A
You're listening to the Cyberwire Network powered by N2K.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

CISA furloughs most of its workforce due to the government shutdown. The US Air Force confirms it's investigating a SharePoint-related breach. Google warns of a large-scale extortion campaign targeting executives. Researchers uncover Android spyware campaigns disguised as popular messaging apps. An extortion group claims to have breached Red Hat's private GitHub repositories. A software provider for recreational vehicle and powersports dealers suffers a ransomware breach. Patchwork APT deploys a new PowerShell loader using scheduled tasks for persistence. A Tennessee senator urges aggressive U.S. action to prepare for a post-quantum future. Our guest is Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center and former deputy assistant director at the FBI's Cyber Division, joining us with insights on the government shutdown. And a Malaysian man pleads guilty to supporting a massive crypto fraud, and protected health information is not a marketing tool.

It's Thursday, October 2nd, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.

Thanks for joining us here today. It's great to have you with us. The US Cybersecurity and Infrastructure Security Agency, responsible for safeguarding the electric grid, water and other vital services, has furloughed most of its workforce due to the government shutdown. Only 35% of staff remain active, though more may be recalled for emergencies, according to the Department of Homeland Security. The disruption coincides with the expiration of CISA 2015, the law shielding companies from liability when sharing cyber threat information. Without reauthorization, some corporations are pulling back from industry security groups, raising fears of weakened collective defense. Experts warn this could hamper efforts against ransomware and Chinese state-linked hacking campaigns. The timing is especially awkward, arriving during Cybersecurity Awareness Month, when collaboration and vigilance are traditionally emphasized. Be sure to stay tuned for my conversation with Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center. We're discussing her experience with previous government shutdowns.

The US Air Force has confirmed it's investigating a privacy-related issue after reports surfaced of a Microsoft SharePoint breach that may have exposed personally identifiable and health information. An alleged breach notice shared online warned that all Air Force SharePoint systems would be shut down service-wide, potentially disabling Teams dashboards for up to two weeks. The Air Force has not confirmed which services, if any, are offline, with some personnel reporting continued access. Microsoft declined to comment on any link to earlier SharePoint vulnerabilities that Chinese hackers, data thieves and ransomware gangs exploited this summer, compromising hundreds of organizations worldwide. The timing has raised concerns about operational disruptions and sensitive data exposure within the military.

Google has warned of a large-scale extortion campaign targeting executives after attackers claim to have stolen data from Oracle's E-Business Suite. Since late September, victims have received emails demanding ransoms ranging from millions to as much as $50 million. The campaign appears linked to FIN11, a group affiliated with the Clop ransomware gang, though Google says it cannot yet verify the breach claims. Mandiant confirmed the extortion emails are being sent from hundreds of compromised accounts with contact details tied to Clop's leak site. Security firm Halcyon suggested attackers may be exploiting password resets in Oracle systems, with Oracle silent so far. Google advises companies receiving these emails to investigate for signs of compromise.

Researchers at ESET uncovered two Android spyware campaigns, ProSpy and ToSpy, disguised as popular messaging apps Signal and ToTok, to target users in the UAE. Spread through fake websites and app stores, the spyware steals contacts, chat backups, media and other sensitive data while reinstalling legitimate apps to avoid detection. ToSpy appears active since 2022, while ProSpy emerged in 2024. Both require manual installation via third-party sites, including one impersonating Samsung's app store, and are designed for persistent, regionally focused operations.

An extortion group calling itself Crimson Collective claims to have stolen 570 gigabytes of data from Red Hat's private GitHub repositories, including 28,000 internal projects and around 800 customer engagement reports. These reports often contain detailed client infrastructure information, configuration data and authentication tokens that could be exploited to breach networks. Red Hat confirmed a security incident affecting its consulting business, but did not validate claims about the stolen repositories or CERs, stressing that its software supply chain remains intact. The attackers, who say the breach occurred two weeks ago, published repository listings and CER directories naming major corporations and US government entities. Crimson Collective alleges Red Hat ignored their extortion demands, responding only with automated support instructions.

Motility Software Solutions, which provides dealership software for recreational vehicle and powersports dealers, is notifying just over three quarters of a million people of a ransomware breach. Hackers accessed business servers on August 19, encrypted files and stole personal data, including names, contact details, dates of birth, Social Security numbers and driver's license numbers. Motility says there's no evidence of misuse, they've restored systems from backups, and they're offering 12 months of identity protection. The Pear ransomware gang later claimed 4.3 terabytes of stolen data, likely from Motility.

Patchwork, also known as Dropping Elephant, Monsoon and Hangover Group, an advanced persistent threat actor active since at least 2015, is deploying a new multi-stage PowerShell loader that abuses Windows scheduled tasks to persist and run its final payload. Infection begins with a malicious Office macro that drops a shortcut and runs a PowerShell script. The script installs a fake VLC, places a decoy PDF and creates a scheduled task named Windows ErrorReport to launch the loader. The loader establishes an encrypted command and control channel, fingerprints hosts and uses layered obfuscation for communications. Capabilities include in-memory payload execution, chunked resumable exfiltration and screenshot capture. In terms of defenses, experts say, enable macros only from trusted sources, monitor for suspicious scheduled tasks, enforce application whitelisting and run up-to-date endpoint protections.

Senator Marsha Blackburn, Republican from Tennessee, is urging aggressive US action to prepare for a post-quantum future where current encryption may be broken. Speaking at a Politico event, she confirmed elements of a White House quantum initiative while promoting her own legislative push. Blackburn co-sponsored the National Quantum Cybersecurity Migration Strategy Act, requiring agencies to move at least one high-risk system to quantum-resistant encryption by 2027. She emphasized the need to counter Chinese ambitions in emerging technologies while praising White House officials leading federal quantum strategy. Blackburn highlighted workforce development, commercial involvement and stronger encryption as priorities. She's also backing bills to accelerate Defense Department quantum planning, create a quantum sandbox at NIST and establish a federal institute for quantum manufacturing.

A Malaysian man pleaded guilty in a London court to supporting a massive crypto fraud tied to Chinese national Zhimin Qian, also known as Yadi Zhang. Prosecutors say Seng Hok Ling, age 46, acted as a fixer for Qian, who ran a Ponzi-style scheme in China that stole $6.2 billion from 128,000 victims. Ling admitted to transferring criminal property and cryptocurrency and helping evade capture by arranging accommodations across the UK. Police surveillance led to their arrests in York in April 2024, seizing $15 million in assets. Authorities are now pursuing confiscation of 61,000 bitcoins valued at $7.1 billion. Both face sentencing in November. The case could set a precedent for compensating overseas victims in cross-border crypto fraud.

Coming up after the break, my conversation with Cynthia Kaiser from Halcyon's Ransomware Research Center. We're discussing the government shutdown. And protected health information is not a marketing tool. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC: just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders, hosted by data security leader Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI '25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.

Cynthia Kaiser is senior vice president of Halcyon's Ransomware Research Center and former deputy assistant director at the FBI's Cyber Division. We caught up for insights on the government shutdown. Cynthia, thanks for taking the time for us today. I'd love to start with your own personal insights from your time in the government with the FBI. You've experienced some of these government shutdowns. What's it like?
A
Well, at the FBI, almost all the work that we do is excepted. And what that means is it's essential for the American people, so people still come into work and they continue to do the work they need to do to keep the American people safe. But that being said, there's obviously a lot of stress around not knowing when your next paycheck's going to come. It will come, but not kind of knowing that, like having that kind of personal stress on you. I mean, it's, it's trying, and it was good to be able to go through that with everybody else at the same time. Right. Have that support network. But you also find that you don't necessarily have all of your counterparts across government that can help you. So sometimes it almost becomes more busy.
B
Yeah, we are dealing with the, I guess, end of legislation that allowed information sharing, CISA 2015. What do you suppose the impact of that's going to be?
A
Well, from what I'm hearing, it sounds like some of those efforts to get that legislation reauthorized, you know, whether it's in the 2015 name or in a different name, those continue apace. And I think the ideal outcome would be if, when the budget's passed, there's a way in which to include CISA 2015 reauthorization within that. And I'm hearing there's some, like, good movement towards there. But right now what we find ourselves in is, after a decade of having protections, liability protections, antitrust protections, those don't exist anymore. And companies are going to have to make choices about what their risk tolerance is. At Halcyon, because we have faith that there are some of these ongoing efforts, that it will likely be reauthorized at some point, hopefully in the near future, we're not going to change our sharing posture, our sharing posture with government, our sharing posture across industry. But not every company has that luxury. And especially if you're a company and you're dealing with, like, very intimate PII-type information, you just can't share the way you would have if you don't have legal protections in place that allow you to give the information about compromises, attacks, campaigns to the government. And, like, take that to its natural conclusion: if the government doesn't have that information, they can't warn others.
B
Yeah, well, let's switch gears to the other CISA, Cybersecurity Infrastructure and Security Administration. They are saying that they're furloughing up to two-thirds of their folks there. What could the impact of that be?
A
Since I don't have knowledge of who may be furloughed and for what amount of time, it's hard to get into the details of impacts. But I would say that CISA was probably my closest partner when I was in government. Every day, multiple times a day, I was talking to my CISA counterparts. We were going back and forth on who was going to be able to do threat hunting, learning information from victims, especially when there's multi-victim campaigns. And it kind of goes back to my point from earlier. FBI is coming in every day. You know, they're all there, a little stressed about the financial situation, but doing that same work. But if the same people at CISA aren't there, that makes that job all the more difficult, because you can't just have one agency doing their activities and be the same level of effectiveness if the other agencies that have complementary activities, that's not occurring.
B
In your estimation, what is the material impact of a government shutdown like this on the cybersecurity of our nation?
A
In every shutdown that I was part of, whether partial or full, it felt like we weren't able to have kind of the full-spectrum picture of cyber activity that was going on. We would have partial pictures, we would be able to still counter the threats, but it took longer. And when the shutdown was done, you felt like you were playing catch-up. And so really I think there's just a, there's always going to be a natural slowing, not stop, but slowing of some of the important work that we all rely on to keep ourselves safe.
B
What are your recommendations for the folks who are in the midst of this? Any words of wisdom based on your own experience?
A
Especially to the employees who may be going through their first shutdown, that's the most stressful. My advice is that most of America is really accommodating and great to these employees. And so I can remember talking to a credit card company when there was, I think, like, one that was almost a month long, and them saying, oh, you work for the government, like, that's fine, you'll just pay us when you get paid. So, like, don't be afraid to kind of call, ask for help, would be my advice to them financially, because you want to free yourself up emotionally to be able to do the important work that still has to get done. And so ultimately do what you need to do. Ask for the help that you need, because we all rely on you and we want you to be able to counter these criminals that don't care, shutdown or not.
B
That's Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between eight and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 4-7, day.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, Cadia Healthcare thought it had found a clever marketing angle: a "Success Stories" campaign showcasing patients' recoveries on social media. Unfortunately, regulators saw it less as inspiration and more as a HIPAA violation. The Office for Civil Rights says the Delaware nursing home chain posted names, photos and medical details of about 150 patients without the legally required consent forms. One complaint in 2021 unraveled the entire program, leading to a $182,000 fine and a two-year corrective action plan. Cadia has since pulled the campaign and now faces the less glamorous task of rewriting policies, training staff and sending belated breach notices. As OCR dryly noted, marketing is important, but valid written authorization tends to be even more so when dealing with protected health information.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And Doug, LiMu and I always tell you to customize your car insurance and save hundreds with Liberty Mutual, but now...
A
We want you to feel it.
B
Cue the emu music.
A
LiMu: Save yourself money today. Increase your wealth. Customize and save.
B
We say that may have been too much feeling. Only pay for what you need at libertymutual.com. Liberty, Liberty, Liberty, Liberty. Savings vary. Underwritten by Liberty Mutual Insurance Company and affiliates. Excludes Massachusetts.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
This episode of CyberWire Daily, hosted by Dave Bittner, explores a tumultuous moment in U.S. cybersecurity: the CISA furlough resulting from a federal government shutdown, which coincides with the expiration of the CISA 2015 liability protection law. The episode delivers a packed cyber news briefing and features a timely interview with Cynthia Kaiser, SVP at Halcyon’s Ransomware Research Center and former FBI cyber leader, who shares her sharp insights on the shutdown’s operational impact, information sharing uncertainty, and supporting federal employees under stress.
“After a decade of having protections, liability protections, antitrust protections, those don’t exist anymore. And companies are going to have to make choices about what their risk tolerance is.”
— Cynthia Kaiser
Kaiser says some will, like Halcyon, maintain sharing, trusting in reauthorization:
“We’re not going to change our sharing posture... But not every company has that luxury.”
The risk: “If the government doesn’t have that information, they can’t warn others.” [17:37]
The episode maintains a clear-eyed, urgent tone, somberly detailing the high-stakes consequences of the shutdown on national cyber defense and the private sector’s willingness to share intelligence. The interview segments, in particular, deliver practical insight and empathy for the federal workforce, as well as a blunt warning to industry and policymakers about the risks of pausing critical collaboration.
For cybersecurity professionals and stakeholders, this episode is an essential listen and read—a snapshot of the risks, uncertainty, and human elements facing the U.S. cyber ecosystem at a time of government inaction.