
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, September 19, 2025. I'm Steve Prentiss.

Google patches sixth Chrome zero-day exploited in attacks this year. Emergency security updates were released to patch this sixth one, which has been active since the start of the year. The zero-day vulnerability in question has a CVE number and has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. The company did not specify whether this security flaw is still being actively abused in the wild, but stated that it has a public exploit, a common indicator of active exploitation. This is according to reporting from Google's Threat Analysis Group on Tuesday.

Microsoft to force install the Microsoft 365 Copilot app in October. This installation will occur on Windows devices that are outside the European Economic Area and that have the Microsoft 365 desktop client apps. The company is advising admins to notify their organization's help desk teams and users before the app is forcibly installed on their devices to reduce confusion and support requests. The app will be added to the Windows Start menu and will be enabled by default. Admins will be able to opt out in the app's admin center.

Two more Scattered Spider teen suspects arrested. These individuals have been arrested in relation to the Transport for London cyber attack that occurred in September of last year. The two individuals, aged 18 and 19, faced charges under the Computer Misuse Act, and Britain's National Crime Agency also stated that the elder of the two may also have been involved in attempted attacks against US healthcare companies SSM Healthcare Corporation and Sutter Health.

ChatGPT targeted in server side data theft attack. According to researchers at web security company Radware, a service side data theft attack dubbed ShadowLeak, quote, targeted ChatGPT's Deep Research capability, which is designed to conduct multi-step research for complex tasks, end quote. This attack did not require any user interaction. It simply sent a specially crafted email that instructed the Deep Research agent to silently collect valuable data and send it back to the attacker. OpenAI neutralized ShadowLeak after having been notified by Radware.

Huge thanks to our sponsor, Drata. Leading security teams trust SafeBase by Drata to turn trust into a growth engine. Their enterprise-grade Trust Center puts your security posture in one secure, customer-facing portal, giving buyers instant visibility into your company's continuous controls, certifications and policies with AI-powered questionnaire assistance. Blast through inbound security questionnaires in minutes instead of days, automate cross-functional workflows and eliminate friction. That means less manual work and faster deal cycles. Win with trust. Learn more at SafeBase.io, that is S-A-F-E-B-A-S-E.io.

WatchGuard warns of critical vulnerability in Firebox firewalls. The company has released security updates to address a remote code execution vulnerability impacting the company's Firebox firewalls. The CVE-numbered flaw is a critical security flaw caused by an out-of-bounds write weakness that can allow attackers to execute malicious code remotely on vulnerable devices following successful exploitation. It affects firewalls running Fireware OS 11.x and some in the 12 series. While Firebox firewalls are only vulnerable to attacks if they are configured to use a specific VPN, WatchGuard said that they may still be at risk of compromise if a branch office VPN to a static gateway peer is still configured, end quote.

Russian ransomware versatility grows through multi-version malware loader. Researchers at Silent Push have identified a new malware loader called CountLoader being used by Russian ransomware gangs to deliver tools like Cobalt Strike, AdaptixC2 and the PureHVNC RAT. The researchers say it is deployed either by initial access brokers or ransomware affiliates linked to LockBit, Black Basta and Qilin. The malware exists in three forms, .NET, PowerShell and JavaScript, and has been seen in phishing campaigns targeting Ukrainians with fake PDFs impersonating the National Police of Ukraine.

Cloudflare explains self-own in September 12 outage. Following up on this Cloudflare outage, the company has now admitted that a coding error using a React useEffect hook caused the outage for the platform's dashboard and many of its APIs. The outage lasted for over an hour and was triggered by a bug in the dashboard, which caused repeated unnecessary calls to the tenant service API, and one of the dependencies was recreated on every state or prop change. The consequence was that the hook ran repeatedly during a single render of the dashboard, when it was only intended to run once. The function ran so often that the API was overloaded, causing the outage. According to The Register, this caused the company to DDoS itself.

Google's huge new UK data center comes with large carbon footprint. A topic we don't talk much about in the world of cybersecurity and data, but one that still exists, is the amount of CO2 that data centers produce, a number destined to increase significantly as AI becomes more ubiquitous. This issue came back to light this week with the announcement of a new Google data center in the English county of Essex. It is expected to emit more than half a million tons of carbon dioxide a year, equivalent to about 500 short-haul flights per week. This according to planning documents. Named the Thurrock Hyperscale Data Center, it will cover 128 acres and will be just one of many huge computer and AI power plants if it secures planning consent from the government.

If you want to help make some great content for the CISO Series, we've got a great way for you to participate. We need our listeners to fill out a quick five-question survey. They are Family Feud style questions and your responses will be used for an upcoming live event. If you've got an extra minute, head on over to cisoseries.com participate, and if you're in the Houston area, be sure to join us for our next CISO Series meetup. We'll be at Frost Town Brewing on September 29th starting at 3pm. Come on down to network with some fellow CISO Series fans, meet the CISO Series team and get some free food and drink. Head on over to our events page at cisoseries.com for more details. And at 3:30pm Eastern today we have our Week in Review show. Jack Kufal, CISO at Michigan Medicine, and Nick Espinosa, host of the Deep Dive Radio show, will be our guests providing their expert commentary on the news of the week. To join us live and include your own comments, head on over once again to the events page at cisoseries.com. And finally, of course, if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us by email, feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss (CISO Series)
Episode Focus:
This episode delivers concise updates on the latest cybersecurity incidents and trends, including Google patching a critical Chrome zero-day, Microsoft forcing installation of its Copilot app, notable arrests in the Scattered Spider hacking group, and broader topics related to data privacy, infrastructure vulnerabilities, and the environmental impact of cloud computing.
“Emergency security updates were released to patch this sixth one, which has been active since the start of the year.” – Steve Prentiss [00:08]
“The company is advising admins to notify their organization’s help desk teams and users before the app is forcibly installed on their devices to reduce confusion and support requests.” – Steve Prentiss [00:34]
“The elder of the two may also have been involved in attempted attacks against US healthcare companies.” – Steve Prentiss [01:06]
“It simply sent a specially crafted email that instructed the Deep Research agent to silently collect valuable data and send it back to the attacker.” – Steve Prentiss [01:39]
“While Firebox firewalls are only vulnerable…if they are configured to use a specific VPN, WatchGuard said that they may still be at risk of compromise if a branch office VPN to a static gateway peer is still configured.” – Steve Prentiss [03:15]
“Researchers say it is deployed either by initial access brokers or ransomware affiliates linked to LockBit…Black Basta, and Qilin.” – Steve Prentiss [03:57]
useEffect hook.
“The consequence was that the hook ran repeatedly during a single render…the function ran so often that the API was overloaded, causing the outage.” – Steve Prentiss [04:38]
“…the company to DDoS itself.” – Steve Prentiss [05:02]
“A topic we don’t talk much about in the world of cybersecurity and data but one that still exists is the amount of CO₂ that data centers produce…” – Steve Prentiss [05:19]
This episode brings essential news for cybersecurity professionals, highlighting new vulnerabilities, law enforcement actions, and emerging trends in malware and infrastructure risks.
For full details and extended articles, listeners are directed to visit CISOseries.com.