CyberWire Daily — "Brute force break-in."
Date: September 18, 2025
Host: Dave Bittner | N2K Networks
Episode Overview
In this episode of CyberWire Daily, Dave Bittner delivers the industry’s essential cybersecurity news, focusing on a brute force breach against SonicWall’s cloud backup platform and a host of critical security issues, including Chrome's latest zero-day vulnerability, a self-replicating malware worm, Chinese state-sponsored phishing, international law enforcement efforts, and attacks leveraging AI. The featured interview explores the irreplaceable human element in intelligence work, even as AI and automation proliferate. The show closes with a phishing campaign targeting the crypto industry by impersonating a podcast host.
Key News and Analysis
1. SonicWall Cloud Backup Platform Breached
[02:38]
- Incident: Attackers brute-forced SonicWall’s MySonicWall cloud backup API service, accessing sensitive firewall configuration files.
- Data at Risk: Firewall config files, including network maps, VPN credentials, API keys, encrypted passwords, and rules.
- Scope: "Fewer than 5% of firewalls are affected," but no exact numbers disclosed.
- Action Items: Users must reset passwords, keys, and shared secrets not just on firewalls but across ISPs, DNS providers, VPNs, LDAP, and RADIUS servers.
- Response: SonicWall has closed the attack vector and is cooperating with law enforcement.
“If your devices are flagged, you need to reset all passwords, keys, and shared secrets not just on your firewall, but also with ISPs, dynamic DNS providers, VPN peers, and LDAP or RADIUS servers.” — Dave Bittner [03:08]
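The brute-force pattern in the SonicWall story is exactly what an API's authentication log should surface before the attacker gets a working credential. This is an added example, not code from the episode or from SonicWall: a sliding-window detector over a constructed auth log; the log format, thresholds and addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source IP> <account> <result>".
# The format is an assumption, not SonicWall's real log schema.
SAMPLE_LOG = """\
2025-09-18T10:00:01Z 203.0.113.7 admin@corp.example FAIL
2025-09-18T10:00:03Z 203.0.113.7 admin@corp.example FAIL
2025-09-18T10:00:04Z 203.0.113.7 admin@corp.example FAIL
2025-09-18T10:00:06Z 203.0.113.7 admin@corp.example FAIL
2025-09-18T10:00:08Z 203.0.113.7 admin@corp.example FAIL
2025-09-18T10:00:09Z 203.0.113.7 admin@corp.example OK
2025-09-18T10:01:00Z 198.51.100.9 alice@corp.example OK
2025-09-18T10:01:05Z 192.0.2.44 bob@corp.example FAIL
2025-09-18T10:01:06Z 192.0.2.44 carol@corp.example FAIL
2025-09-18T10:01:07Z 192.0.2.44 dave@corp.example FAIL
2025-09-18T10:01:08Z 192.0.2.44 erin@corp.example FAIL
2025-09-18T10:30:00Z 198.51.100.9 alice@corp.example FAIL
"""

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def detect(log_text, max_failures=5, window=timedelta(minutes=5), max_accounts=3):
    """Return {source_ip: [reasons]} for sources showing brute-force patterns.
    failure-burst: >= max_failures failures inside a sliding window;
    many-accounts: > max_accounts distinct accounts tried from one source;
    success-after-burst: a login that succeeded from a bursting source (act on this one).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> distinct accounts attempted
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, account, result = parse(line)
        accounts[ip].add(account)
        if len(accounts[ip]) > max_accounts:
            alerts[ip].add("many-accounts")
        if result == "OK":
            if "failure-burst" in alerts[ip]:
                alerts[ip].add("success-after-burst")
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            alerts[ip].add("failure-burst")
    return {ip: sorted(r) for ip, r in alerts.items() if r}
```

Pair the "success-after-burst" signal with the reset procedure above: the account that finally authenticated is the one whose downstream secrets (VPN, RADIUS, DNS) need rotating first.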
2. Chrome Zero-Day Emergency Patch
[04:18]
- Details: Google patched a high-severity zero-day in the V8 JavaScript engine, the sixth Chrome zero-day in 2025.
- Threat Level: Public exploit exists; suggests active abuse, potentially by state-backed spyware operations targeting high-risk individuals.
- Recommendation: Update Chrome immediately; patch was shipped within a day.
“Google confirmed the flaw has a public exploit, a strong sign of active abuse, often linked to state backed spyware campaigns targeting high risk individuals.” — Dave Bittner [04:33]
3. Shai-Hulud Worm: AI-Assisted Open Source Supply Chain Threat
[05:06]
- Scope: Over 180 npm packages infected, including the popular @ctrl/tinycolor library.
- Mechanism: Steals developer credentials, pushes malicious code to NPM, creates GitHub repos for exfiltration.
- Harvests: API keys, cloud credentials, GitHub tokens, SSH keys.
- Technique: Likely used large language model (LLM) to write malicious bash scripts.
- Targets: Linux and macOS.
- Developer Advisories: Rotate all credentials, audit dependencies, enable MFA, and review GitHub accounts for compromise.
“This incident highlights the escalating risk of AI-assisted malware and the growing speed of CI/CD-driven supply chain compromises.” — Dave Bittner [06:37]
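The "audit dependencies" advice above is only useful if the audit also catches a compromised package version nested under another dependency, which is where a quick grep of package.json misses it. Added example, not from the episode or from npm: a lockfile (lockfileVersion 2/3) checker against a denylist. The package name is the one from the story; the denylist version, the sample lockfile and the install-script flagging are constructed assumptions.

```python
import json

# Denylist of compromised versions. The package name is the one named in the
# story; the version string is a constructed placeholder, not a real indicator.
DENYLIST = {"@ctrl/tinycolor": {"0.0.0-PLACEHOLDER-COMPROMISED"}}

# Constructed lockfile (lockfileVersion 3) with the package both as a direct
# dependency and nested under another package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
        "node_modules/some-ui-kit": {"version": "2.0.0", "hasInstallScript": True},
        "node_modules/some-ui-kit/node_modules/@ctrl/tinycolor":
            {"version": "0.0.0-PLACEHOLDER-COMPROMISED"},
    },
})

def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'; scoped names keep their '/'."""
    return path.split("node_modules/")[-1]

def audit_lockfile(lock_text, denylist=DENYLIST):
    """Return {'compromised': [(path, version)], 'install_scripts': [path]}.
    'compromised' is any installed copy, at any nesting depth, whose version is on
    the denylist. 'install_scripts' lists packages npm marked as having a
    preinstall/install/postinstall hook, worth a manual look during a response.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    report = {"compromised": [], "install_scripts": []}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        version = meta.get("version")
        if version in denylist.get(package_name(path), set()):
            report["compromised"].append((path, version))
        if meta.get("hasInstallScript"):
            report["install_scripts"].append(path)
    return report
```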
4. Chinese State-Aligned Phishing Campaign
[07:10]
- Actor: TA415 (APT41/Wicked Panda/Brass Typhoon).
- Targets: U.S. Government, think tanks, law firms, academics focusing on trade policy.
- Tactics: Phishing emails impersonate Rep. John Moolenaar (Chair, House China Committee) and invite targets to fake “closed-door briefings.”
- Payload: Python-based loader (Whirlcoil), Visual Studio Code tunnels, Google Sheets/Zoho for persistence & C2.
- Motivation: Intelligence gathering timed with U.S.-China trade negotiations.
“The emails invited recipients to closed door briefings with malicious attachments, delivering a Python loader called Whirlcoil.” — Dave Bittner [07:44]
5. Five Eyes Law Enforcement Group: UK NCA Takes Helm
[09:26]
- Development: UK’s National Crime Agency (NCA) to chair group for first time since 2015.
- Focus: Disrupt cybercrime, money laundering, child exploitation material.
- Collaboration: Involves FBI, DEA, AFP, RCMP, NZ Police.
- Success Story: LockBit ransomware takedown as example of joint action’s effectiveness.
“International cooperation is vital as criminals exploit new technologies, highlighting successes such as the LockBit ransomware takedown.” — Dave Bittner [10:08]
6. RevengeHotels: AI-Driven Venom RAT Attacks
[10:32]
- Actor: RevengeHotels (TA558).
- Targets: Hotel and HR inboxes, via fake invoice/job application links.
- Technique: AI-generated WScript JS downloaders, PowerShell loader, Venom RAT execution.
- Persistence and Evasion: RAT kills debuggers, spreads via removable media, deletes event logs to cover tracks.
7. Insight Partners Discloses Ransomware Breach
[11:13]
- Victim: Insight Partners (major VC firm).
- Timeline: Breach began in October 2024, detected January 2025.
- Impact: Data theft (banking, tax, employee, limited partner info), 12,000+ individuals affected.
- Significance: Highlights risks for VC firms due to sensitive financial and portfolio data.
8. Lawsuit Targets Automated License Plate Readers (ALPRs)
[11:54]
- Case Details: Over six months, 176 ALPR cameras recorded Lee Schmidt 526 times and Crystal Arrington 849 times.
- Civil Liberties Concern: Plaintiffs argue mass, warrantless tracking violates Fourth Amendment.
- Scale: Flock Safety’s ALPR network spans 5,000 agencies and 1,000+ businesses/associations.
- Flock’s Defense: Cites case law equating ALPR use to public photography.
Featured Interview: "The Human Side of Intelligence Work" (with Brock Lupton, Maltego)
“At the end of the day ... when we're talking about intelligence ... it’s a human thing. ... It takes another human to look at that situation and have the ... intuition to ask why things happened the way they did.” — Brock Lupton [14:14]
Key Points and Insights
The Irreplaceable Human Element
- Critical Thinking Over Automation: Despite advances, machines can't yet match human intuition in intelligence analysis.
- Clout Chasing & Hot Takes: Instant "expert" analysis and social media hype generate noise, not intelligence.
- “There are a lot of these self-proclaimed OSINT experts ... trying to jump on the story right away. ... There’s no critical thought ... as some people would say, there's no tradecraft that's been applied.” — Brock Lupton [15:24]
Dangers of Disinformation
- Amplification Risk: Irresponsible "hot takes" can shape powerful false narratives.
- “Those things get amplified ... it creates this noise environment where it’s hard to find out what the truth actually is.” — Brock Lupton [16:35]
Curiosity and Skepticism as Core Skills
- Investigative Mindset: Constantly asking “why,” chasing leads, and vigorously questioning data’s source and relevance.
- “Curiosity is ... one of the number one attributes ... and being skeptical about what you see because ... the information ... can be overwhelming.” — Brock Lupton [17:27]
Training/Sharpening Instincts
- Deliberate Practice: Read widely, discuss critical thinking and bias, find experienced mentors.
- Mentorship: Trusted colleagues to challenge assumptions and call out flawed logic.
- “Having a person like that around ... can help you because that person will call you out ... and that's a good habit to pick up.” — Brock Lupton [19:33]
Balancing Automation and Human Judgment
- Use Tools as Augmentation: Automation is best for repetitive tasks, but can also overwhelm with data.
- Intelligent Integration: AI and ML can help clean up data, but the human analyst must interpret and judge outcomes.
- “Not depending on the tooling, but definitely using it intelligently to augment your process and workflow ... helps to amplify your abilities.” — Brock Lupton [21:43]
The Value of Dead Ends
- Embracing Mistakes: It’s OK—and often necessary—to pursue leads that go nowhere; it's part of the process.
- “Encouraging people to ... make mistakes ... that's what we want. Investigations take time.” — Brock Lupton [22:33]
Picture of Success
- Well-Functioning Team: Happy, engaged analysts; clear requirements; deft tool use; automation where helpful; meaningful, actionable finished intelligence for the consumer.
- “Everybody’s happy. You have to tell them to stop working. ... They're working together like a well-oiled machine ... using the tools to augment the work that they need to do.” — Brock Lupton [24:01 & 24:45]
Notable Quotes
- “There's a lot of noise. ... It just increases the importance and the need for critical thought.” — Brock Lupton [16:41]
- “Without that ... you might just be like making assumptions and jumping to conclusions without actually actively questioning them. ... It doesn't result in intelligence, it's just data and information being regurgitated.” — Brock Lupton [18:30]
- “Working in a team ... helps ... to have somebody looking at what you're doing and saying, does this really make sense?” — Brock Lupton [23:08]
Final Story: "From Mic Check to Malware" — Phishing in the Crypto World
[27:22]
- Tactic: Cybercriminals impersonate the popular Empire podcast, inviting developers/influencers for “exclusive interviews.”
- Payload: Victims lured to download disguised desktop clients (really AMOS Stealer malware).
- Impact: Credentials, cookies, crypto wallets exfiltrated for resale.
- Trend: Follows similar CoinMarketCap phishing campaign; shows evolution and creativity of crypto-targeted scams.
“Perhaps the moral is that not every podcast invitation is worth accepting, especially if it comes with a download link. Present company excepted, of course.” — Dave Bittner [28:14]
Timestamps for Key Segments
| Segment | Timestamp |
|------------------------------------------------|-------------|
| SonicWall Breach | 02:38 |
| Chrome Zero-Day Patch | 04:18 |
| Shai-Hulud Worm Supply Chain Attack | 05:06 |
| Chinese State-Backed Phishing | 07:10 |
| Five Eyes Law Enforcement Group Update | 09:26 |
| RevengeHotels: Venom RAT Attacks | 10:32 |
| Insight Partners VC Breach | 11:13 |
| ALPR Surveillance Lawsuit | 11:54 |
| Interview: Brock Lupton on Human Intelligence | 14:00–25:45 |
| Crypto Phishing: Podcast Bait Attack | 27:22 |
For further details and links, see the full daily briefing at thecyberwire.com.
