CyberWire Daily – "CISA Sounds the Alarm on Cisco Flaws"
Date: September 26, 2025
Host: Dave Bittner (N2K Networks)
Main Theme
This episode centers on several high-impact cybersecurity news items, with a particular focus on CISA’s emergency directive for federal agencies to patch critical Cisco firewall vulnerabilities. The show covers breaking developments across the cybersecurity landscape, including novel supply chain attacks, major data breaches, government surveillance debates, and the growing intersection of cybersecurity and space operations.
Key Discussion Points & Insights
1. CISA’s Emergency Directive on Cisco Firewall Vulnerabilities
[00:50 – 02:40]
- Key Points:
- Federal civilian agencies must patch two actively exploited Cisco Adaptive Security Appliance (ASA) firewall vulnerabilities within 24 hours.
- The flaws are easy to exploit, can be chained for greater impact, and the resulting persistence survives reboots and upgrades.
- Cisco released fixes for the ASA 5500-X series, confirming attacks in progress.
- Agencies are required not only to patch but also to assess devices for compromise and to decommission unsupported ones.
- Canada and the UK issued parallel alerts because of the risk to critical infrastructure.
- Attackers are potentially linked to the sophisticated, state-sponsored groups behind the “ArcaneDoor” campaign.
- Notable Quote:
“CISA warned attackers can exploit the bug with ease, chain them for greater impact and persist through reboots and upgrades.” — Dave Bittner [01:40]
2. First Known Malicious MCP Server in Supply Chain Attack
[02:41 – 04:00]
- Key Points:
- Koi Security discovered a malicious Model Context Protocol (MCP) server delivered via the npm package ‘postmark-mcp’.
- The widely trusted package was secretly altered to quietly blind-carbon-copy every processed email to an attacker-controlled domain.
- Around 300 organizations were affected, leaking thousands of sensitive emails daily, including financial records, credentials, and legal documents.
- The incident highlights the inherent risk of MCP servers, which have privileged access but poor containment.
- Affected organizations were urged to uninstall the package and rotate credentials.
- Notable Quote:
“A single line of code added a blind carbon copy to every processed email, sending sensitive data to an attacker controlled domain.” — Dave Bittner [03:20]
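The defensive check this story calls for is an egress audit: compare what the agent asked the email tool to send with what the MCP server actually hands to the mail API, and flag any recipient that was never requested or lies outside an allow-list. This is an added illustration, not code from the postmark-mcp package or from Postmark; the tool schema, field names, allow-list and sample data are constructed assumptions.

```python
"""Egress audit for an MCP email tool (added illustration; schema and data are constructed)."""

ALLOWED_DOMAINS = {"example.com", "partner.example.org"}  # constructed allow-list


def _normalize(addrs):
    """Accept a list or a comma-separated string; return a lowercase set of addresses."""
    if isinstance(addrs, str):
        addrs = addrs.split(",")
    return {a.strip().lower() for a in addrs if a and a.strip()}


def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def audit_outbound(tool_args, api_payload):
    """Return a list of findings; an empty list means the send matches the request and policy.

    tool_args:   arguments the agent passed to the tool (to/cc/bcc lists, assumed schema).
    api_payload: the JSON body the MCP server is about to POST to the mail API, as seen
                 at an egress proxy or by wrapping the server's HTTP client (assumed keys).
    """
    findings = []
    requested = set()
    for f in ("to", "cc", "bcc"):
        requested |= _normalize(tool_args.get(f, []))
    for f in ("To", "Cc", "Bcc"):
        for addr in _normalize(api_payload.get(f, "")):
            if addr not in requested:
                findings.append(f"{f} recipient not requested by caller: {addr}")
            if _domain(addr) not in ALLOWED_DOMAINS:
                findings.append(f"{f} recipient outside allow-list: {addr}")
    return findings


# Constructed sample: the agent asked for one recipient; the tool silently added a Bcc.
SAMPLE_TOOL_ARGS = {"to": ["alice@example.com"], "subject": "Q3 invoice"}
SAMPLE_API_PAYLOAD = {"To": "alice@example.com", "Subject": "Q3 invoice",
                      "Bcc": "collector@attacker.invalid"}

if __name__ == "__main__":
    for line in audit_outbound(SAMPLE_TOOL_ARGS, SAMPLE_API_PAYLOAD):
        print("BLOCK:", line)
```

A finding should block the send and raise an alert; the same comparison can be run retroactively over proxy logs to scope which messages were copied.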
3. New York SIM Card Threat Assessment
[04:01 – 05:30]
- Key Points:
- Initial government alarm over a large SIM farm near New York (over 300 SIM servers, 100,000 SIM cards) was later questioned by experts.
- While officials cited grave national security threats, assessments showed it most likely supported ordinary telecom fraud (VoIP scams, SMS fraud) rather than nation-state disruption.
- The story shifted from significant sabotage to criminal activity whose scale had been inflated by the initial reports.
- Notable Quote:
“By day’s end, the narrative shifted from nation-state sabotage to overblown claims about an ordinary telecom fraud operation.” — Dave Bittner [05:22]
4. New Variant of XCSSet macOS Malware
[05:31 – 06:23]
- Key Points:
- Microsoft flagged new XCSSet macOS malware, active in limited attacks via Xcode project infection.
- The variant features improved browser data theft, cryptocurrency wallet targeting, and new persistence techniques.
- Malicious code can redirect stolen funds and exfiltrate sensitive user information.
- Microsoft notified Apple and GitHub, urging scrutiny of shared Xcode projects.
5. Microsoft's Suspension of Services to Israeli Defense Division
[06:24 – 07:02]
- Key Points:
- Microsoft ceased providing Azure Storage and AI services to a division of Israel’s Ministry of Defense.
- The decision followed revelations that Unit 8200 had used Microsoft technology for surveillance, and subsequent employee protests.
- Israel may migrate the affected system to AWS.
6. Major Auto Insurance Claims Data Exposure
[07:03 – 08:06]
- Key Points:
- Researcher Jeremiah Fowler identified 5.1 million files (10 TB) exposed by the auto claims platform ClaimPix.
- Data included registration documents, repair invoices, signed legal documents, and PII (names, addresses, emails).
- The leak could facilitate identity theft, insurance fraud, and VIN cloning.
- The issue was reported and quickly secured; it is unclear how long the data was exposed.
- Notable Quote:
“Experts warn the leak could enable identity theft, insurance fraud or VIN cloning.” — Dave Bittner [07:51]
7. Amazon’s $2.5 Billion FTC Settlement on Dark Patterns
[08:07 – 08:44]
- Key Points:
- Amazon is to pay $2.5 billion (a $1B civil penalty and $1.5B in refunds) for using “dark patterns” to enroll and retain Prime users.
- The FTC highlighted manipulative user flows and “Iliad,” a cancellation process designed to confuse.
- Notable Quote:
“Amazon knowingly designed manipulative enrollment flows and a cancellation system codenamed Iliad to deter users.” — Dave Bittner [08:25]
8. North Korea’s Hybrid Cybercrime and Insider Threat Playbook
[08:45 – 09:59]
- Key Points:
- ESET links “DeceptiveDevelopment” to WageMole, both North Korea-aligned entities.
- They target software developers with social engineering, malware-laden projects, and fake job offers, blending espionage with financial crime.
- They use tools such as BeaverTail and TsunamiKit, and employ stolen identities and AI-assisted manipulation to place operatives in jobs worldwide.
- Memorable Moment:
“Together, these groups illustrate a hybrid model that blends financial crime, espionage and insider risk.” — Dave Bittner [09:53]
9. Surge in Exploitation of Hikvision Camera Flaw
[10:00 – 11:12]
- Key Points:
- The SANS Institute notes a surge in attacks targeting an 8-year-old, maximum-severity (CVSS 10) Hikvision camera flaw.
- Attackers use basic HTTP requests combined with weak credentials to take over devices.
- Many Hikvision models, including rebranded units, remain exposed; urgent patching is recommended.
Interview: Space Cybersecurity with Dan Trujillo (AFRL Space Vehicles Directorate)
[15:34 – 21:43]
Background and Role
- Dan Trujillo leads the Space Cyber Resiliency Technical Area, responsible for R&D in securing US space vehicles from cyber threats.
- The Space Vehicles Directorate straddles Air Force and Space Force, supporting a broad range of cyber R&D for spacecraft.
- “Our motto is one lab serving two services. And that's what we do… The goal is to secure our space vehicles from cyber attack.” — Dan Trujillo [15:47]
Unique Challenges of Space Cybersecurity
- Space systems must function perfectly in remote, low-resource environments.
- Integrating raw cybersecurity technology often requires intensive lab adaptation before it can be deployed in space.
- “These things have to work, especially when you're talking about a space vehicle that's in space and it's gotta work and it's gotta work in this low swap environment.” — Dan Trujillo [16:45]
Career Advice: Getting Into Space Cyber
- Dan describes his path as “a dream job” rooted in curiosity, R&D freedom, and mission-driven work.
- He recommends:
  - Internships via the AFRL Space Scholars program (high school through PhD)
  - Being open to both government and the rapidly growing commercial space sector
- Early-career exposure should emphasize learning and lab experience, not just outputs.
- “The things that we solve don't take months, they take years...all we want to do is just show [students] what the lab environment is and understand the freedom to do cool things.” — Dan Trujillo [17:57]
- Explosive growth in the space sector mirrors the dot-com era, with abundant opportunities at both established industry leaders and startups.
Notable Quotes & Memorable Moments
- On Absolute Security:
“Absolute security by definition is an oxymoron. I can secure you absolutely if you shutter your doors, wipe your computers, wrap them in Lucite and drop them …but then again, you ain't gonna make no money.” — Dan Trujillo [12:12]
- On the Future of the Space Industry:
“If you look at the .com industry in the 90s, how it exploded, now we move to the space industry and that's going to explode as well and probably dwarf .com thing.” — Dan Trujillo [20:55]
Additional Stories & Segments
- [23:57] A recap of the “DOGE” government modernization debacle, critiquing Silicon Valley’s failed reform attempts in federal agencies in a humorous, biting tone.
- “Wired asked federal workers for the inside story of DOGE, the Department of Government Efficiency, which stormed into federal agencies with all the grace of a toddler with a chainsaw.” — Dave Bittner [23:57]
- “Was this modernization or just government by Meme stock?” — Dave Bittner [24:54]
Timestamps for Important Segments
| Segment | Timestamp |
|---------------------------------------------------------|-------------|
| CISA Directive on Cisco Vulnerabilities | 00:50–02:40 |
| Malicious MCP Server – Supply Chain Attack | 02:41–04:00 |
| New York SIM Farm / SIM Card Threat | 04:01–05:30 |
| XCSSet macOS Malware Variant | 05:31–06:23 |
| Microsoft Suspends Services to Israeli Defense | 06:24–07:02 |
| ClaimPix Auto Insurance Data Leak | 07:03–08:06 |
| Amazon FTC Dark Patterns Settlement | 08:07–08:44 |
| North Korea Hybrid Playbook | 08:45–09:59 |
| Hikvision Camera Flaw Exploits | 10:00–11:12 |
| Interview: Dan Trujillo (Space Vehicle Cybersecurity) | 15:34–21:43 |
| Federal “DOGE” Modernization Satire | 23:57–24:54 |
Conclusion
This fast-paced CyberWire Daily episode distills new threats, cyber policy shifts, and space age vulnerabilities facing security teams, with a clear warning on patching high-priority flaws and an inspiring look at careers protecting the technologies that shape the future.
