
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, September 15, 2025. I'm Steve Prentiss.

ShinyHunters hits Vietnam National Credit Information Center. The attack was confirmed by the Vietnam Cyber Emergency Response Team, and Resecurity's HUNTER team was able to acquire samples of leaked data, much of which is connected to other financial institutions in Vietnam. This attack is believed to be an exploit of an n-day vulnerability. Quote, a known but unpatched flaw in end-of-life software used by the Credit Information Center. Because the software was no longer supported, no security patches were available, leaving the system especially vulnerable. End quote. ShinyHunters did not extort the bank, but simply listed the data for sale on a dark web forum.

HybridPetya is a Petya/NotPetya copycat with UEFI Secure Boot bypass. According to a post in WeLiveSecurity from ESET Research, HybridPetya, in addition to being a copycat, now adds the capability of compromising UEFI-based systems and weaponizing a CVE-numbered flaw to bypass UEFI Secure Boot on outdated systems. This new ransomware was uploaded to VirusTotal this past February and encrypts the master file table, which contains important metadata about all the files on NTFS-formatted partitions. ESET has seen no signs of HybridPetya being used in the wild yet and says it does not exhibit the aggressive network propagation seen in the original NotPetya.

CISA officials call on lawmakers to extend cyber information sharing law. A top CISA official, Nick Anderson, CISA's executive assistant director for cybersecurity, speaking at the Billington Cybersecurity Summit in Washington, says he is urging Congress to renew the 2015 Cybersecurity Information Sharing Act before it expires on September 30. The law encourages private companies to voluntarily share threat intelligence with the government.
Renewal legislation has advanced in the House but has yet to reach a full vote, while the Senate is only beginning to circulate its own version, led by Homeland Security Committee Chair Rand Paul. With limited time left, lawmakers may extend the measure temporarily by attaching it to a short-term government funding bill to prevent disruption.

Great Firewall suffers its biggest leak ever. On September 11, researchers confirmed that more than 500 gigabytes of internal documents, source code, work logs and internal communications from the so-called Great Firewall were dumped online, including packaging repos and operational runbooks used to build and maintain China's national traffic filtering system. End quote. This leak exposed details of Tiangou, a commercial censorship platform developed by Chinese firm Geedge. Originally built on HP and Dell servers and later on Chinese hardware, Tiangou functions as a turnkey Great Firewall in a box. Deployment records show it was installed across 26 data centers in Myanmar, capable of handling 81 million simultaneous TCP connections and integrated at national exchange points for large-scale blocking and filtering. Additional reporting by Wired and Amnesty International reveals exports to Pakistan, Ethiopia and Kazakhstan, where it supports mass surveillance and lawful intercept systems.

Huge thanks to our sponsor, Drata. Leading security teams trust SafeBase by Drata to turn trust into a growth engine. Their enterprise-grade Trust Center puts your security posture in one secure, customer-facing portal, giving buyers instant visibility into your company's continuous controls, certifications and policies. With AI-powered questionnaire assistance, blast through inbound security questionnaires in minutes instead of days, automate cross-functional workflows and eliminate friction. This means less manual work and faster deal cycles. Win with trust.
Learn more at safebase.io, that is S-A-F-E-B-A-S-E.io.

Cyber attacks against schools driven by a rise in student hackers, say UK agencies. The United Kingdom's Information Commissioner's Office, ICO, warned on Thursday that student hackers motivated by dares are driving an increasing number of cyber attacks and data breaches affecting schools. End quote. The agency said it identified, quote, a worrying pattern in the 215 insider threat breach reports from the education sector between January 2022 and August 2024, with 57% of incidents caused by students who are likely motivated by dares, notoriety, financial gain, revenge and rivalries. The UK's National Crime Agency believes that one out of every five children in Britain aged between 10 and 16 has engaged in illegal activity online. The 215 breaches described by the ICO in the education sector were caused by what was described as poor data protection practices, including staff accessing data without a legitimate need, by devices being left unattended or by students being allowed to use staff devices. End quote.

French tech company reveals critical vulnerability. CISA has issued a warning regarding the ongoing exploitation of a critical remote code execution flaw in DELMIA Apriso, which is a joint manufacturing operations management and manufacturing execution solution from the French company Dassault, that is D-A-S-S-A-U-L-T. The vulnerability has a CVE number and a critical severity score of 9.0. Enterprises across a wide range of industries around the world use DELMIA Apriso to schedule production, for quality management, to allocate resources, to deal with warehouse management and for integration between production equipment and business applications.
End quote.

FBI issues Flash Alert regarding Salesforce gangs. The Flash Alert is intended to disseminate indicators of compromise associated with the recent malicious cyber activities by cybercriminal groups UNC6040 and UNC6395, which are responsible for a rising number of data theft and extortion intrusions. End quote. These groups have been behind the numerous Salesforce-related scams that have occurred this year. The FBI, quote, advises organizations to strengthen defenses against cybercriminals targeting Salesforce and other systems. Recommended measures include training call center staff to recognize phishing attempts, enforcing MFA and applying the principle of least privilege with AAA systems to limit user actions, and to investigate and vet indicators prior to taking action such as blocking. End quote.

CISA seeks control over CVE. CISA has published a two-page summary of its vision for the future of the CVE. According to Nicholas Anderson, CISA's new executive assistant director for cybersecurity, the CVE's desire, through its Board of Directors, to, quote, transition to a nonprofit entity with true international coordination, rigorous and transparent governance, and multiple funding sources from public, private and nonprofit organizations, end quote, does not sit well with CISA, which foresees conflicts of interest with that model. This, he says, quote, reinforces the need for CISA to take a more active role in the long-term stewardship of the CVE program, end quote.

If you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Steve Prentiss (CISO Series)
Date: September 15, 2025
Episode Theme:
A rapid-fire breakdown of the day’s most critical cyber security events, focusing on global data breaches, the evolution of ransomware, major policy discussions, and notable vulnerability disclosures. The episode delivers headline news with expert context, drawing attention to the intersection of technology gaps, national concerns, and policy debates.
“A known but unpatched flaw in end-of-life software used by the Credit Information Center. Because the software was no longer supported, no security patches were available, leaving the system especially vulnerable.”
— Steve Prentiss [00:23]
“HybridPetya, in addition to being a copycat, now adds the capability of compromising UEFI-based systems and weaponizing a CVE-numbered flaw to bypass UEFI Secure Boot.”
— Steve Prentiss [01:09]
“He is urging Congress to renew the 2015 Cybersecurity Information Sharing Act before it expires on September 30. The law encourages private companies to voluntarily share threat intelligence with the government.”
— Steve Prentiss [02:02]
“This leak exposed details of Tiangou, a commercial censorship platform developed by Chinese firm Geedge.”
— Steve Prentiss [03:08]
“…a worrying pattern in the 215 insider threat breach reports from the education sector…with 57% of incidents caused by students who are likely motivated by dares, notoriety, financial gain, revenge and rivalries.”
— Steve Prentiss [04:02]
“CISA has issued a warning regarding the ongoing exploitation of a critical remote code execution flaw in DELMIA Apriso…”
— Steve Prentiss [05:04]
“The FBI advises organizations to strengthen defenses against cybercriminals targeting Salesforce and other systems.”
— Steve Prentiss [06:05]
“This, he says, ‘reinforces the need for CISA to take a more active role in the long-term stewardship of the CVE program.’”
— Steve Prentiss [07:02]
On End of Life Vulnerabilities:
“…Because the software was no longer supported, no security patches were available, leaving the system especially vulnerable.”
— Steve Prentiss [00:32]
On Student-Driven School Attacks:
“…One out of every five children in Britain aged between 10 and 16 has engaged in illegal activity online.”
— Steve Prentiss [04:47]
The episode maintains a succinct, consequence-oriented tone, blending urgent calls to action for practitioners with concise, accessible descriptions suitable for tech and security professionals as well as informed members of the public. Steve Prentiss’s delivery is factual and direct, prioritizing actionable intelligence over sensationalism.
For full articles and further deep dives, visit CISOseries.com.