
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, October 3, 2025. I'm Steve Prentice.

Government shutdown furloughs most CISA staff
Only about 35% of the agency's staff now remain active, and agency spokesperson Marcy McCarthy has stated that while a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions. CISA says more staff can be recalled in the event of an emergency.

Microsoft Defender bug triggers erroneous BIOS update alerts
Microsoft is working to resolve a bug that causes Defender for Endpoint to incorrectly tag some devices' BIOS firmware as outdated, prompting users to update it. The company posted a service alert that said, quote, this known issue affects Dell services and is caused by a Defender for Endpoint logic bug, end quote. A fix is on the way, but Microsoft has not yet said how many users may be impacted by these ongoing Defender XDR issues and in what regions.

Raid on Red Hat repos jeopardizes sensitive customer files
According to The Register, a group calling itself the Crimson Collective claims to have broken into Red Hat's private GitHub repositories, exfiltrating some 570 GB of compressed data. This includes sensitive documents belonging to customers. The group announced on Telegram that it accessed more than 28,000 internal repos and stole hundreds of customer engagement reports, known as CERs. These reports usually contain architecture diagrams, configuration details, authentication tokens, network maps, and are effectively a blueprint of a customer's IT environment. The group has already published file listings and has shared samples online.

Motility RV software company suffers cyberattack
The company, which makes software for dealers who sell RVs, buses, boats and other large vehicles, warned customers Wednesday of a data security incident that was discovered on August 19. The company describes this as a ransomware attack in which their servers were encrypted, the company's business operations were impacted, and personal information of more than 760,000 people was stolen. A claim of responsibility has been made by the PEAR ransomware gang, that is P-E-A-R, which also attacked Motility's parent company Reynolds and Reynolds a few weeks ago.

Huge thanks to our sponsor, Nudge Security. Here's the thing. Your employees are signing up for new apps, sharing data and connecting tools together, often without anyone knowing, and AI adoption is accelerating this trend. What if you could continuously discover when people start using new apps or sharing data and then prompt them with security guidance right when and where they are working? At Nudge Security, they call that securing the workforce edge. Instead of trying to control everything, which, let's face it, is impossible, they give IT and security teams the visibility they need and automation to guide employees towards secure behaviors. The result? Your workforce stays productive, your data stays secure, and you can finally get some sleep at night. Learn more at nudgesecurity.com workforce edge. That is nudgesecurity, as one word, dot com, workforce edge, also as one word.

Executive extortion attempt uses data allegedly stolen through Oracle tool
Incident responders at Mandiant and Google Threat Intelligence Group have released a warning about hackers possibly connected to the Clop ransomware gang who are attempting to extort corporate executives by threatening to leak sensitive information that they claim was stolen through the Oracle E-Business Suite. This is a platform that contains several applications to manage a company's finance, human resources and supply chain functions. The threat actors have already sent extortion emails to executives at numerous organizations, but Mandiant would not say how many companies may have been impacted or what information might have been stolen.

No more SVG images for Outlook
Microsoft has announced that Outlook for Web and the new Outlook for Windows will no longer display inline SVG images. SVG, or Scalable Vector Graphics, files have been used to deploy malware and increasingly to display forms used in phishing attacks. The change away from SVGs started in September and is expected to be completed for all customers by mid-October.

Subpoena tracking platform blames outage on AWS social engineering attack
Kodex Global, that is K-O-D-E-X, a platform used by law enforcement and major tech firms to manage subpoenas and data requests, suffered a temporary outage on October 1 after attackers tricked AWS into freezing its domain. The disruption took down Kodex's website, portal, API and some email services for nearly four hours. Although attackers attempted to transfer the domain, ownership was never lost. AWS mistakenly froze it due to a fraudulent legal order. Kodex confirmed no breach or data compromise occurred. AWS has since resolved the issue and pledged safeguards. Experts note, however, that a successful attack could have exposed sensitive data and account access.

Researchers uncover spyware targeting messaging app users in the UAE
Researchers from ESET have discovered this new spyware embedded in fake messaging apps that are targeting people in the United Arab Emirates. The two apps are named ProSpy and ToSpy, i.e. T-O-S-P-Y, which masquerade as Signal and ToTok, which is a free messaging and calling app that originated in the United Arab Emirates. The spyware is made available through fake websites and app stores, which themselves are made to look like legitimate app stores.

It's Friday, which means we've got our Week in Review live stream coming up later today at 3:30 p.m. Eastern. And we've got a very special guest host this week, Nick Espinosa, host of the nationally syndicated Deep Dive radio show. He has already been a regular and entertaining guest and we can't wait to have him running the show.

So make sure you're subscribed to the CISO Series YouTube channel to never miss any of our live streams or other videos and, in this case, to join us today at 3:30 to add your comments as Nick drives home the stories of the week. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
B
Sam.
Podcast: Cyber Security Headlines
Host: Steve Prentice (CISO Series)
Episode: Shutdown furloughs CISA, Defender BIOS bug, Motility dealership cyberattack
Date: October 3, 2025
This episode covers a turbulent week in cybersecurity: a U.S. government shutdown affecting CISA's capabilities, bugs and breaches affecting major vendors such as Microsoft and Red Hat, and new threats from ransomware, extortion, and spyware campaigns. Host Steve Prentice highlights cascading risks for organizations and individuals, from government processes to enterprise tech, dealership software, and even personal messaging apps.
"While a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions."
— Marcy McCarthy, CISA Spokesperson ([00:31])
"This known issue affects Dell services and is caused by a Defender for Endpoint logic bug. A fix is on the way."
— ([01:01])
"These reports usually contain architecture diagrams, configuration details, authentication tokens, network maps, and are effectively a blueprint of a customer's IT environment."
— ([01:37])
"Personal information of more than 760,000 people was stolen. A claim of responsibility has been made by the PEAR ransomware gang."
— ([02:24])
"Incident responders at Mandiant and Google Threat Intelligence Group have released a warning about hackers... attempting to extort corporate executives by threatening to leak sensitive information."
— ([03:32])
"SVG, or Scalable Vector Graphics files, have been used to deploy malware and increasingly to display forms used in phishing attacks."
— ([04:11])
"AWS mistakenly froze it due to a fraudulent legal order. Kodex confirmed no breach or data compromise occurred. AWS has since resolved the issue and pledged safeguards."
— ([04:40])
"The spyware is made available through fake websites and app stores, which themselves are made to look like legitimate app stores."
— ([05:23])
On CISA operations under shutdown:
"Only about 35% of the agency's staff now remain active, and agency spokesperson Marcy McCarthy has stated that... CISA will sustain essential functions and provide timely guidance to minimize disruptions."
— [00:16]
Microsoft Defender bug's urgent fix:
"A fix is on the way, but Microsoft has not yet said how many users may be impacted by these ongoing Defender XDR issues and in what regions."
— [01:11]
On the importance of customer engagement reports (CERs) in the Red Hat breach:
"...are effectively a blueprint of a customer's IT environment."
— [01:45]
Kodex Global's AWS incident:
"Although attackers attempted to transfer the domain, ownership was never lost. AWS mistakenly froze it due to a fraudulent legal order."
— [04:52]
| Segment Topic | Timestamp |
|---|---|
| CISA Staff Furlough (Government Shutdown) | 00:07 |
| Microsoft Defender BIOS False Alert | 00:51 |
| Red Hat GitHub Breach | 01:21 |
| Motility RV Ransomware Attack | 02:13 |
| Executive Extortion via Oracle Data | 03:25 |
| Microsoft Outlook SVG Image Ban | 04:11 |
| Kodex Global/AWS Social Engineering Outage | 04:32 |
| UAE Messaging App Spyware Discovery | 05:11 |
The episode maintains the brisk, informative tone characteristic of daily security briefings. Steve Prentice delivers the news with a sense of urgency befitting rapid developments and emerging threats, punctuated by direct quotes and practical implications for listeners.
This episode underscores the relentless pace and expanding scope of cybersecurity threats—from the halls of federal agencies to the consumer’s inbox and app store. With governmental, corporate, and personal vectors all in play, the need for adaptive defenses, attentive staff, and robust incident response is clearly greater than ever.