Summary5 min read

Cyber Security Headlines – Detailed Summary

Podcast: Cyber Security Headlines
Host: CISO Series (Steve Prentiss & Rich Stroffolino)
Episode: Australia BadCandy warning, Cisco firewall attack, Aardvark eats bugs
Date: November 3, 2025

Episode Overview

This episode delivers a rapid-fire rundown of current major cybersecurity stories affecting organizations worldwide. Topics include new threats targeting Cisco devices in Australia, Chinese state-sponsored attacks on government firewalls, OpenAI’s new autonomous security agent, regulatory changes in the US telecom sector, practical security guidance from US agencies, emerging malware trends, and a major Conti ransomware extradition. The hosts maintain a concise, newsy tone, passing the mic between themselves to present headline stories with key context and impact.

Key Discussion Points & Insights

1. Australia’s ASD Warning: Bad Candy Attacks on Cisco Devices

Timestamps: 00:06–01:14

Threat: Unpatched Cisco IOS devices in Australia are being targeted using a newly discovered implant named “Bad Candy.”
Exploit: The attack leverages a CVE-rated flaw with a CVSS score of 10 – the maximum risk score.
Mechanism: Attackers gain elevated privileges by creating new accounts.
Features:
- Bad Candy is a lightweight, LUA-based web shell.
- Not persistent: It doesn’t survive reboots; however, unpatched devices remain at risk for reinfection.
Trend: The attackers can repeatedly regain access if proper patching isn’t enforced.

Notable Quote:

"It lacks a persistence mechanism, which means it cannot survive across system reboots. But if a device remains unpatched and exposed to the Internet, it's possible for the threat actor to reintroduce the malware and regain access to it."
— Steve Prentiss, 00:49

2. Chinese Hackers Exploit Cisco ASA Firewalls Globally

Timestamps: 01:14–01:48

Actors: China-based group “Storm 1849” (per Palo Alto Networks)
Targets: Cisco Adaptive Security Appliances used by governments across the US, Europe, and Asia, including defense contractors and military orgs.
Functionality at risk: Devices conduct spam filtering, antivirus, and intrusion prevention.
Timeline: Multiple organizations were attacked throughout October.

3. OpenAI’s Aardvark: GPT-5 Agent for Code Security

Timestamps: 01:48–02:36

Overview:
- OpenAI’s “Aardvark” is an autonomous agent powered by GPT-5, currently in private beta.
- Embeds into software development pipelines.
Capabilities:
- Monitors code commits and changes.
- Automatically finds and proposes fixes for code vulnerabilities.
- Creates a contextual threat model for each project before scanning for existing and potential new issues.
Technology: Utilizes large language model (LLM) reasoning for remediation.

Notable Quote:

"Aardvark analyzes a project's codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues, as well as detect new ones by scrutinizing incoming changes to the repository."
— Steve Prentiss, 02:11–02:29

4. FCC Plans Rollback of Post-Hack Cybersecurity Regulations

Timestamps: 02:36–03:30

Regulatory Backdrop: After last year’s breach of at least nine major US telecoms (linked to Chinese hackers and the theft of presidential and VP correspondence), cybersecurity rules were implemented.
Current Development: FCC now plans to remove some of these regulations.
- The initial requirement: annual network security certifications and risk management plans.
- Reason: Recent comments suggest telecoms have “voluntarily” improved security and the rule is “legally erroneous.”

Notable Quotes:

"Telecoms have already taken voluntary steps to secure their networks and that the ruling was legally erroneous."
— Steve Prentiss, 03:23

5. CISA & NSA Security Guidance for Microsoft Exchange Servers

Timestamps: 03:58–04:47

Guidance: Over a dozen recommendations, including:
- Patch and update Exchange servers regularly.
- Migrate from unsupported versions.
- Enable anti-spam/anti-malware, restrict admin access to secure workstations only.
- Apply security baselines to Exchange and Windows environments.
- Enable MFA and use OAuth 2.0 for stronger authentication.
Major Advice:
- “Decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.”

Notable Quote:

"Decommission, end of life on premises or hybrid exchange servers after transitioning to Microsoft 365."
— Rich Stroffolino, 04:38

6. Ukrainian Extradited to US Over Conti Ransomware Attacks

Timestamps: 04:47–05:32

Subject: Oleksiy Litvinenko, 43, extradited from Ireland; charged for deploying Conti ransomware.
Impact:
- Extorted over $500,000 from US victims (2020–June 2022).
- Managed victim data and ransom notes.
- Victims across nearly every US state and 24+ other countries.
Potential sentence: Up to 25 years in prison.

7. Massive Surge in NFC Relay Malware Stealing Card Data

Timestamps: 05:32–06:19

Scope:
- Over 760 malicious Android apps discovered in Eastern Europe.
- Technique: NFC relay malware exploits Android’s “host card emulation” to steal contactless payment data.
- Originated in Poland (2023), spread to Czech Republic and Russia.

Notable Quote:

"NFC malware takes advantage of Android's host card emulation to emulate or steal contactless credit cards and payment data."
— Rich Stroffolino, 05:58

8. Raisida Gang Uses Bing Ads to Deliver Malware via Teams

Timestamps: 06:19–06:54

Campaign: Began in June, continues actively.
Technique:
- Purchases Bing search ads mimicking real sites (typosquatting).
- Delivers “Oyster Loader” malware (a.k.a. Broomstick, Cleanup Loader) via fake links.
- Uses packing tools to hide malware capabilities and evade detection.
Threat Vector: Malicious Microsoft Teams ads.

Memorable Moments & Quotes

On Bad Candy reinfection:
"If a device remains unpatched and exposed to the Internet, it's possible for the threat actor to reintroduce the malware and regain access to it."
— Steve Prentiss, 00:59
On Aardvark’s approach:
"Aardvark analyzes a project's codebase to produce a threat model that it thinks best represents its security objectives and design."
— Steve Prentiss, 02:18
On the rollback of FCC regulations:
"Telecoms have already taken voluntary steps to secure their networks and that the ruling was legally erroneous."
— Steve Prentiss, 03:23
On NFC card theft:
"NFC malware takes advantage of Android's host card emulation to emulate or steal contactless credit cards and payment data."
— Rich Stroffolino, 05:58

Important Segment Timestamps

Australia Bad Candy/Cisco iOS exploit: 00:06–01:14
Chinese hacks on Cisco firewalls: 01:14–01:48
OpenAI Aardvark agent: 01:48–02:36
FCC telecom regulation rollback: 02:36–03:30
CISA/NSA Exchange Server guidance: 03:58–04:47
Conti ransomware extradition: 04:47–05:32
NFC Android malware: 05:32–06:19
Microsoft Teams malware/Bing ad campaign: 06:19–06:54

Summary

This episode underscores the dynamism and geographic breadth of current cybersecurity threats, from sophisticated state-sponsored attacks on critical infrastructure to the surge in user-targeted malware and continued legal action against ransomware operators. The tone is brisk, factual, and slightly urgent—a necessary fit for a daily, CISO-focused security news podcast.
Listeners come away with actionable awareness of urgent patch requirements, the state of enterprise defenses, and practical guidance recommended by top cybersecurity agencies.

Loading summary

Transcript67 lines

[00:00]
Host
From the CISO series. It's Cybersecurity Headlines.
[00:07]
Steve Prentiss
These are the cybersecurity headlines for Monday, November 3, 2025. I'm Steve Prentiss. Australia warns of Bad Candy attacks exploiting Cisco iOS EE the Australian Signals Directorate.
[00:24]
Rich Stroffolino
ASD is warning of cyber attacks targeting unpatched Cisco iOS devices within Australia as a result of a previously undocument implants called Bad Candy.
[00:34]
Steve Prentiss
These attacks exploit a CVE numbered flaw with a CVSS score of 10 and.
[00:39]
Rich Stroffolino
Which allows unauthenticated attackers to create an account with elevated privileges. Bad Candy is described as a low.
[00:47]
Steve Prentiss
Equity LUA based web shell.
[00:50]
Rich Stroffolino
It lacks a persistence mechanism, which means it cannot survive across system reboots. But if a device remains unpatched and exposed to the Internet, it's possible for.
[00:59]
Steve Prentiss
The threat actor to reintroduce the malware and regain access to it. End quote. Chinese hackers exploit Cisco ASA firewalls used by governments worldwide According to experts at Palo Alto Networks Unit 42, hackers from.
[01:15]
Rich Stroffolino
China based Storm 1849 are scanning for and exploiting a popular line of Cisco.
[01:21]
Steve Prentiss
Firewalls used by governments in the us, Europe and Asia. The group is targeting Cisco Adaptive security appliances, which, in addition to acting as.
[01:32]
Rich Stroffolino
Firewalls, also prevent some intrusions, handle spam, conduct antivirus checks and more, the researchers observed. Several U.S. financial institutions, defense contractors and.
[01:43]
Steve Prentiss
Military organizations attacked in this way throughout October.
[01:49]
Rich Stroffolino
OpenAI's Aardvark GPT5 agent finds and fixes code flaws automatically. This autonomous agent, currently available in private beta, works by embedding itself into the.
[02:01]
Steve Prentiss
Software development pipel, monitoring commits and changes.
[02:04]
Rich Stroffolino
To code bases, detecting security issues and how they might be exploited, and proposing.
[02:09]
Steve Prentiss
Fixes to address them using LLM based.
[02:11]
Rich Stroffolino
Reasoning and tool use. In their announcement, OpenAI also added that Aardvark analyzes a project's codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues.
[02:30]
Steve Prentiss
As well as detect new ones by scrutinizing incoming changes to the repository, end quote.
[02:37]
Rich Stroffolino
FCC plans vote to remove cyber regulations installed after theft of presidential information from.
[02:43]
Steve Prentiss
Telecoms this past week, the Federal Communications.
[02:47]
Rich Stroffolino
Commission announced plans to remove some cybersecurity regulations that had been put in place after Chinese hackers breached at least nine.
[02:54]
Steve Prentiss
Telecommunications giants to steal the correspondence of the president and vice president. Last year, Chairman Brendan Carr released a.
[03:02]
Rich Stroffolino
Statement that said the agency would reverse a declaratory ruling published in January which would have mandated telecoms to better secure their networks and submit annual certifications attesting.
[03:12]
Steve Prentiss
To the creation of a cybersecurity risk management plan. On Thursday, FCC Secretary Marlene Dorch added.
[03:20]
Rich Stroffolino
More context, saying telecoms have already taken.
[03:23]
Steve Prentiss
Voluntary steps to secure their networks and that the ruling was legally erroneous. End quote.
[03:31]
Rich Stroffolino
Huge thanks to our sponsor ThreatLocker. Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default.
[03:41]
Steve Prentiss
That's what ThreatLocker delivers as a zero.
[03:44]
Rich Stroffolino
Trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control.
[03:53]
Steve Prentiss
Don't just react to threats, stop them with ThreatLocker.
[03:58]
Rich Stroffolino
CISA and NSA share tips on securing.
[04:01]
Steve Prentiss
Microsoft Exchange servers More than a dozen.
[04:05]
Rich Stroffolino
Key security recommendations for network defenders were shared between the agencies and their partners. These included keeping servers up to date, migrating from unsupported Exchange versions, enabling emergency mitigation services, activating built in anti spam and anti malware features, restricting administrative access to authorized workstations, and implementing security baselines for both Exchange Server and Windows systems. The agencies also made recommendations around strengthening authentication by enabling MFA, leveraging OAuth 2.0.
[04:36]
Steve Prentiss
And many other procedures.
[04:39]
Rich Stroffolino
The agencies also advised network Defenders to, quote, decommission, end of life on premises or hybrid exchange servers after transitioning to Microsoft.
[04:47]
Steve Prentiss
365End Quote Ukrainian extradited to US over Conti ransomware Oleksiy Litvinenko, 43, was extradited.
[04:58]
Rich Stroffolino
From Cork, Ireland, to face charges of deploying Conti ransomware that extorted over $500,000.
[05:05]
Steve Prentiss
From U.S. victims between 2020 and June 2022.
[05:09]
Rich Stroffolino
Court filings allege that Litvinenko managed stolen Conti victim data and ransom notes. Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division said Litvinenko's activities defrauded victims in almost every.
[05:25]
Steve Prentiss
US State and from over two dozen countries worldwide. He now faces up to 25 years in prison.
[05:33]
Rich Stroffolino
Another surge of NFC relay malware steals.
[05:36]
Steve Prentiss
Europeans credit cards Related to a story.
[05:39]
Rich Stroffolino
We covered in June, mobile security firm Zimperium says near field communication NFC relay malware has grown massively popular in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal.
[05:55]
Steve Prentiss
People'S payment card information over the past few months.
[05:59]
Rich Stroffolino
NFC malware takes advantage of Android's host card emulation to emulate or steal contactless credit cards and payment data. The technique was first spotted in the wild in Poland in 2023, and this was followed by campaigns in the Czech Republic and later more massive attack waves in Russia.
[06:19]
Steve Prentiss
Raisida Pwns users with Microsoft Teams ads.
[06:24]
Rich Stroffolino
According to Aaron Walton of Expel, the prolific Ransomer gang is leveraging malicious advertisements to deliver Oyster Loader malware, also known.
[06:32]
Steve Prentiss
As Broomstick and Cleanup Loader, and this.
[06:35]
Rich Stroffolino
Campaign began in June and is continuing. It is being done by purchasing search engine ads, in this case in Bing.
[06:41]
Steve Prentiss
And driving people to spoofed typo squatted sites.
[06:45]
Rich Stroffolino
To ensure a lower detection rate by antivirus engines when victims click on the.
[06:48]
Steve Prentiss
Links, Raisida employs a packing tool to hide the malware's capabilities.
[06:55]
Rich Stroffolino
Remember, if you're in the Big Apple, you can join us on November 5th at Faircon 25 for a live recording.
[07:01]
Steve Prentiss
Of the CISO Series Podcast.
[07:03]
Rich Stroffolino
If you've never attended one of our live shows, you get the same great discussions we feature on every episode, plus fun games and a lightning Q and A. You need to register for the event, but We've got a 75% off registration.
[07:16]
Steve Prentiss
Code for our listeners.
[07:18]
Rich Stroffolino
Just head on over to the events.
[07:19]
Steve Prentiss
Page@Cisoseries.Com for more details.
[07:23]
Rich Stroffolino
Do you want to know more about the most pressing stories of the last few days in time for your weekly stand up? Join us today at 4:00pm Eastern time for the Department of no Where. Our guests will sort out the priority stories and do a deep dive on.
[07:37]
Steve Prentiss
The ones that matter the most.
[07:39]
Rich Stroffolino
And of course, we will actively involve you in the conversation.
[07:42]
Steve Prentiss
Just go to YouTube, search for CISO.
[07:44]
Rich Stroffolino
Series and look for Rich Stroffolino's smiling.
[07:47]
Steve Prentiss
Face under upcoming Live Streams.
[07:51]
Rich Stroffolino
And finally, if you have some thoughts on the news from today or about this show in general, please be sure.
[07:55]
Steve Prentiss
To reach out to us@feedbackisoseries.com we would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
[08:09]
Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.

Cyber Security Headlines – Detailed Summary

Episode Overview

Key Discussion Points & Insights

1. Australia’s ASD Warning: Bad Candy Attacks on Cisco Devices

Timestamps: 00:06–01:14

Threat: Unpatched Cisco IOS devices in Australia are being targeted using a newly discovered implant named “Bad Candy.”
Exploit: The attack leverages a CVE-rated flaw with a CVSS score of 10 – the maximum risk score.
Mechanism: Attackers gain elevated privileges by creating new accounts.
Features:
- Bad Candy is a lightweight, LUA-based web shell.
- Not persistent: It doesn’t survive reboots; however, unpatched devices remain at risk for reinfection.
Trend: The attackers can repeatedly regain access if proper patching isn’t enforced.

Notable Quote:

"It lacks a persistence mechanism, which means it cannot survive across system reboots. But if a device remains unpatched and exposed to the Internet, it's possible for the threat actor to reintroduce the malware and regain access to it."
— Steve Prentiss, 00:49

2. Chinese Hackers Exploit Cisco ASA Firewalls Globally

Timestamps: 01:14–01:48

Actors: China-based group “Storm 1849” (per Palo Alto Networks)
Targets: Cisco Adaptive Security Appliances used by governments across the US, Europe, and Asia, including defense contractors and military orgs.
Functionality at risk: Devices conduct spam filtering, antivirus, and intrusion prevention.
Timeline: Multiple organizations were attacked throughout October.

3. OpenAI’s Aardvark: GPT-5 Agent for Code Security

Timestamps: 01:48–02:36

Overview:
- OpenAI’s “Aardvark” is an autonomous agent powered by GPT-5, currently in private beta.
- Embeds into software development pipelines.
Capabilities:
- Monitors code commits and changes.
- Automatically finds and proposes fixes for code vulnerabilities.
- Creates a contextual threat model for each project before scanning for existing and potential new issues.
Technology: Utilizes large language model (LLM) reasoning for remediation.

Notable Quote:

"Aardvark analyzes a project's codebase to produce a threat model that it thinks best represents its security objectives and design. With this contextual foundation, the agent then scans its history to identify existing issues, as well as detect new ones by scrutinizing incoming changes to the repository."
— Steve Prentiss, 02:11–02:29

4. FCC Plans Rollback of Post-Hack Cybersecurity Regulations

Timestamps: 02:36–03:30

Regulatory Backdrop: After last year’s breach of at least nine major US telecoms (linked to Chinese hackers and the theft of presidential and VP correspondence), cybersecurity rules were implemented.
Current Development: FCC now plans to remove some of these regulations.
- The initial requirement: annual network security certifications and risk management plans.
- Reason: Recent comments suggest telecoms have “voluntarily” improved security and the rule is “legally erroneous.”

Notable Quotes:

"Telecoms have already taken voluntary steps to secure their networks and that the ruling was legally erroneous."
— Steve Prentiss, 03:23

5. CISA & NSA Security Guidance for Microsoft Exchange Servers

Timestamps: 03:58–04:47

Guidance: Over a dozen recommendations, including:
- Patch and update Exchange servers regularly.
- Migrate from unsupported versions.
- Enable anti-spam/anti-malware, restrict admin access to secure workstations only.
- Apply security baselines to Exchange and Windows environments.
- Enable MFA and use OAuth 2.0 for stronger authentication.
Major Advice:
- “Decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.”

Notable Quote:

"Decommission, end of life on premises or hybrid exchange servers after transitioning to Microsoft 365."
— Rich Stroffolino, 04:38

6. Ukrainian Extradited to US Over Conti Ransomware Attacks

Timestamps: 04:47–05:32

Subject: Oleksiy Litvinenko, 43, extradited from Ireland; charged for deploying Conti ransomware.
Impact:
- Extorted over $500,000 from US victims (2020–June 2022).
- Managed victim data and ransom notes.
- Victims across nearly every US state and 24+ other countries.
Potential sentence: Up to 25 years in prison.

7. Massive Surge in NFC Relay Malware Stealing Card Data

Timestamps: 05:32–06:19

Scope:
- Over 760 malicious Android apps discovered in Eastern Europe.
- Technique: NFC relay malware exploits Android’s “host card emulation” to steal contactless payment data.
- Originated in Poland (2023), spread to Czech Republic and Russia.

Notable Quote:

"NFC malware takes advantage of Android's host card emulation to emulate or steal contactless credit cards and payment data."
— Rich Stroffolino, 05:58

8. Raisida Gang Uses Bing Ads to Deliver Malware via Teams

Timestamps: 06:19–06:54

Campaign: Began in June, continues actively.
Technique:
- Purchases Bing search ads mimicking real sites (typosquatting).
- Delivers “Oyster Loader” malware (a.k.a. Broomstick, Cleanup Loader) via fake links.
- Uses packing tools to hide malware capabilities and evade detection.
Threat Vector: Malicious Microsoft Teams ads.

Memorable Moments & Quotes

On Bad Candy reinfection:
"If a device remains unpatched and exposed to the Internet, it's possible for the threat actor to reintroduce the malware and regain access to it."
— Steve Prentiss, 00:59
On Aardvark’s approach:
"Aardvark analyzes a project's codebase to produce a threat model that it thinks best represents its security objectives and design."
— Steve Prentiss, 02:18
On the rollback of FCC regulations:
"Telecoms have already taken voluntary steps to secure their networks and that the ruling was legally erroneous."
— Steve Prentiss, 03:23
On NFC card theft:
"NFC malware takes advantage of Android's host card emulation to emulate or steal contactless credit cards and payment data."
— Rich Stroffolino, 05:58

Important Segment Timestamps

Australia Bad Candy/Cisco iOS exploit: 00:06–01:14
Chinese hacks on Cisco firewalls: 01:14–01:48
OpenAI Aardvark agent: 01:48–02:36
FCC telecom regulation rollback: 02:36–03:30
CISA/NSA Exchange Server guidance: 03:58–04:47
Conti ransomware extradition: 04:47–05:32
NFC Android malware: 05:32–06:19
Microsoft Teams malware/Bing ad campaign: 06:19–06:54