
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, September 8, 2025. I'm Steve Prentiss.

New malware phishing campaign hidden in SVG files
Researchers at VirusTotal have identified this phishing campaign in Colombia. It is hidden inside SVG files that create convincing fake portals that resemble those of Colombia's judicial system. VirusTotal detected this campaign after it added support for SVGs to its AI Code Insight platform, which itself uses machine learning to generate summaries of suspicious or malicious behavior found in the files. SVG stands for Scalable Vector Graphics and is used to generate images of lines, shapes and text through textual mathematical formulas in the file and is already in use by threat actors because they can display HTML and execute JavaScript when the graphic is loaded.

Anthropic agrees to pay $1.5 billion in book piracy lawsuit
The AI firm has agreed to this settlement with authors who alleged the company used pirated books to train its chatbot Claude. The deal, pending judicial approval, would compensate authors to about $3,000 for each of 500,000 affected works, potentially the largest copyright. The lawsuit was brought about by authors Andrea Bartz, Charles Graeber and Kirk Wallace Johnson, later expanding to represent thousands of other writers. A judge previously ruled that while training AI on copyrighted works isn't illegal, Anthropic wrongfully sourced books from piracy sites. Avoiding a December trial, the company sidesteps possible damages in the multiple billions.

Qantas penalizes executives for cyberattack
Following up on a story we covered in July, the Australian airline Qantas has cut annual bonuses for senior leaders by 15% after the July cyber attack that exposed data of 5.7 million people. The airline reported a $1.5 billion profit for the past fiscal year, but said the penalty reflects accountability for the incident. CEO Vanessa Hudson's pay was reduced by $250,000 as part of this decision.
Chairman John Mullen noted the move balances responsibility with recognition of efforts to support customers and strengthen protections. Qantas added that it is facing rising social engineering threats and is using lessons from the breach to enhance its risk management framework.

CISA orders federal agencies to patch Sitecore zero day
Federal civilian agencies have until September 25th to patch the vulnerability within the content management system following a recent attack involving the bug, which affects several Sitecore products. This bug also has a CVE number and a place in CISA's KEV catalog. A key issue with the bug is the use of a sample machine key that was included in Sitecore deployment guides from 2017 and earlier. Many customers simply used the sample machine key and never rotated it to something new. Researchers at Mandiant stated that they recently stopped an attack where hackers leveraged the exposed sample machine key to gain access, end quote.

Huge thanks to our sponsor Vanta. Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at Vanta.com/headlines. That is V A N T A dot com headlines.

Chess.com discloses data breach
The data breach impacted the organization, one of the world's largest chess playing portals, after threat actors gained unauthorized access to a third party file transfer application used by the platform, end quote. This occurred in June and lasted for two weeks, according to the investigation that followed.
The incident impacted PII of just 4,500 users, a very small percentage of the platform's estimated 200 million member user base. Representatives from Chess.com emphasized that the incident only affected the unnamed third party app, while its own infrastructure and member accounts remain unaffected, end quote, and also that no financial information has been exposed.

NYU team behind AI powered PromptLock malware
On August 28th, we brought you the story of PromptLock, analyzed by ESET and thought to be the world's first AI powered malware. Researchers at NYU's Tandon School of Engineering have now confirmed they created the code as part of a project meant to illustrate the potential harms of AI powered malware, end quote. The team has published an academic paper and called the project Ransomware 3.0 since it exploits large language models to autonomously plan, adapt and execute the ransomware attack life cycle.

Frostbyte 10 bugs threaten refrigerators at major grocery chains
Researchers at OT security firm Armis have discovered 10 vulnerabilities, which they have named as the Frostbite 10, that is Frost Byte 10, located in Copeland E2 and E3 controllers. These OT controllers are widely used in supermarkets and cold storage facilities to manage refrigeration, HVAC and lighting. Three of the 10 flaws were rated critical, potentially allowing attackers to alter temperatures, spoil food and medicine, and disrupt supply chains. After having been alerted, Copeland released firmware updates to fix them. Customers are urged to upgrade promptly, especially as the E2 model reaches end of life in October.

Academics build AI powered Android vulnerability discovery and validation tool
Two researchers from Nanjing University and the University of Sydney have developed A2, an AI powered framework that automates Android application vulnerability discovery and validation.
According to the researchers, A2 mirrors human experts' analysis and validation activities by first reasoning about an application's security and then validating each potential flaw through exploitation attempts. Testing on benchmarks shows A2 achieves significantly higher coverage, uncovering more than 100 true zero day vulnerabilities.

Each and every Friday we bring you in depth hour long discussions on the biggest topics in cybersecurity. We call it Super Cyber Friday. This week we'll be talking about hacking managed services, digging into what you should expect and what you should look for with MSPs. If you've never come to a Super Cyber Friday, these are interactive discussions with a fun active chat, a few fun games, and even a chance to win some CISO Series prizes. If you want to register to join us, head on over to the events page at CISOseries.com. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Date: September 8, 2025
Main Topics: SVG Phishing, Anthropic Piracy Lawsuit, Qantas Cyberattack Response, Sitecore Zero-Day, Chess.com Breach, AI-Powered Malware Research, Frostbyte 10 Bugs, Android Vulnerability Tool
This episode spotlights new threats and developments in cybersecurity, with notable stories on sophisticated phishing attacks, major legal settlements in AI training, punitive executive actions in response to breaches, critical infrastructure vulnerabilities, and cutting-edge research in both attack and defense. The episode blends global headlines with expert commentary to help listeners keep pace with the fast-moving world of information security.
“SVG stands for Scalable Vector Graphics and is used to generate images...and is already in use by threat actors because they can display HTML and execute JavaScript when the graphic is loaded.”
— Steve Prentiss [00:27]
"A judge previously ruled that while training AI on copyrighted works isn't illegal, Anthropic wrongfully sourced books from piracy sites."
— Steve Prentiss [01:25]
"...the penalty reflects accountability for the incident."
— Steve Prentiss [02:30]
"The team has published an academic paper and called the project ransomware 3.0 since it exploits large language models to autonomously plan, adapt and execute the ransomware attack life cycle."
— Steve Prentiss [05:39]
"Many customers simply used the sample machine key and never rotated it to something new."
— Steve Prentiss on the Sitecore vulnerability [03:40]
"The incident impacted PII of just 4,500 users, a very small percentage of the platform's estimated 200 million member user base."
— Steve Prentiss on Chess.com breach [04:39]
"Researchers at NYU's Tandon School of Engineering have now confirmed they created the code as part of a project meant to illustrate the potential harms of AI powered malware."
— Steve Prentiss [05:21]
"Three of the 10 flaws were rated critical, potentially allowing attackers to alter temperatures, spoil food and medicine, and disrupt supply chains."
— Steve Prentiss on Frostbyte 10 [06:26]
| Segment | Timestamp |
|----------------------------|-----------|
| SVG Phishing Campaign | 00:14 |
| Anthropic Piracy Lawsuit | 00:56 |
| Qantas Executive Penalties | 02:00 |
| Sitecore Zero-Day Order | 03:01 |
| Chess.com Data Breach | 04:16 |
| NYU PromptLock AI Malware | 05:03 |
| Frostbyte 10 Fridge Flaws | 06:10 |
| Android Vulnerability Tool | 07:16 |
For full story links and more in-depth coverage, visit CISOseries.com.