Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete network stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale.
B (0:18)
Criminals say University of Pennsylvania hack worse than school is admitting. Western cyber agencies released guidance on securing WSUS and Exchange servers. Bad Candy RCE plagues Cisco routers on Halloween in Australia. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.
The University of Pennsylvania, one of the prestigious Ivy League schools, is dealing with a cybersecurity mess this week that's both technical and reputational. It started Friday when students and alumni began receiving shocking emails with the subject line "We got hacked, action required." These messages were packed with offensive, politically charged insults attacking the university's values, its policies and its leadership. But what made them so alarming wasn't just the language. It's that they came from real Penn addresses, sent through Connect UPenn.edu, the university's own email marketing system on Salesforce Marketing Cloud. At first, Penn labeled the emails fraudulent and, quote, obviously fake, even posting a banner asking people to ignore the messages. But the story didn't end there. A hacker later contacted BleepingComputer claiming they were behind the attack and that it went far deeper than just sending out that message. The attackers say they gained access to a UPenn employee's single sign-on account, giving them VPN access, Salesforce data analytics tools and SharePoint files. The hacker claims they stole data on 1.2 million donors, alumni and students: names, contact info and potentially sensitive demographic details. But so far we haven't seen independent confirmation, UPenn has not confirmed it, and the hackers have yet to show all the evidence. So for now, we're going to take these claims with a healthy dose of skepticism. The attackers say this wasn't political, even though their emails were filled with political jabs. They say their real goal was to grab Penn's wealthy donor database. That's possibly true. Or maybe this was a smaller incident being blown out of proportion to embarrass the university and grab attention. Either way, it's a reminder for everyone that cyber attacks aren't just about stealing data or denying access to systems. They're about shaping stories and sometimes stirring outrage.
For Penn donors and alumni, the advice here is simple. Stay cautious, but don't panic. If you get an unexpected email about donations or account changes, don't click, don't reply. Go directly to the official Penn website or call the alumni or donor relations team. Always verify, particularly when something feels weird or different, or when there's a change. This incident highlights the importance of clear, rapid and accurate communications. How Penn communicates after the hacker's claim will make a world of difference, particularly if donors become concerned that they're not getting information quickly and accurately. Good reminder here: even the best defenses, multi-factor authentication, cybersecurity awareness and more, can only go so far. Organizations are still going to have incidents. You need to make sure that you're training your leaders, communicators and IT teams on how to effectively respond. And if you're a higher education institution right now, this case should be your next tabletop exercise. And as the story shows, sometimes the biggest threat isn't just the hack. It's the chaos that claims around the hack can create.
For the Penn team, if they're listening: I've lived through something similar, not as vitriolic, offensive or political. But in 2012, when my university was hacked and I was involved in the response, the hacktivist group went to great lengths to be sarcastic and particularly insulting to the IT team in their post-hack notes on Twitter. The good news? They got caught. Turns out the leader was a sailor on a US Navy aircraft carrier. Hacking from the carrier? Bad move, and he was caught by NCIS and spent a few years in prison. So fingers crossed. Hopefully the crew behind this attack will also see some justice. In the meantime, keep your head down, do the hard work of containment, assessment and response, and know, particularly in higher education, there's a broad cybersecurity community that's thinking of you and is out there to help if you need it.
The US government has issued an urgent warning to organizations still running on-premise Microsoft Exchange and Windows Server Update Services servers. The Cybersecurity and Infrastructure Security Agency, CISA, and the National Security Agency, joined by partners in Canada and Australia, are urging IT teams to lock down and patch these systems immediately. Why? Well, they're getting hammered. Exchange servers remain one of the most attacked pieces of enterprise infrastructure on the planet, according to CISA and the NSA. Unprotected or misconfigured Exchange servers continue to be exploited, often because they're out of date, poorly secured, or still exposed to the Internet. The agencies are telling organizations to decommission old Exchange systems, especially those past end of life, and where possible to consider moving to Microsoft's cloud versions in Microsoft 365. It's worth reminding everyone that a bunch of Exchange servers just went end of life this fall. For anyone who still needs on-prem servers, the guidance here is clear: use multi-factor authentication, restrict admin access, make sure you've got proper endpoint antivirus and endpoint detection, and make sure you've got the right encryption and ways of handling identity, things like TLS, HSTS and Kerberos instead of outdated NTLM. And as always, keep it patched. As the agencies put it, quote, "Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications."
At the same time, CISA has updated its alert for a newly re-patched Windows vulnerability, CVE-2025-59287, a serious flaw in Windows Server Update Services, or WSUS. The bug can allow for remote code execution. That's the worst, and researchers have already confirmed it's being exploited in the wild. Now you may be thinking WSUS wasn't supposed to be an Internet-available service, and you'd be right, except what happened during the pandemic was thousands of organizations were forced to make this service available in order to ensure enterprise-managed Windows devices got patched. And with hybrid work still a dominant form for many organizations and many professionals around the world, ensuring that devices can be managed effectively even when they're at home is still a thing. Sophos, Huntress and Palo Alto Networks all report attackers using PowerShell scripts launched from compromised WSUS servers to steal data from universities, tech firms, manufacturers, hospitals and more. Sophos says it's seen at least six confirmed incidents and believes there could be dozens more. Investigators say attacks may still be in the reconnaissance phase, testing the exploit before wider campaigns begin. So this may be one of your last warnings to act on this. Not a cause for panic, but a moment for urgent, get-it-done patching. If your organization still relies on on-prem Exchange or WSUS, treat this as the urgent matter it is. Time is running out. Patch now, and make sure your monitoring tools are watching for suspicious PowerShell or system-level processes, especially WsusService.exe or w3wp.exe. As the NSA and CISA put it, continuous hardening and vigilance are the only ways to stay ahead of today's threats, because for many organizations, Exchange and WSUS are the backbone of communications. They're always going to be in the bullseye and they're always going to demand that high level of vigilance.
Australia's cybersecurity agency is sounding the alarm, this time over ongoing attacks targeting unpatched Cisco IOS XE devices. The culprit? A malicious implant known as Bad Candy. The warning comes from the Australian Signals Directorate, or ASD, which is Australia's version of the NSA, which says hundreds of routers across the country have been compromised since mid-2025 and attackers are still at it. The root of the problem is a critical vulnerability tracked as CVE-2023-2198 that Cisco fixed back in October 2023. The flaw allows unauthenticated attackers to create fake admin accounts through the web interface, giving them full control of the router. And once they're in, they plant Bad Candy, a small Lua-based web shell that lets attackers execute any command they want with root privileges. Now here's where it gets frustrating. Even though Cisco patched this issue two years ago, many organizations never applied the fix. That means those devices are still wide open to this attack. And according to the ASD, over 400 devices were hit across Australia in the summer alone. Bad Candy is sneaky. It's wiped when the router reboots, but when the device remains unpatched, attackers can just slip it back in. The ASD says it's seeing signs of re-exploitation, the same routers being hacked again, sometimes days after being cleaned. The agency believes at least 150 routers remain compromised today. And even more troubling, analysts think many of these attacks may trace back to state-sponsored groups, including one linked to China's Salt Typhoon campaign, which has also targeted telecommunications companies in the United States and Canada. In response to this threat, the Australian Signals Directorate is notifying victims directly with patching and hardening instructions. They've even asked Internet service providers to contact affected customers when ownership can't be determined. The takeaway here is simple. If you're running Cisco IOS XE, check your firmware now. Make sure you've applied all patches, disabled unnecessary web interfaces, and followed Cisco's hardening guide. Of course, this isn't just an Australia problem. These routers are used around the world, and when they go unpatched, they become global liabilities.
Those are your updates for Monday, November 3rd. When we step back and look at this week's stories, the Penn breach, the warnings about Exchange and WSUS, and the Bad Candy attacks in Australia, you start to see the same thread running through all three: vigilance. Cybersecurity isn't just about tools or patches. It's about people, processes, culture and technology. And when we're talking about people, it's our capacity to stay alert, to care, to notice when something's off. Vigilance is hard. We're human. We get tired. We're distracted. All of us are busy. And in the gaps that happen because of that, when an update waits for another day, when we keep hardware around that's not patched, when we don't update Microsoft Exchange, when warnings start to feel routine, that's when the gaps become vulnerabilities that criminals exploit. And that's why culture matters. A strong security culture isn't about blame or fear. It's about helping people stay watchful together and creating systems that can catch what, by nature, we will miss as humans. Culture doesn't grow on its own. It grows when senior leaders value and invest in security not as a checkbox or as an afterthought, but as part of how your organization succeeds. Because when leaders model that care and accountability, everyone follows that lead. So yes, vigilance is hard and it always will be. But with the right culture and leaders who treat security as being part of the mission, vigilance becomes something that can be sustained. I've been your host, David Shipley. Jim Love will be back on Wednesday.
