Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Wednesday, September 3, 2025. I'm Sarah Lane.

"2.5 billion Gmail users at risk" entirely false, says Google. Google dismissed claims that 2.5 billion Gmail users were at risk from a major attack, calling them entirely false. The rumors seem to have stemmed from a Salesforce-related breach tied to ShinyHunters, which led to phishing and vishing attacks. But Google says Gmail itself was never compromised, adding that its protections block 99.9% of such threats and urging users to remain vigilant against scams.

Cloudflare blocks largest recorded DDoS attack, peaking at 11.5 terabits per second. Cloudflare says it blocked the largest DDoS attack ever recorded, which peaked at 11.5 terabits per second in a short-lived UDP flood largely originating from Google Cloud. The company noted it has fended off hundreds of hypervolumetric attacks in recent weeks, following previous records of 7.3 terabits per second in June and 3.8 in 2024. Cloudflare reported a sharp rise in DDoS activity overall, with network layer attacks up more than 500% year over year.

Jaguar Land Rover says cyber attack severely disrupted production. Jaguar Land Rover says a cyber attack severely disrupted its production and retail systems, forcing the company to shut down operations at sites including its Solihull plant in the UK. The automaker stressed there is no evidence that customer data was stolen and it is working to restore systems, but offered no timeline or details on the type of attack.

Amazon stymies APT29 credential theft campaign. Amazon says it disrupted a credential theft campaign by a Russian state-linked group behind the SolarWinds hack. Attackers compromised legitimate websites to redirect visitors to fake Cloudflare verification pages, exploiting Microsoft's device code authentication flow to gain account access.
The campaign used obfuscation and selective targeting to avoid detection, but Amazon tracked and dismantled its infrastructure, urging organizations to review Microsoft's guidance and restrict device authentication if not needed.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's threatlocker.com/CISO.

CISA taps Nicholas Anderson for Executive Assistant Director of Cybersecurity. Nicholas Anderson has been appointed Executive Assistant Director of Cybersecurity at CISA, safeguarding federal networks and critical infrastructure. Anderson previously served in the Department of Energy during the current US President's first term and was most recently president and COO of Invictus International Consulting. CISA officials say his government and private sector experience will help strengthen engagement with infrastructure partners.

JSON config file leaks Azure Active Directory credentials. A misconfigured appsettings.json file in ASP.NET Core exposed Azure Active Directory credentials, letting potential attackers access through Microsoft's OAuth 2.0 endpoints. With these secrets, attackers could steal data, escalate privileges or deploy malicious apps. Experts say the case underscores ongoing risks from cloud misconfigurations and hard-coded secrets.

Pennsylvania AG says recovery continues after office refused to pay ransomware gang. Pennsylvania Attorney General David Sunday said that his office has largely restored operations after a ransomware attack on August 11, rejecting calls to pay the ransom. While some court cases were delayed, he confirmed prosecutions and investigations aren't expected to be affected.
The attack was linked to Citrix Bleed 2 vulnerabilities and looks like a broader trend of ransomware targeting state and local governments.

Sangoma patches critical zero day exploited to hack FreePBX servers. Sangoma released emergency patches for a critical zero day in FreePBX that allowed attackers to access the admin panel, manipulate databases and execute code remotely. The flaw has been exploited in the wild since August 21, affecting versions 15 through 17 and stemming from insufficient sanitization of user-supplied data. CISA added this to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch it by September 19th. Sangoma provided IOCs and mitigation guidance.

Remember to join us this Friday for our Week in Review show. Each week we bring on a security leader to give us their take on the biggest cybersecurity news stories. This week, Rich Stroffolino will be joined by Ray Espinosa from Elite Technology. Plus, we'll have a lively chat where you can hang out, have some fun and share your thoughts. We'd love to see you this Friday, 3:30pm Eastern Time for the show. Subscribe to the CISO Series YouTube channel to find it or go to our events page at cisoseries.com. And if you have thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I am Sarah Lane reporting for the CISO Series, and I want you to stay classy.
