Cyber Security Headlines – Week in Review: Citrix RCE Flaw, Steganography Revived, Major Telecom Fiasco

Podcast: CISO Series: Cyber Security Headlines
Date: August 29, 2025
Host: CISO Series Host (A)
Guest: Jonna Attil Johnson, CEO & Founder, Nemertes (B)

Overview

This episode wraps up a week full of urgent vulnerabilities, sophisticated attacks leveraging AI, concerns about open-source security dependencies, and a noteworthy telecom penalty. Host and guest Jonna Attil Johnson unpack the implications of these stories, layer in their real-world experiences, and inject humor into the ever-daunting world of cybersecurity.

Key Topics & Insights

1. Citrix RCE Flaw—The New “Situation Normal”

[Starts 03:03]

• Summary:
  A remote code execution (RCE) vulnerability in Citrix NetScaler ADC and Gateway is being actively exploited, with 28,000+ devices still vulnerable online (35% in the US). Federal agencies were given a short deadline to patch (by Aug 28), and the Citrix patch arrived only on August 26, leaving organizations scrambling. The flaw is now in the CISA Known Exploited Vulnerabilities Catalog.

• Commentary:
  Jonna frames this as another week in “cyber insecurity”—RCEs, exploits, and urgency are business as usual. She highlights the systemic problems:

  • Vendors regularly have “really, really egregiously awful vulnerabilities” requiring unplanned, immediate mitigation.
  • Patch release schedules and regulatory remediation timelines are often misaligned, pressuring security teams.

• Quote:

  • “This is the canonical vulnerability that gets exploited... everyone listening to this is going, ‘yet another one.’ ...And yet, it’s completely situation normal.” (B, 03:34)
  • “Citrix didn’t get around to releasing its upgrade... until August 26th. So there you go. And that’s actually a huge piece of the problem.” (B, 03:54)

• Memorable Moment:
  The host jokes that burnout among CISOs is almost inevitable in this environment, referencing previous podcast episodes on the topic. (A, 05:42)

2. NDA-Based “New Download Attack” – Social Engineering Meets Malware

[Starts 05:42]

• Summary:
  Checkpoint details how attackers approach US industrial/tech firms via contact forms, pose as potential partners, and after weeks of communication, send a fake NDA zipped with “MixShell” malware. Attackers also set up lookalike websites for credibility.

• Insight:
  Jonna calls this phishing tactic “APT for business folks,” likening it to a prolonged scam where the solution is vigilance and common sense in document handling.

• Quote:

  • “The fix for this is fairly straightforward. You shouldn’t be signing any documents with someone who randomly just completed a contact us... The solution is don’t be in that habit [of opening unsolicited documents].” (B, 07:17)

3. US DoD – Reliance on Russian-Maintained Open Source

[Starts 08:46]

• Summary:
  Hunted Labs reveals that “Fast Glob” (used in 5,000+ projects, 70M downloads a week), essential to 30+ DoD packages, is maintained by a single Russian-based Yandex employee. No malicious code found, but it’s a supply chain risk.

• Insight:
  For Jonna, the bigger problem isn’t nationality, but a single maintainer creating a “Jenga Tower” of risk—a nod to the popular XKCD comic. She asserts that the dependency on one person (regardless of location) is the core vulnerability.

• Quotes:

  • “That’s more of a single point of failure risk... than simply knowing the person is Russian and in Russia.” (B, 10:55)
  • “It’s really a... problem pyramid. The bigger problem is that it’s one guy and then it’s a Russian guy and then it’s a Russian.” (A & B, 12:32)

• Fun Moment:
  A running meta-joke in the chat about SBoMs (software bills of materials) being the supposed panacea, but as Jonna and the host agree, “knowing about it isn’t fixing it.” (A/B, 11:54)

4. Agentic AI, “Vibe Hacking,” & North Korean Remote Worker Schemes

[Anthropic report segment starts 13:32, North Korean worker segment starts 16:34]

• Summary:
  Anthropic warns about:

  • Vibe Hacking: Malicious use of agentic AI (e.g., Claude) in cyber extortion, including technical consulting and psychological manipulation, carried out using jailbroken AI assistants.
  • AI in Workforce Abuse: North Korean remote workers, using Claude for everything (resume writing, technical work, communication), get jobs at Fortune 500 firms, performing roles entirely through AI support.

• Insights:
  Jonna stresses that robust AI authentication/authorization is missing—blockchain-based audit trails might help, but most organizations aren’t there yet. She also highlights that the risk of AI-enabled deception isn’t just about technology, but about failing to vet “entities” with proper due diligence, whether software or people.

• Quotes:

  • “Effective authorization and authentication really can help a lot. And that’s actually what’s not happening here.” (B, 14:48)
  • “You should really think about how you’re treating any entity that you’re allowing into your environment... If you were able to go back using some sort of blockchain transaction logging... be a lot harder to fake this stuff.” (B, 17:48)
  • “In order to succeed in a Fortune 500 company, you really have to have a bit more than a trace of the sociopath.” (B, 20:41)

• Humorous Aside:
  The host asks, “Which office is AI working in?”—a jab at “return to office” mandates and their disconnect from realities of AI-driven work. (A, 19:48)

5. Steganography Revived – AI Image Scaling Attack

[Starts 21:11]

• Summary:
  Trail of Bits uncovers attackers hiding malicious prompts inside images—undetectable at first view, but revealed after AI models downscale them (image scaling attack). Used for prompt injection or data poisoning, echoing pre-digital “steganography.”

• Insight:
  Jonna finds it hilarious but warns this represents another instance of AI helping attackers more than defenders—AI mass-generates variations until something works, while defenders still need careful, time-consuming analysis.

• Quotes:

  • “AI helps hackers way more than it protects people from being hacked... What AI is great at is spewing a whole lot of stuff, some subset of which is actually useful and interesting. That’s kind of how most attacks work.” (B, 23:17)
  • “There’s a fundamental inequality where AI helps attackers more than it helps defenders... the cybersecurity wars... my week in security is my week insecurity.” (B, 23:57)

• Memorable Moment:
  The host jokes this attack is the “Mad Magazine” attack—when you fold a magazine to reveal a hidden picture. (A, 24:12)

6. South Korean Telecom Penalty – A Rare Case of Accountability

[Starts 25:07]

• Summary:
  South Korea fines a telecom $97M for poor cyber defenses. Unlike in the US, where similar incidents often result in “a pat on the back and a stock boost.” Jonna highlights this difference in industry consequences.

• Quote:

  • “Everywhere else they just get a pat on the back and a stock boost... AT&T, Verizon, and T-Mobile got brought to their knees by Salt Typhoon... but hey, it’s fine, right?” (B, 25:07)

Notable Quotes & Memorable Moments

• “Call it my week in cyber insecurity. Like, what didn’t go wrong?” (B, 00:51)
• “This is the canonical vulnerability that gets exploited... and yet it’s completely situation normal.” (B, 03:34)
• “If you’re in the habit of randomly clicking on documents that partners send you, that you might be at risk. But the solution is don’t be in that habit.” (B, 07:17)
• “It’s a Jenga Tower... a project some random person in Russia has just been thanklessly maintaining since 2003.” (B, 09:56)
• “You really have to have a bit more than a trace of the sociopath [to succeed in a Fortune 500 company].” (B, 20:41)
• “AI helps hackers way more than it protects people from being hacked.” (B, 23:17)
• “My week in security is my week insecurity.” (B, 24:02)
• “I’m just disappointed that Trail of Bits did not name this the Mad magazine attack.” (A, 24:12)

Timestamps for Major Segments

• Citrix RCE Flaw: 03:03–05:42
• NDA Malware Attack: 05:42–08:11
• Russian-Maintained DoD Software: 08:46–12:37
• Anthropic AI “Vibe Hacking”: 13:32–15:59
• North Korean AI Remote Workers: 16:34–19:56
• Steganography Image Scaling Attack: 21:11–24:12
• South Korea Telecom Fine: 25:07–25:41

Conclusion & Takeaways

• RCEs, supply chain dependencies, and aggressive AI weaponization all defined the cybersecurity week.
• The most enduring challenge: attackers innovate rapidly—often aided by AI—while defenders struggle with legacy processes, incomplete visibility (SBoM), and rushed patches.
• The conversation balances dread with dry humor and practical advice—especially the recurring message: authentication, skepticism, and sound workflows matter more than ever.
• Final encouragement: Tune in for the next “Week in Review” and participate live for community banter and expert opinion.

Find Jonna Attil Johnson:

• Nemertes.com (Contact Us form)
• LinkedIn

For full stories and daily briefings:
https://CISOseries.com