CyberWire Daily: “Critical GoAnywhere bug fuels ransomware wave” (October 7, 2025)
Overview
This episode of CyberWire Daily covers the latest urgent cybersecurity threats, including a critical GoAnywhere MFT flaw being actively exploited for ransomware, a newly disclosed Redis vulnerability, evolving state-sponsored cyber operations, and ongoing challenges around AI in the workplace. The episode also features an in-depth "Industry Voices" interview with Alastair Paterson of Harmonic Security on the rise of shadow AI: AI-driven tools proliferating in organizations outside traditional IT controls, creating both opportunities and risks. The episode keeps a brisk, informative tone while covering both high-level trends and hands-on advice for security professionals.
Key News Briefs & Discussion Points
1. Critical GoAnywhere Vulnerability Drives Ransomware Attacks
- [00:55] Context: Fortra's GoAnywhere Managed File Transfer (MFT) software is under active exploitation via a zero-day vulnerability rated CVSS 10.
- Attack Details:
- Allows attackers to bypass license signature verification for remote code execution.
- No authentication required if attackers can intercept/forge license responses; high risk for Internet-facing servers.
- Threat Actor & Impact:
- Microsoft attributes exploitation to the group Storm-1175, which first deploys legitimate remote management tooling and establishes C2 before dropping Medusa ransomware.
- Although Fortra released a patch on September 18, many servers remain unpatched and exposed.
- Recommendations:
- "Microsoft urged immediate patching, network perimeter reviews, and running endpoint defenses in block mode."
– Host, [01:37]
2. Critical Redis ‘Redishell’ Vulnerability
- [02:06]
- A 13-year-old use-after-free bug in Redis's Lua scripting engine, which is enabled by default (CVSS 10), lets an attacker escape the Lua sandbox and execute code on the host, potentially leading to data theft, ransomware, or crypto-mining.
- Over 330,000 Redis instances vulnerable; 60,000 require no authentication.
- Quote:
"Authenticated attackers can exploit it to escape the Lua sandbox, trigger memory corruption and establish a reverse shell for persistent access."
– Host, [02:29]
- Call to Action:
- Immediate patching, especially for Internet-facing servers, is urged by Redis maintainers and researchers.
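The two numbers that matter in this item are the exposed instances and the ones answering without authentication, and the bug sits behind the Lua scripting commands. The script below, an added example written for this summary (not code from CyberWire, Redis or the researchers cited), speaks raw RESP over a plain socket and reports, for one host, whether it accepts commands with no credentials, whether EVAL is still reachable, and what version it advertises so that can be compared against the vendor advisory. Hostnames, the sample replies and the `probe`/`classify` names are all assumptions; the sample replies are constructed, not captured from any real server. It sends a harmless `EVAL "return 1" 0`, so only run it against hosts you are authorised to test.

```python
"""Redis exposure triage for the Lua sandbox escape ("RediShell") above.
Added example for this summary, not code from CyberWire, Redis or the cited
researchers. It speaks raw RESP over a socket (no redis-py) and answers the
segment's two questions: does the instance accept commands without
authentication, and are the Lua scripting commands (EVAL/EVALSHA) that the
bug sits behind still reachable? probe() sends a harmless EVAL 'return 1',
so only point it at hosts you are authorised to test."""
from __future__ import annotations

import socket
import sys


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array: PING -> b'*1\\r\\n$4\\r\\nPING\\r\\n'."""
    out = [b"*%d\r\n" % len(parts)]
    for part in parts:
        raw = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_reply(raw: bytes) -> tuple[str, str]:
    """Decode one RESP reply into (kind, payload); kind is status/error/int/bulk/nil."""
    line_end = raw.index(b"\r\n")
    head, body = raw[:1], raw[1:line_end].decode()
    if head == b"+":
        return "status", body
    if head == b"-":
        return "error", body
    if head == b":":
        return "int", body
    if head == b"$":
        length = int(body)
        if length < 0:
            return "nil", ""
        start = line_end + 2
        return "bulk", raw[start:start + length].decode(errors="replace")
    raise ValueError(f"unsupported RESP reply: {raw[:16]!r}")


def redis_version(info_server: str) -> str:
    """Pull redis_version out of an INFO server payload, or 'unknown'."""
    for line in info_server.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def classify(ping_reply: bytes, eval_reply: bytes, info_reply: bytes) -> dict:
    """Turn the three raw replies from probe() into a triage verdict."""
    ping_kind, ping_body = parse_reply(ping_reply)
    unauthenticated = ping_kind == "status" and ping_body == "PONG"
    # EVAL "return 1" 0 answers :1 when scripting is open; a NOAUTH or NOPERM
    # error means requirepass/ACLs (e.g. -@scripting) or rename-command closed it.
    eval_kind, eval_body = parse_reply(eval_reply)
    scripting_reachable = eval_kind == "int" and eval_body == "1"
    info_kind, info_body = parse_reply(info_reply)
    version = redis_version(info_body) if info_kind == "bulk" else "unknown"
    if unauthenticated and scripting_reachable:
        verdict = "CRITICAL: no authentication and Lua scripting reachable"
    elif unauthenticated:
        verdict = "HIGH: no authentication (scripting blocked, but add requirepass/ACLs)"
    else:
        verdict = "AUTH REQUIRED: confirm the patch level against the Redis advisory"
    return {"unauthenticated": unauthenticated, "scripting_reachable": scripting_reachable,
            "redis_version": version, "verdict": verdict}


def read_reply(sock: socket.socket) -> bytes:
    """Read one complete RESP reply (simple line, or a bulk string plus its body)."""
    buf = b""
    need = 2  # at least one CRLF-terminated header line
    while len(buf) < need or b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
        if buf[:1] == b"$" and b"\r\n" in buf:
            line_end = buf.index(b"\r\n")
            length = int(buf[1:line_end])
            need = line_end + 2 + (length + 2 if length >= 0 else 0)
    return buf


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Connect with no credentials, send PING, EVAL and INFO server, then classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        replies = []
        for cmd in (("PING",), ("EVAL", "return 1", "0"), ("INFO", "server")):
            sock.sendall(encode_command(*cmd))
            replies.append(read_reply(sock))
    return classify(*replies)


# Constructed sample replies (not captured from any real host) so the triage
# logic runs offline; the version string is illustrative only.
_INFO = b"# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_OPEN = (b"+PONG\r\n", b":1\r\n", b"$%d\r\n%s\r\n" % (len(_INFO), _INFO))
SAMPLE_LOCKED = (b"-NOAUTH Authentication required.\r\n",) * 3

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python redis_triage.py 10.0.0.5
    else:
        for sample in (SAMPLE_OPEN, SAMPLE_LOCKED):
            print(classify(*sample)["verdict"])
```

The script deliberately does not decide "patched or not" from the version string, because the fixed releases belong in the vendor advisory rather than here; it surfaces the version so an operator can make that comparison. An instance that answers `PONG` but returns `NOPERM` to `EVAL` is the state you want as an interim measure (an ACL rule such as `-@scripting` on the default user) while the patch is rolled out; an instance that answers `:1` with no authentication is exactly the population the segment is warning about.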
3. Beijing Institute (Bieta) Linked to Chinese State Security
- [03:07]
- Recorded Future's Insikt Group reports that Bieta is "almost certainly" affiliated with China's Ministry of State Security (MSS), likely serving as a public front for MSS research.
- Activities range from steganography and forensics to communication research.
- Risks:
- Technology transfer, covert comms support, espionage tradecraft, export controls impact.
- Quote:
“Academia and vendors should review ties and conduct strict due diligence.”
– Host, [03:54]
4. Oracle E-Business Suite Breach: Competing Narratives
- [04:10]
- Reports of exploitation against Oracle EBS spark confusion—varying claims include password issues, credential reuse, or a new zero-day.
- Analysis by watchTowr Labs suggests a remotely exploitable, unauthenticated code execution flaw.
- Quote:
“The incident highlights how rumor and premature attribution can undermine coordinated response during active exploitation.”
– Host, [04:46]
- Emphasis on clear, evidence-based communication while patch guidance is awaited.
5. EyeMed Vision Care Settles Phishing Breach Lawsuit
- [05:08]
- EyeMed will pay $5M following a 2020 phishing attack that led to email system compromise.
- Settlement includes compensation of up to $10,000 per member for losses and requires security improvements (MFA, password policies, training, third-party HIPAA assessments).
- Note: No admission of wrongdoing, but an agreed effort to strengthen controls.
6. Trinity of Chaos Ransomware Collective Emerges
- [05:48]
- New leak site on Tor claims 1.5 billion records from 760 firms, possibly tied to Lapsus$, Scattered Spider and ShinyHunters.
- Shows previously undisclosed data, not new attacks; targets include Salesforce, though Salesforce denies any current vulnerabilities.
- Tactics involve OAuth token theft and vishing, with DDoS attacks hitting the leak site and a negotiation deadline of Oct 10.
- FBI alert issued, with warnings of further data abuse and AI-driven phishing risks.
7. LinkedIn Sues Major Data Scrapers
- [06:55]
- LinkedIn files suit against Pro APIs Inc. and Netswift for creating over 1 million fake accounts and reselling data via iscraper API (up to $15K/month).
- Seeks injunctions, data deletion, damages, and vows ongoing legal enforcement.
- Quote:
“LinkedIn says it will continue aggressive legal action to protect member data.”
– Host, [07:15]
8. Nobel Prize in Physics Cites Quantum Tunneling
- [07:35]
- John Clarke, Michel Devoret and John Martinis win for advances in quantum mechanical tunneling, underpinning quantum computing.
- Clarke described the award as the surprise of his life and noted that the work underpins "technologies like smartphones."
- Award is seen as vital to digital innovation, including quantum cryptography.
Industry Voices Segment: Shadow AI and the New Era of Work
Guest: Alastair Paterson, Harmonic Security ([13:31]–[28:47])
AI’s Proliferation in the Workplace
- Generational Shift:
- “A lot of people start and finish work activities in these AI chatbots and agents...a generational shift, with profound implications for how we work and how we think about security.”
– Paterson, [13:39]
- AI tools are now central to problem-solving in daily office life, with or without official IT approval.
No Control Plane for AI Usage
- Visibility Challenge:
- "Traditional controls are just not set up for this era...they typically don't see the prompt-level data, the use cases around that..."
– Paterson, [15:43]
- Existing security tech (SASE, CASB, DLP) lacks contextual awareness on AI data flows, especially around prompts and non-file-based information.
Retrofitting & Blocking: Poor Fit
- Organizations try to use old-school DLP, label data, or block AI tools completely—neither works well:
- Blocking: "Employees tend to find ways around those controls. They get frustrated. The security team ends up in exception hell...we're back to security being the department of no again."
– Paterson, [19:11]
- Anecdotes:
- A head of AI at an insurance firm resorted to using ChatGPT on his personal laptop due to corporate blocks.
- Four times as many employees use free ChatGPT versus official Copilot licenses. Much data loss is linked to personal accounts.
The Rise of Shadow AI
- "We've always talked about shadow IT, but I guess shadow AI is kind of a subset of that now."
– Host, [21:18]
- Paterson asserts that every enterprise app now leverages LLMs, so AI is pervasive and not confined to clearly defined "AI apps."
What Works: Collaborative, Nuanced Security
- Successful strategies:
- "Work with the employees and meet them where they are, understanding the use cases...get that visibility...so that you can put the appropriate controls in place."
– Paterson, [22:06]
- Not blanket blocking, nor unlimited access; instead, find needs and gaps and help standardize where possible, using clear policies and guardrails.
- Security's role should shift from gatekeeper to facilitator.
- Guardrails & Guidance:
- Visibility is foundational—understand where and how AI is used, then educate and enable employees with policies and controls that make sense.
Mistakes to Avoid
- Four “buckets” of company approaches:
- Too permissive (“wide open”).
- Heavy-block mode (counterproductive, drives shadow adoption).
- Permissive but “risk-worried”.
- Currently blocking, striving to become more progressive.
- Most firms fall into the fourth bucket: trying to enable adoption without giving up risk management.
Looking Ahead
- Third-party AI will dominate:
- "Employees are going to be making use of agents, but it's going to be mostly third-party stuff...I think the enterprise thinks it can dictate how AI is getting deployed, but I think the reality is that the employees are going to be mostly dictating that by what they use..."
– Paterson, [27:40]
- Browser-based AI and agentic browsers are on the rise, with engineering-specific AI tools also proliferating.
- Security models must adjust to monitor, guide, and support secure usage, not just block.
Memorable Quotes & Moments
- “Exploitation requires no authentication... posing significant risk to Internet-facing instances.” – Host, [01:29]
- “Try to block access, and then employees find ways around anyway.” – Paterson, [15:59]
- “Blocking things is never going to be the right answer.” – Paterson, [20:59]
- “Security can become an enabler again and the business is going to benefit overall.” – Paterson, [23:44]
- “You drive the behavior just outside your monitoring, which is not helpful.” – Paterson, [26:11]
- "The enterprise thinks it can dictate how AI is getting deployed, but...the employees are going to be mostly dictating that..." – Paterson, [27:40]
Additional Noteworthy Segment
AI-Authored Australian Government Report Fiasco
- [30:06]
- Deloitte refunds part of a contract after an AI-assisted report was found to contain fabricated citations and legal references.
- Commentary: Modern due diligence can be subverted by AI-driven “creative writing,” underscoring the danger of trusting outputs too readily.
- Quote:
"The irony, of course, is that this technology is being sold as a tool for efficiency and truth, yet keeps demonstrating a flair for creative writing."
– Host, [30:48]
Timestamps Index (MM:SS)
- 00:55 – Fortra GoAnywhere ransomware wave
- 02:06 – Redis (“Redishell”) vulnerability
- 03:07 – Bieta ties to China’s MSS
- 04:10 – Oracle EBS competing breach stories
- 05:08 – EyeMed Vision Care settlement
- 05:48 – Trinity of Chaos leak site
- 06:55 – LinkedIn data scraping lawsuit
- 07:35 – 2025 Nobel Prize in Physics
- 13:31 – “Industry Voices”: Shadow AI & new era of work (Alastair Paterson)
- 30:06 – AI-powered government report incident
Episode Takeaways
- The vulnerability crisis (GoAnywhere, Redis) underscores the urgent patching and monitoring needs for Internet-exposed applications.
- Shadow AI is becoming as prevalent as shadow IT—old tools and blanket policies are ill-fitted for regulating current AI-powered employee workflows.
- Security leaders should promote visibility and nuanced controls rather than futile bans, supporting AI adoption while managing sensitive data exposure.
- Vigilance is required regarding the trustworthiness of AI-powered outputs, not just who is using them, but how their results are interpreted.
- The security community’s role is shifting to enable productivity, not to block it, as employees become the main agents of tool adoption.
