Cyber Security Headlines: LLM Legalese Prompts, Maryland Transit Cyberattack, Hacking into University
Podcast: Cyber Security Headlines
Host: Steve Prentiss
Date: September 2, 2025
Episode Overview
This episode delivers a brisk and incisive roundup of major cybersecurity developments as of September 2, 2025. Steve Prentiss covers inventive large language model (LLM) attacks, a high-profile government cyber incident, academic hacking, new Android malware campaigns, controversy over AI in UK social services, a novel ransomware tactic naming SentinelOne, and an international maritime disruption attributed to hacktivists. The tone remains factual and forward-looking, emphasizing both technical depth and policy implications.
Key Discussion Points & Insights
1. Legal PWN Technique: Hiding LLM Prompts in Legalese
[00:06]
- What Happened:
Researchers at Pangea report a “creative way to jailbreak LLMs”, by embedding adversarial prompts into the legalese of contract documents. - Technical Insight:
Many LLMs, especially the most widely used, struggle to distinguish user-given instructions from those concealed in ingested data (e.g., contracts). - Threat Landscape:
– Previously, prompt injection occurred via calendar entries or inline comments.
– Now evolving to complex legal text that passes by human review undetected. - Implication:
LLMs could be silently manipulated to leak data or ignore policy constraints if adversarial language passes technical and human scrutiny.
“Not all LLMs are fooled, but the most popular and heavily used ones do succumb to the prompts more readily.” — Steve Prentiss, [00:38]
2. Maryland Transit Cyberattack
[01:08]
- Incident:
The Maryland Transit Administration confirmed a cyber attack affecting “some of its operation and information systems and call centers.” - Disclosure & Scope:
– Attack reported August 25, shortly before a parallel breach was disclosed in Nevada state systems.
– Officials shared no details on the severity or type of data targeted. - Broader Trend:
Indicates an uptick in state-level attacks on critical government infrastructure.
“Representatives said hackers accessed its systems, but they did not share information on the scope of the incident.” — Steve Prentiss, [01:23]
3. Hacking into a Spanish University
[02:00]
- Incident:
Spanish police arrested a 21-year-old accused of hacking a government website to change his and friends’ academic records. - Attack Vector:
– Breach involved work accounts from 13 professors in Andalusian universities.
– Some professors were responsible for preparing entrance exams. - Significance:
Highlights risks posed by stolen PII and access to academic administration systems.
“This story highlights ways in which stolen PII does get used…” — Steve Prentiss, [02:00]
4. Android ‘Brokewell’ Malware: Fake TradingView Ads
[02:47]
- Attack:
Bitdefender researchers found hackers abusing Meta ad platforms to distribute “TradingView Premium” apps—actually delivering the Brokewell Android malware. - Technical Details:
– Malware enables info-stealing, remote monitoring, and device takeover.
– Campaign has been active since mid-July, specifically targeting mobile users. - Social Engineering:
Fake ads mirror real TradingView branding.
“The ads replicate the branding and style of Trading View, a legitimate charting and financial analysis platform and social network.” — Steve Prentiss, [03:08]
5. Palantir AI Contract in UK Social Services
[04:04]
- Development:
Coventry City Council (UK) signs a £500,000-a-year contract with Palantir to use AI for social service case note transcription and records summarizing, amid vocal concern. - Controversy:
– Palantir involvement in military and government activities fuels mistrust.
– The system will be used for children with special educational needs.
– Broader expansion, including law enforcement and NHS, creates ethical questions. - Concerns:
Local officials are wary both of the technology’s impact and the supplier’s history.
“A number of councillors and other officials have raised concerns about the technology itself, as well as with this particular supplier.” — Steve Prentiss, [05:02]
6. Cephalis Ransomware Spoofs SentinelOne
[05:26]
- Malware Mechanics:
Cephalis ransomware targets organizations by exploiting unsecured RDP accounts (lacking MFA). - Attack Vector:
– Drops a real SentinelOne executable in the downloads folder.
– Tricks the legitimate program into sideloading a malicious DLL that launches the ransomware.
– Deletes Windows Shadow Copies, disables Defender, preempting recovery. - Targets:
Law firms, healthcare, finance, governmental and IT firms in the US and Japan.
“Cephalis breaks in by leveraging Remote Desktop Protocol accounts that have not been secured with multi factor authentication…” — Steve Prentiss, [05:30]
7. Hackers Disrupt Iranian Ship Communications
[06:26]
- Incident:
The hacking group “Lab Duktegan” disrupted communications for 60 Iranian ships (tankers and cargo) via an attack on satellite communications provider FNAVA. - Tactics:
– Disabled central system (Falcon) and wiped core data, leaving ships unable to communicate.
– Known for prior doxxing of Iranian state hackers (APT34). - Impact:
Demonstrates capabilities of non-state actors in critical infrastructure attacks.
“The group's name? Lab Duktegan is a translation from Farsi meaning sewn lips or closed lips.” — Steve Prentiss, [07:12]
Notable Quotes
-
On LLM Security Gaps:
“Not all LLMs are fooled, but the most popular and heavily used ones do succumb to the prompts more readily.” — Steve Prentiss, [00:38] -
On Government Breach Disclosure:
“Representatives said hackers accessed its systems, but they did not share information on the scope of the incident.” — Steve Prentiss, [01:23] -
On Classroom Hacking:
“This story highlights ways in which stolen PII does get used…” — Steve Prentiss, [02:00] -
About Fake TradingView Ad Campaigns:
“The ads replicate the branding and style of Trading View, a legitimate charting and financial analysis platform and social network.” — Steve Prentiss, [03:08] -
About Palantir's Role in UK Public Sector:
“A number of councillors and other officials have raised concerns about the technology itself, as well as with this particular supplier.” — Steve Prentiss, [05:02] -
On Cephalis Ransomware’s Infection Path:
“Cephalis breaks in by leveraging Remote Desktop Protocol accounts that have not been secured with multi factor authentication…” — Steve Prentiss, [05:30] -
Regarding Lab Duktegan:
“The group's name? Lab Duktegan is a translation from Farsi meaning sewn lips or closed lips.” — Steve Prentiss, [07:12]
Important Timestamps
- 00:06 — Start of news stories
- 00:38 — LLM prompt injection via contract legalese
- 01:08 — Maryland Transit cyberattack
- 02:00 — University exam grade hacking in Spain
- 02:47 — Brokewell Android malware in fake TradingView ads
- 04:04 — Palantir AI controversy in Coventry social services
- 05:26 — Cephalis ransomware spoofs SentinelOne
- 06:26 — Iranian ships' comms disrupted by Lab Duktegan
Final Notes
- The episode underscores the creative evolution of cyber attack vectors—from AI prompt manipulation and social engineering to critical infrastructure sabotage.
- The host’s neutral, concise tone keeps focus on factual reporting while isolating the most crucial, high-impact developments.
- For deeper dives, listeners are encouraged to visit CISOseries.com for full story coverage.