Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Tuesday, September 16, 2025. I'm Rich Stroffolino.

Android moving to risk-based security updates
Since August 2015, Google has published a monthly Android Security Bulletin, or ASB, listing vulnerabilities fixed in its monthly security update. This came in two varieties, a public one and a private one sent to OEM partners 30 days in advance to give them time to test and release patches before they go public. Google will now shift the monthly ASB to list high-risk vulnerabilities only, while most other patches will go into a quarterly ASB. This was designed to reduce the number of patches to be tested and validated by OEMs, hopefully speeding up patch time on the most critical issues while giving them more flexibility in addressing less urgent ones. As a result, some monthly ASB updates may list zero vulnerabilities.

CISA accused of cyber incentive mismanagement
This finding came from the Department of Homeland Security Office of the Inspector General, which began an audit after receiving a complaint about the program in 2023. This program was developed to incentivize mission-critical cyber employees to stay in their roles. The OIG's audit found the program was used to pay employees in support functions outside of cybersecurity. It also found a lack of adequate records for program enrollment and payouts, as well as a violation of federal rules for paying out incentive bonuses as part of unallowable back pay from 2022 to 2024. OIG didn't recommend ending the program, but said it should hand over management to a separate office and develop consistent guidance and tracking for the program.

How security practitioners use LLMs
Anthropic released its Economic Index, an in-depth report on who, where and how its LLMs are being used. The report is fairly granular, going into different use rates across countries and US states, as well as how different professions use it. For information security analysts, the most popular use case was automating the coordination of computer system plans with stakeholders. Other common use cases were creating documentation, performing risk assessments and developing incident response plans. Other jobs seeing automation of security functions included web developers, web admins and network administrators. There's lots of great stuff in the report, so be sure to check it out in our show notes.

Open source benchmarks for AI security tools
CrowdStrike and Meta released CyberSOCEval, a suite of open source benchmark tools meant to provide a baseline to evaluate LLMs for real-world cybersecurity use cases. These benchmarks are specifically focused on malware analysis and threat intelligence reporting, which CrowdStrike says it currently has an inadequate understanding of LLM effectiveness on. In a paper supporting the benchmarks, the researchers show that initial results on both tasks by major LLMs showed middling performance across the board. In the GitHub notes on CyberSOCEval, CrowdStrike also said it has found that because most models have not been trained to reason about cybersecurity analysis, they don't currently see similar performance scaling for additional analysis time that's typically shown in coding and math tests.

And now, thanks to today's episode sponsor, Drata. Leading security teams trust SafeBase by Drata to turn trust into a growth engine. Their enterprise-grade Trust Center puts your security posture in one secure, customer-facing portal, giving buyers instant visibility into your company's continuous controls, certifications and policies. With AI-powered questionnaire assistance, blast through inbound security questionnaires in minutes instead of days. Automate cross-functional workflows and eliminate friction. That means less manual work and faster deal cycles. Win trust. Learn more at safebase.io, that's S-A-F-E-B-A-S-E dot I-O.

Credit union notifies users about 2023 data breach
Fairmont Federal Credit Union notified over 187,000 individuals about the attack, which saw names, dates of birth, Social Security numbers, driver's license numbers, government IDs and full payment card numbers with PINs stolen. The attack occurred between September 30 and October 18, 2023, just shy of two years ago. Fairmont did not discover the breach until January 23, 2024, and did not conclude its investigation until August 17, 2025. The credit union did not give specifics on the attack or attribute it, but the Black Basta ransomware group listed it on its leak site.

Microsoft reminds us that people still use old things
Microsoft confirmed that the September 2025 Windows security update caused connection issues with shared files and folders over SMBv1 on the latest build of Windows 11, 10 and Windows Server platforms. Microsoft probably isn't too upset by this. It's been trying to phase out the 30-year-old file sharing protocol since deprecating it back in 2014 and no longer installing it by default on Windows since 2017. Until it releases a fix, Microsoft recommends that impacted users allow traffic on TCP port 445 as a workaround. But really, please don't use CIFS, SMBv1 or any other ancient file sharing, please.

New Zealand sanctions Russians over cyberattacks
New Zealand Foreign Minister Winston Peters announced the country imposed sanctions on threat actors working with Russia's Unit 29155, aka Ember Bear and Cadet Blizzard, believed to be part of its GRU intelligence agency. The group was responsible for the 2022 WhisperGate attack on the Ukrainian government ahead of Russia's invasion of the country. New Zealand specifically cited the group's conduct in Ukraine for the sanctions. The EU and Great Britain have also sanctioned the group in recent months.

Finwise discloses insider threat breach
Finwise is a bank that originates and funds loans for consumer-facing services, including American First Finance. The bank sent a data breach notification on behalf of American First Finance stating that an incident occurred on May 31, 2024, where a former employee accessed sensitive customer data after their employment ended. Finwise did not discover the breach until June 18, 2025. A filing with the Maine Attorney General's office disclosed that this impacted 689,000 customers. No word, though, on how the former employee was able to access the info after employment or the extent of the personal data leaked. Finwise is offering the industry standard platitude of two years of credit monitoring.

SMS messages don't have a great security reputation already. We can thank SIM swapping attacks for that. But there's also a whole supply chain for delivering these messages that's an underappreciated attack surface. We dig into this on our latest episode of the CISO Series Podcast. Look for the episode "Wait, SMS Doesn't Stand for Super Mega Secure?" wherever you get your podcasts. And if you have some thoughts on the news of the day or feedback about the show, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
