Cyber Security Headlines
Host: Steve Prentiss
Date: September 8, 2025
Main Topics: SVG Phishing, Anthropic Piracy Lawsuit, Qantas Cyberattack Response, Sitecore Zero-Day, Chess.com Breach, AI-Powered Malware Research, Frostbyte 10 Bugs, Android Vulnerability Tool
1. Overview
This episode spotlights new threats and developments in cybersecurity, with notable stories on sophisticated phishing attacks, major legal settlements in AI training, punitive executive actions in response to breaches, critical infrastructure vulnerabilities, and cutting-edge research in both attack and defense. The episode blends global headlines with expert commentary to help listeners keep pace with the fast-moving world of information security.
2. Key Discussion Points and Insights
SVG Phishing Campaign in Colombia (00:14)
- Discovery: VirusTotal researchers identified a phishing campaign in Colombia hiding malicious payloads inside SVG image files, disguised as judicial system portals.
- Technique: SVG (Scalable Vector Graphics) files can contain embedded HTML and JavaScript, making them an attractive vector for threat actors.
- Detection: VirusTotal detected the campaign after its AI code insight platform added support for SVG analysis.
- Insight: The use of SVG files for malware underscores the evolving complexity of phishing techniques, leveraging seemingly innocuous formats for malicious ends.
“SVG stands for Scalable Vector Graphics and is used to generate images...and is already in use by threat actors because they can display HTML and execute JavaScript when the graphic is loaded.”
— Steve Prentiss [00:27]
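A defender-side check for the technique described above, as an added example that is not from the episode or from VirusTotal: a tolerant scan that flags script-capable markup in an SVG before the file is opened or delivered. The tag and scheme lists, the function names and both sample documents are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed, non-exhaustive lists chosen for this illustration.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "xlink:href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class SvgActiveContentScanner(HTMLParser):
    """Collects (kind, tag, detail) findings for script-capable SVG markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-element", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS:
                # Remove whitespace (URL parsers strip tabs and newlines).
                compact = "".join((value or "").split()).lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", tag, name))

def scan_svg(text):
    """Return findings for one SVG document; an empty list means static."""
    scanner = SvgActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed samples with inert placeholder content.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>/* inert placeholder */</script>
  <foreignObject width="300" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">portal look-alike markup</div>
  </foreignObject>
  <a href="javascript:void(0)"><text y="20">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

An empty result only means these rules matched nothing; a mail or upload gateway would treat any finding as grounds to quarantine or rasterize the image.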
Anthropic $1.5 Billion Book Piracy Lawsuit Settlement (00:56)
- Background: AI firm Anthropic agreed to a massive settlement with authors alleging their works were used without authorization to train the Claude chatbot.
- Settlement Details: Authors are to receive about $3,000 per work for 500,000 works, setting a record in copyright compensation.
- Judicial Nuance: Training AI on copyrighted material isn’t illegal per se, but sourcing from piracy sites crossed the legal line.
- Impact: Anthropic sidestepped a potentially larger payout by settling before trial.
"A judge previously ruled that while training AI on copyrighted works isn't illegal, Anthropic wrongfully sourced books from piracy sites."
— Steve Prentiss [01:25]
Qantas Penalizes Executives for Cyberattack (02:00)
- Action Taken: Qantas cut executives’ annual bonuses by 15% after a July cyberattack compromised data of 5.7 million.
- CEO Impact: Vanessa Hudson’s pay was reduced by $250,000.
- Why: Public accountability and risk management improvement post-breach.
- Broader Message: Reflects a trend toward organizational accountability at the leadership level for breaches.
"...the penalty reflects accountability for the incident."
— Steve Prentiss [02:30]
- Additional Note: Qantas is strengthening social engineering defenses and its overall risk management framework.
CISA Orders Patch for Sitecore Zero-Day (03:01)
- Urgency: U.S. federal agencies must patch a critical Sitecore CMS bug by September 25.
- Flaw Details: The flaw is rooted in a sample machine key that has been in deployment guides since 2017 and was often left unchanged by admins.
- Risks: Attackers can leverage the unchanged key to gain unauthorized access.
- Real-World Incident: Mandiant reported stopping an active exploit using this method.
Chess.com Data Breach (04:16)
- Incident: Chess.com, one of the largest online chess platforms, suffered a breach via a third-party file transfer app.
- Scope: Only 4,500 users affected out of 200 million; no financial data compromised.
- Containment: The incident was isolated, and Chess.com’s own infrastructure was not breached.
NYU's AI-Powered PromptLock Malware Project (05:03)
- Clarification: Researchers at NYU Tandon created PromptLock, dubbed the world's first AI-powered malware, as a proof of concept to demonstrate AI-enabled ransomware threats.
- Malware Capabilities: Automates the entire ransomware cycle—planning, adapting, and executing attacks.
- Research Output: The project is documented in a new academic paper on “ransomware 3.0.”
"The team has published an academic paper and called the project ransomware 3.0 since it exploits large language models to autonomously plan, adapt and execute the ransomware attack life cycle."
— Steve Prentiss [05:39]
Frostbyte 10 Vulnerabilities in Supermarket Refrigerators (06:10)
- Discovery: Armis found 10 serious vulnerabilities ("Frostbyte 10") in Copeland E2 and E3 controllers, used in major grocers’ refrigeration and HVAC systems.
- Impact: Three bugs rated critical; attackers could alter temperatures, spoil perishable goods, and disrupt supply chains.
- Action: Firmware updates released; especially urgent as E2 model nears end-of-life.
AI-Powered Android Vulnerability Discovery Tool (07:16)
- Innovation: Researchers from Nanjing University and the University of Sydney developed “A2,” an AI tool that mirrors expert reasoning to discover and validate Android app vulnerabilities.
- Results: Benchmark testing led to the discovery of over 100 new zero-day vulnerabilities, demonstrating significant improvement in automated vulnerability research.
3. Notable Quotes & Memorable Moments
- "Many customers simply used the sample machine key and never rotated it to something new."
— Steve Prentiss on the Sitecore vulnerability [03:40]
- "The incident impacted PII of just 4,500 users, a very small percentage of the platform's estimated 200 million member user base."
— Steve Prentiss on Chess.com breach [04:39]
- "Researchers at NYU's Tandon School of Engineering have now confirmed they created the code as part of a project meant to illustrate the potential harms of AI powered malware."
— Steve Prentiss [05:21]
- "Three of the 10 flaws were rated critical, potentially allowing attackers to alter temperatures, spoil food and medicine, and disrupt supply chains."
— Steve Prentiss on Frostbyte 10 [06:26]
4. Timestamps for Important Segments
| Segment | Timestamp |
|----------------------------|-----------|
| SVG Phishing Campaign | 00:14 |
| Anthropic Piracy Lawsuit | 00:56 |
| Qantas Executive Penalties | 02:00 |
| Sitecore Zero-Day Order | 03:01 |
| Chess.com Data Breach | 04:16 |
| NYU PromptLock AI Malware | 05:03 |
| Frostbyte 10 Fridge Flaws | 06:10 |
| Android Vulnerability Tool | 07:16 |
For full story links and more in-depth coverage, visit CISOseries.com.
