A
You're listening to the CyberWire Network, powered by N2K. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

China-linked hackers target Cisco firewalls. MIT Sloan withdraws a controversial AI-driven ransomware paper. A new study questions the value of cybersecurity training. Hackers exploit OpenAI's API as a malware command channel. Apple patches over 100 security flaws across devices. A Florida-based operator of mental health and addiction treatment centers exposes sensitive patient information. OPM plans a mass deferment for CyberCorps scholars affected by the government shutdown. Lawmakers urge the FTC to investigate Flock Safety's cybersecurity gaps. Cybercriminals team with organized crime for high-tech cartel cargo thefts. Ben Yellen from the University of Maryland Center for Cyber Health and Hazard Strategies discusses ICE's controversial facial scanning initiative. And a priceless theft meets a worthless password.

It's Tuesday, November 4, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
China-affiliated threat group Storm-1849, also tracked as UAT4356, has been exploiting Cisco Adaptive Security Appliance firewalls used by governments and major firms worldwide. According to Palo Alto Networks Unit 42, the hackers leverage two known Cisco vulnerabilities to gain persistent control over critical network gateways. Targets include U.S. federal and state agencies, defense contractors and financial institutions, as well as organizations in Europe, Asia, Africa, and the Middle East. Despite CISA's emergency patch directive, attacks persisted through October, pausing briefly during China's Golden Week. Experts warn that affected entities must not only patch but also reset configurations and credentials to fully remove intrusions.

MIT Sloan has retracted a working paper that falsely claimed over 80% of ransomware attacks in 2024 involved artificial intelligence. The study, co-authored with cybersecurity firm Safe Security, faced strong backlash from independent researchers, including Kevin Beaumont and Marcus Hutchins, who called the report ridiculous and nonsense, citing its lack of evidence and inclusion of long-defunct malware like Emotet. Even Google's AI Overview disputed the statistic. Following the criticism, MIT removed the paper and said it is revising the work after recent reviews. Co-author Michael Siegel acknowledged that an updated version is forthcoming, emphasizing the paper's intent to explore AI's growing role in ransomware rather than assert a precise figure. Beaumont later accused MIT Sloan and Safe Security of spreading "cyberslop," or baseless AI claims for profit, warning that such hype misleads security leaders and undermines trust in cybersecurity research.

A UC San Diego Health study of nearly 20,000 employees found that cybersecurity training had little impact on phishing susceptibility. Trained workers were about as likely to click phishing links as untrained ones, regardless of when they last took training.
Popular lures included fake HR and vacation policy updates. Researcher Ariana Mirian said the results showed users eventually fall for a lure, suggesting organizations should emphasize technical defenses like multi-factor authentication and spam filtering instead of relying on training alone.

Microsoft has uncovered a stealthy backdoor, dubbed SesameOp, that hijacks OpenAI's Assistants API to control infected systems. Instead of using the API for normal chatbot interactions, attackers use it as a covert command-and-control channel, blending malicious traffic with legitimate AI activity. The backdoor, first detected in July, employs .NET AppDomainManager injection, layered encryption, and heavy obfuscation to execute and exfiltrate commands invisibly. By routing through OpenAI's trusted infrastructure, SesameOp avoids traditional detection methods like suspicious IPs or domains. Microsoft emphasized that this is not an OpenAI vulnerability but a misuse of legitimate capabilities. The company shared indicators and hunting queries to help defenders flag unusual API activity. OpenAI has since disabled a compromised account linked to the attack. Experts warn that as AI integration expands, trusted cloud services will increasingly be repurposed for stealth operations.

Apple has released major security updates for iOS, iPadOS, and macOS, addressing more than 100 vulnerabilities. iOS and iPadOS 26.1 fix 56 issues, including 19 in the WebKit browser engine, while macOS Tahoe 26.1 patches 105 flaws. The bugs could allow data theft, memory corruption or sandbox escapes. Many were discovered by Google's Big Sleep AI, which identifies exploitable weaknesses before attackers can act. Apple also issued fixes for macOS Sequoia, Sonoma, tvOS, watchOS, visionOS and Safari.

Oglethorpe Inc., a Florida-based operator of mental health and addiction treatment centers, is notifying over 92,000 patients of a data breach discovered in June.
The company reported the incident to the Maine attorney general, saying attackers accessed its IT systems and stole personal data, including names, Social Security numbers and medical information. While no misuse has been confirmed, Oglethorpe is offering affected individuals 12 months of credit monitoring. The firm, which runs facilities in Florida, Ohio and Louisiana, has rebuilt compromised systems, notified the FBI and strengthened network defenses. Experts say breaches involving behavioral health data carry heightened risks of emotional and social harm. Security consultant Dave Bailey emphasized that such incidents erode patient trust and urged healthcare providers to go beyond compliance by prioritizing risk-based protections for sensitive health information.

The U.S. Office of Personnel Management says it will coordinate a mass deferment for participants in the federal CyberCorps Scholarship for Service program once the government shutdown ends. The program, run by the National Science Foundation with OPM and DHS, funds cybersecurity students' tuition in exchange for post-graduation federal service. Scholars unable to find qualifying jobs must normally repay their awards. Due to hiring freezes and budget cuts, many current and recent graduates fear they'll owe as much as $100,000 amid limited federal openings. OPM spokesperson McLaurin Pinover said the deferment will grant more time for job placement and added that no participants have yet been sent to repayment. OPM director Scott Kupor emphasized that recruiting cybersecurity and AI specialists remains a national priority and that new guidance will urge agencies to fully leverage the SFS program once operations resume.

Senator Ron Wyden, Democrat from Oregon, and Representative Raja Krishnamoorthi, Democrat from Illinois, have asked the Federal Trade Commission to probe police surveillance firm Flock Safety over alleged weak cybersecurity.
Their letter cites at least 35 hacked customer accounts and criticizes Flock for not requiring multi-factor authentication or supporting phishing-resistant MFA. The lawmakers warn that poor security could expose location data on millions of Americans. Flock's license plate reader network spans over 8,000 communities nationwide. Both the FTC and Flock declined to comment.

Researchers at Proofpoint warn that cybercriminals are teaming with organized crime groups to carry out a modern wave of cargo thefts targeting U.S. logistics firms. The attackers infiltrate freight brokers and load boards, post fake shipping jobs, and use malicious remote monitoring and management tools such as N-able or ScreenConnect to gain network access. Once inside, they steal credentials and impersonate brokers to redirect legitimate shipments to criminal-controlled addresses. Goods stolen range from electronics to energy drinks, with losses totaling millions of dollars. Proofpoint says the criminals are opportunistic, targeting carriers of all sizes. CargoNet's latest data supports the trend, reporting over $111 million in losses across 772 thefts in the third quarter of 2025, with an average stolen shipment worth $336,000. Experts expect these cyber-enabled social engineering schemes to grow more sophisticated as attackers exploit public load board data to value shipments.

Coming up after the break, my Caveat co-host Ben Yellen discusses ICE's controversial facial scanning initiative. And a priceless theft meets a worthless password. Stay with us.
B
What happens when cybercrime becomes as easy as shopping online? SpyCloud's Trevor Hilligoss joined Dave Bittner on the CyberWire Daily to explain how a wave of cybercrime enablement services are lowering the barrier to entry and making sophisticated attacks available to anyone.
C
I think it's a pretty good general term that describes kind of an umbrella of tools and services that I would kind of tag as criminal or criminal adjacent instead of having, you know, sort of the smaller pool of high sophistication actors that are able to kind of carry out these really vast and costly cyber attacks. You know, we see that being given to much lower sophistication, lower tech folks that are, you know, a much lower barrier to entry to get into this field. The person that's buying access to this, they basically need a phone and a Bitcoin wallet.
B
Make sure you hear this full conversation and learn how the underground economy is reshaping cyber risk. Visit explore.thecyberwire.com/spycloud. That's explore.thecyberwire.com/spycloud.
A
What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

It is always my pleasure to welcome back to the show Ben Yellen. He is my co-host over on the Caveat podcast and he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
B
Good to be with you again, Dave.
A
We had a discussion for this week's...
B
Caveat show, which you should listen to.
A
Which you should totally listen to, about some facial recognition software that ICE is using here. Can you unpack this, Ben? What's going on?
B
Sure. So this comes from a story from 404 Media, which is doing some really interesting work in this space. And it's about an ICE application originally developed by Customs and Border Protection called Mobile Fortify. And under that application, ICE uses facial recognition scans in order to determine if a person is either a U.S. citizen or a lawful legal resident. And if they are not, they are eligible for detention and potential deportation. Data that's collected through the use of this app, this biometric data, can be stored for 15 years. So generally how it works in practice: agents will take a photo on one of their issued mobile devices. It's checked against Customs and Border Protection's Traveler Verification System, which has a database of roughly 200 million faces. And the system returns relevant details: name, date of birth, nationality, et cetera. It is also capable of capturing fingerprints and GPS locations from this encounter. What's particularly controversial is that DHS has stated as a policy that you cannot refuse to be scanned by this facial recognition application. So this obviously has Fourth Amendment implications. Almost by definition, these types of searches are taking place among people for whom ICE is not sure if they're U.S. citizens or proper U.S. residents. So it's going to implicate the rights of U.S. persons. And I think the concern here is, given that this is a pretty invasive use of technology, it's data that can be collected and used against you for up to 15 years. If you're ever arrested for a crime, even if you have never committed a crime in the past, your face could be in national facial recognition databases and that could be used as evidence to convict you. So given those implications, you can understand, I think, why this is particularly controversial. For their part, DHS has not responded to that story for comment. I think in their minds, this is a tool that will shorten ID verification time compared to other manual methods.
And most notably, they believe, at least according to this article, that the use of these biometric tools is more reliable even than things like actual passports, birth certificates, et cetera. So they are using the results of their facial recognition search as the definitive word as to whether a person is here legally. So this is certainly something that's rankled people who believe in civil liberties and Fourth Amendment rights.
A
I saw in this article that it got the attention of Congressman Bennie Thompson, who's a Democrat from Mississippi. He said that this practice is frightening, repugnant, and unconstitutional. You know, we've seen concerns, justified concerns, that facial recognition is less reliable when dealing with people of color. And of course, no small irony that that's who ICE is targeting here. Right, right.
B
So there's very well-established research that facial recognition frequently fails, as you say, when reviewing faces of people of color. And so I think that's one of the concerns that Representative Thompson has brought up, and many others. We know that the Supreme Court, in one of its decisions on ICE's tactics, said that the use of race is an acceptable, at least as an initial matter, impetus for attempting to question somebody's citizenship. It's kind of a common sense argument: if most of the undocumented immigrants in this country are from Central America and parts of South America, then by necessity, at least according to a concurrence by Justice Kavanaugh, we should be able to take the person's race into consideration. So when you combine that constitutional finding with the fact that this app is being used widely and facial recognition does poorly in circumstances with faces of people of color, I think you have the recipe for a real civil liberties disaster here.
A
So what could people do to push back on this? We have Congressman Bennie Thompson, who's against it. I'm sure he has colleagues who agree with him. Would it be up to Congress to push back? Would someone be able to bring a case against this if they were wrongly accused?
B
Yes. So somebody could certainly bring a case. I can't say I would be super optimistic of a person trying to bring a constitutional Fourth Amendment case, given that it's unclear whether facial recognition of people, at least in public thoroughfares, qualifies as a constitutional search. It doesn't neatly meet the definition of search or seizure under the Fourth Amendment. And then the government could always claim that they're doing this in the interest of national security, which always weighs favorably toward the government in terms of an analysis of whether the search is reasonable. So somebody could bring that legal challenge. They'd have to have standing, which means they would have had to have been unlawfully detained, and they could challenge the circumstances around their detention. Short of that, it would be Congress who could intervene and could prevent the use of this technology or the use of this technology without proper safeguards, like giving people the right to opt out. But I certainly do not see the current Congress agreeing to something like that. So at the very least, we'd have to wait a year until there is a different Congress in place that isn't as supportive of the president's immigration policies.
A
Just to be crystal clear here: I'm walking down the street and I cross paths with the folks from ICE. They say, "Hey there, sir, we need you to stop to get your face scanned." And I say, "No, I'm good," and try to keep walking. What likely happens next?
B
They will tell you that you have to do it. And they're the ones with the guns and the handcuffs. So they could probably make you comply with the use of physical force. We don't know exactly what would happen because DHS didn't comment for this article. But I think the implication is they could use any means necessary if they feel this is the definitive word on somebody's right to be in this country. I think they could compel somebody into complying through force or the threat of physical force, and they will put your face in front of a camera.
A
All right. Well, again, this is from the folks over at 404 Media, who, as you say, Ben, are doing some really good work with these sorts of things. We'll have a link to that in the show notes. Ben Yellen, thanks so much for joining us.
B
Thank you, Dave.
A
And finally, the recent jewel heist at the Louvre Museum in Paris looked like something out of a Hollywood script: broad daylight, the Apollo Gallery, and a team of thieves coolly lifting crown jewels worth nearly 90 million euros before vanishing on a motorbike into Paris traffic. Two weeks later, investigators have suspects in custody, but no trace of the treasure, only questions about how the world's most famous museum could be robbed so easily. Well, documents now reveal that the Louvre's surveillance server once required a password: "Louvre." Yes, the museum guarding centuries of priceless art apparently thought security should rhyme with simplicity. Prosecutor Laure Beccuau says the culprits aren't criminal masterminds, just lucky opportunists aided by what she said was the Louvre's chronic underestimation of risk. So while the thieves remain at large, the true embarrassment hangs in the network logs: a password so weak it could have been guessed by a tourist in line for tickets.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: November 4, 2025
Host: Dave Bittner (N2K Networks)
Guest Analyst: Ben Yellen (University of Maryland Center for Cyber Health and Hazard Strategies)
In this episode, CyberWire Daily delivers key news and expert analysis on recent high-impact cybersecurity incidents, ongoing debates concerning AI in attacks, persistent threats from nation-state actors, escalating cyber-enabled cargo thefts, and controversial government surveillance methods. Notably, the episode also includes a detailed discussion with Ben Yellen regarding ICE’s use of facial recognition, along with a cautionary tale about poor password security at a world-famous museum.
The episode maintains CyberWire’s trademark mix of precise, urgent industry updates with analytically rigorous, sometimes wry, commentary—delivering both technical detail and accessible context for a broad professional audience.