
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, August 18, 2025. I'm Steve Prentiss.
Cisco warns of maximum severity defect in firewall software. According to an advisory published by the company on Thursday, this flaw affects the company's Secure Firewall Management Center software and could allow unauthenticated attackers to inject arbitrary shell commands and execute high privilege commands, end quote. The flaw was noticed during internal security testing and a patch has been released. Cisco's Product Security Incident Response Team is currently not aware of any exploitation of the vulnerability, but an update or mitigation is strongly advised.
UK's Colt Telecom suffers cyberattack. The British telecommunications network, whose name stands for City of London Telecom, provides services in 30 countries across Europe and Asia as well as in North America. A threat actor claiming to be a member of the Warlock ransomware gang claimed responsibility for the attack and had offered to sell what it says is a batch of 1 million documents allegedly stolen from Colt, asking price $200,000. The information for sale supposedly includes financial, employee, customer and executive data, internal emails and software development information. Cybersecurity researcher Kevin Beaumont is quoted by Bleeping Computer as suggesting the hacker likely gained access by, quote, exploiting a remote code execution vulnerability in Microsoft SharePoint, which has been exploited as a zero day since at least July 18 and which was addressed by Microsoft on July 21.
CISA implores OT environments to lock down critical infrastructure. The agency is seeking to get attention from companies with operational technology environments to get them to set a better cybersecurity posture, noting an increase in attacks this year, 87% year over year, according to Dragos. CISA published some new foundational guidance for OT cybersecurity that starts with the absolute basics, assume nothing and start entirely fresh with a new taxonomy-based OT asset inventory, end quote. A link to this report is available in the show notes to this episode.
Scammers use ghost tapping for retail fraud. A report released Thursday from researchers at Recorded Future's Insikt Group describes a crime technique called ghost tapping in which stolen payment card details are uploaded onto a burner phone and used in person to purchase goods. This is currently being used by Chinese organized criminal groups in Southeast Asia. The gangs first use social engineering, phishing and mobile malware to steal victims' card information and then intercept one-time passwords. The phones are then offered for sale on Telegram channels where criminal syndicates buy them and then use hired mules to make purchases with the phones. Local police are cautioning people to not enter their bank details into suspect e-commerce sites and especially to not then use one-time passwords on that same site.
Huge thanks to our sponsor Conveyor. Have you been personally victimized by portal security questionnaires? Conveyor is here to help. Endless clicks, bad navigation, and expanding questions stacked like Russian nesting dolls all add up to hours of your life that you'll never get back. With Conveyor's AI-powered browser extension, you can open a portal questionnaire, scan for questions and watch it auto-populate your answers back into the portal without the copy and the paste. See how this is done at www.conveyor.com. That is C-O-N-V-E-Y-O-R.com.
Plex makes urgent appeal to users to update their media servers. The Plex Media platform sent out a notification to some of its users on Thursday to update their media servers due to a recently patched security vulnerability. The flaw affects only certain Plex Media Server versions, but applying the update is considered urgent. The patch can be downloaded from the Plex server management page or the official downloads page.
Department of Justice seizes assets from creator of Zeppelin Ransomware. The US Department of Justice has announced the seizure of more than $2.8 million in cryptocurrency from suspected ransomware operator Yanis Alexandrovich Antropenko. He was indicted in Texas for computer fraud and money laundering and was linked to Zeppelin Ransomware, a now defunct extortion operation that ran between 2019 and 2022. This operation targeted a range of individuals, businesses and organizations worldwide, including in the US. Authorities also confiscated cash and a luxury vehicle.
Researchers get clear look at Ermac 3.0 banking Trojan. A team from Hunt IO Cybersecurity has been able to review the full source code of the Android banking Trojan Ermac 3.0. That is Ermac and just how it has evolved from Cerberus and Hook to a point where it is now impacting more than 700 banking, shopping and cryptocurrency applications. Ermac is operated by the threat actor behind the BlackRock mobile software. The leak of the Ermac 3.0 code exposed flaws like hard-coded secrets, static tokens and weak credentials. End quote. We at Cybersecurity Headlines reported on version 2.0 of Ermac back in May of 2022. Now version 3.0 supports new injection methods, a C2 command and control panel, Android backdoor, and confirmation of its status as an active malware-as-a-service platform.
New HTTP/2 vulnerability allows for denial of service attacks. According to researchers at Deepness Lab, a new attack technique called MadeYouReset could be explored to conduct powerful denial of service attacks. It bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client, and this allows an attacker to create a denial of service condition and possibly escalate into out of memory crashes. Now, having been assigned a CVE number, MadeYouReset is the latest flaw in HTTP/2 Rapid Reset and HTTP/2 Continuation Flood.
If you have some thoughts on news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headline.
Cyber Security Headlines – Episode Summary
Podcast: Cyber Security Headlines
Host: Steve Prentiss (CISO Series)
Date: August 18, 2025
Episode Theme:
A fast-paced daily roundup of key stories in cybersecurity, including high-severity product vulnerabilities, major cyberattacks, new industry reports, crime tactics, law enforcement actions, and evolving cyberthreats. This episode is tailored for professionals needing crucial updates from credible sources to inform risk management and security posture.
This episode highlights the urgency of promptly patching critical systems, maintaining vigilance in operational technology environments, tracking emerging criminal tactics, and proactively responding to new vulnerabilities across platforms from web infrastructure to mobile. The speed at which threat actors weaponize new exploits underscores the importance of up-to-date intelligence, collaboration, and continuous hygiene in enterprise security.
For full reports, interviews, and resources, visit CISOseries.com.