
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, October 23, 2025. I'm Sarah Lane.

TP-Link urges updates for Omada gateways
TP-Link has warned of critical vulnerabilities in its Omada gateway devices across the ER, G and FR series, urging users to update firmware immediately. The most severe flaws allow arbitrary OS command execution and command injection, potentially by unauthenticated attackers or after admin authentication. Two additional flaws enable root access and further arbitrary command execution. Users are advised to install the latest firmware, change weak passwords, and restrict management interface access to trusted networks.

MuddyWater targets organizations in espionage campaign
Iran-linked threat group MuddyWater has launched a global espionage campaign targeting more than 100 organizations, including embassies, foreign affairs ministries and telecom firms. The group exploited a compromised email account via NordVPN to distribute weaponized Word documents that deploy the Phoenix v4 backdoor through a fake update loader. Phoenix, along with custom credential stealers and legitimate RMM tools, allows persistent remote access and intelligence gathering. The campaign demonstrates MuddyWater's ability to combine custom malware with commercial software for stealth and persistence.

SessionReaper flaw exploited in Adobe Commerce
Hackers are exploiting a critical vulnerability in Adobe Commerce, formerly Magento, known as SessionReaper, which lets an attacker hijack a customer account via the platform's REST API. Security firm Sansec detected more than 250 active exploitation attempts after Adobe released an emergency patch six weeks ago, with 62% of Magento stores still unpatched. Most attacks originate from five IP addresses and involve PHP web shell probes.

Canada fines Cryptomus
Canada fined Cryptomus, a crypto payments platform, $176 million for violating anti-money-laundering laws. FINTRAC found that the company failed to report suspicious transactions linked to child sexual abuse material, fraud, ransomware and sanctions evasion. Cryptomus processed payments for at least 56 Russian crypto exchanges and cybercrime services. Investigations revealed its listed addresses in Canada hosted dozens of MSBs and exchanges that didn't actually operate there. FINTRAC's penalty is the largest to date, highlighting ongoing challenges with shadowy money service businesses.

Huge thanks to our sponsor, ThreatLocker. Cybercriminals don't knock. They sneak in through the cracks other tools miss. That's why organizations are turning to ThreatLocker as a zero trust endpoint protection platform. ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here with ThreatLocker.

PhantomCaptcha targets Ukraine relief groups
SentinelOne researchers uncovered a phishing campaign dubbed PhantomCaptcha, which targeted Ukraine war relief groups including the Red Cross and UNICEF. On October 8, attackers impersonated the Ukrainian President's office using weaponized PDFs that redirected victims to a fake Zoom page to deploy a WebSocket-based remote access Trojan hosted on Russian infrastructure. The campaign showed links to prior Cold River activity and reflected careful planning and rapid infrastructure turnover.

Meta launches anti-scam tools for WhatsApp and Messenger
Meta introduced new anti-scam features for WhatsApp and Messenger to help protect users from fraud. Messenger is testing AI-powered scam detection that flags a suspicious chat and suggests actions like blocking or reporting a sender. WhatsApp now warns users not to share their screens with unknown contacts and adds context when being added to new groups. Meta says it has disabled nearly 8 million scam-linked accounts this year and removed 21,000 fake support pages.

Tarmageddon flaw in Rust library leads to RCE
A critical vulnerability dubbed Tarmageddon was discovered in the Rust library async-tar, allowing attackers to execute remote code by smuggling malicious entries in nested TAR files. Security firm Edera, which reported the flaw, said both async-tar and its fork tokio-tar are abandoned, leaving millions of downstream users at risk. Patched forks like Astral's tokio-tar 0.5.6 have been released and developers are urged to switch immediately.

Pwn2Own Day 2: hackers exploit 56 zero-days
On Day 2 at Pwn2Own Ireland 2025, researchers exploited 56 zero-day vulnerabilities across devices including the Samsung Galaxy S25, Synology NAS systems and Philips Hue Bridge, earning $792,750 in total prizes. Congrats. The standout hack came from Mobile Hacking Lab and Summoning Team, who chained five flaws to breach the Galaxy S25 for $50,000. Vendors have 90 days to patch the bugs before public disclosure.

If you're going to be in New York City in early November, we hope you will join us for a CISO Series Podcast recording. We'll be recording at FAIRCON 25 on November 5th at the beautiful Glass House on 12th Avenue. The conference is stacked with everything you'd ever want to know about cyber risk management. If you want to join us for the show and the podcast recording, we've got a promo code to save you 75% off of registration. Just head to our events page at cisoseries.com and register there.

We also have very exciting news. We're launching a brand new show this Monday, October 27th, called The Department of No. We will be live at 4:00pm Eastern Time, bringing together two cybersecurity leaders to help you start out your week in cybersecurity. If you want to know what cybersecurity news from the past week you need to integrate into your next team meeting, you've got to come to the show. It streams live at 4pm every Monday on our YouTube channel, so block out the time on your calendar.

Subscribe to the CISO Series YouTube channel and join us Monday, October 27th at 4pm for the debut of The Department of No. And if you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We want to hear from you. I am Sarah Lane reporting for the CISO Series. Thank you for listening.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Release Date: October 23, 2025
Host: Sarah Lane, CISO Series
Episode Theme:
A focused roundup of the latest developments in cybersecurity, including urgent vulnerabilities, global espionage campaigns, cybercrime penalties, and new anti-scam tools. This episode highlights real-world threats, patch advisories, and ongoing issues in both technical and regulatory spheres.
[00:06 – 01:06]
"TP-Link has warned of critical vulnerabilities in its Omada gateway devices... urging users to update firmware immediately." – Sarah Lane [00:08]
[01:07 – 01:53]
"The campaign demonstrates MuddyWater's ability to combine custom malware with commercial software for stealth and persistence." – Sarah Lane [01:47]
[01:54 – 02:36]
"62% of Magento stores [are] still unpatched." – Sarah Lane [02:28]
[02:37 – 03:17]
"FINTRAC's penalty is the largest to date, highlighting ongoing challenges with shadowy money service businesses." – Sarah Lane [03:13]
[04:00 – 04:37]
"The campaign showed links to prior Cold River activity and reflected careful planning and rapid infrastructure turnover." – Sarah Lane [04:34]
[04:38 – 05:13]
"Messenger is testing AI powered scam detection that flags a suspicious chat... WhatsApp now warns users not to share their screens with unknown contacts." – Sarah Lane [04:39 – 04:46]
[05:14 – 05:39]
"Patched forks like Astral's tokio-tar 0.5.6 have been released and developers are urged to switch immediately." – Sarah Lane [05:36]
[05:40 – 06:13]
"The standout hack came from Mobile Hacking Lab and Summoning Team, who chained five flaws to breach the Galaxy S25 for $50,000." – Sarah Lane [06:07]
For more details on any story, visit cisoseries.com.