CyberWire Daily - When GoAnywhere goes wrong.
Episode Date: October 14, 2025

Fortra confirms an exploitation of the maximum-severity GoAnywhere flaw. Harvard investigates a claim of a breach. Banking Trojan targets Brazilian WhatsApp users. Reduction-in-force hits CISA. SimonMed says 1.2 million hit by Medusa ransomware. Netherlands invokes the Goods Availability Act against a Chinese company. We have our Business Breakdown. On today's Industry Voices, we are joined by Mickey Bresman sharing insights on hybrid identity security. And, beware of the shuffler.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices, we are joined by Mickey Bresman, Semperis CEO, sharing insights on hybrid identity security and their HIP Conference. Mickey joined us as their 2025 Hybrid Identity Protection (HIP) Conference wrapped up. If you want to hear the full conversation, you can tune in here.

Selected Reading
Fortra cops to exploitation of GoAnywhere file-transfer service defect (CyberScoop)
Harvard Investigating Security Breach After Cybercrime Group Threatens To Release Stolen Data (The Crimson)
WhatsApp Worm Targets Brazilian Banking Customers (Sophos News)
Government Shutdown Fallout: RIF Notices Hit CISA as Cyber Threats Rise (ClearanceJobs)
SimonMed says 1.2 million patients impacted in January data breach (Bleeping Computer)
Netherlands invokes special powers against Chinese-owned semiconductor company Nexperia (The Record)
UK fines 4chan over noncompliance with Online Safety Act (The Record)
Synechron acquires RapDev, Calitii, and Waivgen. (N2K Pro Business Briefing)
Hackers Rig Casino Card-Shuffling Machines for 'Full Control' Cheating (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's sponsored jobs help you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire. Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Fortra confirms an exploitation of the maximum-severity GoAnywhere flaw. Harvard investigates a claim of a breach. Banking Trojan targets Brazilian WhatsApp users. Reduction in force hits CISA. SimonMed says 1.2 million hit by Medusa ransomware. Netherlands invokes the Goods Availability Act against a Chinese company. We have our Business Breakdown. On today's Industry Voices, we are joined by Mickey Bresman, sharing insights on hybrid identity security. And, beware of the shuffler.

Today is October 14, 2025. I'm Maria Varmazis, host of T-Minus Space Daily, sitting in for Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining me today. Let's get into it.
Security firm Fortra has belatedly confirmed in-the-wild exploitation of a maximum-severity vulnerability in its GoAnywhere managed file transfer software, which was patched three weeks ago. The vulnerability is a deserialization flaw that allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, added the flaw to its Known Exploited Vulnerabilities catalog two weeks ago, and Microsoft last week published a report on the active exploitation. CISA and Microsoft both say the vulnerability is being used in ransomware campaigns. Researchers at watchTowr, who published a report on the vulnerability last month, note that some details of the exploitation are still unclear. watchTowr's CEO Ben Harris told CyberScoop that the exploitation implies that the attacker has somehow circumvented or satisfied the cryptographic requirements needed to exploit this vulnerability.
Harvard University has disclosed that it was compromised by a zero-day flaw affecting Oracle's E-Business Suite system, and the school is investigating a potential breach after the Clop ransomware gang listed the university on its leak site. Oracle issued an emergency patch for the flaw last week. A Harvard spokesperson told BleepingComputer that Harvard is aware of reports that data associated with the university has been obtained as the result of a zero-day vulnerability in the Oracle E-Business Suite system. This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard. While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit. Upon receiving it from Oracle, we applied a patch to remediate the vulnerability. We are continuing to monitor and have no evidence of compromise to other university systems.
Sophos describes a malware campaign targeting Brazilian WhatsApp users with a banking Trojan that's tailored for customers of Brazilian banks and cryptocurrency exchanges. The malware is delivered by tricking users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp Web session. It then sends similar malicious messages to all of the victim's contacts. Sophos has observed first-stage PowerShell activity associated with this campaign in over 400 customer environments and on more than 1,000 endpoints.
As the U.S. government shutdown drags on, CISA is now facing reductions in force, or RIFs, that threaten its already lean operations. With over 1,000 employees already departed this year, CISA had slated only 889 staffers to remain on duty during the shutdown, which is roughly 35% of its workforce. Last week, RIF notices began rolling out across the agency, putting the future staffing levels of its critical cybersecurity divisions at risk. Experts warned that amid rising cyber threats, even temporary staffing gaps could hinder detection, response, and information sharing.
U.S. medical imaging provider SimonMed Imaging disclosed a data breach affecting 1.2 million patients, stemming from unauthorized access between January 21st and February 5th, 2025. The breach was uncovered when a vendor notified SimonMed of a security incident on January 27th. Investigators confirmed suspicious network activity the next day. Attackers claimed responsibility via the Medusa ransomware group, demanding $1 million and leaking data such as ID scans, patient details, and medical reports. SimonMed responded by resetting passwords, enforcing multi-factor authentication, deploying endpoint detection, and restricting third-party access. So far, SimonMed reports no confirmed misuse of the stolen data and is offering affected individuals free identity protection services.
The government of the Netherlands has invoked extraordinary powers to override business decisions at Nexperia, which is a semiconductor firm partly owned by China, citing serious governance shortcomings. Under the newly applied Goods Availability Act, Dutch authorities can block or reverse asset transfers and strategic moves perceived as threats to critical technological know-how. Nexperia's parent, Wingtech, condemned the decree as geopolitically motivated and vowed to appeal in court. The move reflects broader concerns over Chinese influence and intellectual property transfer in the semiconductor sector, especially where cutting-edge technology like lithography is involved.

The UK regulator, Ofcom, has issued a 20,000-pound fine to U.S.-based forum 4chan, marking the first enforcement under the UK's Online Safety Act. The penalty stems from 4chan's failure to respond to legally mandated requests for its illegal harms risk assessment and other compliance documentation. Ofcom will also impose an extra 100-pound daily fine for up to 60 days if the site still does not comply. For its part, 4chan's lawyers contend that Ofcom lacks authority over a U.S. platform, and they refuse to pay, arguing that the action conflicts with America's free speech protections.
And now for our Business Breakdown. Last week's Business Breakdown highlights a staggering $250 million raised across seven investments and 12 acquisitions. On the investment front, French open source security solution provider Filigran finished its Series C round, raising $58 million. The funding will be used to accelerate the company's development of its OpenGRC platform, which is an open source platform for threat-informed cyber risk management. Alongside further developing this platform, Filigran is also looking to scale its presence in Saudi Arabia, Japan, the United States, and the DACH region.

For acquisitions, the digital consulting firm Synechron acquired three companies as it looks to launch its new global ServiceNow business. The three companies are RapDev, Calitii, and Waivgen. RapDev is one of the world's largest Datadog partners, Waivgen is the leading Appian partner, and Calitii architects and delivers full-scale ServiceNow implementations. Alongside debuting a global ServiceNow business, Synechron is also looking to expand outside the financial sector into new markets, such as health care and energy.

Additionally, SAIC, which is the Virginia-based defense contractor, has acquired Silver Edge Government Solutions for $205 million. With this acquisition, SAIC is looking to incorporate Silver Edge's flagship product, SOAR, into its offerings. SOAR is a SaaS service that utilizes automation, AI/ML, data visualization, and cross-domain capabilities to deliver turnkey, customizable software solutions to clients.

And that wraps this week's Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro, and check out thecyberwire.com every Wednesday for the latest updates.

Stick around after the break. On today's Industry Voices, we are joined by Mickey Bresman, sharing insights on hybrid identity security. And, beware of the shuffler.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
On today's Industry Voices, Dave Bittner recently sat down with Mickey Bresman, Semperis CEO, who shared insights on hybrid identity security and their HIP Conference. Here's their conversation.
So the identity security motion keeps on growing bigger and more important to the different audiences, both security and IT operational ones. I think there are several interesting key takeaways that I have from this event, where, first of all, we have the biggest number of attendees to date. I believe that we were at roughly 400 attendees, which is obviously great to see that it keeps on growing.

I think the main things that I have as takeaways from the conference are that it was very interesting to hear that Microsoft is committed to Active Directory security and support, and we had Microsoft speakers on stage. It was also interesting to see the type of audience that we had, where you had people that have responsibility for five domain controllers and all the way to more than 5,000 domain controllers. So it's a very diverse type of a group.

I think also an interesting takeaway was that hybrid environments will remain the standard for, God knows for how long, maybe even forever, as opposed to the previous thinking that potentially companies will be either on-prem or in the cloud. Reality-wise, the vast majority of the attendees this year all are suggesting that they see their companies remaining as hybrid.

I think another interesting point was around the fact, and that's my observation, that identity is more critical than ever, and it just continues to get more and more attention from the security teams, with the clear understanding that in the, you know, modern enterprise with a remote world, cloud applications, identity plays the biggest role in terms of how they actually defend the organization.

And obviously, you cannot have a conference today without bringing up AI. But in this case, AI has a different application for the identity security space. What I mean by that is one of the conclusions that is currently coming out from HIP is that agentic AI is actually introducing a new type of identities. So if traditionally organizations thought about identities as a human identity and there was another classification of a machine identity, now all of a sudden we have a third bucket that is called agentic AI, or basically agent identities, because those are not humans, obviously, but they also aren't like machine identities, and that requires a completely different approach on when we introduce this new type of an identity to the organization, how do we make sure that it is done in a secured manner and is managed correctly in the organization?
Well, what were some of the conversations around that topic with agentic AI? Where do you suppose we're headed?

Yeah, that's a great one. I think there are a lot of questions that are coming up. Obviously, the adoption of agentic AI is, you know, it's in its infancy. It's just starting. And I think what we're seeing is companies trying to understand what does it actually mean to their environments. As an example, one of the questions that customers are currently trying to answer for themselves is, will my organization have multiple agentic AI type of systems? Maybe I'm going to use Microsoft Copilot and at the same time I'm going to be using Gemini, as an example. And that's most likely what's going to happen, at least from what I'm hearing. And then if that is indeed the case, then it creates a new type of a question. And again, I'm looking at it right now from the identity point of view. Where will those identities be coming from? Meaning, is it reasonable to assume that we will still have the agentic AI identities exist in the same IDPs that we're having today? Or will it mean now that we will need to rethink the entire model? Because all of a sudden, potentially those identities will not exist outside, or will not be managed, will be probably a better way to put it, outside of the provider of those identities.

To put it very simply, if my company is using Entra ID as the identity source in the cloud, then I think it's reasonable to assume that their agentic identities will be managed in Entra ID. But if I'm now adopting Gemini, as an example, should I make the assumption that I'll be able to manage those identities in Entra ID as well? Or should I be starting to think of those identities existing only inside of Gemini, which is obviously a completely different type of an approach?
Well, from the unique point of view that you and your colleagues at Semperis have, where are you seeing enterprises falling short when it comes to securing Active Directory?

That's a very big question.

Yeah.

Look, there are a lot of interesting questions that are all things that we're seeing now in the industry. By the way, another interesting point that I've seen coming here from the conference is Active Directory has been around for more than 25 years, which is typically seen as something in the technology space, we often refer to technology that has been here for a while, we will refer to it as legacy, which will typically imply that, you know, it's not the best of what you can have and you should probably be thinking about adopting something else. But the reality is, what I'm hearing from customers is that that's not how they see it. What they see is the fact that Active Directory has been around for 25 years makes it very mature, and that maturity is actually seen as an advantage. So I think it was very interesting to see that many companies got to this realization that they will continue and have Active Directory as the core of the identity story for a long period of time. At this point, I'm no longer trying to make any predictions till when, because it may be forever. One of the examples that people kept using at the conference all the time is mainframe, where it's just there and it's been there, and there have been multiple instances where people thought it will not be, but the reality is that it is still very much there. It basically requires organizations to rethink. If Active Directory is going to be the source of my identity story for my company for the years to come, then obviously I need to rethink, how do I make sure that that system is secured? How do I make sure that that system is properly protected and managed? And obviously, I need to make sure that if something happens and somebody compromises that system, that I have a way to bounce back and have the system up and running in a relatively short period of time.

I was looking through the Global Ransomware Report that you all published earlier this year. One of the statistics that caught my eye was that 70% of companies paid the ransom when they were victimized. Do you have any advice for organizations of ways to drive down that number?
For sure. Well, Dave, you know, if you think about why would somebody decide to pay ransom, in most cases, the answer is going to be one of two reasons. The first one, you just concluded that you have no way to bounce back in a reasonable amount of time. So let's say that, and I actually would argue that that is the biggest reason. So just to explain a bit, the second reason is going to be because you had data that was stolen from the organization that you deemed to be so sensitive that if it would have been published, then it's going to hurt tremendously.

So maybe let's start with the second point. The second point to me is that even if you pay ransom, you actually should assume that that data still can be published, because we've seen multiple times that the bad actors are not necessarily going to play, you know, by the rules, so to speak. And it might be that they will take your money, but they will still go ahead and publish it. And we also see the instances where, you know, now it's a bit more organized. So you might have more than one group of bad actors actually working against you. And we've seen, without mentioning names, although it was very publicly covered, we've seen those situations where you paid who you thought is the main ransomware group, but then another group showed up and said, well, we actually have not been paid, so we're going to publish your data in any case. So I think from that point of view, I know it's very tricky to decide if you should or should not be paying in order to get your data back. But my main point there is that even if you do pay, you can't really know if you will or will not get your data back.

So let's assume for a minute that that is not the main decision in terms of should I be paying or not, meaning the data that has been stolen, and let's go back to the first point, which I think is the more critical: how fast can I actually bounce back? And I will suggest to think about it, if I'm now taking the CEO point of view and my company was hit, I would want to know a couple of things. How fast can we go back to what is defined as at least the minimal operational mode of my company? And probably the bigger question that I'm going to have, how much trust do I have in the numbers that are being put in front of me by my IT organization? If they're saying that they will bounce back, as an example, in a matter of 48 hours, can I really believe that that's what's going to happen?

And the only way to do that, and that's the question of what can be done, is to make sure that you actually have your playbooks, your runbooks, all ready to go, that you know how to approach your cyber insurance provider in the case of an emergency, you actually tested and tried to make sure that you understand what needs to happen if one of the decision makers is not available, like who becomes the next in line. You also tried your recovery process, not just by restoring a server, but you actually made sure that you understand how you will be communicating with the different teams. You understand what is the sequence of events that is going to take place. So basically you have a clear understanding of what the bounce-back process looks like. And if you have that and you can now speak to the management with the confidence of saying we've done it before, we are well organized, we are well planned, and we can guarantee that we, you know, guarantee is a big term here, but we are very confident that we can go live again in 24 hours, I guarantee to you in this case that the management will be very, very unlikely to decide to pay ransom.
That was Mickey Bresman, Semperis CEO, sharing insights on hybrid identity security and their HIP Conference.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
With Amex Platinum, access to exclusive Amex presale tickets can score you a spot trackside. So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex. Presale tickets for future events subject to availability and vary by race. Terms and conditions apply. Learn more at amex.ca.
And finally, a group of researchers hacked an automatic card shuffler used in casinos by sneaking tiny sensors and wireless gear inside, basically turning a blackjack shoe into a spy gadget. The mod lets them track cards' positions as they get shuffled and deliver real-time advice to a player's phone. Wagers aside, it's a brilliant act of low-tech villainy meets high-tech mischief. Casinos, please take note: even your shuffler might be listening.
And that's The CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm your host, Maria Varmazis, in this week for Dave Bittner. Thanks for listening. I'll see you tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
