Transcript
A (0:00)
From the CISO Series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, September 12, 2025. I'm Steve Prentice.

SonicWall SSL VPN flaws now being actively exploited. Following up on a story we covered in August, cybersecurity firm Rapid7 says it has observed a spike in intrusions involving SonicWall appliances over the particularly following reports about renewed Akira ransomware activity since late July. SonicWall has subsequently confirmed that the attacks on its firewalls involved a year-old security flaw with a CVSS score of 9.3 where local user passwords were carried over during the migration and not reset. Customers are advised to rotate passwords on all SonicWall local accounts, remove any unused or inactive SonicWall local accounts, ensure MFA and TOTP policies are configured, and restrict Virtual Office Portal access to the internal network.

Acting federal cyber chief outlines his priorities. Michael Duffy, speaking at the Billington Cybersecurity Summit, identified his priorities as, quote, focusing enterprise cyber defense, increasing operational resilience and securing a modern US government, end quote. For the first of these, he described it as a matter of leaders thinking about things like vulnerability management, supply chain or incident responses not just for their own agency but across the enterprise as well, end quote, adding it's incumbent upon agencies to act now rather than waiting for the next cyber crisis to shape the next 10 years, end quote.

US-based investors in spyware firms nearly tripled in 2024, according to a report from the Atlantic Council think tank. 31 American firms were found to be backing the manufacturers of spyware, compared to 11 in 2023.
The report continues by saying the US is the largest investor in the spyware market and mentions as examples Paragon, makers of the Graphite product allegedly used to target WhatsApp users, which was acquired by Florida-based AE Industrial Partners last year, and also Integrity Partners, which invested in Saito Tech Ltd., creator of the Candiru spyware.

UK cybersecurity legislation delayed again. The UK government's long-awaited Cyber Security and Resilience Bill has been delayed again despite its main provisions being finalized three years ago. The Sunak government failed to table the bill in 2022 and the Starmer government's nearly identical version was due this week but was postponed amid a cabinet reshuffle. No new date has been announced. The delay comes as Britain faces escalating cyber attacks, including a recent incident that halted production at Jaguar Land Rover, described as an economic security incident. Other attacks have of course hit retailers like Marks and Spencer and the Co-op, causing nationwide supply disruptions.

Huge thanks to our sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V A N T A dot com headlines.

DDoS defender targeted in giant DDoS attack. A Europe-based DDoS mitigation service provider was targeted in a massive distributed denial of service attack that reached 1.5 billion packets per second. The attack was launched from thousands of IoTs and MikroTik routers.
FastNetMon, the company that mitigated the attack, did not name the targeted customer, but describes them as a DDoS scrubbing provider. The attack was detected in real time and mitigation action was taken using the customer's DDoS scrubbing facility.

Hackers use ConnectWise ScreenConnect to drop AsyncRAT. Researchers at LevelBlue are warning of a campaign that uses the remote desktop software to deploy the AsyncRAT Trojan. The report states that attackers are using PowerShell loaders and are achieving persistence via a fake Skype updater. This attack is an example of a fileless malware campaign in which .NET assemblies are run directly in memory instead of saving executables to disk, which makes detection and defense much more difficult.

KillSec ransomware attacks Brazilian healthcare software provider. The attack targeted MedicSolution, a software solutions provider for the healthcare industry in Brazil. And according to researchers at Resecurity, the root cause of the incident was data exfiltration from an insecure AWS S3 bucket. The window of exposure is estimated as several months. The data stolen includes sensitive laboratory results and reports, medical assessments and other private patient information. The total volume of stolen data exceeds 34 gigabytes. KillSec ransomware actors have also targeted healthcare institutions in Colombia, Peru and the US.

New VMScape attack breaks guest-host isolation on AMD and Intel CPUs. As posted on Bleeping Computer, a new Spectre-like attack, dubbed VMScape, allows a malicious virtual machine to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. This attack, developed by a team of researchers at ETH Zurich public university in Switzerland, breaks the isolation between VMs and the cloud hypervisor, bypassing existing Spectre mitigations and threatening to leak sensitive data by leveraging speculative execution.
The researchers note that a threat actor could deploy such an attack against a cloud provider by simply renting a virtual machine to leak secrets from the hypervisor or other VMs, end quote.

As usual, we've got a busy Friday of live streams today, in fact, a little busier. It starts at 1pm with Super Cyber Friday, where the topic will be hacking managed services, an hour of critical thinking about what questions to ask when you're looking for a provider. Then, at 3:30pm Eastern, we have our Week in Review show. Our guests this week are Rob Thiel, CTO of the Oklahoma Department of Commerce, and Howard Holton, newly minted CEO of GigaOm. They together will be providing their expert commentary on the news of the week with host Rich Stroffolino. To find out more about both shows and to register to join the conversations, simply go to the events page at cisoseries.com. And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
