CyberWire Daily - One flaw to rule the root.
Episode Date: September 30, 2025
CISA issues an urgent warning about active exploitation of a critical vulnerability in the sudo utility. Broadcom patches two high-severity vulnerabilities in VMware NSX. South Korea raises its national cyber threat level after a datacenter fire. Formbricks patches a critical token validation flaw. Microsoft blocks a credential phishing campaign that made use of malicious SVG files. Landlords are accused of scraping sensitive payroll data. Cybercriminals lay the groundwork for large-scale FIFA fraud. Burnout takes a heavy toll on cybersecurity professionals. On our Threat Vector segment, host David Moulton is joined by Kyle Wilhoit talking about the evolution of hacker culture and cybersecurity. London police bag the biggest bitcoin bust. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
On this Threat Vector segment, host David Moulton is joined by Kyle Wilhoit of Unit 42 talking about the evolution of hacker culture and cybersecurity. You can listen to the full conversation here, and catch new episodes of Threat Vector each Thursday in your podcast app of choice.
Selected Reading
CISA Issues Alert on Active Exploitation of Linux and Unix Sudo Flaw (GB Hackers)
Broadcom fixes high-severity VMware NSX bugs reported by NSA (Bleeping Computer)
South Korea raises cyber threat level after huge data centre fire sparks hacking fears (The Guardian)
JWT signature verification bypass enables account takeover in Formbricks (Beyond Machines)
Microsoft Flags AI Phishing Attack Hiding in SVG Files (Hackread)
Landlords Demand Tenants’ Workplace Logins to Scrape Their Paystubs (404 Media)
Playing Offside: How Threat Actors Are Warming Up for FIFA 2026 (Check Point Blog)
Why burnout is a growing problem in cybersecurity (BBC)
Chinese woman convicted after 'world's biggest' bitcoin seizure (BBC)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications,
data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com/cyber.
CISA warns of active exploitation of a critical vulnerability in the sudo utility.
Broadcom patches two high-severity vulnerabilities in VMware NSX.
South Korea raises its national cyber threat level after a data center fire.
Formbricks patches a critical token validation flaw.
Microsoft blocks a credential phishing campaign that made use of malicious SVG files.
Landlords are accused of scraping sensitive payroll data.
Cybercriminals lay the groundwork for large-scale FIFA fraud.
Burnout takes a heavy toll on cybersecurity professionals.
On our Threat Vector segment, David Moulton is joined by Kyle Wilhoit,
talking about the evolution of hacker culture and cybersecurity.
And London police bag the biggest Bitcoin bust.
It's Tuesday, September 30th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here once again.
It's great as always to have you with us.
The Cybersecurity and Infrastructure Security Agency has issued an urgent warning about active exploitation of a critical vulnerability in the
sudo utility, a core Linux and Unix tool. The flaw affects sudo's -R option, allowing
attackers with limited sudo rights to bypass restrictions and gain full root access. CISA warns
that successful exploitation could result in complete system compromise, enabling data theft,
service disruption or malware installation.
The agency urges administrators to identify vulnerable systems,
apply vendor patches, or disable the chroot option until fixes are available.
The flaw was added to CISA's Known Exploited Vulnerabilities catalog
with mitigations required by October 20th.
CISA stresses proactive patching as essential defense.
Broadcom has issued security updates
addressing two high-severity vulnerabilities in VMware NSX. Both were reported by the U.S. National Security
Agency. VMware NSX, part of VMware Cloud Foundation, supports networking virtualization
for private and hybrid clouds. The flaws allow unauthenticated attackers to enumerate valid
usernames, potentially enabling brute force or unauthorized access attempts. Broadcom also patched
a separate high-severity SMTP header injection flaw in VMware vCenter
and disclosed three vulnerabilities in VMware Aria Operations and VMware Tools
that could permit privilege escalation, credential theft, and cross-VM access.
These updates follow earlier fixes to zero days exploited at Pwn2Own Berlin 2025
and by attackers in the wild.
VMware products remain frequent targets for state-sponsored
groups and cybercrime gangs.
South Korea has raised its national cyber threat level after a fire at a government data
center crippled critical digital infrastructure. The blaze, caused by ignited lithium ion batteries
during replacement work, shut down 647 government systems, halting email, internet, banking,
tax, real estate, and health care services. As of Tuesday, 89 systems
were restored, but 96 were destroyed and will require weeks to rebuild, leaving disruptions
expected through upcoming holidays. The intelligence service warned hackers may exploit the weakened
systems during recovery. President Lee Jae-myung apologized, criticizing the lack of backup protocols
as foreseeable. With the upcoming APEC summit, concerns about resilience and preparedness have
intensified, while political leaders face growing criticism over South Korea's digital reliability.
Formbricks, an open-source experience management platform, has patched a critical flaw that could
let attackers hijack accounts with forged authentication tokens. The issue stemmed from improper JSON
Web Token validation, where the software decoded tokens instead of verifying them.
Exploitation required only a victim's predictable user identifier, enabling password resets and full account takeover.
Users should upgrade immediately to the latest version.
It comes as no surprise that cybercriminals are leveraging artificial intelligence to create highly sophisticated phishing attacks that evade traditional defenses.
Microsoft Threat Intelligence recently blocked a credential phishing campaign on August 18th that
primarily targeted U.S. organizations. The attack used a compromised business email account to send
what looked like a PDF file, but was actually an SVG file laced with disguised malicious code.
The payload redirected victims to a fake sign-in page, with its code structure suggesting
large language model involvement. Microsoft's Security Copilot determined the complexity
was unlikely from a human author.
Microsoft Defender for Office 365
ultimately stopped the campaign
by detecting behavioral anomalies.
Experts warn that AI-assisted phishing
represents a major shift,
urging organizations to focus on identity observability
and behavioral detection
to counter AI-scaled deception.
Some U.S. landlords are requiring prospective tenants
to use screening tools
that log directly into employer systems and scrape sensitive payroll data, according to 404 Media.
One renter in Atlanta said Approve Shield, powered by a service called Argyle, harvested far more than the requested four pay stubs,
downloading every pay slip and W-4 from Workday going back to 2024.
The renter described the process as credential harvesting since Argyle required corporate HR logins,
raising concerns about potential violations of U.S. hacking laws.
Approve Shield allegedly knew the 60-day requirement but still mined excessive data.
Critics warn that refusing to participate effectively bars tenants from housing.
Similar practices reportedly involve other companies, including Payscore, Nova Credit, and Snappt.
Neither Approve Shield nor Argyle responded to requests for comment.
With the 2026 FIFA World Cup still months away, cybercriminals are already laying groundwork for large-scale fraud.
Researchers at Check Point identified more than 4,300 suspicious domains registered since August 2025,
many in synchronized bursts and clustered around a few registrars.
These domains mimic official branding to push counterfeit tickets, fake merchandise, and malware-laced streams.
Evidence also suggests botnets are being prepared to flood ticket queues, distort prices, and enable
large-scale resales. Fraudulent activity extends beyond domains into Telegram, dark web markets,
and social media channels, forming a multi-platform ecosystem. Experts warn this isn't random opportunism,
but coordinated infrastructure designed well in advance. Defenses must begin now, including registrar
cooperation, anti-bot protections, and public awareness campaigns to prevent scams from
overshadowing the tournament.
Burnout is taking a heavy toll on cybersecurity professionals, who often pour their passion
into protecting organizations while facing relentless pressure, the BBC reports.
Tony, who left his role at a major UK e-commerce firm, described sleepless nights,
overwhelming workloads and the strain of non-stop incident response.
Others, like former U.K. Health Security Agency leader Andrew Tillman,
called cybersecurity the best job in the world, but also a dangerous place when stress mounts unchecked.
Studies show declining job satisfaction with professionals asked to do more with less while remaining on-call around the clock.
Experts warn that constant alerts, nation-state threats, and blame culture fuel exhaustion, especially for younger workers.
Initiatives like Cyber Minds advocate treating burnout with the seriousness of other frontline professions,
urging proactive support and early recognition of warning signs.
Up after the break on our Threat Vector segment, David Moulton is joined by Kyle Wilhoit
to talk about the evolution of hacker culture.
And London police bag the biggest Bitcoin bust.
Stick around.
Compliance regulations, third-party risk, and customer
security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those
manual processes, you're right. GRC can be so much easier. And it can strengthen your security
posture while actually driving revenue for your business. You know, one of the things I really like
about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management
platform automates those key areas, compliance, internal and third-party risk, and even
customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really
streamlines the way you gather and manage information across your entire business. And this isn't
just theoretical. A recent IDC analysis found that compliance teams using Vanta
are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy
to focus on what actually matters,
like strengthening your security posture
and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com/cyber
to sign up today for a free demo.
That's V-A-N-T-A dot com slash cyber.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the DataSec AI conference,
the premier event for cybersecurity data and AI leaders, hosted by data security leader
Cyera. Built for the industry, by the industry, this two-day conference is where
real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th
in Dallas. There's no cost to attend. Just bring your perspective and join the conversation.
Register now at datasecai2025.com slash cyberwire.
On this week's Threat Vector segment, David Moulton is joined by Kyle Wilhoit to talk about the evolution of hacker culture.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience and the industry trends that matter most.
Here's a quick preview of my interview with Kyle Wilhoit, technical director of threat research at Unit 42.
We rewind the clock and ask if we've lost something essential in cybersecurity's evolution.
Kyle shared how as a 14-year-old kid reading The Hacker Quarterly and building his beige box, he felt like he belonged.
We explore how that same mindset is being challenged today by automation, AI, and billion-dollar enterprises.
If you've ever wrestled with imposter syndrome, wondered how to stay curious in a high-pressure role,
or felt a tension between purity and pragmatism, this episode is for you.
How is the rise of new tech, AI, automation, changed hacker identity and culture?
I think the number one factor or the number one thing that I see is lower barrier to entry for these types of criminals and these types of nation-state adversaries.
What I mean is automation, generative AI, whatever you want to call it, is facilitating and fueling cybercrime at a rate that we haven't seen, as well as fueling
nation-state espionage at a rate we haven't seen in the past.
I think that that type of technology is only going to continue to increase speed
in which these attackers are coming to scale and how fast they're coming to go out
and actually perform initial attacks, et cetera.
So I think that that's the number one thing that we're seeing,
is just the lower barrier to entry.
I think the other thing is, outside of having that lower barrier to entry for these attackers,
I think also what we're starting to see is the evolution of attackers
starting to use things like LLMs and generative AI to
do more advanced techniques. I mean, heck, we just saw a blog recently written that a
Russian state-sponsored group was actually using an LLM, Gemini, if I'm not mistaken, to go out
and actually assist it in writing actual malware that functioned. So what that really leads to
is, again, that lower barrier to entry. Attackers are able to use and manipulate LLMs,
jailbreak them in some capacity, manipulate the guardrails, whatever that is, and ultimately
get the LLM to do things that it wants, that the attacker wants, rather. I think
those are the kind of two big shifts that I'm seeing.
You've seen the industry shift from hobbyist forums to billion-dollar enterprises.
What do you think has been lost in the professionalization of cybersecurity?
It's funny you ask this, because I can actually kind of think of myself to some degree, right?
Because I was kind of a quote-unquote hacker in the old school sense of the word and then migrated
over into the corporate world. So I kind of can look at this from my own perspective. And I think one of
those areas is the loss of just open and free information sharing, right? I think that's one of the
reasons that I pursued intelligence because a lot of intelligence work is ultimately sharing information.
And I truly believe that I think the power, you know, threat intelligence is sharing. But I think that
the concepts and, you know, kind of migrating more to, you know, that professionalization of
cybersecurity, I think that that's directly related to, you know, some of the decline of
open information sharing. I think also the focus for many in the cybersecurity industry has
shifted from inherent curiosity, what it used to be back, you know, early, early on, to marketable
skills. And I'm not saying that's wrong and I'm not saying that's right. I think that's just
part of what we're starting to see kind of change in the industry, right?
I think there are some benefits, though, right?
With every downside, there is a benefit, meaning, you know, with that professionalization,
you also see innovation and development that you likely wouldn't have seen in the past,
meaning we're seeing rapid growth in innovation across all industries.
I think also professionalization and quality control on software and hardware that's being produced
is also something that's directly, you know, a benefit of that professionalization.
So I don't want to make it sound like it's all doom and gloom because it's not.
It's just the maturation of the field, the professionalization of that field,
and there's good and bads with everything, right?
And that's the way I view.
That's just a couple positives, a couple negatives, I guess.
Yeah, I think that that maturation has been required because of the landscape,
because of the changes
and the opportunity for
profit or espionage,
and the hobbyists can't keep up with that.
No, it's hard for me to keep up with it,
and I'm a professional.
Right.
But I think that there is a sense
of, like, maybe looking back
at a simpler time
and maybe longing for it.
Yeah, you know, some of the pieces of it
were there,
but, you know, you can't unring the bell.
That's where we're going.
That's true.
I want to talk about you for a second.
Okay.
How do you maintain your sense of curiosity,
make time for experimentation in a high-pressure role like you have here at Unit 42?
The first is that question that I said early on, what if?
I literally asked myself that multiple times daily still in my current role.
And that was as a people leader, as a technical leader, as everything,
as a researcher. I still ask that question. So the what-if question applies across the board.
A perfect example is what if, as an example, what if I automate this task, right?
That right there can speak volumes in terms of being able to get time back, which leads me to the
next thing, which is schedule curiosity. I know that sounds weird, but schedule time for that
what-if question. Schedule time to hypothesize research and then execute on that research. I still do
that. Even 15 years doing research, I still do that. Because at the end of the day, you have to be
constrained in your time and you have to understand that you only have a certain amount of time
to do those things. So the what-if question will ultimately, hopefully lead you to that
capability of scheduling that curiosity. And then the final piece is embrace intellectual humility.
This is something that I think a lot of folks in our industry are not great at doing in some
cases, and embracing when you don't know something.
And readily admit that.
Say, I don't know, but I'm committed to finding out what that answer is, and I'll have an
answer back to you within 24 hours.
That says a lot about someone versus just making up an answer.
Thanks for sticking around to hear what's coming next on Threat Vector.
If we piqued your interest, the full conversation is available in your Threat Vector feed now.
Trust me, you'll walk away seeing Hacker Culture in a whole new light.
New episodes every week.
Subscribe now to stay ahead.
Be sure to check out the Complete Threat Vector Show wherever you get your favorite podcasts.
Think your certificate security is covered.
By March '26, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal
volume. That's exponential complexity, operational workload, and risk, unless you modernize your
strategy. CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com/47day.
That's cyberark.com slash the numbers 47DAY.
And now a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that
makes application control simple and fast.
Ringfencing is an application containment strategy,
ensuring apps can only access the files, registry keys,
network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, it's not every day the police stumble across five billion pounds in Bitcoin, but that's exactly
what London's Metropolitan Police bagged in the world's largest crypto seizure.
At the center of it all is Zhimin Qian, also known as Yadi Zhang, who pled guilty to running
a scam in China that duped 128,000 victims between 2014 and 2017.
She fled to the UK with false documents, tried
laundering her digital fortune into property and instead earned herself a court date.
Along the way, her accomplice went from takeaway worker to mansion dweller before being jailed, too.
Prosecutors note that criminals love crypto's cloak of invisibility, but this seven-year
investigation proves the blockchain isn't always the perfect hiding place.
Qian's sentencing is still pending.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups,
researchers and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on
securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge
takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation
Expo runs all day connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.
