CyberWire Daily — September 25, 2025
Critical GoAnywhere bug exposed
Episode Overview
This episode delivers a brisk, detail-oriented intelligence briefing on the day's most pressing cyber threats, vulnerabilities, and policy developments. Anchored by host Dave Bittner, the show covers headline vulnerabilities like the Fortra GoAnywhere bug, major attacks in the wild, evolving ransomware, and emerging risks within generative AI and supply chain platforms. The centerpiece interview (16:24) explores the privacy and legal landscape of women’s health apps in the wake of post-Dobbs reproductive rights upheaval. The episode wraps with congressional efforts to regulate neural data, contemplating the next frontier of personal privacy.
Key News & Security Developments
1. Fortra GoAnywhere Critical Flaw Exposed (~00:50)
- Issue: Fortra warns of a critical command-injection vulnerability in its GoAnywhere Managed File Transfer (MFT) solution, rated CVSS 10/10.
- Attack Vector: An attacker who can forge the signature on a license response can get attacker-controlled data deserialized by the server, which is what turns the flaw into command injection.
- Exposed Instances: Over 20,000 online, per watchTowr Labs, making it a “playground APT groups dream about.”
- Expert Concerns: “The flaw’s almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the Clop gang in 2023.”
- Mitigations: Fortra released immediate fixes. Admins urged to upgrade, restrict console access, and monitor logs.
2. Cisco SNMP Vulnerability (~02:30)
- Flaw: Stack overflow bug in the SNMP subsystem of IOS and IOS XE.
- Attack Scenarios: Remote code execution as root for an attacker holding high-privilege SNMP credentials; denial of service achievable with only low-privilege credentials.
- Mitigation: Upgrading is the only complete fix; interim mitigations include restricting which hosts may reach SNMP and excluding the affected OIDs from SNMP views.
3. Cloudflare Mitigates Record-Setting DDoS (~03:40)
- Attack Scale: Largest DDoS yet, peaking at 22.2 Tbps and 11.6 billion packets/sec.
- Analogy: "Equivalent to streaming a million 4K videos at once.”
- Broader Trend: Follows other record attacks tied to the Aisuru botnet.
4. Ransomware & New Malware Variants (~05:00)
Rhysida Ransomware Hits Maryland Transit
- Scope: Stole personal data; demanded ~30 Bitcoin; core transit unaffected but critical real-time services were disrupted.
Obscura Ransomware Strain
- Discovery: Detected by Huntress after an Aug. 29 incident.
- Characteristics:
- Written in Go, targets domain controllers, and self-replicates via the NETLOGON folder.
- Uses Curve25519/ChaCha20 encryption.
- Deletes shadow copies, disables security and DB processes.
- Leaves ransom note threatening public leaks within 240 hours.
5. Retail & AI Expanding Attack Surfaces (~07:00)
- Pattern: Generative AI adoption (95% of retailers) has outpaced security, heightening risks of sensitive data leaks through unsanctioned uploads.
- Exploited Platforms: Attackers leveraging trusted services like OneDrive, GitHub, and Google Drive for malware delivery.
- Analyst Warning: “Innovation in retail is outpacing security controls.”
- Recommendations: Enforce DLP, robust app controls, remote browser isolation.
6. CI/CD Supply Chain Risk via GitHub Actions (~08:15)
- Research: Orca details systemic risk in widespread misuse of the pull_request_target trigger.
- Allows untrusted code in PRs to execute with privileged repo context and secrets.
- Misconfigurations found at Google, Microsoft, Fortune 500s.
- Impact: Exposure of secrets, code injection, malicious package uploads, and repo compromise from a single PR.
- Broader Implication: “A single forked PR could trigger a full repository compromise.”
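To make the misuse concrete, here is an added illustration (not from the episode or from Orca's report) of the risky workflow shape beside a hardened one; the repository, job names and secret name are assumed, and the two workflow files are shown as separate YAML documents in one block.

```yaml
# Added example, not from the episode or Orca's research. Repository, job
# and secret names are assumed. Two workflow files, separated by "---".

# --- Risky pattern ----------------------------------------------------------
# pull_request_target runs with the BASE repository's write token and its
# secrets, even for pull requests opened from forks. Checking out the PR
# head and then running its build scripts executes fork-controlled code
# inside that privileged context.
name: ci-risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm test                           # runs fork's scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}             # visible to that code
---
# --- Hardened pattern -------------------------------------------------------
# Untrusted PR code runs under the plain pull_request event, which for forks
# receives a read-only token and no secrets; permissions are pinned to read.
# Work that genuinely needs write access (labeling, commenting) belongs in a
# separate pull_request_target job that never checks out or runs PR code.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: merge commit, no secrets
      - run: npm ci && npm test
```

Auditing for the risky shape amounts to grepping workflows for `pull_request_target` and checking whether any step in that workflow checks out `github.event.pull_request.head.*` or otherwise runs PR-supplied code.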
7. China-Linked Espionage: Mandiant on Brickstorm (~09:15)
- Actor: UNC5221, associated with China.
- Technique: A new backdoor, “Brickstorm,” deployed on Linux-based appliances (VMware, ESXi) where endpoint detection is typically absent.
- Target: Law firms, SaaS, technology companies, senior exec inboxes.
- Adaptation: Redeploys Brickstorm even after incident response; can extract and decrypt admin credentials.
- Concern: Used for espionage but could seed zero-day development and supply chain attacks.
8. AI Monitoring in Schools: Kansas Student Protests (~10:30)
- Context: Lawrence High’s Gaggle monitoring tool ($160K purchase) scans student content for safety.
- Controversy:
- False positives: Art flagged as child pornography, essays misclassified as threats.
- Accusations of surveillance, outing LGBTQ students, blocking records requests.
- Lawsuits allege unconstitutional surveillance.
- Commentary: “Who is really watching?”
Feature Interview: Privacy & Women’s Health Apps Post-Dobbs
Segment Begins: [16:24]
Context: The Dobbs Decision & the Digital Privacy Landscape
Post-Dobbs Concerns
- Michelle Kellerman: “We were looking into how does this affect our everyday lives…that includes all reproductive health. On a lot of women’s spaces…people started talking about how you need to delete your period tracking apps. The conversation was very confusing because we were all under the impression that our health information was safe and protected. …Come to find out they’re not protected under HIPAA.” (17:00)
HIPAA Does Not Cover Apps
- Explained: HIPAA protects data by entity (e.g., doctors, clinics), not by data type.
- Michelle Kellerman: “It doesn’t matter what type of data it is, it matters who is owning the data…So it’s not covered because an application is not a doctor, is not a covered entity.” (18:11)
Legislative (In)action
- Previous Focus: Some attention post-Cambridge Analytica, but no health-specific congressional efforts.
- Federal Gap: Only about half of general privacy laws cover health data.
- Quote: “At the federal level…it’s more the absence of a data privacy law.” (19:38, Kim Jones)
2024 Federal Progress
- Kellerman: “Luckily…in 2024…[HIPAA] prohibits a HIPAA covered entity from releasing PHI for criminal, civil, or administrative investigations…and the identification of anybody involved with reproductive health. …There are amendments to it. Very recently in wake of the Dobbs decision.” (20:00)
State Law Patchwork
- Virginia (2023): Tried to ban police from using period tracker data in search warrants—bill failed.
- Massachusetts: Shield law bars cooperation with out-of-state abortion-related investigations.
- Kellerman: “We’re starting to see states get involved, but it’s very patchwork and…dependent on the political winds.” (22:39)
Prosecutorial Scenarios
- Potential ‘Horror Story’: Apps showing missed periods could be used to infer pregnancy, with prosecutions for suspected abortion or miscarriage—even absent evidence.
- Kellerman: “You would have these apps…maybe your cycle is regular and…all of a sudden you don’t [record a period], they can make the assumption you’re pregnant. …You could be potentially prosecuted for a miscarriage. Even if it’s a fallacy, it’s still a grueling, awful position to be in.” (24:16)
Why So Little Pushback?
- Social Attitude:
- “I think people have gotten so used to being in everybody else’s business with social media…We’ve lost the desire for privacy. …It’s a given that your personal information is just out there.” (26:12, Kellerman)
Notable Quotes
“Experts warn the flaw’s almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the Clop gang in 2023.” – News Briefing (~01:30)
“HIPAA is unique…it covers entities…not the type of information as a whole. So it’s not covered because an application is not a doctor, is not a covered entity.” – Michelle Kellerman (18:11)
“With every time we get a credit report breach…there’s been so many we don’t care anymore. And it’s a given now that your personal information is just out there.” – Michelle Kellerman (26:12)
Policy Watch: Brain Data and Regulation (~28:00)
- Congress: New bill (Management of Individuals’ Neural Data Act) would task the FTC with regulating how companies collect and use neural data.
- Intent: Prevent tech firms from harvesting, bundling, and selling brain signals.
- Concern: “Privacy now means guarding not just your inbox, but also your cortex.”
Timestamps for Key Segments
- GoAnywhere flaw & major vulnerabilities: 00:50–04:00
- Ransomware & new strains: 05:00–07:00
- Retail AI attack surfaces & GitHub Actions: 07:00–09:00
- Espionage campaign (Brickstorm): 09:15–10:30
- AI in schools controversy: 10:30–12:00
- Feature Interview: Women’s health apps, HIPAA & privacy: 16:24–27:09
- Neural data regulation update: ~28:00
Summary
This episode delivers rapid-fire updates on active, high-profile cybersecurity incidents and vulnerabilities with global impact. The panel’s legal deep-dive on women’s health apps and the loopholes in digital health privacy is both timely and urgent, shedding light on the unknown risks facing women post-Dobbs. The looming debate over neural data and privacy signals how fast technology—and its regulation—continues to outpace society’s ability to adapt.
For those in cybersecurity, policy, or privacy advocacy, this episode offers a must-hear blend of technical vigilance and legal foresight.
