MITRE plans to reboot its vendor forum for 2026 to restore industry engagement and refine testing objectives.
A Latvian streamer fighting Stage 4 cancer lost $32,000 in life-saving treatment donations after downloading what appeared to be a verified Steam game.
During a live fundraiser, BlockBlasters, a retro-style platformer with very positive reviews,
silently drained his cryptocurrency wallet. Initially benign, the game was updated with a
crypto-drainer on August 30th, targeting high-value crypto users. Security researchers later tied it
to broader thefts of up to $150,000 across hundreds of accounts using a dropper script,
backdoor, and StealC payload. The loss struck during a GoFundMe campaign, but crypto influencer
Alex Becker quickly replaced the stolen funds with a $32,500 donation.
The case highlights how trusted platforms like Steam can be weaponized, underscoring the need
for caution with lesser-known or lightly reviewed titles.
It's Monday, so that means it's time for our Monday Business Breakdown.
We tracked roughly $390 million flowing into 15 investments plus six acquisitions, so
a lively week. On the funding side, Vega popped out of stealth with a hefty $65 million across
Seed and Series A, aiming to beef up R&D and build out its U.S. footprint. Right alongside them,
Irregular, focused on securing frontier AI models, debuted with an even bigger $80 million
raise led by Sequoia, targeting model resilience and misuse prevention. M&A stayed busy too.
CrowdStrike snapped up Pangea to deepen Falcon's AI detection and response story,
think broader coverage across the AI lifecycle,
and Accenture picked up Canada's IAM Concepts to sharpen its identity chops
across critical industries north of the border.
That's this week's Business Breakdown.
If you want the deeper dive on who's buying whom and why it matters for your roadmap,
subscribe to N2K Pro and swing by thecyberwire.com every Wednesday for the latest.
Coming up after the break, Maria Varmazis, host of T-Minus Space Daily,
speaks with Andrzej Olchawa and Milenko Starcik from VisionSpace.
They're talking about hacking satellites.
And how one kid got tangled in Scattered Spider's web.
Stay with us.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com/cyber.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast. Is your manual GRC program actually slowing you down? If you're thinking
there has to be something more efficient than spreadsheets, screenshots, and all those manual
processes, you're right. GRC can be so much easier. And it can strengthen your security
posture while actually driving revenue for your business. You know, one of the
things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party
risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical. A recent IDC analysis found that compliance teams using
Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com/cyber to sign up today for a free demo.
That's V-A-N-T-A.com/cyber.
Maria Varmazis is host of the T-Minus Space Daily podcast.
She recently sat down with Andrzej Olchawa and Milenko Starcik from VisionSpace to discuss
hacking satellites.
So I'm Milenko Starcik.
I'm currently leading the cybersecurity section at VisionSpace Technologies. We're a company headquartered in Germany,
around for, I think, almost 15 years now. We also have branches now in Portugal and Spain. So
currently serving the European space industry's needs.
My name is Andrzej Olchawa. I've been
with the company a couple of years now. I'm working as a cybersecurity engineer and I'm
mainly focused on offensive security activities for space systems.
So things like penetration testing of some systems, vulnerability research, finding zero-days.
And we are writing a book for No Starch Press, which is called The Spacecraft Hacker's Handbook.
Milenko and Andrzej, thank you both for joining me today.
I'm thrilled to be speaking to both of you.
And I saw an article on The Register, which I read every day, about some research that you all presented at Black Hat.
And I really wanted to talk to you both about what you found, if you want to sort of recap some of that research, especially for my audience, who is predominantly not cybersecurity focused, but they are in the space industry.
And what you would like them to know about what you've been finding, what those key takeaways are.
So our research was a collection of vulnerabilities that we've gathered over the past years. I think in 2023
we started doing a systematic review of software systems used in space.
So what we were most familiar with are mission control systems,
just from the background we had from maintaining and deploying and configuring these systems.
We knew that there's a lot that could be found potentially.
So we did a review of open source mission control systems
and found quite a lot of vulnerabilities in them, which were,
from a cybersecurity perspective, mostly low-hanging fruits, but from
the space perspective, the software was doing what it was supposed to do. It didn't do anything
unexpected. It was just that the hardening was not to the standard which you would expect
from an application used for such a sensitive purpose. And that seems to be a very common
problem in the space industry, that the software is not built to withstand modern attacks
and modern attackers who know how to take these systems apart,
and that there is still this thinking,
"Well, people don't know how to use this application,
so they will not be able to do anything with it,"
which is very, very dangerous.
So if you say, "Oh, no, my software is so complex,
only I can use it," that's definitely not the case.
Attackers will download all your files.
They will read through thousands of pages,
now with large language models
even millions of pages of documents,
in hours and days, and they will go through it and they will figure out how it works.
So I think that's a very risky assumption, security by obscurity,
which is still very popular in the space industry.
So that's why we did it on open source software, so that we could actually go out
and show, okay, here's a systematic problem: in every single one of these mission
control systems we found issues.
And after that, we went for onboard software frameworks.
So there's two very popular ones from NASA:
Core Flight System, which is actively used in flying missions,
and F Prime, which was developed for the Mars helicopter Ingenuity.
And also in those we found quite a lot of vulnerabilities, but also some
more general security issues, partially due to the lack of
embedded security in these frameworks. At this point we have found
a little bit less than 40 CVEs, almost 40 zero-days, in those systems.
We just reported a few more on all of the systems we use.
And they range in severity between 5 or 6 to almost 10.
I think the highest one we have is 9.9 or 9.8, something like that.
And that's out of a scale of 10, for my audience who may not know. That's very severe, yes.
Yeah, and also the impact varies between small information disclosure to actually getting remote code execution on a platform,
either a spacecraft platform or a system that is controlling the spacecraft.
The ones which we have demonstrated at Black Hat, so we tried to approach the demonstration from different angles to demonstrate what is the
impact on the actual spacecraft by getting access to the mission control system, either directly
or through a phishing campaign.
And also, if you are a nation state and you're actually able to communicate with the spacecraft directly,
because you have capabilities and you are not limited by laws, how you could take over the
control of the spacecraft or effectively you could break it.
So that's how we decided to approach the presentation, and that's how we
showed those three demos, with that in mind.
It was super fascinating reading through the different potential capabilities
if someone were to exploit these vulnerabilities.
And I don't want to try and do fear, uncertainty and doubt here and go,
"Oh, you know, the sky is falling."
It is just very interesting to see what the potentials were.
And I know that these vulnerabilities, it sounds like they've already been remediated.
You disclosed them and they've been remediated.
So am I understanding that correctly?
Yes, yes.
So when we discovered those vulnerabilities, we followed the responsible disclosure process,
where we first notified the vendor.
In most of the cases, it was NASA or the companies that work for NASA.
And then we worked with them to fix those issues.
And we also made some effort to actually test it afterwards.
I'm wondering from you both what your thoughts are on takeaways,
especially for the commercial space industry around the world,
given how much it's growing.
This is anecdotal, but often in conversations I've had with people,
when I talk to them about cybersecurity for space systems,
there's often an attitude of "a lot of this is handled by government entities,
I don't really need to worry about this as much."
And Milenko, you mentioned security through obscurity.
I just often wonder, I mean, that model seems to be very much failing in the face of scale.
I'm just curious your thoughts on that.
Yeah, I would say that there's a big risk with going for strictly compliance.
I think what most people are referring to is like,
okay, we have to comply with these things, so we have a checklist,
we have some threat modeling, we have some mitigations, checklist done, security.
I'm good, right?
Yeah, security done.
At least from a legal perspective.
I mean, and that's what people are afraid of.
It's like, from a legal perspective, you're good.
You can still get hacked.
But it will not affect you on a legal basis, basically.
And this is usually where people get more careful,
when they are more personally impacted by this.
So what we've seen is a lack of actual testing.
So that's something that we're trying to push for,
is that your security controls are nice,
but if you still haven't tested the software that is running
on your systems, like this custom software,
on systems which are configured and often maintained over sometimes decades,
until literally the server falls apart,
and then you hope that you have a spare box somewhere in the corner of the room.
These systems, they need to be maintained and they need to be tested on a regular basis,
and this is something that we see is definitely missing.
The software that we had previously going through compliance cycles over and over again,
no one was ever bothering to run a simple static code analysis on the code base
to see if there are maybe some low-hanging fruits in it, which there were.
So a lot of the issues we found could have been easily caught early on
and not kept in the software for many years.
That is interesting.
And on the commercial side of things, there are pretty much two ways companies go about it.
One way is to develop their own software,
which is closed source, and we don't really know what it is.
So it's going to be up to the company to make sure that it's secure.
And unfortunately, from our experience, it often happens that security is at the very end of the requirement list.
So sometimes, especially for the new space companies, which are often startups,
they leave security at the end or they don't consider it at all.
And then the other approach is to use some of the
already existing software, which is open source from NASA, for instance,
or other entities developing the open source software and making it public.
And this is the software which companies would easily assume is secure,
because, well, it was developed by NASA, so it must be.
And actually, this is the software we find the most vulnerabilities in.
That is fascinating. That is a really interesting takeaway as well.
But I want to make sure that I give you both an opportunity,
if there's anything that you want to mention
as sort of a closing thought.
So I think, for people in the space industry,
it's important to start early with security design.
And it's never too late.
So even if the mission is flying,
you can still do your risk assessment,
threat modeling and everything.
But the important thing is to not stop
with the compliance checklist,
but to actually have verification
of those requirements,
and not to go with some crazy requirements
that are like, I don't know,
someone grabs my spacecraft and de-orbits it.
Sure, that's a risk.
But maybe you should focus on a bit more realistic requirements
for your case and threats that actually can impact your business severely.
Be sure to check out T-Minus Space Daily
wherever you get your favorite podcasts.
With Amex Platinum,
access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply.
Learn more at amex.ca.
Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one
platform and gives you curated data, along with a full suite of tools to handle any digital
investigation. Plus, with on-demand courses and live training, your team won't just install the
platform. They'll actually use it and connect the dots so fast, cybercriminals won't realize
they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions,
and security teams worldwide.
See it in action now at maltego.com.
And finally, at 18, most kids worry about finals or first dates.
Noah Urban worried about ransom videos of bloodied teenagers begging him for $200,000.
By then, he was a rising star in Scattered Spider,
the teenage cyber gang that would paralyze MGM's slot machines
and cost Marks & Spencer $400 million.
In an interview with Bloomberg, Noah says he wasn't a coder,
just a smooth-talking Floridian
who discovered SIM swapping through Minecraft
and found his calling as a caller,
duping telecom reps with a deep voice and good manners.
From bricked houses to stolen underwriting to
released rap tracks, his mischief blurred into menace. The FBI eventually caught up,
seizing millions in crypto and a collection of Rolexes. Last month, a judge handed Noah 10 years,
more than prosecutors asked, reminding everyone that tricking Fortune 500 firms may look like
a game to teens, but it's still fraud. Noah, ever polite, says he loved the life anyway. In the end,
Noah's tale is less about a prodigy hacker than a teenager
who mistook social engineering for a social life
and learned too late that the house always wins.
And that's the CyberWire. For all of today's
stories, check out our daily briefing at
thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks
podcast, where I contribute to a regular
segment on Jason and Brian's show every
week. You can find Grumpy Old
Geeks where all the fine podcasts are
listed. We'd love to know what you think
of this podcast. Your feedback ensures
we deliver the insights that keep you
a step ahead in the rapidly changing world
of cybersecurity. If you like our
show, please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups,
researchers, and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.