Transcript
A (0:02)
You're listening to the CyberWire Network, powered
B (0:04)
by N2K.

AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders. Hosted by data security leader Cyera. Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI25 is happening November 12th and 13th in Dallas. There's no cost to attend, just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.

A major ransomware attack disrupts airport operations across Europe. Congress is on the verge of letting major cyber legislation expire. A critical flaw nearly allowed total compromise of every Entra ID tenant. Automaker Stellantis confirms the data breach. Fortra patches a critical flaw in its GoAnywhere MFT software. Europol leads a major operation against online child sexual exploitation. Three of the cybersecurity industry's biggest players opt out of MITRE's 2025 ATT&CK Evaluations. A compromised Steam game drains a cancer patient's donations. We've got our business breakdown. Andrzej Olchawa and Milenko Starcik from VisionSpace join Maria Varmazis, host of T-Minus Space Daily, on hacking satellites and how one kid got tangled in Scattered Spider's web.

Monday, September 22, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.

Thanks for joining us here today. Happy Monday. It's great to have you with us.

A major ransomware attack has disrupted airport operations across Europe, targeting check-in and boarding software supplied by Collins Aerospace. The European Union Agency for Cybersecurity confirmed that the malware scrambled automated systems, forcing manual workarounds at airports including Heathrow, Berlin and Brussels. Heathrow warned staff that more than 1,000 computers may be corrupted, with recovery requiring in-person fixes.
Although about half of Heathrow's airlines, including British Airways, restored partial service. Brussels airport canceled nearly 140 flights on Monday. Collins, whose Muse software was attacked, has issued patches but acknowledged hackers remain inside systems even after a rebuild. Law enforcement is investigating. The incident highlights the growing ransomware threat, with aviation cyber attacks up 600% in the last year, according to Thales, and criminal gangs reaping hundreds of millions annually.

Congress is on the verge of letting the 2015 Cybersecurity Information Sharing Act expire at the end of this month, and the stakes are high. The law gives companies liability protections when sharing cyber threat intelligence with each other and the government, essential to timely detection and response. While industry, the Trump administration and many lawmakers favor a clean, multi-year reauthorization, repeated attempts at both short- and long-term extensions have collapsed. Senator Rand Paul has objected to straightforward renewals, pushing instead for changes that industry and colleagues argue would gut protections and chill sharing. With no clear legislative path and the clock ticking, a lapse could have immediate consequences: hesitation to share critical threat data, heightened exposure to attacks, and amplified political fallout if a major breach occurs during the gap.

A critical design flaw in legacy Microsoft components nearly allowed total compromise of every Entra ID tenant. Researcher Dirk-jan Mollema found undocumented, unsigned actor tokens issued by the old Access Control Service and used for internal service-to-service calls that can impersonate any user for 24 hours and aren't logged or revocable. Coupled with a defect in the deprecated Azure AD Graph API, an attacker could craft an actor token, target a tenant, impersonate a global admin, and change users, reset passwords or alter configurations with almost no trace in the victim tenant.
Microsoft was notified July 14. The company fixed the issue within nine days and issued a public patch on September 4. The takeaway here is legacy auth paths and deprecated APIs are high risk: inventory, remove and monitor them urgently.

Automaker Stellantis has confirmed a data breach stemming from a third-party vendor supporting its North American customer service operations. The intrusion exposed customer names and email addresses, but no financial or sensitive information. The automaker launched an investigation, alerted law enforcement and began notifying affected customers, warning them to watch for phishing attempts. Stellantis has not disclosed the vendor or number of victims.

Fortra has patched a critical flaw in its GoAnywhere MFT software that could enable remote code execution through command injection. The issue stems from deserialization of untrusted data in the licensed servlet, exploitable with a forged license signature. Recent versions include fixes and Fortra urges customers to block public access to the admin console, monitor audit logs and check for suspicious errors. While no active exploitation is reported, past Clop ransomware abuses make this vulnerability a serious risk.

An international task force coordinated by Europol has identified 51 children and launched proceedings against 60 suspects in a major operation against online child sexual exploitation. Bringing together officers from 18 countries, investigators met in The Hague to analyze over 5,000 pieces of material using both traditional police work and AI-driven forensic tools. The effort produced 276 intelligence packages leading to arrests across multiple jurisdictions. The cross-border nature of the crimes, servers, platforms and victims spread across countries underscored the need for real-time intelligence sharing. Europol says this collaborative model combining advanced forensics with multinational coordination will guide future efforts.
Authorities stress that while police pursue offenders, parents must also take proactive steps, educating children about online risks, setting clear boundaries and encouraging safe reporting of suspicious contact.

Three of the cybersecurity industry's biggest players, Microsoft, SentinelOne and Palo Alto Networks, have opted out of MITRE's 2025 ATT&CK Evaluations Enterprise test, raising questions about the program's future relevance. All three cited resource prioritization and innovation as reasons, though experts suggest concerns about the evaluations becoming more promotional than practical also played a MITRE admitted the test may have grown too complex, with tougher scenarios, including cloud environments and alert volume tracking. Despite the withdrawals, a dozen vendors remain in the 2025 round, and MITRE plans to reboot its vendor forum for 2026 to restore industry engagement and refine testing objectives.

A Latvian streamer fighting stage four cancer lost $32,000 in life-saving treat after downloading what appeared to be a verified Steam game during a live fundraiser. BlockBlasters, a retro-style platformer with very positive reviews, silently drained his cryptocurrency wallet. Initially benign, the game was updated with a crypto drainer on August 30, targeting high-value crypto users. Security researchers later tied it to broader thefts of up to $150,000 across hundreds of accounts using a dropper script, backdoor and StealC payload. The loss struck during a GoFundMe campaign, but crypto influencer Alex Becker quickly replaced the stolen funds with a $32,500 donation. The case highlights how trusted platforms like Steam can be weaponized, underscoring the need for caution with lesser-known or lightly reviewed titles.

It's Monday, so that means it's time for our Monday business breakdown. We tracked roughly $390 million flowing into 15 investments plus six acquisitions, so a lively week on the funding side.
Vega popped out of stealth with a hefty $65 million across seed and Series A, aiming to beef up R&D and build out its US footprint. Right alongside them, Irregular, focused on securing frontier AI models, debuted with an even bigger $80 million raise led by Sequoia, targeting model resilience and misuse prevention. M&A stayed busy, too. CrowdStrike snapped up Pangea to deepen Falcon's AI detection and response story. Think broader coverage across the AI lifecycle. And Accenture picked up Canada's IAM Concepts to sharpen its identity chops across critical industries north of the border. That's this week's business breakdown. If you want the deeper dive on who's buying whom and why it matters for your roadmap, subscribe to N2K Pro and swing by TheCyberWire.com every Wednesday for the latest.

Coming up after the break, Maria Varmazis, host of the T-Minus Space Daily, speaks with Andrzej Olchawa and Milenko Starcik from VisionSpace. They're talking about hacking satellites and how one kid got tangled in Scattered Spider's web. Stay with

At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas: compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

Maria Varmazis is host of the T-Minus Space Daily podcast. She recently sat down with Andrzej Olchawa and Milenko Starcik from VisionSpace to discuss hacking satellites.
