CyberWire Daily: Ghost Students “Haunting” Online Colleges
Released on June 11, 2025 | Host: Dave Bittner
Episode Overview
In this episode of CyberWire Daily, host Dave Bittner covers a range of current cybersecurity stories, from critical software vulnerabilities and a resurgent botnet to AI-assisted financial-aid fraud against online colleges. The episode also features a conversation with Matt Radelek, VP of Incident Response and Cloud Operations at Varonis, on the role of Artificial Intelligence (AI) in cybersecurity, both as a tool for defenders and as a new exposure.
Patch Tuesday: A Flurry of Critical Vulnerabilities
00:45 – 04:30
The episode opens with the latest Patch Tuesday updates from Microsoft, which address more than 60 vulnerabilities, including an actively exploited WebDAV zero-day that Dave singles out as the top-priority fix:
"One headline grabber, a WebDAV zero day actively exploited in the wild, dubbed a top priority fix." (00:55)
Other high-risk fixes cover a publicly disclosed SMB client privilege-escalation flaw and several Office component vulnerabilities. The rollout was not entirely smooth: Microsoft throttled delivery of the June cumulative update to some Windows 11 devices because of a compatibility issue, and says a revised build containing all of the security fixes will be available by the end of the day.
Securing Operational Technology: Siemens and Schneider Electric Lead the Charge
04:31 – 06:50
Turning to the industrial sector, Dave reports on advisories from Siemens, Schneider Electric, Aviva, and CISA covering Operational Technology (OT) infrastructure. Siemens fixed a flaw in its G5 digital fault recorder that let remote attackers take over the device by logging in with default administrator credentials. Schneider Electric and Aviva have published mitigations for vulnerabilities in their own products to close them before they can be weaponized.
Mozilla and Salesforce Under the Spotlight
06:51 – 09:20
Mozilla has released an urgent Firefox update to patch two high-severity security flaws:
- Memory corruption in canvas rendering: an attacker could corrupt memory during canvas rendering, causing a crash that may be exploitable.
- Integer overflow in the JavaScript engine: an overflow in the engine's ordered hash table structure could produce an undersized allocation and a heap buffer overflow.
Both vulnerabilities carry CVSS scores above 8, and Mozilla urges users to update immediately (07:15).
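The second flaw is a classic pattern: a size computed as capacity times entry size wraps around in 32-bit arithmetic, so the heap allocation is far smaller than the number of entries the code then writes. The block below is an added illustration of that pattern and its fix, not Mozilla's code and not the actual Firefox bug; the entry size of 16 bytes and the function names are assumptions chosen for the demonstration. It computes the wrapped size, reports whether filling the table would overrun the allocation (without actually performing the out-of-bounds write), and shows the checked arithmetic that rejects the oversized capacity.

```c
/* Added example of an integer overflow in a hash-table growth computation.
 * Not Mozilla code; ENTRY_SIZE and the function names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define ENTRY_SIZE 16u   /* hypothetical bytes per hash-table slot */

/* Vulnerable pattern: capacity * ENTRY_SIZE is computed in 32 bits.
 * For capacity 0x10000001 the true product is 2^32 + 16, which wraps to 16. */
uint32_t unchecked_table_bytes(uint32_t capacity) {
    return capacity * ENTRY_SIZE;
}

/* Hardened pattern: refuse any capacity whose byte size does not fit in
 * 32 bits. Returns 1 and writes the size to *out on success, 0 on overflow. */
int checked_table_bytes(uint32_t capacity, uint32_t *out) {
    if (capacity > UINT32_MAX / ENTRY_SIZE) {
        return 0;
    }
    *out = capacity * ENTRY_SIZE;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 if the capacity is rejected. */
uint32_t checked_bytes_or_zero(uint32_t capacity) {
    uint32_t bytes = 0;
    return checked_table_bytes(capacity, &bytes) ? bytes : 0;
}

/* Simulates the consequence of the unchecked size: allocate with the
 * (possibly wrapped) byte count and report whether writing `capacity`
 * entries would run past the end of that allocation. The out-of-bounds
 * write itself is never performed. Returns 1 if it would overflow,
 * 0 if not, -1 if malloc fails. */
int write_would_overflow(uint32_t capacity) {
    uint32_t bytes = unchecked_table_bytes(capacity);
    unsigned char *table = malloc(bytes ? bytes : 1);
    if (table == NULL) {
        return -1;
    }
    /* The last slot ends at capacity * ENTRY_SIZE bytes, computed in 64 bits
     * so the comparison itself cannot wrap. */
    uint64_t needed = (uint64_t)capacity * ENTRY_SIZE;
    int overflow = needed > bytes;
    free(table);
    return overflow;
}

int main(void) {
    uint32_t big = 0x10000001u;   /* 268,435,457 slots */
    uint32_t small = 1024u;

    printf("unchecked: capacity %u -> %u bytes (wrapped)\n",
           big, unchecked_table_bytes(big));
    printf("writing all entries would overrun the allocation: %d\n",
           write_would_overflow(big));
    printf("checked: capacity %u -> %u (0 = rejected)\n",
           big, checked_bytes_or_zero(big));
    printf("checked: capacity %u -> %u bytes\n",
           small, checked_bytes_or_zero(small));
    return 0;
}
```

The fix is the single comparison against `UINT32_MAX / ENTRY_SIZE` before the multiply; doing the arithmetic in a wider type and then truncating would reintroduce the same bug, so the check has to happen on the operands, not the product.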
In parallel, a critical vulnerability in Salesforce Omnistudio has been uncovered, exposing sensitive customer data stored in plain text. This flaw, resulting from misconfigurations in Omnistudio’s data pipeline, affects thousands of organizations, particularly in healthcare, finance, and retail sectors. Researchers at Appomni have highlighted compliance risks under GDPR, CCPA, and HIPAA due to weak or missing encryption in data transmissions (08:45).
The Evolution of the Bad Box Botnet
09:21 – 11:15
Gavin Reed, CISO at Human Security, describes the evolution of the Bad Box botnet. First identified in 2022, Bad Box used backdoored firmware to spread malware across Android-based smart devices. Despite disruption efforts by Human Security and the FBI, Bad Box resurfaced in 2025 with new tactics:
"Attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft." (10:05)
The latest variant rotates its command-and-control domains to evade detection and takedown, which Reed reads as a sign that a Bad Box 3.0 is imminent.
AI-Powered Fraud: Ghost Students Exploit Online Education Systems
11:16 – 13:30
One of the most alarming trends discussed is the rise of AI-assisted "ghost students": fake enrollments in online college courses created to siphon off financial aid. Using stolen personal data, criminals apply for grants and loans, often targeting community colleges, where low tuition leaves more of the aid to be paid out. In 2024 alone, California reported 1.2 million fake applications, which led to over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. The people whose identities were used typically learn of the fraud only when their credit score drops or a loan notice arrives, and cleaning it up can take years.
The U.S. Education Department has responded by mandating ID verification for new aid applicants. However, ongoing federal staffing cuts threaten to undermine these preventative measures (12:30).
Massive Data Breach at Texas Department of Transportation
13:31 – 14:56
Attackers used a compromised user account to download nearly 300,000 vehicle crash reports from the Texas Department of Transportation. The stolen data included names, addresses, driver's license numbers, insurance policy numbers, and license plates. The agency disabled the account and added security measures once the activity was noticed, but the breach underlines the value of monitoring account behavior for anomalies such as a single account retrieving an unusual volume of records, and of responding quickly when they appear (13:45).
ConnectWise’s Proactive Security Measures
14:57 – 16:30
ConnectWise announced that it is rotating the code-signing certificates for ScreenConnect, Automate, and RMM after a third-party security researcher raised concerns. The rotation addresses how configuration data could potentially be misused; ConnectWise says it is not linked to any breach, including the recent nation-state attack. On-premises users need to update to builds signed with the new certificates to avoid service disruption, while cloud instances are updated automatically (14:15).
Leadership Change in Cybersecurity Legislation
16:31 – 19:50
Representative Mark Green, chair of the House Homeland Security Committee and a staunch advocate for cybersecurity, announced his upcoming retirement. Green’s departure could significantly impact the progress of key cyber legislation, including the reauthorization of the 2015 Cybersecurity Information Sharing Act. Potential successors like Representative Michael McCall and Representative Clay Higgins are emerging, but the future trajectory of cyber policy remains uncertain. The committee plans to maintain cybersecurity as a top priority, with Representative Andrew Garbarino expected to assume increased responsibilities (16:45).
In-Depth Conversation: AI as a Double-Edged Sword in Cybersecurity
19:51 – 28:38
The episode's feature segment is a conversation with Matt Radelek of Varonis on the dual role of AI in cybersecurity.
AI for Business and Defense vs. AI as an Attack Vector
Dave opens the conversation by addressing the multifaceted nature of AI:
"There are three main things we're all trying to do with it. One is we want to get the business gains… the second is how do we, as security professionals use it for defense? But next to that one is how does an attacker use it against us." (14:57)
Matt adds that security practitioners have to keep all three in view at once, using AI for business benefit while defending against its misuse:
"We have to see all three heads of the dog." (14:57)
Strategies for Integrating AI Securely
Matt advises organizations to:
- Inventory AI Usage: Maintain a complete picture of where and how AI is integrated within the organization, and make sure the data used for training is secured and appropriately managed.
- Promote Secure AI Adoption: Encourage the business to adopt AI proactively rather than resist it, with security controls built in from the start to prevent exploitation.
- Enhance Access Control: Enforce strict access controls so that an AI tool can only surface data its user is already authorized to see, rather than becoming a shortcut around existing permissions.
Empathy for Security Professionals
Dave expresses empathy for security teams grappling with AI integration, likening the challenges to previous technological shifts like cloud adoption:
"It's just moved again. And so it's inevitable that it's going to move again..." (17:55)
Matt agrees but argues against resignation: the answer is to put protective measures in place so the organization can take advantage of AI safely.
Practical Recommendations
Dave advises focusing on protecting high-value data assets first, employing a precision approach to security:
"Aim small… try to protect the really important stuff first." (19:48)
He also stresses that robust access control is what keeps AI assistants from becoming a conduit for data breaches by surfacing data a user should never have been able to reach.
Success Stories and Common Pitfalls
Matt observes that the organizations doing well typically have longstanding data classification and management practices, often driven by compliance requirements. By contrast, many companies neglected security during their cloud transformations, leaving data exposures that surface once AI tools such as Copilot are layered on top and can reach everything the user can (23:27).
Key Takeaways
- Data Security Fundamentals: Emphasizing the importance of data classification, encryption, and access control.
- Proactive AI Integration: Encouraging businesses to adopt AI with a security-first mindset to stay competitive without compromising safety.
- Continuous Assessment: Regularly evaluating data exposure and access privileges to adapt to evolving AI capabilities.
Final Highlights: Government Surveillance and Data Privacy Concerns
28:23 – 30:03
The episode closes with a report from 404 Media that major U.S. airlines have been quietly selling domestic flight data to Customs and Border Protection (CBP) through ARC, a data broker the airlines own. The arrangement, known as the Travel Intelligence Program, holds more than a billion travel records and was never publicly disclosed, raising significant civil liberties concerns. Advocates call it a "digital age revival of the collect-it-all mentality," and the report has prompted congressional inquiries into the transparency of loyalty programs and government surveillance practices (30:03).
Conclusion
This episode covers a broad set of current threats and fixes, anchored by a discussion of how AI both strengthens and stresses organizational security. Matt Radelek's advice amounts to a practical order of operations: know where AI is in use, classify and lock down the data it can reach, and protect the most important assets first.
Notable Quotes:
- “One headline grabber, a WebDAV zero day actively exploited in the wild, dubbed a top priority fix.” – Dave Bittner (00:55)
- “Attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft.” – Gavin Reed (10:05)
- “There are three main things we're all trying to do with [AI].” – Dave Bittner (14:57)
- “Aim small… try to protect the really important stuff first.” – Dave Bittner (19:48)
For more detailed insights and updates on the evolving cybersecurity landscape, tune into future episodes of CyberWire Daily.
