Michelle Kellerman
You're listening to the CyberWire Network, powered by N2K.
Narrator/Announcer
AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders. Hosted by data security leader Cyera. Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend, just bring your perspective and join the conversation. Register now at datasecai2025.com.

Fortra flags a critical flaw in its GoAnywhere managed file transfer solution. Cisco patches a critical vulnerability. Cloudflare thwarts yet another record DDoS attack. The Rhysida ransomware gang claims the Maryland Transit cyberattack. The new Obscura ransomware strain spreads via domain controllers. Retailers' use of generative AI expands attack surfaces. Researchers expose GitHub Actions misconfigurations with supply chain risk. Mandiant links the new Brickstorm backdoor to a China-based espionage campaign. Kansas students push back against an AI monitoring tool. Ben Yelin speaks with Michelle Kellerman, cybersecurity engineer for air and missile defense at Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone they create with HIPAA. And senators push the FTC to regulate your brain waves.

It's Thursday, September 25, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.

Fortra has issued an urgent warning about a critical flaw in its GoAnywhere Managed File Transfer solution. The vulnerability carries a maximum CVSS score of 10 and could allow attackers to seize full system control through command injection in the license servlet. Exploitation involves a forged license response signature, letting malicious code run during deserialization. watchTowr Labs says over 20,000 instances are exposed online, calling the bug a playground APT groups dream about. Experts warn the flaw's almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the Clop gang in 2023. Fortra has released fixes and urges immediate upgrades. Administrators should also restrict public access to the admin console and monitor logs for suspicious activity.

Cisco has released fixes for a critical vulnerability in the Simple Network Management Protocol subsystem of IOS and IOS XE software. The flaw, caused by a stack overflow, could allow an authenticated remote attacker with low privileges to trigger denial of service or, with higher privileges, execute arbitrary code as root. Exploitation requires valid credentials. All SNMP versions are affected. Cisco warns that attackers could exploit the bug by sending crafted SNMP packets over IPv4 or IPv6, potentially giving them full control of affected devices. No workarounds exist, though administrators can mitigate risk by restricting SNMP access and disabling certain object IDs. The only complete fix is upgrading to patched versions.

Cloudflare says they mitigated the largest distributed denial of service attack ever recorded, peaking at 22.2 terabits per second and 11.6 billion packets per second. The 40-second volumetric assault generated traffic equivalent to streaming a million 4K videos at once or refreshing every webpage on earth more than once per second. Such packet floods can overwhelm firewalls and routers, even when bandwidth is available. The attack follows other record-breaking incidents in recent months, with researchers linking earlier campaigns to the Aisuru botnet.

The Maryland Transit Administration has confirmed data was stolen during a cyberattack last month, and the Rhysida ransomware gang is now claiming responsibility. According to cybersecurity firm Venarix, the group demanded 30 Bitcoin and released samples allegedly showing passports, driver's licenses and contracts. While MTA's core bus, subway and light rail systems were unaffected, real-time tracking and the mobility service for disabled riders were disrupted. An interim call system restored some functionality on August 29th. Officials have not disclosed how many people were impacted, citing an ongoing investigation. Maryland's Department of Information Technology is working with law enforcement and cybersecurity experts. In the meantime, MTA is advising residents to watch for phishing attempts, update software and enable multi-factor authentication.

Analysts at Huntress have identified a previously unseen ransomware variant, Obscura, after investigating an Aug. 29 incident. The malware, written in Go, was discovered on a victim's domain controller within the NETLOGON folder, enabling automatic replication across controllers and scheduled execution on multiple hosts. Obscura disables recovery by deleting shadow copies, requires administrative privileges to run and aggressively terminates security and database processes before encrypting data. The ransom note claims data theft, demands negotiation within 240 hours and threatens public leaks. Encryption relies on Curve25519 key exchange and ChaCha20, researchers note. Obscura joins a wave of emerging ransomware families like Crux and Cephalus, reflecting frequent rebranding in the ecosystem. Huntress advises organizations to closely monitor domain controllers for suspicious file additions or group policy modifications and enforce strong detection on endpoints to catch early activity.

Netskope's Retail Sector Threat analysis warns that the rapid adoption of generative AI tools is expanding attack surfaces. 95% of retailers now use GenAI, with increasing reliance on private models and APIs. Sensitive data leaks are rising as employees upload source code, regulated data and credentials into unapproved cloud services and AI platforms. Attackers are also exploiting trusted cloud services like OneDrive, GitHub, and Google Drive to host malware, capitalizing on their credibility. Personal cloud apps like Facebook, LinkedIn, and Drive are pervasive in workplaces, creating overlapping vectors of risk. The report urges retailers to boost visibility, enforce strict data loss prevention and app policies, review HTTP and HTTPS download flows, and adopt solutions like remote browser isolation. In short, innovation in retail is outpacing security controls.

The Orca Research Pod has uncovered systemic risks in GitHub Actions stemming from misuse of the pull_request_target trigger. Unlike the safer pull_request event, this trigger executes workflows in the base repository's context, exposing secrets and granting write-enabled tokens by default. Researchers demonstrated that insecure workflows could let attackers escalate from untrusted forked pull requests to remote code execution on both GitHub-hosted and self-hosted runners. Exploits included stealing API keys, pushing malicious code to trusted branches, and abusing overly permissive tokens for package uploads or PR manipulation. Orca found critical misconfigurations in repositories maintained by Google, Microsoft, and other Fortune 500 firms, highlighting the supply chain risk when CI/CD pipelines run untrusted code with excessive privileges. These issues were disclosed responsibly, but the findings underscore how a single forked PR could trigger a full repository compromise.

Mandiant says a China-linked threat group, UNC5221, is using a new backdoor called Brickstorm to infiltrate organizations and steal intellectual property. Since March of this year, responders have investigated numerous intrusions affecting law firms, SaaS providers, and technology companies, with attackers targeting the inboxes of senior executives and individuals tied to U.S. national security and trade. Brickstorm, primarily deployed on Linux appliances without endpoint detection, enables persistence and lateral movement into VMware vCenter and ESXi hosts, Mandiant noted. The group adapts quickly, even deploying Brickstorm after incident response had begun. Evidence suggests the hackers can extract and decrypt administrator credentials and leverage compromised routers for obfuscation. Mandiant warns the campaign's value extends beyond espionage, potentially feeding zero-day development and downstream supply chain compromise.

Students at Lawrence High School in Kansas say the AI-powered monitoring tool Gaggle is chilling speech and intruding on privacy. Adopted in 2023 at a cost of $160,000, Gaggle scans emails and documents for signs of self-harm, violence or abuse, while officials credit it with preventing suicides. Students report false positives, art portfolios flagged as child pornography, essays misinterpreted as threats, and even records requests blocked. Lawsuits now accuse the district of unconstitutional surveillance. A 2024 investigation found more than 1,200 flagged cases in under a year, most later deemed harmless. Critics warn the system outs LGBTQ students and undermines journalism, while defenders call it a vital safety net for overburdened staff. For students, the question remains, who is really watching?

Coming up after the break, Ben Yelin speaks with Michelle Kellerman from the Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone that they create with HIPAA, and senators push the FTC to regulate your brain waves. Stay with us.
Ethan Cook
Perspectives is back with an all new season. This season is all about change. Whether it be emerging technologies like AI, shifting governmental roles or evolving threats, we are sitting down with security experts and getting their insights to help you make sense of these changes.
Kim Jones
We are part of a larger ecosystem and if you look at the largest cyber incidents, they have massive downstream effects.
Ethan Cook
I'm Ethan Cook, editor of CISO Perspectives at N2K CyberWire. This week host Kim Jones with his first guest, Ben Yelin, to discuss the current state of regulation. Absolute security by definition is an oxymoron. I can secure you absolutely if you shutter your doors, wipe your computers, wrap them in Lucite and drop them in the Marianas Trench. But then again, you ain't going to make no money. CISO Perspectives is an N2K Pro exclusive show, but for this season we're sharing the first two episodes free on the CyberWire Daily. To hear the full season, visit TheCyberWire.com and click on subscribe now to become an N2K Pro member.
Narrator/Announcer
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T H A L E S. Learn more at thalesgroup.com.

Cyber compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V A N T A dot com CYBER.

My Caveat podcast co-host Ben Yelin recently sat down with Michelle Kellerman, cybersecurity engineer for air and missile defense at Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone that they create with HIPAA.
Kim Jones
So today we're going to be talking about period tracking apps and digital privacy, especially in the post-Dobbs era. So we're now three years after the Supreme Court's decision in Dobbs, which held that Roe versus Wade was overturned. There's no constitutional right to an abortion. It's an issue left to the states. Can you just kind of talk about the context of this issue, why you became interested in it, what the implications are of these period tracking apps?
Michelle Kellerman
Yeah, so when the Dobbs decision was made, women obviously were trying to figure out what this meant for them, what this meant for their safety. But then as the dust settled from the immediate shock, we were looking into how does this affect our everyday lives and things other than just wanting strict access to abortions, and that includes all reproductive health. So on a lot of women's spaces on Reddit or on social media, people started talking about how you need to delete your period tracking apps. And the conversation was very confusing because we were all under the impression that our health information was safe and protected. We're all raised that your doctor is the only one who has the right to know what's going on in your doctor's office. So this huge shift was really surprising. And to look at period tracking apps, come to find out they're not protected under HIPAA.
Kim Jones
So yeah, that was going to be my follow-up question. So our listeners are probably thinking like, oh, private health information, that triggers HIPAA. Why are period tracking apps not covered under HIPAA?
Michelle Kellerman
Health information specifically is a unique case. A lot of times when we have, when we talk about tech law, a lot of the current coverage is co-opted from older laws that we see over the last three or four decades. But that's because it covers a data type, a type of information. HIPAA is unique, it covers entities. It doesn't matter what type of data it is, it matters who is owning the data. So doctors, clinics, you know, psychologists, hospitals, your health plans. It only covers specific entities, not the type of information as a whole. So it's not covered because an application is not a doctor, is not a covered entity.
Kim Jones
Before this became such a live issue, was there any effort in Congress or at the state level to amend HIPAA or state-level equivalents to include applications? Like, was this something that was on the radar, or is it just an issue that's never really come up?
Michelle Kellerman
It's come up in congressional inquiries. So with Cambridge Analytica and Facebook selling your data to these data brokers. But it didn't get into health-specific information. It was just your online privacy as a whole coming up in these bigger inquiries by Congress. But not an effort specifically to legislate outside of data privacy laws. But health isn't always covered in data privacy laws. Practically only about 50% of them do.
Kim Jones
Of course, at the federal level it's more the absence of a data privacy law. Anyway, that's what they're great at, as we all know. So can you kind of walk us through how period tracking apps could be used by law enforcement in a case relating to reproductive rights and if there is any case law on what happens in those scenarios.
Michelle Kellerman
Before we get to that, there was an effort to amend HIPAA. Luckily, by the Biden-Harris administration, they added a new provision in 2024, June of 2024, that prohibits a HIPAA covered entity from releasing PHI for the purpose of conducting criminal, civil or administrative investigations and the identification of anybody involved with reproductive health. It was specific to reproductive health. So HIPAA now covers, has a specific health provision for reproductive health. So they are, they, there are amendments to it. Very recently, in wake of the Dobbs decision.
Kim Jones
Is that something that the Trump administration has tried to reverse? I'm kind of surprised they haven't, either through like the Congressional Review act or just through promulgating new regulations.
Michelle Kellerman
So they overturned two Biden era executive orders that were about allowing better access to reproductive health and then also protections. So there were two Biden era executive orders that have been overturned for access to reproductive health, including abortion.
Kim Jones
Gotcha. Okay, so now we can kind of go back to that original question, just walking us through what a typical case would look like and then where we are in terms of state case law, or federal case law for that matter, with these period tracking applications.
Michelle Kellerman
When you install a period tracking app, it asks for standard health information about you, your name, your age, your gender. And then it gets into date of last period on the most basic level. And then you have other, you have some applications that get more into it, your mood swings, how heavy your, how like heavier, other your period symptoms are or your symptoms when you're not having your period. Are you tracking fertility? Are you attempting to have a child? Even things like fertility monitors, like Inito is one of them, where you can have all that information and you can have your body temperature, blood work, you can have any, like a wealth of information that go to these applications that are not doctors. Inito and other fertility monitors and period tracking apps are completely separate.
Kim Jones
Can you talk about state laws or state applications where law enforcement has been trying to use data from either period tracking apps or otherwise in criminal or civil cases relating to reproductive rights?
Michelle Kellerman
We haven't seen any cases at this moment where they specifically name period tracking apps, but we are seeing a patchwork of laws try to come from the states. So Virginia in 2023 presented a bill that would have banned police from looking at data in period tracker apps when executing a search warrant. As you know, search warrants are very broad. It can be on device in general. And this bill would have barred period tracking and health apps from the scope of a search warrant. Unfortunately, Governor Youngkin's administration opposed it and it died in chambers. We're also seeing Massachusetts just updated their shield law, strengthening protections for providers and patients. And actually the law prohibits Massachusetts state and local authorities from cooperating with any federal or out-of-state investigation. So it's not just up to the local municipality if they want to get involved in helping an additional, a different state like Texas, for example, who is attempting to criminalize out-of-state abortions. This law actually bars the process altogether from cooperating with other states. So we're starting to see states get involved, but it's very patchwork and it's very dependent on the political winds.
Kim Jones
What is kind of the horror story that you're anticipating with period tracking apps? Like, what is the data that they are going to pull out to potentially use in a prosecution? Like, how would a prosecutor try and build a case based on a period tracking app? And then I think with that context, we can talk about remedies and potential solutions to this issue.
Michelle Kellerman
I would be concerned about criminalizing miscarriages and abortions. So somebody that, because we see a lot of times there's just an idea of like, oh, we think that she's pregnant. People will make assumptions on a woman's fertility status constantly for free, just with. Even though it's none of their business. That's just the natural state of how people are. So I'm concerned of people making assumptions about somebody else. We saw with Texas, they, one of the private entities involved in this released a website where you could snitch or report other people who were getting out of state abortions. So we're already in this state of reporting other people based purely on speculation. And then you would have these apps where you would have a consistent. Maybe if your cycle is regular and you have a monthly period and then all of a sudden you don't, they can make the assumption that you're pregnant. And then if you don't have a child, you could be potentially prosecuted for a miscarriage. Even if it's a fallacy, it's still a grueling, awful position to be in. Even if eventually the evidence comes out that you were never pregnant or never miscarried or had an abortion, it's still criminalizing just a woman's body functioning.
Kim Jones
This is what sort of gets me about this is obviously in this country, abortion and reproductive rights generally are a divisive political issue. I wouldn't think that even for those who are rabidly pro life, there would be a lot of enthusiasm about obtaining data from private period tracking applications. Like, I guess maybe this is an unfair question, but how is this an issue? Like, where is the opposition to keeping this data private or adding some type of HIPAA level protection on these applications.
Michelle Kellerman
I think people have gotten so used to being in everybody else's business with social media and everything that you do being somehow available for public comment. We've lost the desire for privacy. And we also have come to expect that we just don't really have it anymore. With every time we get a credit report breach and monitoring your credit cards at this point. There's been so many we don't care anymore. And it's a given now that your personal information is just out there. And we still hold the criminalizing a woman's body as this far-fetched idea, as if it's not really happening. Whereas a baby can be right in front of you and you only see what's directly in front of you. So I think there's just not an appetite for fighting for this amorphous idea of privacy when we already exist in a world where we don't expect it.
Narrator/Announcer
That's Michelle Kellerman from the Johns Hopkins University Applied Physics Lab. Be sure to check out their full conversation over on the Caveat podcast, wherever you get your favorite podcasts.

Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions, and security teams worldwide. See it in action now at maltego.com.

And finally, on Capitol Hill, lawmakers are turning their attention to a frontier that sounds more like science fiction than policy: your brain. Senators Schumer, Cantwell and Markey have introduced the Management of Individuals' Neural Data Act, tasking the FTC with writing the rulebook for how companies can handle neural data. The bill aims to prevent tech firms and data brokers from harvesting, bundling, and selling brain signals to nudge you what to buy or how you feel about it. With companies like Neuralink and consumer wearables already dipping into this territory without guardrails, senators warn of manipulative ads and predatory schemes pitched straight into your neurons. The FTC would be asked to coordinate with researchers, advocates, and industry to design protections. Apparently, privacy now means guarding not just your inbox, but also your cortex.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Critical GoAnywhere bug exposed
This episode delivers a brisk, detail-oriented intelligence briefing on the day's most pressing cyber threats, vulnerabilities, and policy developments. Anchored by host Dave Bittner, the show covers headline vulnerabilities like the Fortra GoAnywhere bug, major attacks in-the-wild, evolving ransomware, and emerging risks within generative AI and supply chain platforms. The centerpiece interview (16:24) explores the privacy and legal landscape of women’s health apps in the wake of post-Dobbs reproductive rights upheaval. The episode wraps with congressional efforts to regulate neural data, contemplating the next frontier of personal privacy.
pull_request_target trigger.
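The pull_request_target misconfiguration described in the briefing's GitHub Actions story, as an added example that is not from the episode or from Orca's research: a small audit script that flags a workflow combining that trigger with a checkout of the pull request head, secret references, or a write-all token, and shows the safer pull_request form beside it. The function name and the three sample workflow files are assumptions constructed for this example.

```python
"""Audit GitHub Actions workflow text for the pull_request_target pattern:
the trigger runs in the base repository's context, so checking out the
fork's code there hands untrusted code the repository's secrets and token.
Plain text matching is used so no YAML library is required."""
import re

# Constructed sample workflows, not taken from any real repository.
INSECURE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the fork's code, then runs it with base-repo secrets.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Hardened form: pull_request runs fork code in the fork's context with
# no secrets and a read-only token, so untrusted code gains nothing.
SAFER_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# pull_request_target is defensible when it never executes PR-supplied code
# and the token is scoped narrowly, as in this labeler-style workflow.
LABELER_WORKFLOW = """\
name: label
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to the pull request head, i.e. fork-controlled code.
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$", re.MULTILINE)
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def audit_workflow(text: str) -> list:
    """Return a list of findings (strings) for one workflow file's contents."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # pull_request alone never sees base-repo secrets
    if HEAD_REF_RE.search(text):
        findings.append("checks out the PR head under pull_request_target: "
                        "untrusted code runs with base repository secrets")
    if SECRETS_RE.search(text):
        findings.append("references secrets in a workflow that forks can trigger")
    if WRITE_ALL_RE.search(text):
        findings.append("GITHUB_TOKEN is write-all for a fork-triggered workflow")
    elif not PERMISSIONS_RE.search(text):
        findings.append("no permissions block: GITHUB_TOKEN inherits the "
                        "repository default, which may be write-enabled")
    return findings


if __name__ == "__main__":
    for name, wf in [("insecure", INSECURE_WORKFLOW), ("safer", SAFER_WORKFLOW),
                     ("labeler", LABELER_WORKFLOW)]:
        print(name, audit_workflow(wf) or ["no findings"])
```

Run it over a checkout's .github/workflows directory to triage which files deserve a manual review; a clean result here does not prove a workflow safe, only that the three patterns the briefing highlights are absent.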
Segment Begins: [16:24]
“Experts warn the flaw’s almost certain to be weaponized soon, echoing the widespread GoAnywhere exploit by the Clop gang in 2023.” – News Briefing (~01:30)
“HIPAA is unique…it covers entities…not the type of information as a whole. So it’s not covered because an application is not a doctor, is not a covered entity.” – Michelle Kellerman (18:11)
“With every time we get a credit report breach…there’s been so many we don’t care anymore. And it’s a given now that your personal information is just out there.” – Michelle Kellerman (26:12)
This episode delivers rapid-fire updates on active, high-profile cybersecurity incidents and vulnerabilities with global impact. The panel’s legal deep-dive on women’s health apps and the loopholes in digital health privacy is both timely and urgent, shedding light on the unknown risks facing women post-Dobbs. The looming debate over neural data and privacy signals how fast technology—and its regulation—continues to outpace society’s ability to adapt.
For those in cybersecurity, policy, or privacy advocacy, this episode offers a must-hear blend of technical vigilance and legal foresight.