Cyber Security Headlines: Week in Review (September 5, 2025)

Podcast: CISO Series — "Cyber Security Headlines"
Host: Rich (A)
Guest: Ray Espinoza, VP of Information Security, Elite Technology (B)
Sponsor: ThreatLocker Zero Trust Endpoint Protection
Focus: Analysis of the week’s top infosec stories, with expert insight and practical takeaways

Main Theme:

This week’s episode covers mounting cyber risk in legacy organizations, the unintended consequences of ransomware takedowns, new risks posed by LLMs (Large Language Models), concerns on SaaS and third-party breaches, and trends in data sovereignty and ransomware methodologies. Ray Espinoza, in his first appearance, brings a blend of leader perspective and frontline experience to unpack the why behind each story.

Key Discussion Points & Insights

1. Baltimore’s $1.5 Million Business Email Compromise (BEC)

• Story: Baltimore city lost $1.5 million after falling for a sophisticated BEC scam, with one payment still unrecovered. The incident exposed lack of verification protocols and recurring vulnerability to similar fraud.

• Analysis:

  • Process — The Missing Link: Emphasis on moving beyond training and tech to shore up fundamental business processes and controls.
    • Quote (Ray):

      "Did we actually try to address some of the processes that can create a much stronger gate for these types of threats to occur?" [03:15]

  • Security Culture Matters:
    • Quote (Ray):

      "Is there a security culture there?...I've been at organizations where I had to go in. I'm like, wow, okay, I have my work cut out for me, but I need to change the culture here." [05:21]

  • Resource Constraints: Municipal IT teams often lack funding and internal motivation, increasing risk.

• Takeaway: Process and security culture are foundational—tech alone is not enough.

• Timestamps:

  • [01:45] — Story Overview
  • [03:15] — Process Gaps and Missed Opportunities
  • [05:21] — Security Culture and Empathy

2. Ransomware Takedowns: Hydra Effect

• Story: Law enforcement has disrupted major ransomware gangs (e.g., Lockbit, Black Cat), but this splintering leads to “many-headed hydra” — 60+ new groups formed, many leveraging AI and commoditized malware.

• Analysis:

  • Underground 'Business' Model: Crimeware-as-a-service makes it easy for less skilled actors to get involved.
    • Quote (Ray):

      "Rather than them taking on the risk...it's like, well, I'll just create the software to enable you ... for a fraction of a bitcoin, they can now go and start to exploit ..." [07:22]

  • Perpetual Cat-and-Mouse:
    • Barrier to entry is lower than ever; the landscape will keep worsening as long as cybercrime is lucrative.
  • Education and Awareness: Sustained investment in user education is key to resilience.

• Takeaway: Takedowns must target both infrastructure and core personnel; attacker ecosystems adapt rapidly.

• Timestamps:

  • [06:22] — Ransomware Hydra and Law Enforcement
  • [07:22] — Business Model and Proliferation

3. Legal PWN: LLM Jailbreaks via Contract Legalese

• Story: Attackers are hiding malicious prompts in the dense “legalese” of contracts, exploiting how LLMs (like ChatGPT) fail to distinguish between user input and ingested content.

• Analysis:

  • Threat Evolution: AI is being targeted via sophisticated, subtle prompt injection.
    • Quote (Ray):

      "Threat actors are trying to figure out, well, where are those bounds? Where can I push, where can I exploit? How long will it take for these AI providers to catch up?" [10:32]

  • Fixing the Plane in Flight: Rapid AI adoption means defenders must “stack” AIs to referee each other and hope for the best, while governance and process lag.
    • Quote (Host):

      "It's kind of like fixing the plane while it's in flight ... you're being asked to secure the tools that you also need to use because your adversaries are using AI and increasing scale." [11:47]

  • Creativity on Both Sides: Defenders are starting to match attacker creativity by using AI to counter AI-driven threats.

• Takeaway: Defensive innovation must pace with attacker creativity—AI security is a game of leapfrog.

• Timestamps:

  • [09:13] — LLM Prompt Injection Story
  • [10:32] — Exploiting the Bounds of AI
  • [13:00] — Enablement vs. Governance

4. Workiva-Salesforce SaaS Data Breach

• Story: Workiva, a widely used SaaS platform, was breached via a third-party CRM (connected to Salesforce). The attack impacted major enterprise clients.

• Analysis:

  • Third-Party Risk: The weakest link principle is alive and well in the cloud/SaaS era.
  • Response & Comms are King:
    • Quote (Ray):

      "Many organizations now seem to be judged on how well do they communicate, how fast do they respond and how transparent are they about the process and do they actually take meaningful steps to get better after they're breached." [15:31]

  • Rebuilding Trust: Mishandling breach disclosure (as in the cited 23andMe incident) can do more damage than the breach itself.

• Takeaway: Never assume your partners are secure; plan for incident response and transparent comms as part of your security program.

• Timestamps:

  • [14:45] — Workiva/Salesforce Breach Overview
  • [15:31] — Communication and Transparency
  • [16:59] — Examples and Best Practices

5. SAP’s €20B Sovereign Cloud Gambit—and Internal Disagreement

• Story: SAP intends to spend €20B on European sovereign cloud, but faces internal dissent (notably from CEO Christian Klein, who would rather focus on AI).

• Analysis:

  • Old vs. New Thinking: Some see data sovereignty as a vestige—a “my data in my borders” default—but still a regulatory and perception issue (e.g., GDPR, Schrems).
    • Quote (Ray):

      "Do I feel better if our data is in country? Because why? ... there's a certain level of protections, I don't have to worry about spying governments, etc." [19:31]

  • Internal Rift Signals Market Uncertainty: Disagreement at SAP's top could affect their direction and customer confidence.

• Takeaway: Data sovereignty debates aren’t purely technical—they’re strategic, regulatory, and cultural.

• Timestamps:

  • [18:18] — SAP Investment Story
  • [19:31] — Data Sovereignty & Internal Disagreement

6. Cephalus Ransomware Disguised as SentinelOne

• Story: New ransomware group "Cephalus" targets firms in the US and Japan, exploiting vulnerable RDP accounts and dropping a real SentinelOne executable to disguise a sideloaded malicious DLL.

• Analysis:

  • Living-off-the-Land: Attackers are using trusted software as a cover, making threats harder to spot.
  • Credential-based Attacks Surpassing Phishing: Verizon's Data Breach Report now shows credential compromise as the top attack vector for the first time.
    • Quote (Ray):

      "The scary point of that entire story is utilizing a well known and trusted endpoint protection solution ... and then using a side load attack ... it is really scary." [22:22]

  • Empathy for Victims: Even diligent employees can fall for cleverly disguised threats.

• Takeaway: Multi-factor authentication and strong credential hygiene are as critical as ever; even the most sophisticated tools can be used against you.

• Timestamps:

  • [21:29] — Cephalus Ransomware Details
  • [22:22] — Threat Actor Tactics and Credential Hygiene

Notable Quotes & Memorable Moments

• On Ransomware-as-a-Service:

  "Now somebody sitting a teenager in their mom's basement ... for a fraction of a bitcoin, they can now go and start to exploit and sort of drive some of these attacks." — Ray Espinoza [07:22]

• On The Need for Security Culture:

  "I've been at organizations where I had to go in ... I need to change the culture here." — Ray [05:21]

• On Incident Response:

  "Many organizations now seem to be judged on ... how transparent are they about the process and do they actually take meaningful steps to get better after they're breached." — Ray [15:31]

• On AI Security:

  "It's that cat and mouse game that we've been seeing for as many years as I've been around in the technology space." — Ray [10:32]

• On Empathy for Those Hit:

  "My heart goes out to folks who are compromised and have some level of breach ... a lot of people are going to do a lot of really hard work to try to get the company back to earn trust again." — Ray [25:03]

Timestamps for Major Segments

| Topic | Timestamp | |----------------------------------------------------------|------------| | Baltimore BEC fraud | 01:45–06:22| | Ransomware takedowns' unintended effect | 06:22–09:13| | LLM contract prompt injection | 09:13–13:46| | Workiva/Salesforce SaaS third-party breach | 14:45–18:18| | SAP's sovereign cloud investment and leadership split | 18:18–21:29| | Cephalus ransomware/SentinelOne sideload technique | 21:29–23:44| | Closing reflections/Empathy for breach responders | 25:03 |

Episode Flow and Tone

• Conversational, candid, with honest reflections and anecdotes from Ray Espinoza’s own security journey.
• Clear intent to both inform and show compassion for "those in the trenches."
• Engaging banter on the escalation of threats, the limits of tech, and the necessity of culture and communication.

Final Thoughts

• Empathy & Perspective: No cheap criticism; focus on learning and the shared challenges all orgs face.
• Security is cultural, not just technical: True protection comes from process, transparency, and enabling people.
• Attackers adapt, defenders must too: Whether it’s AI-driven attacks, sideloaded malware, or good old-fashioned BEC, cyber risk is a moving target.
• Clear Communication Wins: How you respond and communicate in a breach is as important as how you prevent it.

For more, visit CISOseries.com or find Ray Espinoza on LinkedIn (“the only one in cybersecurity!”).