
A
From the CISO Series, it's Cyber Security Headlines.
B
These are the Cyber Security Headlines for August 21, 2025. I'm Hadas Kasorla.
A patch today keeps the zero day away. Apple has released emergency security updates after discovering a new zero-day flaw that is already being exploited in targeted attacks. The bug is in Apple's ImageIO framework, which processes photos and graphics. Hackers can craft a malicious image that, when opened or previewed, causes the system to write data outside the safe boundaries of memory. This can lead to corruption and potentially allow attackers to run their own code on the device. The patch covers iPhones from XS and newer, multiple iPad generations, and Macs running Sequoia, Sonoma and Ventura.
Jailbreaking ChatGPT-5 Pro. A new report from Adversa AI warns that GPT-5 may not always be the one answering your queries. Instead, an internal router nicknamed Promiscuous diverts prompts to older or smaller models of GPT to save costs. Researchers found that certain words or structures in a prompt can cue the router to hand requests to these weaker models, where old jailbreak tricks still work. That means that output GPT-5 Pro would normally refuse, like offensive slurs, malware instructions or guides for hacking or drug making, could slip through again.
The thing about vulnerabilities is that they stay vulnerable. A hacking group known as Static Tundra, tied to the Russian State Security Service division responsible for hacking and digital espionage, is exploiting the seven-year-old Cisco Smart Install remote code execution vulnerability to break into networks around the world. The flaw affects Cisco IOS and IOS XE devices with the Smart Install feature. And despite patches being available for years, thousands of unpatched or end-of-life systems remain exposed. Investigators say the hackers are targeting telecom, higher education and manufacturing sectors in North America, Europe, Asia and Africa, with a special focus on Ukraine and its allies since the war began. Once inside, they harvest configuration files, alter settings to maintain backdoors, and even deploy implants like SYNful Knock for stealthy long-term access.
I'm beginning to feel like a rap bot. In Oregon, a 22-year-old was charged for building a botnet that grew large. He called it RapperBot, investigators say, and it blocked network traffic in a disruptive way. Traffic surged steady, 2 terabytes wide, peaking at 6 and overwhelming the tide. 90,000 devices were pulled into play, launching attacks on systems each day. Officials confirmed the scope was vast: from tech firms to government, none held fast. With a warrant to arrest him for his tricks, agents arrived at his house on August 6. He now faces up to 10 years for directing attacks that confirmed the fears. The lesson remains in the warnings supplied: unpatched devices leave doors open wide.
Huge thanks to our sponsor, Conveyor. It's Thursday. Have you been personally victimized by a portal security questionnaire this week? Most solutions just give you a browser extension to copy and paste answers into, still leaving hours of manual work. With Conveyor, you don't have to slog through it yourself. Just open the portal and Conveyor's AI will scroll through each page, find the questions and fill in answers for you, start to finish. See how at www.conveyor.com.
Killing me softly with ransomware. Indiana-based pharmaceutical research firm Inotiv has confirmed it was hit by a ransomware attack on August that encrypted parts of its IT systems and disrupted operations. The Qilin ransomware group has claimed responsibility, saying it stole about 176 gigabytes of data, including more than 160,000 files, and has already posted samples on its leak site. Inotiv says it has called in outside cybersecurity experts, notified law enforcement and shifted to offline processes while systems are restored. The company has not yet said how long recovery will take or whether the breach will have a material financial impact.
Sure, Joe Rogan, I'd love to be on your podcast. The Better Business Bureau warns that attackers are using fake podcast invitations to trick executives, often targeting high-profile employees with emails that look legitimate and carry professional branding. Victims are asked to join a test interview or technical check during which AI-generated voices and videos pose as podcast hosts. While the session seems routine, the attackers prompt the target to install software, grant remote access or share files, giving them the ability to exfiltrate data, harvest credentials or deploy malware. Researchers note that this method leverages common business practices, since executives are accustomed to media requests and interview preparation.
Vulnerabilities discovered in Wisconsin municipal software, much like this year's Packers defensive line. Researchers published findings of flaws in Workhorse Software Services accounting software, which is used by more than 300 municipalities in Wisconsin. One vulnerability involves storing SQL Server credentials in a plain text file on shared network folders, while the other allows creation of unencrypted database backups directly from the login screen. These issues could let attackers access complete municipal databases containing sensitive data such as Social Security numbers and financial records, and also tamper with audit trails and fiscal operations. Threat actors could use these weaknesses to commit identity theft, disrupt municipal functions or manipulate financial oversight processes.
This new clickjacking is so dumb. A new study shows that browser extension password managers can be tricked into giving up your logins with just one click. Security researcher Marek Tóth calls it a form of clickjacking, and it's the same principle. But instead of tricking you into clicking a malicious button, your click triggers invisible login fields that have been injected into the page's DOM, or Document Object Model. When that happens, the extension may think it's a real form and autofill your saved username, password, two-factor codes, even credit card details. The trick only works if the attacker is on a domain or subdomain your password manager already trusts. Tests showed that 11 major browser extension managers were vulnerable, including 1Password, Bitwarden, LastPass. So far, vendors haven't issued fixes, and the flaw does affect Chrome, Edge and other browsers.
Remember to join us this Friday for a special edition of our Week in Review show. We're celebrating the five-year anniversary of Cyber Security Headlines. We'll still be running down the top news of the week, but also reflecting on some of our favorite stories and experiences since the show debuted back in 2020. So if you can, join our livestream on the CISO Series YouTube channel this Friday at 3:30pm Eastern Time. If you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Hadas Kasorla reporting for the CISO Series. Stay alert, stay patched, stay hydrated.
A
Cyber Security Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Hadas Kasorla, CISO Series
Episode Theme:
A roundup of daily information security news highlighting Apple’s urgent zero-day patch, fresh exploits against old vulnerabilities, emerging threats in AI, ransomware attacks, and new risks in enterprise tools—all presented in an engaging and concise format.
This episode delivers urgent cybersecurity headlines, actionable insights, and memorable calls to vigilance in a fast-paced, approachable style perfect for information security teams and anyone seeking to stay updated with the latest threats.