CyberWire Daily - Ransomware in the rearview.
Episode Date: September 3, 2025

Jaguar Land Rover suffers a major cyberattack. ICE gains access to a powerful spyware tool. Researchers find Fancy Bear snuffling around a new Outlook backdoor. Cloudflare and Palo Alto Networks confirm compromised Salesforce data. A researcher discovers an unsecured Navy Federal Credit Union (NFCU) server. A new ClickFix scam spreads MetaStealer malware. Specialty healthcare providers struggle to protect sensitive patient data. CISA appoints a new Executive Assistant Director for Cybersecurity. On Afternoon Cyber Tea, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure. Our guest today is Tim Starks from CyberScoop discussing China's reliance on domestic firms for hacking. Hackers threaten to feed stolen art to the machines.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Afternoon Cyber Tea
On our Afternoon Cyber Tea segment, host Ann Johnson is joined by Amy Edmondson, Harvard Business School professor and psychological safety pioneer. Together they discuss how creating psychologically safe environments allows teams, especially in high-pressure fields like cybersecurity, to speak up about early warnings, embrace the red, and learn from failure. You can listen to Ann and Amy's full conversation here and don't miss new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.

CyberWire Guest
Our guest today is Tim Starks from CyberScoop discussing "Top FBI official says Chinese reliance on domestic firms for hacking is a weakness."
Selected Reading
Jaguar Land Rover Operations 'Severely Disrupted' by Cyberattack (Security Week)
Ice obtains access to Israeli-made spyware that can hack phones and encrypted apps (The Guardian)
Russian APT28 Expands Arsenal with 'NotDoor' Outlook Backdoor (Infosecurity Magazine)
Cloudflare and Palo Alto Networks Victimized in Salesloft Drift Breach (Infosecurity Magazine)
Misconfigured Server Leaks 378GB of Navy Federal Credit Union Files (Hack Read)
Fake AnyDesk Installer Spreads MetaStealer Through ClickFix Scam (Hack Read)
Hacks on Specialty Health Entities Affect Nearly 900,000 (Bank Infosecurity)
Python-based infostealer 'Inf0s3c' combines stealth with broad data theft (SC Media)
CISA Names Nicholas Andersen as Executive Assistant Director for Cybersecurity (The Cyber Express)
Hackers Threaten to Submit Artists' Data to AI Models If Art Site Doesn't Pay Up (404 Media)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.
certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload, and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies life cycle management with visibility, automation, and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com slash 47-day. That's cyberark.com slash the numbers 47-D-A-Y.
Jaguar Land Rover suffers a major cyber attack. ICE gains access to a powerful spyware tool. Researchers find Fancy Bear snuffling around a new Outlook backdoor. Cloudflare and Palo Alto Networks confirm compromised Salesforce data. A researcher discovers an unsecured Navy Federal Credit Union server. A new ClickFix scam spreads MetaStealer malware. Specialty health care providers struggle to protect sensitive patient data. CISA appoints a new Executive Assistant Director for Cybersecurity. On Afternoon Cyber Tea, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure. Our guest today is Tim Starks from CyberScoop, discussing China's reliance on domestic firms for hacking, and hackers threaten to feed stolen art to the machines.

It's Wednesday, September 3, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Jaguar Land Rover, the UK's leading luxury automaker, has confirmed a major cyber attack that forced the shutdown of its global IT systems. The incident has halted production lines in the UK and abroad, disrupted supply chains, and temporarily closed some retail outlets and online services. While JLR says there's no evidence of customer data theft, operations have been severely impacted. The attack comes amid financial strain. Jaguar Land Rover recently reported a 49% drop in pre-tax profits, delayed its new electric models to 2026, and announced 500 UK job cuts. This is the second breach in a year, following a March 2025 ransomware attack linked to the Hellcat group. Jaguar Land Rover joins other UK companies like Marks & Spencer and Harrods, recently hit by cybercriminals.
U.S. Immigration and Customs Enforcement will gain access to Paragon Solutions' spyware tool, Graphite, after the Trump administration lifted a hold on a $2 million contract first signed under President Biden. Graphite allegedly can hack any phone, including encrypted apps like WhatsApp and Signal, and even turn devices into listening tools. Civil rights advocates warn the move hands invasive surveillance powers to an agency already accused of due process violations. While Paragon claims it only works with democracies and cuts ties with abusive clients, its spyware has previously been misused in Italy against journalists and activists. Experts argue such tools pose security risks as multiple governments share access to the same tech. Critics say this raises threats to privacy, free speech, and democratic accountability.
Researchers at Spanish cybersecurity firm S2 Grupo have discovered a new Outlook backdoor, dubbed NotDoor, linked to Russia-backed APT28, also known as Fancy Bear. The malware uses Visual Basic for Applications macros in Microsoft Outlook to monitor incoming emails for trigger words, then exfiltrates data, uploads files, or executes commands. NotDoor hides in Outlook's event-driven processes, abuses DLL side-loading with OneDrive, and disables security warnings to maintain persistence. It communicates via attacker-controlled email accounts and covert callbacks, deleting traces after exfiltration. Its modular design allows dynamic updates, making detection difficult. APT28, tied to Russia's GRU, has a long record of high-profile cyber attacks, including the 2016 U.S. election breaches. Researchers at LAB52 warn NotDoor reflects the group's evolving tactics and recommend disabling macros and monitoring Outlook activity.
Cloudflare and Palo Alto Networks have confirmed that threat actors accessed their Salesforce data via a compromised Salesloft Drift app. Cloudflare said attackers exfiltrated Salesforce case data, including customer contact details and support ticket text, between August 12th and 17th of this year. While no attachments were stolen, sensitive information like keys or logs pasted into tickets may be compromised. Palo Alto reported exposure of sales and case data. Hundreds of organizations are affected, with experts warning attackers may leverage stolen data for targeted campaigns.
Researcher Jeremiah Fowler discovered an unsecured Navy Federal Credit Union server, exposing 378 gigabytes of internal files. While no member data was found, the trove included usernames, emails, possibly hashed passwords, and Tableau workbooks with database connections and financial formulas. Fowler warned this information could give attackers a blueprint of Navy Federal systems, enabling phishing or deeper breaches. The database was quickly secured after disclosure, but it's unclear how long it was exposed.
Researchers at Huntress have uncovered a new ClickFix scam that spreads MetaStealer malware using a fake AnyDesk installer. Traditionally, ClickFix tricks users into copying malicious commands into Windows Run, but this campaign adds a twist called FileFix, which abuses Windows File Explorer searches. Victims searching for AnyDesk may land on a fake site with a counterfeit Cloudflare verification prompt. Clicking Verify triggers File Explorer to fetch a disguised file named ReadMe AnyDesk.pdf. While it installs the real AnyDesk to avoid suspicion, it also secretly loads MetaStealer, which can steal credentials, files, and crypto-wallet data. The scam blends legitimate software behavior with social engineering, making it harder to detect. Experts stress user awareness and caution while downloading tools online.
Specialty health care providers, while skilled in treating patients, often lack strong cybersecurity defenses, making them prime targets for ransomware and data theft. Three recent breaches illustrate the risks. Excelsior Orthopaedics in New York disclosed nearly 395,000 patients and employees were impacted by a 2024 ransomware attack. Florida-based Vital Imaging reported 260,000 individuals affected by a February 2025 hack, and the University of Iowa Community HomeCare breach exposed data for 211,000 people. Together, nearly 900,000 individuals were impacted. Experts warn that specialty practices with limited budgets and sometimes outdated systems struggle to protect sensitive data like medical histories and insurance details. Cybercriminals exploit these weaknesses for fraud and extortion, often pressuring providers to pay ransoms quickly to avoid care disruptions.
Researchers at CYFIRMA have detailed a new Python-based malware called Inf0s3c, with a zero for the O and a three for the E because, of course, it does. It's an advanced info stealer capable of harvesting a wide range of sensitive data, distributed as a compressed 64-bit executable packed with PyInstaller. It evades detection through obfuscation, runtime code unpacking, VM checks, and self-deletion. Its main component collects system info, IP data, credentials, cookies, Wi-Fi passwords, browsing history, crypto wallets, and even webcam images. It also targets popular gaming accounts like Roblox, Steam, and Minecraft. Stolen data is archived into a password-protected RAR file and exfiltrated via Discord. Persistence is achieved by copying itself to the Windows startup folder. CYFIRMA noted similarities to grabbers like Blank Grabber and Umbral Stealer, suggesting shared origins. The findings highlight how easily criminals can access sophisticated automated info-stealing tools.
CISA has appointed Nicholas Andersen as Executive Assistant Director for Cybersecurity. A decorated Marine veteran and national security leader, Andersen brings extensive experience from both government and private sectors. He previously served as CISO at Lumen Technologies, COO at Invictus, and senior official at the Department of Energy, where he directed cyber and energy security efforts. Recognized as Intelligence Executive of the Year, Andersen has overseen initiatives defending against state-sponsored threats and major crises. At CISA, he'll lead efforts to protect critical infrastructure amid escalating cyber risks. His arrival marks a leadership transition, with Chris Butera becoming acting deputy executive assistant director. Andersen's appointment underscores CISA's push to strengthen resilience and deepen collaboration with industry partners.
Coming up after the break, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure. Tim Starks from CyberScoop discusses China's reliance on domestic firms for hacking, and hackers threaten to feed stolen art to the machines. Stay with us.
At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at T-L-S-R-R-E-S-R-E-E-S dot com slash cyber.
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And it's always my pleasure to welcome Tim Starks back to the show.
He is a senior reporter at CyberScoop.
Tim, good to talk to you here, my friend.
Same here, my friend.
So, interesting story you published on CyberScoop.
This is about an FBI official talking about Chinese reliance on domestic firms for hacking.
Unpack this for us here, Tim.
Yeah, so you might have seen the story about the FBI announcing in a couple different news outlets that something like 80 countries have been victimized by Chinese hackers in the Salt Typhoon campaign, more than 200 American companies have been affected by it. So they put out this alert, the FBI, a variety of U.S. agencies, a variety of world cyber agencies. And that said, this campaign is larger than we've been talking about. And when they say campaign, it turns out they were actually talking about just Chinese cyber espionage in general, but just kind of all kind of part of this overall indiscriminate targeting and said, okay, look, it's affecting all these sectors too. It's affecting lodging. It's affecting not just telecoms, but it's affecting the military, it's affecting transportation. And, you know, I did a follow-up interview to see what I could find out about what didn't make it into that report or what didn't make it into those stories. And the part that I was drawn to by what the deputy assistant director that I spoke to in the cyber division said was this gave investigators an opening. The report mentioned three specific companies that are sort of tech infrastructure kind of companies in China that have been assisting with this cyber espionage. And what Jason Bilnoski told me was that these companies made mistakes. And the Chinese reliance on these companies creates risk for them to be exposed by investigators. And that's what happened here.

Well, help us understand this relationship between these firms and the Chinese government.
Yeah. So they're, I mean, there are companies that are essentially just kind of tech backbone kind of companies in the ISP kind of related space. But because of China's national security laws, there is a great deal more control by the Chinese government over the handling of data and sensitive information that affects domestic companies, companies that are doing business in China. And so while the story that I wrote doesn't make an explicit connection between those two things, and while that wasn't something Jason said explicitly either, it's easy to read between the lines that China as an authoritarian government with a great deal of legal written leverage, not just the sort of general authoritarian, we can do what we want, over these companies, it stands to reason that the combination thereof was pretty good for China saying, hey, we need your help. You know, you're the companies through which we're going to be able to do this. Come help us, probably, or else.

Right. So the story here is, in the process of providing that help, these companies made some errors that our government was able to take advantage of.
Exactly.
Yeah.
I mean, certainly, when you think of the PLA, at least, you know, in the early days of sort of nation-state hacking, you thought of a particularly careful organization, an organization that was very surgical. And perhaps in the reach for broader reach, China has had to go outside those sorts of sort of regimented literal military organizations to reach out further, to expand who they can target, and how that created vulnerabilities for them that they did not have before, as explained by the deputy assistant director.
What do you suppose this indicates sort of for the broader ecosystem here?
I mean, I think that obviously, you know, the U.S. government makes use of many contractors
for many of the things that they need to do, the government, the military, all that sort of thing.
So why does this deserve any attention at all?
It's a very good question.
Just as from the standpoint of a cybersecurity reporter,
I like knowing how we find things out.
It's interesting to me.
Right.
And I think we, I think, you know, perhaps other countries can learn from it,
say, oh, this, you know, these are things that we were able to identify as weaknesses.
I think there might have been some messaging here.
And I'm speculating a little bit.
I don't want to put any words in anybody's mouth.
But it seemed that the Justice Department, the FBI wanted this to be known.
This is how we found you out.
Maybe that creates some sort of counterpressure on Chinese companies saying, hey, cooperate, if you will, but you're going to put yourself at risk.
And I think that's some of the potential value, you know, outside of just my general nerdiness of liking cybersecurity, is that sort of political gamesmanship.
As far as how it pertains to U.S. companies, I think that's interesting, seeing a few developments in this administration that are fascinating. One, of course, as we saw the U.S. government essentially obtain a stake in a U.S. company, Intel, which, you know, that's fascinating. We do hear sometimes Trump say things about China like, oh, for them, they don't even have to do much. They just say it, and it gets done. So you can look at that as some maybe harbingers. I mean, Trump has actually been almost outwardly dismissive about the idea that there's something wrong with what China is doing when it hacks U.S. companies. He said, whatever, we do it too. He said the same thing about Russia. You don't think we don't do that? So, and I think also, this might be a little bit of a response to China also trying to put some pressure on us. There's a little bit of an escalation of, hey, we're the United States. We say you bad guys, China did this. And China has been over the years, and especially in the last calendar year, been saying more and more, hey, America, we know you did this. We know you exploited Microsoft. We know that you got aid from a university. Whether these things are true or not, these are the things they're messaging. And we have also seen China accusing U.S. companies of creating back doors for the U.S. government. So these geopolitical elements and they sort of like where the fight is going, I think those are interesting ramifications for U.S. companies, for the federal government, and for Chinese companies and Chinese government.
How would you rate your level of surprise at hearing these revelations?

I mean, I was a little surprised because, well, I wasn't surprised, I guess. We were talking about the original revelations of the alert that they put out. You know, it does seem like it takes time for investigators to go, oh hey, we found some hacking, and then to find out just how far it went. So that wasn't particularly surprising to me. It was a little surprising to me the degree to which they were willing to talk about this. And that's where I start getting into the whole, you know, were they wanting to get a message out through me? Were they wanting to say to an audience, hey, we're watching you? Because that can be a deterrent. So I was a little surprised, but then the more I thought about it, the more I thought it made a little bit of sense. And again, Dave, I'm speculating irresponsibly. Here I am, I'm speculating irresponsibly on this esteemed cybersecurity blog and podcast, and it's out of control. I need to rein it in before I get too crazy.
Yeah, yeah.
Well, if you say, they're messaging through you and now they're messaging through us.
Oh, here we are.
From the propaganda arm of the United States.
That's right.
That's right.
But no, look, I mean, those, I'm, we're joking about those things, but I often am thinking
about the degree to which the U.S. government might be trying to use me or any messenger,
really.
Sure.
Everybody has a reason to want to talk to us.
It's not, they don't talk to reporters out of all the goodness of their hearts.
The important thing is, is the story accurate?
And did we give something valuable to the reader?
And I think whatever the attempted message was here,
I think that the story was valuable to publish for that reason.
Yeah, I agree.
We'll have a link to that story in the show notes.
Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.
On our latest Afternoon Cyber Tea segment, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure.
Today I am joined by Professor Amy Edmondson, the Novartis Professor of Leadership and Management at Harvard Business School. Amy is not just an expert in psychological safety in the workforce. She is the expert. So can we start just by talking about psychological safety? Because it's a word that's used a lot in organizational development. The term itself has a kind of implication of comfortable and cozy and nice. And that's just not what it is. So let me first give you my formal definition of psychological safety. It describes a climate in which people believe their voice is welcome, where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view. And not that it will be easy and fun all the time, it usually isn't, but that they believe it's welcome. They believe it's
what we do around here. Many of the case studies that I have done, you know, gone into great
detail on, say, the Columbia launch failure of 2003 or, you know, many other sort of real disasters
were literally avoidable, had people spoken up in a timely way. So it's, I can't tell you how much
I think about and value the speaking up about early warning signs. They're not worried about,
oh, how do I look? They're like, this could be a nothing, but I'm going to raise it. I'm not
going to be afraid of being called Chicken Little. The sky is falling when, of course, it isn't.
So I'm much more interested in that topic, right, that people can speak up about early warning
signs of a potential breakdown or failure. But early warning signs about psychological safety,
you know, and whether or not it's present, I don't think about that quite as much, but to freewheel
a little, it's basically, I think, in today's, you know, complex, turbulent world, an early warning sign is a sign that doesn't happen. It's the bad news, the questions, the dissent, the mistakes, the failures that you're not hearing about. So if you are a leader of a team and you're hearing an awful lot of good news, you know, everything seems to be green and nothing seems to be red, that is probably a warning sign that you don't have enough psychological safety. Because it just can't be the case that things aren't going wrong or that people don't see things differently, but it can be the case that you're not hearing about it.
Because this is, in fact, the kind of environment where psychological safety is most important.
And, you know, maybe ironically, when leaders call attention to the fragility, the complexity,
the ever-present potential for breakdown, that makes it more psychologically safe, not less.
Because fundamentally, it makes it discussable.
It makes the reality of the situation discussable.
And when leaders don't do that, people will naturally assume or think of the situation in the old-fashioned way, the conception of the work environment where people are supposed to hit their targets and always do a good job and expect certainty and be perfect.
Like that is not the world that cybersecurity professionals live in.
So when leaders call attention to that reality, so what's at stake and how much very real uncertainty and complexity and interdependence there is,
that gives permission for people to speak up about it.
Like you're saying, we should expect things to go wrong.
The only real question is, will we hear about it?
Will we hear about it in a timely way?
Things are going to happen.
There will be breakdowns.
There will be coordination and communication breakdowns.
But by naming it, and by naming it early and often,
it gives people permission to be part of the catch-and-correct system.
Be sure to check out the complete Afternoon Cyber Tea podcast, wherever you get your favorite podcasts.
Wait, I didn't get charged for my donut. It was free with these Tims Rewards points. I think I just stole it. I'm a donut stealer. Oof. Earn points so fast, it'll seem too good to be true. Plus, join Tims Rewards today and get enough points for a free donut, drink, or Timbits. With 800 points after registration, activation, and first purchase of a dollar or more. See the Tims app for details, at participating restaurants in Canada for a limited time.
And finally, ransomware gangs usually stick to the classics: steal data, lock it up, and demand cash. But LunaLock has added an avant-garde twist, threatening to feed stolen artwork and personal data from the online platform Artists&Clients, an art commission site, straight into AI training data sets. The ransom note, demanding $50,000 in Bitcoin or Monero, warned that if unpaid, not only would files be leaked, but artists' creations might end up teaching chatbots to doodle. For artists already wary of AI swallowing their work, it's a particularly cruel jab. As researcher Tammy Harper dryly noted, this is the first time criminals have explicitly dangled AI contamination as leverage. Whether LunaLock really has a plan or just hopes AI crawlers are very hungry, the threat has struck a nerve in the digital art world.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.