Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, November 7, 2025. I'm Steve Prentice.

Hackers use Windows Hyper-V to evade EDR detection
According to a new report from Bitdefender, a threat actor group known as Curly Comrades has been seen exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. The group has apparently enabled the Hyper-V role on selected victim systems to deploy a minimalistic Alpine Linux-based virtual machine. This allows them to deploy their custom reverse shell, called CurlyShell, and a reverse proxy called CurlCat. The activity and victims appear to be centered in the country of Georgia in the South Caucasus.

Critical Cisco UCCX flaw lets attackers run commands as root
Cisco has released security updates to patch this vulnerability, which has a CVE number and exists within the Unified Contact Center Express (UCCX) software, and which could enable attackers to execute commands with root privileges. Cisco describes its UCCX platform as a "contact center in a box," a software solution for managing customer interactions in call centers supporting up to 400 agents. In a security bulletin released Wednesday, Cisco attributed the vulnerability to "improper authentication mechanisms associated to specific Cisco Unified CCX features."

Poland reports three major cyber attacks
Authorities in Poland are looking into a series of recent cyber attacks, which Digital Affairs Minister Krzysztof Gawkowski says are now a daily occurrence. The three largest in this recent spate focused on the online loan platform SuperGrosz, which confirmed the theft of PII belonging to at least 10,000 customers; a DDoS attack on Poland's payment infrastructure, briefly disrupting BLIK, which is the country's leading mobile payment system used for instant transfers and cash withdrawals; and finally Nowa Itaka, which is Poland's largest travel agency. There is no official confirmation that these incidents are linked, but Gawkowski attributed the attack on BLIK as coming from r

The Louvre's video security password was reportedly "Louvre"
Analysis of one of the most brazen museum robberies in history, the theft of the French crown jewels from the Galerie d'Apollon at the Louvre Museum in Paris, shows that the museum has endured lax security measures that go back many years. The password for the video surveillance system, for example, was "Louvre" (L-O-U-V-R-E), according to a security audit performed in 2014. Key parts of its security software were more than two decades old, and many are now unsupported by their developer. These specific examples may not have been directly involved in last month's jewel heist, but they represent significant delays and omissions in updating and expanding the museum's security across video, locations and, of course, technology. The director of the Louvre, Laurence des Cars, had struggled for years to obtain necessary upgrades. She tendered her resignation following the theft, but France's culture minister, Rachida Dati, refused it.

Huge thanks to our sponsor, ThreatLocker
Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default. That's what ThreatLocker delivers as a zero trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don't just react to threats, stop them with ThreatLocker.

The most common passwords for 2025? You already know them.
A new report from research company Comparitech shows that among the top 100 most used passwords of 2025, eight out of the top 10 are variations of "123456", with the other two being "password" and "admin". In fact, variations of these three together pretty much occupy the entire 100, along with "gin" (G-I-N, just like the alcohol), a row of ten 8s, "root", "India123" and "Minecraft". Comparitech's consumer privacy advocate Paul Bischoff said in an email interview with The Register that companies that do not enforce good password techniques represent the most pressing problem.

SonicWall attributes attack on customer portal to undisclosed nation state
Mandiant has now concluded its investigation into the October brute-force attack that exposed firewall configuration files of every SonicWall customer who used the company's cloud backup service. SonicWall itself is placing blame on an undisclosed nation state that gained access to the cloud backup files using an API call, CEO Bob VanKirk said in a video published alongside the update. There was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system. However, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop that those files contain a treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.

EU Parliament votes to advance controversial Europol data sharing proposal
On Tuesday, lawmakers in the European Union's Parliament voted to move ahead with a proposal that would allow Europol to expand data sharing and biometric data collection to fight human trafficking and migrant smuggling. This proposal will now be subject to a full plenary vote later this month. The proposal expands data sharing between national governments and Europol and allows for more substantial processing of biometric data.

Sandworm hackers use data wipers to disrupt Ukraine's grain sector
In an ongoing story, Russian hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government and grain sectors, the last of which is the country's main revenue source. According to ESET, these attacks occurred in June and September and are a continuation of Sandworm's destructive campaign against Ukraine. Unlike ransomware, where the data is typically stolen and then encrypted, wiper malware is used purely in sabotage operations.

Do you want to know more about the most pressing stories of the last few days in time for your weekly stand-up? Join us on Monday at 4pm Eastern Time for the Department of No Where. Our guests will sort out the priority stories and do a deep dive on the ones that matter the most. And of course, we will actively involve you in the conversation. Just go to YouTube, search for CISO Series and look for Rich Stroffolino's smiling face under upcoming live streams. And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
