Cybersecurity Today – "Alarm Bells in Ivy League School"
Host: David Shipley (substituting for Jim Love)
Date: November 3, 2025
Episode Overview
This episode delivers urgent updates on several major cybersecurity threats facing businesses and institutions. The main focus is on a disruptive breach at the University of Pennsylvania that combines technical compromise with reputation attacks, alongside fresh government warnings about vulnerabilities in Microsoft Exchange, Windows Server Update Services (WSUS), and Cisco routers globally. Throughout the episode, host David Shipley emphasizes the need for vigilance, rapid response, and security culture to keep organizations resilient against current cyber threats.
Key Discussion Points & Insights
1. University of Pennsylvania (UPenn) Breach: A Crisis of Data and Reputation
(Starts ~00:18)
- Incident Timeline:
- On Friday, students and alumni received seemingly official emails from UPenn addresses, packed with offensive political insults and attacks on university leadership.
- Emails originated from UPenn’s own Connect UPenn (Salesforce Marketing Cloud) system, lending them authenticity.
- University's Initial Response:
- UPenn labeled the messages “obviously fake,” urging recipients to ignore them.
- Escalation:
- A hacker claimed responsibility to Bleeping Computer, alleging a far deeper breach:
- Compromised employee single sign-on credentials enabled VPN, Salesforce, analytics, and SharePoint access.
- Claimed theft of data from 1.2 million donors, alumni, and students—including possibly sensitive demographic details.
- As of the episode, these claims are unconfirmed by UPenn or independent sources.
- Motives & Damage:
- Although emails were politically charged, attackers stated the real motive was to grab the donor database.
- Shipley cautions that attack narratives can be manipulated to sow chaos or embarrassment as much as to steal data.
“Either way, it’s a reminder for everyone that cyber attacks aren’t just about stealing data or denying access to systems. They’re about shaping stories and sometimes stirring outrage.”
— David Shipley (02:40)
- Advice to UPenn Donors and Alumni:
- Remain vigilant but don’t panic.
- Do not click on suspicious emails; verify changes via official channels.
- Recognize the essential role of clear, rapid, and accurate communication following cyber incidents.
- Lessons for Universities and Beyond:
- Even robust controls like multi-factor authentication can’t guarantee incident prevention.
- Incident response training is essential for leadership, communications, and IT teams.
- This should serve as a “tabletop exercise” scenario for other higher-ed institutions.
- Personal Anecdote:
- Shipley shares his 2012 experience responding to a university hack, noting the emotional and reputational toll of such events.
“In 2012, when my university was hacked...the hacktivist group went to great lengths to be sarcastic and particularly insulting to the IT team...Good news? They got caught...Hacking from the carrier? Bad move.”
— David Shipley (06:02)
2. Critical Guidance on Microsoft Exchange & WSUS Servers
(Starts ~07:45)
- CISA, NSA, and International Partners Warning:
- Legacy, on-premise Microsoft Exchange and WSUS servers face intense attacks globally.
- Unpatched, internet-facing Exchange servers are routinely breached—agencies urge rapid decommission or migration to Microsoft 365 cloud solutions.
- Mitigation Advice:
- Apply all patches immediately.
- Use multi-factor authentication.
- Restrict admin access, use modern authentication/encryption standards (TLS, HSTS, Kerberos), and upgrade endpoint defenses.
“Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications.”
— CISA Guidance cited by David Shipley (09:10)
- WSUS Vulnerability CVE-2025-59287:
- Allows remote code execution. Exploited in the wild, especially by attackers leveraging PowerShell scripts from compromised WSUS servers.
- Organizational shift to hybrid work post-pandemic left many WSUS servers exposed.
- Urgency:
- Sophos, Huntress, and Palo Alto report active exploitation, mostly still in the reconnaissance phase; incidents confirmed in tech, manufacturing, hospitals, and universities.
- Shipley warns this may be the "last warning to act," implying attackers may escalate soon.
“Not a cause for panic, but a moment for urgent get-it-done patching if your organization still relies on on-prem Exchange or WSUS.”
— David Shipley (10:45)
- Monitoring Tips:
- Watch for suspicious PowerShell activity, especially child processes of WsusService.exe or w3wp.exe.
“Continuous hardening and vigilance are the only ways to stay ahead of today’s threats.”
— NSA & CISA guidance cited (11:12)
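The monitoring tip above is easy to turn into a detection rule. The following is an added example, not code from the episode or from the CISA/NSA guidance: it reads constructed process-creation records (JSON lines, one per process start) and flags PowerShell launched by WsusService.exe or w3wp.exe, plus command-line switches commonly seen in attacker-launched PowerShell. The field names and the switch list are assumptions.

```python
import json

# Parents that should not normally launch PowerShell on a WSUS host: WsusService.exe
# is the WSUS service itself, w3wp.exe the IIS worker serving the WSUS endpoints.
SUSPECT_PARENTS = {"wsusservice.exe", "w3wp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Switches that often mark attacker-launched PowerShell (our assumption, not the advisory's list).
SUSPECT_SWITCHES = ("-enc", "-encodedcommand", "-nop", "-w hidden", "downloadstring")

def parse_event(line):
    """Parse one process-creation record (constructed JSON-lines format)."""
    ev = json.loads(line)
    return {
        "time": ev["time"],
        "host": ev["host"],
        "image": ev["image"].rsplit("\\", 1)[-1].lower(),
        "parent": ev["parent_image"].rsplit("\\", 1)[-1].lower(),
        "cmd": ev.get("command_line", "").lower(),
    }

def score_event(ev):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if ev["image"] not in POWERSHELL_IMAGES:
        return reasons
    if ev["parent"] in SUSPECT_PARENTS:
        reasons.append(f"powershell spawned by {ev['parent']}")
    for sw in SUSPECT_SWITCHES:
        if sw in ev["cmd"]:
            reasons.append(f"suspicious switch {sw!r}")
            break
    return reasons

def find_alerts(lines):
    # Run every record through score_event and keep the ones that fire.
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((ev["time"], ev["host"], ev["parent"], reasons))
    return alerts

# Constructed sample records: two that should alert, two benign.
SAMPLE_LOG = [
    r'{"time":"2025-11-03T08:12:01Z","host":"wsus01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","command_line":"powershell.exe -nop -w hidden -enc AAAA"}',
    r'{"time":"2025-11-03T08:12:05Z","host":"wsus01","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"cmd.exe /c dir"}',
    r'{"time":"2025-11-03T08:13:40Z","host":"wsus01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","command_line":"powershell.exe -c whoami"}',
    r'{"time":"2025-11-03T09:00:00Z","host":"admin-ws","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe Get-Service"}',
]
```

Calling `find_alerts(SAMPLE_LOG)` returns the two WSUS-host events; the same logic maps directly onto Sysmon Event ID 1 or Windows 4688 fields in a SIEM query.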
3. Bad Candy: Cisco Router Exploits Plague Australia
(Starts ~12:00)
- Attack Details:
- Australia’s ASD warns of a malicious implant (“Bad Candy”) on hundreds of unpatched Cisco IOS XE routers.
- Vulnerability (CVE-2023-2198) allows attackers to create fake admin accounts and install persistent web shells.
- Despite a patch issued in October 2023, many organizations failed to update, leaving routers vulnerable.
- Attack Dynamics:
- Bad Candy is wiped upon reboot, but unpatched routers are easily re-compromised.
- Some routers have been exploited repeatedly, sometimes just days after previous clean-up.
- Scale & Attribution:
- Over 400 known cases in summer 2025; at least 150 routers still compromised.
- Many attacks reportedly linked to China’s Salt Typhoon, which has also targeted telecoms in the US and Canada.
- Remediation:
- Patch all affected routers immediately.
- Follow Cisco's hardening guidance and disable unnecessary web interfaces.
- ISPs have been enlisted to notify owners.
“Takeaway here is simple. If you’re running Cisco IOS XE, check your firmware now...unpatched, they become global liabilities.”
— David Shipley (13:12)
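Two of the artefacts this segment names, rogue admin accounts and an exposed web UI, are visible in the router's running configuration. The script below is an added example, not code from the episode, ASD, or Cisco: it audits a saved `show running-config` for privilege-15 users outside an allowlist and for the `ip http server` / `ip http secure-server` commands that enable the web interface. The allowlist, hostname and account names are constructed.

```python
import re

# Accounts the network team actually provisioned (constructed allowlist).
APPROVED_ADMINS = {"netops"}
# Matches 'username <name> privilege <n> ...' as shown in an IOS XE running-config.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.IGNORECASE)
# These two commands enable the HTTP/HTTPS web UI that the hardening guidance says to
# disable when not needed; 'no ip http ...' lines deliberately do not match them.
WEB_UI_CMDS = ("ip http server", "ip http secure-server")

def audit_running_config(config_text, approved_admins=APPROVED_ADMINS):
    """Return findings: privilege-15 accounts not on the allowlist, and an enabled web UI."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in approved_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
        elif line in WEB_UI_CMDS:
            findings.append(f"web UI enabled: {line}")
    return findings

# Constructed excerpt of a running-config with one rogue account and the HTTPS UI on.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 <hash-redacted>
username svc_backup privilege 15 secret 9 <hash-redacted>
username helpdesk privilege 1 secret 9 <hash-redacted>
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
end
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print(finding)
```

Run this against configs pulled from every IOS XE device after each reboot, since the page notes reboots wipe the implant but not the underlying exposure.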
4. The Common Thread: Culture and Vigilance
(Starts ~13:45)
- Across all stories—the UPenn breach, Exchange/WSUS warnings, and Cisco router attacks—a central motif emerges: vigilance is everyone’s responsibility.
- Cybersecurity is not just about the right tools or patches but about people, processes, and especially organizational culture.
“Vigilance is hard. We’re human. We get tired. We’re distracted...when we don’t update Microsoft Exchange, when warnings start to feel routine, that’s when the gaps become vulnerabilities that criminals exploit.”
— David Shipley (13:55)
- Emphasizes that a strong security culture is not borne out of blame or fear, but of communal watchfulness and leadership investment.
“When leaders model that care and accountability, everyone follows that lead...with the right culture and leaders who treat security as being part of the mission, vigilance becomes something that can be sustained.”
— David Shipley (14:10)
Notable Quotes & Memorable Moments
- “Attackers say this wasn’t political, even though their emails were filled with political jabs. They say their real goal was to grab Penn’s wealthy donor database. That’s possibly true. Or maybe this was a smaller incident being blown out of proportion to embarrass the university and grab attention.” (03:50)
- “If you get an unexpected email about donations or account changes, don’t click, don’t reply, go directly to the official Penn website or call...” (04:50)
- “In the gaps that happen because of [being busy], when an update waits for another day...that’s when the gaps become vulnerabilities that criminals exploit.” (13:55)
- “A strong security culture isn’t about blame or fear. It’s about helping people stay watchful together...” (14:00)
Timestamps for Important Segments
- 00:18 – UPenn breach overview and escalation
- 03:30 – Hacker’s claims and analysis of possible motives
- 05:40 – Advice for UPenn stakeholders and other institutions
- 06:02 – Host’s personal experience with university breaches
- 07:45 – CISA/NSA warning about Exchange & WSUS
- 09:10 – Key mitigations for Exchange and WSUS vulnerabilities
- 10:45 – Active exploitation details and urgent call to action
- 12:00 – Australia’s “Bad Candy” Cisco router exploit explained
- 13:12 – Global impact and remediation guidance for Cisco routers
- 13:45 – The importance of vigilance and culture in cybersecurity
Final Takeaway
David Shipley wraps up with a reminder: None of these threats are one-off incidents. They are part of a continuing pattern—cybersecurity is as much about maintaining vigilance, building a robust culture, and investing in people and processes, as it is about technical defense.
For more practical recommendations, urgent advisories, and expert insights, follow Cybersecurity Today—Jim Love returns next episode!
