CyberWire Daily - Stomping out critical bugs.

Episode Date: November 6, 2025

Cisco patches critical vulnerabilities in its Unified Contact Center Express (UCCX) software. CISA lays off 54 employees despite a federal court order halting workforce reductions. Gootloader malware returns. A South Korean telecom is accused of concealing a major malware breach. Russia's Sandworm launches multiple wiper attacks against Ukraine. China hands out death sentences to scam compound kingpins. My guest is Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital. Meta's moral compass points to profit.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital, joins us to preview her Caveat podcast interview about "10 Years of Cybersecurity Progress & What Comes Next." Listen to Sasha and Dave's full conversation on this week's Caveat episode.

Selected Reading
Critical Cisco UCCX flaw lets attackers run commands as root (Bleeping Computer)
CISA plans to fire 54 employees despite court injunction (Metacurity)
CISA reports active exploitation of critical vulnerability in CentOS Web Panel (Beyond Machines)
Gootloader malware is back with new tricks after 7-month break (Bleeping Computer)
KT accused of concealing major malware infection, faces probe over customer data breach (The Korea Times)
Sandworm hackers use data wipers to disrupt Ukraine's grain sector (Bleeping Computer)
China sentences 5 Myanmar scam kingpins to death (The Record)
"Hackers" rig elections to IAN executive committee (Mumbai News)
Meta is earning a fortune on a deluge of fraudulent ads, documents show (Reuters)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales.
Starting point is 00:00:44 T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. Cisco patches critical vulnerabilities in its Unified Contact Center Express software. CISA lays off 54 employees despite a federal court order halting workforce reductions. Gootloader malware returns. A South Korean telecom is accused of concealing a major malware breach. Russia's Sandworm launches multiple wiper attacks against Ukraine. China hands out death sentences to scam
Starting point is 00:01:30 compound kingpins. My guest is Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital. And Meta's moral compass points to profit. It's Thursday, November 6, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great to have you with us. Cisco has issued patches for two critical vulnerabilities in its Unified Contact Center Express software that could allow remote attackers to gain full control of affected systems. The most severe flaw was found in the platform's Java Remote Method Invocation process and enables unauthenticated command execution with root privileges.
Starting point is 00:02:42 Researcher Jahmel Harris discovered the issue, which Cisco attributed to improper authentication mechanisms. A separate critical flaw in the UCCX editor app could let attackers bypass authentication and run arbitrary scripts with admin permissions by directing login requests to a malicious server. Cisco urges customers to upgrade immediately, though it reports no active exploitation. The company also patched a related high-severity denial of service bug in Cisco Identity Services Engine. The Department of Homeland Security is moving forward with layoffs at CISA, despite a federal court order temporarily halting some government-wide workforce reductions during the shutdown. In a legal filing, acting director Madhu Gottumukkala said
Starting point is 00:03:34 54 employees in CISA's stakeholder engagement division received reduction in force notices on October 11th before the injunction was issued. CISA says they maintain compliance with the order, arguing the affected employees are not represented by unions covered under the ruling. The cuts impact staff in partnership, international, and academic outreach roles. While the injunction bars layoffs in competitive areas with union members, CISA contends its planned reductions fall outside that scope. The agency declined to comment further, citing ongoing litigation. Unrelated, CISA is warning that attackers are actively exploiting a critical command injection flaw in Control Web Panel, a popular Linux server management tool,
Starting point is 00:04:24 formerly known as CentOS Web Panel. With a CVSS score of 9.0, the vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands if they know a valid non-root username. Researcher Maxime Rinaudo found the issue in CWP's file manager changePerm endpoint, which improperly processes unsanitized input through the chmod command. Exploits enable full system compromise, including reverse shells and data exfiltration. Multiple versions are affected, with over 220,000 CWP instances internet-facing. CISA urges immediate patching or restricting access to trusted networks and conducting compromise assessments. The Gootloader malware operation has resurfaced after a seven-month hiatus,
Starting point is 00:05:20 once again using search engine optimization poisoning to lure victims to fake sites offering free legal document templates. These sites distribute malicious JavaScript files disguised as templates like non-disclosure agreements, which install additional payloads such as Cobalt Strike and backdoors, often leading to ransomware. Researchers from Huntress Labs and The DFIR Report note that Gootloader's new campaign uses sophisticated evasion tactics, including custom web fonts that disguise malicious code and malformed zip archives that extract different files depending on the tool used. The campaign also deploys the Supper SOCKS5 backdoor linked to the Vanilla Tempest ransomware affiliate. Security experts warn users to avoid downloading templates from unverified websites.
Starting point is 00:06:15 South Korean telecom giant KT is under investigation for allegedly concealing a major malware breach that infected 43 servers with BPFDoor and other malicious code between March and July 2024. Investigators say the compromised systems contained customer data, including names, phone numbers, and device identifiers. The probe also found severe flaws in KT's femtocell management system, enabling hackers to intercept payment data.
Starting point is 00:06:48 Authorities are reviewing legal action and compensation, while KT faces potential obstruction and data protection penalties. Russian state-sponsored hacking group Sandworm, also known as APT44, has launched multiple destructive data-wiping attacks on Ukraine's government, education, logistics, energy, and grain sectors, according to cybersecurity firm ESET. The campaigns in June and September of this year used several wiper variants designed to irreversibly erase data and disrupt operations. ESET says the inclusion of Ukraine's grain industry, a vital source of national revenue,
Starting point is 00:07:30 suggests an intent to damage the country's wartime economy. Some attacks involved the ZEROLOT and Sting wipers, deployed via scheduled Windows tasks after access was gained by threat actor UAC-0099. ESET also noted parallel Iranian-linked wiper activity targeting Israel's energy and engineering sectors. Experts recommend offline backups and robust endpoint protection to mitigate such destructive threats. A Chinese court has sentenced five members of a Myanmar-based crime syndicate to death for operating massive online fraud and scamming compounds near the China-Myanmar border. The Shenzhen Intermediate People's Court identified the ringleader
Starting point is 00:08:18 Bai Suocheng, his son Bai Yingcang, and three others as key figures behind the network, which defrauded victims of more than $4 billion. The Bai family, formerly leading the Kokang Border Guard Force, ran 41 criminal industrial parks tied to fraud, kidnapping, and forced prostitution. Beijing launched its crackdown in 2023 after Chinese citizens were targeted, arresting tens of thousands linked to such syndicates. The scam operations also caused at least six deaths, underscoring Myanmar's central role in global online fraud networks.
Starting point is 00:09:04 Coming up after the break, my conversation with Dr. Sasha O'Connell, Senior Director for Cybersecurity Programs at Aspen Digital, and Meta's moral compass points to profit. Stick around. What happens when cybercrime becomes as easy as shopping online? SpyCloud's Trevor Hilligoss joined Dave Bittner on the CyberWire Daily to explain how a wave of cybercrime enablement services are lowering the barrier to entry and making sophisticated attacks available to anyone.
Starting point is 00:09:53 I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal-adjacent. Instead of having, you know, sort of the smaller pool of high sophistication actors that are able to kind of carry out these really vast and costly cyber attacks, you know, we see that being given to much lower sophistication, lower tech folks that are, you know, a much lower barrier to entry to get into this field. The person that's buying access to this, they basically need a phone and a Bitcoin wallet. Make sure you hear this full conversation and learn how the underground economy is reshaping cyber risk. Visit explore.thecyberwire.com slash spycloud. That's explore.thecyberwire.com slash spycloud.
Starting point is 00:11:04 What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale, and it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber. It's the Nissan Black Friday event where you can, wait, wait, wait, isn't it like a month long now? Nissan Black Friday Month? Does that work?
Starting point is 00:12:13 It's the Nissan Black Friday Month event. On remaining 2025 Rogue and Sentra, get zero percent financing. Plus, get $1,000 Nissan bonus on Kicks models. This Black Friday, you've got a whole month to catch all the exclusive offers waiting for you. See your local Nissan dealer or Nissan.com. Details and conditions apply. Dr. Sasha O'Connell is Senior Director for Cybersecurity Programs at Aspen Digital. I caught up with her for this week's Caveat podcast to discuss 10 years of cybersecurity progress and what comes next.
Starting point is 00:12:54 So I would love to start off with a little information about the Aspen Cyber Summit. You all are celebrating 10 years, which is quite a milestone. Can you take us through a little bit of the history of the summit itself and what's led you to where you are today? Sure. So yes, I've only been at Aspen for just over a year, but I really stand on the shoulders of really great folks who have come before me and built a really strong foundation and growing program that has been focused on convening leaders in this space for, as you mentioned, just about a decade now. You know, in cyber, we always talk about public-private partnerships being at the core of our ability to address the threat. And at Aspen Cyber, that was sort of the nascent idea is to create that space to make sure that's happening in a trusted environment.
Starting point is 00:13:50 And, you know, my predecessors here at the program really laid an amazing foundation, and the program has been growing there ever since. You mentioned the summit is one part of that work. We also run a U.S. cyber group and a global cyber group. Those are a mixture of public and private leaders that meet Chatham House. So those private conversations that go on two, three times a year on a cycle. And that creates that opportunity for folks to not only meet each other and discuss issues of the day, build trust, and then do work and projects that spin off of that. And then the summit, as you mentioned, coming up November 18th here in D.C. We're super excited. That's our time we really get to open our doors to the public
Starting point is 00:14:33 as well and have all those public-private partnerships, all that teamwork that's been built, that great thought leadership. We get to put that on the main stage and include a broader audience in that conversation. Our event has been called the Coachella of the cyber policy world, and we really lean into that moniker. We cover a lot of sort of heady policy cyber security ground, but we also try and have a good time. Well, you mentioned foundations and your own background comes from a place in public service as well. Can you tell us a little bit about that? Sure. So I spent just shy of 15 years at the FBI. I was neither an agent nor an Intel analyst. I was kind of the non-traditional, what we called at the FBI at the time MAPA or management
Starting point is 00:15:22 and program analyst. I had an opportunity to work over that 15 years. on strategy and policy and performance management, a lot of time on a lot of different programs, but I spent the last really five, six years at the Bureau focused on the cyber program inside the FBI and then ultimately on interagency policy as it relates to many things, but what came to the top was tech policy and cyber policy.
Starting point is 00:15:50 I see. Well, let's talk about Aspen Digital and some of the policy priorities that you and your colleagues have there. What is top of mind for you these days? We just started rolling out a whole series, a special project series on offensive cyber operations. So the Trump administration has been forward-leading in this area and expressed an interest in beefing up both capabilities
Starting point is 00:16:15 and activities as it relates to going on the offense in cyber. So we picked up that nod, that head nod, and said, okay, what do the folks in our network, both public, a lot of former public sector leaders as well of private sector leaders, civil society and academics, you know, what advice do folks have? What have they seen in this area? Where do they see this going? So about four weeks ago, we launched this series. So that is one priority for us. Additional priority that does come as a response to the priorities of this administration is the focus on what it means to move responsibility for cyber to the state and local level. So after the administration issued an executive order to this effect back in
Starting point is 00:16:59 March, we've done a series of convenings that then again have resulted in a series of felt leadership publications we've put out sort of discussing and interrogating this idea. What does it mean to move responsibility back to the states, if you will, what are best practices there, challenges, and how do we help inform that? So that's just an example of two things we're working on there. Another one that's more kind of, I would say, proactive coming from our members. There's a lot of work happening now around public education, around cybersecurity and frauds and scams. Here at Aspen Digital, on behalf of Craig Newmark Philanthropies, we lead a public service awareness campaign called Take 9, and it's a consumer-focused public service awareness
Starting point is 00:17:45 campaign that's really focused on getting folks to see themselves in the effort to address cyber frauds and scans. And the core message is around slowing down, right? We say in cyber creating friction in the system, in this context, we're talking about the human in the loop and asking those humans to literally slow down for nine seconds. That nine seconds, it turns out, science has told us, helps move us from reacting to responding when we get that email, that fishing email, or a deep fake phone call with deep fake voice, for example, all of these sophisticated tools.
Starting point is 00:18:22 So that public service and communication around cyber as well as frauds and scams is another priority area for us. Well, I would love to dig into two of the topics that you mentioned, starting with offensive cyber. I mean, I think it's certainly a hot topic for discussion these days. And a lot of folks are wondering how this could play out. My sense is that people are kind of hanging back and seeing, you know, how is this going to be enabled, right? How are we going to be given legal protection and cover to be able to do these sorts of things?
Starting point is 00:18:55 What are your insights? I think that's right. I think we're waiting and seeing a little bit. As you know and your listening audience knows, it's a complicated area where because so much of the critical infrastructure in this country and the data in this country is owned in the private sector, this idea of offensive operations and how and what the private sector's role in that can and should be, as you mentioned, liability. These are all open questions. So that's exactly what we've been sort of exploring and exploring different opinions, right, because opinions do vary in this regard. And I think time will tell where this administration is really headed. There's also
Starting point is 00:19:38 a point of view that we shouldn't solely focus on offense. We shouldn't lose track of the basics when it comes to resiliency in cyber and that that is ultimately a good defense, ultimately being really key to a good offense. Sean Joyce just wrote a really interesting piece that's up on the Aspen Digital website about that as well, right? So while we wait to see where things shake out on this move to move to more offensive capability and action. There's also, you know, the line of thinking that says, let's not forget about the fundamentals is a key component as well. Be sure to check out my full conversation with Dr. Sasha O'Connell
Starting point is 00:20:19 on this week's episode of caveat wherever you get your favorite podcasts. And finally, meta, it seems, has once again confused moral compass with revenue forecast. Internal documents unearthed by Reuters show the company expected to earn about 10% of its 2024 revenue, roughly $16 billion, from scam ads and banned goods. That's right. from fake investment schemes, fraudulent e-commerce, and shady medical products that Mehta's own systems flagged as high risk. Rather than ban those advertisers outright, Meta often just charged them more, a sort of fraudster surcharge for the privilege of duping users. The company's own internal estimates put them at showing 15 billion scam ads daily, and when victims clicked,
Starting point is 00:21:32 meta's ad system kindly served them even more. Even as executives congratulated themselves for reducing scam reports, internal slides admitted meta's platforms had become a pillar of the global fraud economy. Not to worry, meta promises it's working on it, just slowly enough not to upset those quarterly earnings. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:22:28 If you like our show, please share a rating and review in your favorite podcast. app. Please also fill out the survey and the show notes or send an email to Cyberwire at n2K.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
