
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, September 29, 2025. I'm Steve Prentiss.
Dutch teenagers arrested for attempted espionage for Russia
Two teenagers were arrested by Dutch police on Monday, according to the Dutch newspaper De Telegraaf. The teens used a Wi-Fi sniffer device near the offices of the European law enforcement agency Europol, as well as those of Eurojust, the Union Agency for Criminal Justice Cooperation, and the Canadian Embassy in The Hague. There are no signs of compromise on any of the agencies' systems. The boys were allegedly recruited over Telegram and were arrested following a tip from the country's intelligence service. Bleeping Computer adds that this case marks an escalation to lower-level recruitment cases seen elsewhere in Europe, for example, in Germany, where young people were paid by Russian agents to perform acts of vandalism and sabotage on critical infrastructure.
Department of Defense announces replacement for risk management framework
The DoD has unveiled a new five-phase framework for assessing cyber risks on its networks. Named the Cybersecurity Risk Management Construct, it has been designed to replace the older risk management framework, which is being described now as overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements, a statement from the Department says. The CSRMC addresses these gaps by shifting from snapshot-in-time assessments to dynamic, automated and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare. A layout of its five-phase life cycle plus further details is available as a link to the report in the show notes to this episode.
Fake Microsoft Teams installers deliver Oyster malware
Hackers have been using SEO poisoning and search engine advertisements, also called malvertising, to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks. Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has since been linked to multiple campaigns, providing attackers with remote access to infected devices, allowing them to execute commands, deploy additional payloads and transfer files. Organized ransomware operations like Rhysida have also used the malware to breach corporate networks.
Huge thanks to our sponsor, Nudge Security. Here's the thing: your employees are signing up for new apps, sharing data and connecting tools together, often without anyone knowing. And AI adoption is accelerating this trend. What if you could continuously discover when people start using new apps or sharing data and then prompt them with security guidance right when and where they are working? At Nudge Security, they call that securing the workforce edge. Instead of trying to control everything, which, let's face it, is impossible, they give IT and security teams the visibility needed and automation to guide employees towards secure behaviors. The result? Your workforce stays productive, your data stays secure, and you can finally get some sleep at night. Learn more at nudgesecurity.com/workforceedge. That is nudgesecurity, as one word, .com/workforceedge, also as one word.
Union County, Ohio suffers cyberattack
In this most recently announced local government attack, hackers stole data including Social Security numbers, financial information, driver's license numbers, fingerprint data, medical information and passport numbers. The attack occurred on May 18 and impacts around 45,000 people. No ransomware gang has yet taken credit for the attack.
Experts express concern over maximum severity GoAnywhere defect
Following up on a story we covered last week, cybersecurity experts are voicing concern over a maximum severity flaw in Fortra's GoAnywhere MFT file transfer service. While Fortra claims it found the vulnerability during a September 11 security check and has not confirmed active exploitation, researchers at watchTowr say they have credible evidence of attacks dating back to September 10th. The conflicting accounts highlight ongoing challenges in vulnerability disclosure, especially when vendors downplay severity or exploitation status. Fortra's advisory, criticized for lacking clarity, was later updated with indicators of compromise and stack traces that suggested impacted customers could confirm if their systems had been breached.
UK Prime Minister to unveil digital ID cards
Keir Starmer is set to announce plans requiring all working adults to hold digital ID cards, dubbed Brit Cards, as part of efforts to curb illegal migration. The proposal, which would need new legislation, has already drawn criticism from civil liberties and privacy groups. Number 10 Downing Street, the official prime minister's residence, argues the measure is essential to ensure that only those with legal rights can work, suggesting public opinion has shifted since Tony Blair's abandoned ID card initiative back in 2000.
Cisco warns of ASA zero-day duo under attack
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance software and Cisco Secure Firewall Threat Defense software, which it said have been exploited in the wild. These zero-day vulnerabilities have CVE numbers and have CVSS scores of 9.9 and 6.5, respectively. Cisco said it is aware of attempted exploitation of both vulnerabilities, but did not reveal who may be behind them or how widespread these attacks are, end quote.
If you want to help make some great content for the CISO Series, we've got a great way for you to participate. We need our listeners, that is, you, to fill out a quick five-question survey. These are Family Feud-style questions and your responses will be used for an upcoming live event. If you've got an extra minute, head on over to cisoseries.com/participate to fill it out. And if you are in the Houston area, be sure to join the CISO Series team at a meetup tonight at Frost Town Brewing. We will be there for HOU.SEC.CON the next day. So if you're in town, be sure to say hi to David Spark and the rest of the team. Head on over to cisoseries.com/events for details. And finally, of course, if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
B
It.
Podcast: Cyber Security Headlines (CISO Series)
Episode Date: September 29, 2025
Host: Steve Prentiss
Main Theme:
A fast-paced round-up of the day’s top cyber security stories, ranging from international espionage and government risk management frameworks to the latest threats facing businesses and updates on major software vulnerabilities.
On the shift in government frameworks:
"Shifting from snapshot-in-time assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance..." – Steve Prentiss [02:10]
On malvertising trends:
"Hackers have been using SEO poisoning and search engine advertisements, also called malvertising, to promote fake Microsoft Teams installers that infect Windows devices..." – Steve Prentiss [02:44]
On digital privacy concerns:
"The proposal...has already drawn criticism from civil liberties and privacy groups." – Steve Prentiss [06:17]
This episode delivers a densely packed update on international espionage activity, evolving government and enterprise cybersecurity frameworks, ongoing cyber threats—including malware and ransomware campaigns—and highlights critical vulnerabilities impacting organizations worldwide. Steve Prentiss maintains a clear, concise, and slightly urgent tone, emphasizing both breaking news and deeper trends in cyber risk and policy.