CyberWire Daily - Wheels left spinning after cyber incident.
Episode Date: September 5, 2025

A cyberattack disrupts Bridgestone's manufacturing operations. CISA warns of critical vulnerabilities in products used across multiple sectors. Additional cybersecurity firms confirm data exposure in the recent Salesforce–Salesloft Drift attack. A configuration vulnerability in Sitecore products leads to remote code execution. HHS promises stricter enforcement of healthcare information access rules. Texas sues an education software provider over a December 2024 data breach. A federal jury orders Google to pay $425 million over improperly collected user data. Nations unite for global guidance on SBOMs. On our Industry Voices segment, we are joined by Aron Anderson, Enterprise Security Manager of Adobe, on embracing the journey to zero trust. Chess.com gets caught in a tricky gambit.

Industry Voices: On our Industry Voices segment we are joined by Aron Anderson, Enterprise Security Manager of Adobe, as he talks about embracing the journey to zero trust.

Selected Reading
Tire giant Bridgestone confirms cyberattack impacts manufacturing (Bleeping Computer)
CISA issues ICS advisories on hardware flaws in Honeywell, Mitsubishi Electric, Delta Electronics, rail communication protocols (Industrial Cyber)
More Cybersecurity Firms Hit by Salesforce-Salesloft Drift Breach (SecurityWeek)
Unknown miscreants snooping around Sitecore via sample keys (The Register)
HHS Says It's 'Cracking Down' on Health Information Blocking (BankInfo Security)
Texas sues PowerSchool over breach exposing 62M students, 880k Texans (Bleeping Computer)
Google hit with $425 million verdict in privacy class action suit (The Record)
US and 14 Allies Release Joint Guidance on Software Bill of Materials (Infosecurity Magazine)
Chess.com says 4,500 people had data stolen during June breach (The Record)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber
innovation. Visit DMVRising.com to secure your spot.
certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal
volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk.
Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com slash 47-day.
That's cyberark.com slash the numbers 47-D-A-Y.
A cyberattack disrupts Bridgestone's manufacturing operations.
CISA warns of critical vulnerabilities in products across multiple sectors.
Additional cybersecurity firms confirm data exposure in the recent Salesforce-Salesloft Drift attack.
A configuration vulnerability in Sitecore products leads to remote code execution.
HHS promises stricter enforcement of health care information access rules.
Texas sues an education software provider over a December 2024 data breach.
A federal jury orders Google to pay $425 million over improperly collected user data.
Nations unite for global guidance on SBOMs.
On our Industry Voices segment, we're joined by Aron Anderson, Enterprise Security Manager of Adobe, on embracing the journey to zero trust.
And Chess.com gets caught in a tricky gambit.
It's Friday, September 5, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Happy Friday, and thanks for joining us here today.
Bridgestone Americas, the North American arm of tire giant Bridgestone,
is investigating a cyberattack that disrupted some manufacturing operations.
The incident, reported on September 2nd, initially impacted two facilities in South Carolina
and later one in Quebec.
Bridgestone says its rapid response contained the attack early,
preventing customer data theft or deeper network compromise.
While forensic analysis continues, the company stressed that business continuity and customer obligations remain top priorities.
Staff are working to minimize supply chain impacts, though product shortages are possible.
Bridgestone has not confirmed whether ransomware was involved and no group has claimed responsibility.
The company previously suffered a LockBit ransomware attack in 2022, raising questions about potential repeat targeting.
CISA issued five new ICS advisories warning of critical vulnerabilities in products used across energy, manufacturing, transportation, and health care sectors.
Affected systems include Honeywell's OneWireless WDM and Experion PKS, Mitsubishi Electric's ICONICS Digital Solutions, Delta Electronics' COMMGR, and the End-of-Train/Head-of-Train rail protocol.
CISA highlighted flaws ranging from memory buffer overflows and integer underflows to weak encryption
and symbolic link exploitation. Many issues could enable remote code execution, denial of service,
or data exposure. Notably, Honeywell and Mitsubishi vulnerabilities carry high CVSS scores,
while Delta's flaw scored 9.8. Rail vulnerabilities could let attackers spoof brake control
signals. Vendors are releasing patches, but CISA urges immediate mitigations such as strict access
controls, network segmentation, and patching to reduce exploitation risk.
Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable confirmed data exposure in the recent
Salesforce-Salesloft Drift attack, part of a campaign disclosed on August 26 by Google.
Threat group UNC6395 exploited OAuth tokens in the Drift integration to steal sensitive
Salesforce data from over 700 organizations.
Exposed information included AWS keys, emails, phone numbers, and CRM details.
While the firms stressed that customer-protected data and internal systems were not compromised,
they rotated credentials, removed Drift, and secured systems to prevent
further impact.
Attackers are exploiting a configuration vulnerability in Sitecore products to achieve remote
code execution and deploy malware. The flaw affects all versions of Sitecore XM, XP, and
Managed Cloud if deployed in multi-instance mode with customer-managed static machine keys.
Systems using sample keys from old Sitecore documentation are most at risk.
Criminals have used these exposed keys to push malicious ViewState payloads, enabling deployment of WeepSteel malware for system and user data collection.
Mandiant reported disrupting one such attack before full impact was known, but observed privilege escalation, credential theft, and lateral movement attempts.
Sitecore urges customers to rotate keys immediately.
CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
The Department of Health and Human Services announced stricter enforcement of the 21st Century Cures Act's information blocking rules,
which prohibit practices that interfere with access, exchange, or use of electronic health information.
Violations can carry fines up to $1 million for health IT vendors and information exchanges,
while providers risk financial penalties from Medicare and Medicaid.
HHS says patients must have free, timely electronic access to their records, including through apps of choice.
Exceptions exist for privacy and security concerns, but providers delaying or limiting access may face enforcement.
The Office of Inspector General is investigating cases, and experts expect HHS to focus on vendors imposing unreasonable data restrictions and providers failing to provide timely access.
Texas Attorney General Ken Paxton has sued education software provider PowerSchool over a
December 2024 data breach that exposed the personal information of 62 million students, including
880,000 Texans.
The breach, caused by stolen subcontractor credentials, led to the theft of names, Social Security
numbers, contact details, and medical data.
Attackers demanded $2.85 million in Bitcoin.
PowerSchool later confirmed paying the ransom.
Though the company claimed stolen data was erased, schools were later re-extorted.
One 19-year-old student has since pleaded guilty to orchestrating the attack.
Paxton alleges PowerSchool violated Texas consumer protection and identity theft laws
by failing to secure sensitive data.
CrowdStrike investigations also revealed earlier
breaches in 2024. Paxton vowed to hold PowerSchool accountable for putting families at risk.
A federal jury ordered Google to pay $425 million to plaintiffs who claimed the company collected user data
even after they disabled app activity tracking. The class action suit representing 98 million users
alleged Google violated its own privacy policy over an eight-year period. The jury did not find
malice or award punitive damages, but ruled Google's actions invaded privacy. Privacy advocates
hailed the verdict as a rare and significant win, while Google plans to appeal, arguing its
privacy tools already honor user choice. Cybersecurity and intelligence agencies from 15
countries have jointly released guidance promoting software bills of materials, SBOMs, as a key tool
for securing the global software supply chain.
Published September 3rd, the document titled
A Shared Vision of Software Bill of Materials for Cybersecurity,
defines SBOMs, explains their value,
and outlines roles for producers, users, and operators.
It encourages broad adoption,
harmonized implementations,
and integration into security workflows.
Signatories include CISA, NSA,
and agencies from Europe, Asia, and beyond.
Officials stressed that modern software's complexity makes transparency essential,
while experts warned that divergent approaches could hinder progress.
Observers see the agreement as a milestone,
but note the next challenge is aligning legislation across nations
to avoid fragmented requirements and costs.
Coming up,
after the break, my conversation with Aron Anderson, Enterprise Security Manager at Adobe,
on embracing the journey to zero trust. And chess.com gets caught in a tricky gambit. Stay with us.
At Thales, they know cybersecurity can be tough, and you can't protect everything.
But with Thales, you can secure what matters most. With Thales's industry-leading platforms,
you can protect critical applications, data, and identities, anywhere and at scale with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the
world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales.
T-H-A-L-E-S. Learn more
at thalesgroup.com slash cyber.
And now a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy,
ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Aron Anderson is Enterprise Security Manager of Adobe, and on today's sponsored Industry Voices segment,
we discuss embracing the journey to zero trust.
So I've been working at Adobe for quite a while now, for 25 years,
just had my anniversary.
So I started off actually doing support in an IT capacity
out of college for a different organization.
I came to Adobe, started working in more of a SOC incident analyst kind of role,
and then just over the years I've been able to take advantage of Adobe's flexibility
and move into new roles.
And now I manage a team that's all focused on
enterprise security and architecture and engineering types tasks.
Well, today we're focusing on Zero Trust.
I would love to hear how you and your colleagues at Adobe define that.
Yeah, so for us, Zero Trust is really based on some of the more common frameworks.
We tend to use at Adobe the CISA framework, and it's a way of evaluating our own controls
and our own maturity against those controls for how we want to address changes in the environment
and how we're assessing our ability to, you know, address those changes.
So as a good example, it used to be that previous to zero trust,
a lot of the perimeter controls were sufficient for what a lot of security organizations
consider, you know, good enough.
But nowadays, it's really addressing the assumed compromise type of mindset where we don't
know for a fact that the device or the user or those things are what we expect.
And so really building into how we allow access based on that zero trust concept of
confirming it is what we think it is, assessing the impact or the risk rather before access
is granted, and using other attributes to make those decisions at the time of access.
I'm curious, as you and your colleagues have gone along this pathway, have you found that
there are some common misperceptions that folks have about zero trust?
Yeah, there's a few, a few that we've encountered.
One is that zero trust has been out there for a while now, so everybody's perception of what
it does or does not include is a little bit different.
So internally, that means really evaluating and evangelizing how we perceive zero trust at Adobe, how we've done our own assessments, what the framework looks like that we're using, and how we're measuring our success and adherence to those principles across the board.
I think another misconception I've seen just talking to other individuals and other companies that it's only intended for large organizations.
And our implementation of it and how we've used the controls and the framework really highlights that you don't have to be a large organization.
with vast resources to take advantage of zero trust.
It's really something that you can do at almost any level
whether it comes to how you're managing your identities and entitlements
to broader device and data controls
that might get into the level of what a large enterprise can do.
But again, it can really vary by organization,
but all of the security controls,
regardless of to what level they're implemented,
still offer some value for an organization.
Well, can you take us through that journey
and maybe help some organizations hear about,
about where maybe they should start with zero trust?
What sort of considerations did you all make
once you made a decision to move forward with this?
Yeah, so we started with really evaluating
what were some of the more common frameworks
that talk about zero trust.
So at Adobe, we use the CISA framework, as I mentioned,
and that's really built upon other ways
that CISA standards have been implemented at Adobe.
So there's some built-in trust for what those provide.
So really evaluating that,
where were we at from a maturity perspective?
Because zero-trust, again, is more of a journey.
and so really evaluating where are we at today, where do we want to go,
and how can we use that to make prioritized decisions about where we want to end up?
And then I think some of the other things that took us down the path of considering what we want to do here
is just recognizing the changes in the environment,
some of the historical perimeter level controls, things like firewalls,
just were no longer sufficient for a largely SaaS and cloud-based type of environments.
You know, the pandemic and remote work made a big difference.
So really all of a sudden, so many workers were not using the corporate networks,
so really evaluating how our controls were reflected and still meeting our expectations
for the changes in both the work patterns, where the data actually that we were trying to protect
resided, and just how people are now accessing it in such a different way than they used to in the past.
And evaluating, did we still meet what we were expecting?
And what do we want to get out of it going forward, knowing those things will continue to be the trends?
How did you measure progress along the way?
and determine whether or not you were being successful.
Yeah, that's a good question, and it was definitely a challenge initially.
We started with some very basic measurements to begin with,
such as how many users or how many services were actually meeting our baseline standards.
So a great example was for remote access.
How many users have we successfully migrated to a stronger remote access solution
that was much more aligned with our zero trust initiative and efforts?
And then as we've matured, really getting much more complex to measuring how well are we not only achieving security goals, but also business goals, so aligning those two.
I think one example is when it comes to identity, we've really taken a stance of, as we've gotten more complex, not only looking to determine how we can achieve what we want to get from a security perspective.
So again, knowing who the user is behind that identity, how it's being used, what it reflects, but also evaluating how is this being impacting the business.
So can we do things with part of the zero trust initiative that would make it easier for the business to get value out of it?
And that's really getting back to how access is being granted in entitlements.
So as we streamline that, we saw value on the zero trust side and the security side, but also the business saw value in the amount of time they had to spend onboarding workers or ensuring that the access they had worked on day one.
So those are the things where I think, you know, just thinking the Adobe journey where we started to where we're going.
and we've really been able to mature those metrics and those value measurements to make
sure we're still on track.
Well, you mentioned the business sides of things, and how was leadership on board with this?
How are you able to set expectations for them along the way?
Yeah, so that's a good question in that initially some of the biggest ones we had were being
able to show the business value, making a secure remote solution, remote access solution
for all the remote work was just a big way.
And this is the time when we recognized both internally that so many workers were not going to come to the office, that it was just easy to sell.
This is a new offering that didn't require, say, radical changes or growth in our VPN solution.
The much more nuanced as we've, as we've been able to show progress there and show that we can deliver, being able to show the business and leadership clearly what we will be delivering is an outcome, how we'll be measuring it.
And that really went a long ways getting the, I think the support and the recognition that our implementation was
actually going to have value, not only from a security perspective, but either in cost savings
or in some cases, just ease of implementation for the business when it comes to, you know,
onboarding a new service. I think actually SaaS is a great example, being able to demonstrate
how the solutions we're providing can make it easier to more securely make a SaaS solution
available to our customers, our internal customers. It was a big win for the, not only the program
for the business as well. What advice do you have for organizations who,
may want to follow in your footsteps here. They're looking to implement a zero trust model in
their own organization. I would look to start with what it is that you might consider as a framework
just to get an understanding of how you're going to evaluate zero trust in your organization.
So then using that to really measure what's your current state. I think a lot of organizations
don't take the time to really evaluate where they're starting from. And if you don't know where
you start, it's kind of challenging to understand just how much success you've had or where you should
be prioritizing your work. I think another key thing I would consider is as you're starting
down this journey, really thinking of it as a journey and not just a project so that you can really
look at what's the long-term goals, what are the things we want to achieve over time, and how are we
going to measure in a very quantitative way as we're making that progress. You know, zero trust,
although a lot of it is very technology-based. A lot of the big wins actually come from understanding
how that technology will be measured and impact that business,
what kind of ways you can show definitive success
and something that leadership can get behind.
I don't think this is unique to zero trust.
This is common to a lot of security offerings being able to measure that.
I just think with zero trust because it's a whole program,
it's important to really be explicit in that
and being clear about how you'll be measuring your outcomes,
your successes, and how you'll be able to relate that
to either reductions in risk or business value.
Were there any unexpected challenges or things you can share with our listeners that you all learned along the way?
Yeah, so I think a couple of things would be is that, again, I think there were certain perspectives about how zero trust might work for an organization.
So there were some leadership misconceptions or different perspectives rather on what it would be delivering and what it would be delivering.
I think some other things is just as we've gotten better at it, it's one of those things as you measure your maturity, you're like just the breadth of what might be involved.
I think one of the things that we've learned is just using identities, which are very important nowadays.
The growth of both human and non-human identities is we've really looked to mature our zero trust solutions is just highlighted how big that can get without a lot of control.
So really internally being explicit about what that scope is and just learning, just how broad the business might organically grow in ways we didn't expect came to light as we start to implement controls or really look at the workflows that were being used by different teams.
Now, I'm curious as we've seen this explosion of the use of artificial intelligence and machine learning,
has that had any impact on your zero-trust journey?
Yeah, I think it's had both, there's both some capabilities we're using now.
So especially around machine learning, we're using a lot of that technology to do better analysis of the activity that's going on
and use that to make decisions in a continuous model as to whether or not access should be granted.
So I think a good example is using not only the combination of the user, but other data mining around the user type, the device type, the geography to make real-time assessments as to whether or not that access should be allowed, or if some other kind of mitigating step might be required.
A good example might be step-up authentication where combinations of those factors can be used in near or real-time in some cases to make decisions on what that access is actually going to look like.
The other flip side is that AI has made, I think it has a lot of opportunities,
but there's still a lot of work to be done exactly how that represents risk
and from a zero trust perspective are the controls that we currently have in place still able to take,
still able to function in a way that matches how AI is being used.
One of the things that I think most organizations are looking at AI have noticed is that
a lot of AI technology requires a lot of broad access to data in order to make the
best use of that information and to make it valuable back to the customers. But that combination
of access for a service to access many data types does mean that maybe some of your traditional
controls will no longer be sufficient when it comes to just doing device posture checks or
identity checks. I think this is also directly related to what we've seen internally is just
the growth of non-human identities in order to associate all this data together as well. And that's
an area where I do believe the zero trust foundations will apply to that. It's just taking a little
more time to make sure that our controls are still encountering, rather, factoring that
in when we make decisions.
Where do you suppose we're headed with this? I mean, it sounds like from Adobe's point
of view, zero trust is here to stay. Yeah, I do think it's here to stay. And I do think because
it's a framework that's really we envision as a program, it's meant to be to grow and change
as risk change. So I do believe that the concepts, the core concepts, still have a lot of value
and they allow for continuing to look at new ways of business doing things,
the new security requirements.
I think as an example, as we've gotten better at it,
we're using it to evaluate maybe areas that we knew were risk,
but we didn't quite understand as well around some of our vendor and vendor onboarding
and some of the risks associated with those vendors.
So as an example, asking our own onboarding partners,
just how are they thinking about zero trust or at least the core concepts of it
and using that in our decision-making process.
So it's definitely here to stay, at least for the long time, that I can see.
And I do believe that because of the flexibility it offers,
it will continue to be something that can be changed
to meet changes in either risk or business requirements.
Early on, it became really important to get the executive support,
like with any security projects.
And I think zero trust really makes it easier to do that
if you take the time to evaluate what you're at
and really have clear metrics and outcomes you're delivering.
So keeping that in mind, I think a lot of organizations,
can be successful with it.
That's Aron Anderson,
Enterprise Security Manager at Adobe.
With Amex Platinum,
access to exclusive
Amex pre-sale tickets
can score you a spot trackside.
So being a fan for life
turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events,
Subject to availability and varied by race.
Terms and conditions apply.
Learn more at mx.ca.
slash Y Annex.
Tim's new scrambled egg loaded croissant.
Or is it croissant?
No matter how you say it.
Start your day with freshly cracked scrambled eggs loaded on a buttery, flaky croissant.
Try it with maple brown butter today at Tim's.
At participating restaurants in Canada for limited time.
And finally, looks like Chess.com just got caught in a tricky
gambit. The online chess giant admitted that 4,500 of its players had their data swiped during a
June breach involving a compromised file transfer tool. That's less than 0.003% of its 100 million users,
a small pawn sacrifice, but still a blunder. The attack ran from June 5th through June 18th before
being checkmated on June 19th when federal authorities were alerted. No banking details,
usernames or passwords were taken, so accounts remain in stalemate-safe condition.
Chess.com insists its code wasn't compromised, though it declined to reveal which tool was the
weak square on the board. Hackers remain anonymous, and no exposed data has surfaced online.
For now, players can keep their kings safe and their rooks on the file.
Graham Cluley, call your office.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at the Cyberwire.com.
Be sure to check out this weekend's research Saturday
and my conversation with Selena Larson,
threat researcher and lead of intelligence analysis
and strategy at ProofPoint.
The research we're discussing is titled
Microsoft OAuth app impersonation campaign
leads to MFA phishing.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to Cyberwire,
at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kielpe is our publisher
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.