Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Marty Momjian
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise Solution that stops ransomware in its tracks. Allow Listing is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. Cisco reveals a phishing-related data breach. SonicWall warns users to disable SSL VPN services after reports of ransomware gangs exploiting a likely zero day. Researchers uncover a stealthy Linux backdoor and new vulnerabilities in Nvidia's Triton inference server. A new malware campaign targets Microsoft 365 users with fake OneDrive emails. The US Treasury warns of rising criminal activity involving cryptocurrency ATMs. Cloudflare accuses an AI startup of using stealthy methods to bypass restrictions on web scraping. A global infostealer campaign compromises over 4,000 victims across 62 countries. Marty Momjian, general manager of Ready One by Semperis, joins us to talk about Operation Blindspot, a tabletop exercise taking place this week at Black Hat. On this week's Threat Vector segment, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority. And one hospital's data ends up in the snack aisle. It's Tuesday, August 5th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Cisco has revealed that attackers stole user profile data from Cisco.com via a voice phishing scam targeting an employee. The breach, discovered on July 24, involved unauthorized access to a third-party cloud CRM system. Exposed data includes names, organization details, contact info, Cisco user IDs and account metadata.
Cisco emphasized that no passwords, sensitive data or proprietary information were taken and its products and services remain unaffected. The compromised CRM instance was promptly shut down and an investigation began. Cisco has notified regulators and affected users where required. To prevent future incidents, the company says they're enhancing security and retraining staff on phishing threats. Cisco has not disclosed the number of affected users or whether a ransom demand was made. SonicWall is warning users to disable SSL VPN services after reports of ransomware gangs exploiting a likely zero-day flaw in Gen 7 firewalls since mid July. Arctic Wolf Labs and Huntress have observed Akira ransomware attacks that may bypass MFA and target domain controllers within hours. While a zero day is suspected, other methods like brute force or credential stuffing haven't been ruled out. SonicWall confirmed it's investigating and urged users to disable SSL VPN, restrict access by IP, enable botnet and GeoIP filters, enforce MFA and remove unused accounts. The company also recently advised patching SMA 100 appliances against a critical RCE flaw, which, while not yet exploited, is being targeted in attacks using stolen credentials to deploy Overstep malware. Researchers at Nextron Threat Research have uncovered a stealthy Linux backdoor dubbed Plague. It's embedded as a malicious pluggable authentication module, giving attackers persistent SSH access while bypassing system authentication. The malware deeply integrates into Linux systems, survives updates, erases traces like SSH logs and shell histories, and uses obfuscation techniques to avoid detection. It even masquerades under a legitimate library name and includes hard-coded passwords for easy re-entry. Worryingly, no antivirus engines flagged the malware when samples were uploaded to VirusTotal in 2024. Nextron isn't sure how it's being deployed, but the potential risk is high due to its ability to hijack authentication.
So far there's no evidence it's been found in the wild, but experts warn it poses a serious threat to Linux systems. Elsewhere, researchers at Wiz have uncovered new vulnerabilities in Nvidia's Triton inference server, saying they could pose a serious risk to AI systems. Three flaws affect the Python backend and could allow remote attackers to gain full server control. Two are high severity, enabling code execution and data exposure. The third is medium severity. The attack chain starts with a minor info leak and escalates to full compromise, risking theft of AI models and sensitive data. Nvidia has patched the flaws and Wiz has published technical details. Sublime Security has uncovered a new malware campaign targeting Microsoft 365 users with fake OneDrive emails. The attack begins with a message from a compromised account posing as a OneDrive file share. It includes a deceptive link that appears to lead to a Word document, but instead downloads a malicious installer hosted on Discord's CDN. When clicked, it installs two remote monitoring tools, Atera and Splashtop Streamer, alongside .NET Runtime 8, giving attackers full remote access. These tools, often used by IT admins, appear legitimate and bypass typical security checks. The dual installation ensures persistent control even if one tool is detected. This sophisticated multi-stage threat highlights the need for caution with unexpected emails and file types. Always verify file extensions and be wary of unusual download sources. The US Treasury's Financial Crimes Enforcement Network (FinCEN) is warning financial institutions about rising criminal activity involving cryptocurrency ATMs. Also known as convertible virtual currency kiosks, these machines, often found in places like gas stations, allow users to buy crypto with cash and are increasingly exploited for scams and money laundering. Many operators fail to comply with anti-money laundering rules or register as required.
In 2023, the FBI received nearly 11,000 complaints involving these kiosks, totaling $246 million in victim losses. Criminals often target vulnerable groups, especially seniors, using fake tech support scams. FinCEN urges operators and banks to watch for suspicious behavior like repeated sub-threshold transactions or first-time users making large deposits. Legislative efforts are underway to tighten oversight, including a bill requiring kiosk registration, transaction tracing and consumer protections. Cloudflare has accused AI startup Perplexity of using stealthy methods to bypass website restrictions on web scraping. In a blog post, Cloudflare said Perplexity ignored directives in robots.txt files, which tell bots what content they can access. After receiving complaints, Cloudflare blocked Perplexity's bots and removed them from its list of verified crawlers. The move follows Cloudflare's recent policy giving customers the option to block or charge AI scrapers. Perplexity denies the claims, calling Cloudflare's post a sales pitch and disputing the bot identification. The incident adds to Perplexity's growing controversy, including threats of legal action from the BBC over alleged unauthorized content use. A global infostealer campaign has compromised over 4,000 victims across 62 countries, stealing more than 200,000 passwords, hundreds of credit card numbers and 4 million browser cookies, according to Sentinel Labs and Beasley Security. The attacks are tied to Vietnamese-speaking actors using the Python-based PXA Stealer, with data sold on Telegram-based markets like Sherlock. The malware uses signed software like HiHi Soft PDF Reader and Microsoft Word 2013 to sideload malicious DNS DLLs and evade detection. Campaigns in April and July of this year revealed increasingly sophisticated tactics, including decoy documents and multi-stage infections. PXA Stealer targets over 40 browsers and crypto wallet extensions, exfiltrating data via Telegram.
The stolen information grants access to victims' bank accounts, crypto apps, VPNs and more, fueling a thriving underground market for digital identity. Coming up after the break, my conversation with Marty Momjian, general manager of Ready One by Semperis, telling us about the Operation Blindspot tabletop exercise taking place this week at Black Hat. And on this week's Threat Vector, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority. And one hospital's data ends up in the snack aisle. Stick around.
David Moulton
New adversary tactics and emerging tech to meet these threats are developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work. How do they help that customer know that what they just created is safe?
Nigel Hedges
The future is now and our expectations are wrong.
David Moulton
Join me, David Moulton, Senior Director of Thought Leadership for Unit 42 at Palo Alto Networks, and our guests who live this work every day.
Marcus Hutchins
We're not just talking about some encryption and paying multimillion dollar ransom.
Nigel Hedges
We're talking about fundamentally being unable to.
Dave Bittner
Operate automated eradication and containment. So being able to very rapidly ID what's going on in an IT and contain that immediately.
Marcus Hutchins
They're hiding in plain sight.
David Moulton
So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your front line for security insights.
Marty Momjian
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1. And without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com machines to see how. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's v-a-n-t-a.com cyber. Marty Momjian is general manager of Ready One by Semperis. I caught up with him to find out more about Operation Blindspot, a tabletop exercise taking place this week at Black Hat.
Marcus Hutchins
Yeah, so something we do yearly is a community tabletop exercise and a simulation where we get just a bunch of members of the cyber community together, local law enforcement, sometimes we have the FBI attend as well, and just cyber law enforcement. And we pretty much get everybody together in a room and do a tabletop exercise that's generally open to the media. And our focus is based around what is really currently happening out there in the cyber industry. Right. What are the high-value targets? Critical infrastructure, healthcare, gas and oil, airlines. This year we're focusing on critical infrastructure, a water treatment facility.
Marty Momjian
Well, let's dig into that. I mean, what made you have a water treatment facility be the subject of this year's exercise?
Marcus Hutchins
There were a few incidents that occurred late last year and early this year. Some made it to the media and some did not, of just nation-state sponsored adversaries targeting critical infrastructure in the United States. Right. And in Europe and certain parts of the world. And we decided instead of doing the traditional tabletop exercise, let's do something that would actually have direct impact to the public from what we know is going on out there.
Marty Momjian
So for someone who's going to attend, what can they expect to see?
Marcus Hutchins
Generally we try to make it a little bit of fun and a little bit serious at the same time. What we do is step through a cyber incident response framework and crisis management framework. We will randomly assign certain individuals to certain teams and go through about a two-hour tabletop exercise where we take turns on the red team and blue team, stepping through an actual incident that has occurred in the past, but also reproducing it with the attendees.
Marty Momjian
So my understanding is this year you've got, I guess, a bit of a cyber celebrity, if that's fair to label your special guest this year.
Marcus Hutchins
Yes, we got Marcus, go on. Probably one of the best-known cybersecurity practitioners and researchers out there.
Marty Momjian
Marcus Hutchins.
Marcus Hutchins
Yep. Marcus Hutchins, one of my favorites. So I would say to me he is more than a celebrity.
Marty Momjian
Right.
Marcus Hutchins
Knowing somebody like him in the industry who's an actual hands-on practitioner, not just somebody who speaks about it, but he actually practices true red teaming in the industry and shares his wealth of knowledge. So we're going to have him in attendance as well, more than likely assigned to the red team because that's what Marcus is good at. Of course.
Marty Momjian
Is there an educational component to this as well? I mean, is this something that someone who's looking to learn more about these sorts of tabletop exercises, would they be able to get something out of it?
Marcus Hutchins
Yeah, yeah, absolutely. One thing that we do is we try to stay away from the theoretical. So there's a lot of tabletops that occur that are kind of make-believe, theoretical. What if this happens? What if that happens? We do our due diligence that we actually step through, de-identified and not sharing any personal information or identifiable information whatsoever about the incident, but actually stepping through the real-time tactics of threat actors and adversaries for these incidents and the real-time tactics that the good guys, the blue team, would use. Right. So we try to make it a mix of a consultative approach plus very, very tactical when it comes to the red and blue team as well, to make everybody participate as much as they can and absorb as much knowledge as they can for us as well. And we try to have it be as engageful as possible.
Marty Momjian
What do you hope that people get out of this? What do you hope they walk away with?
Marcus Hutchins
Mainly awareness. And the attendees are a mix of different industries. So we have attendees from all different types of industries from around the world. What I generally look to get out of it, and the attendees, is learning from each other. What are different organizations doing, different industries doing, in handling cyber threats that are out there, and how they really put their incident response plans together. Because there's a lot that we can learn from each other.
Marty Momjian
That's Marty Momjian, general manager of Ready One by Semperis. On this week's Threat Vector segment, David Moulton speaks with Nigel Hedges from Sigma Healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority.
David Moulton
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience and the industry trends that matter most. Right now we're facing a perfect storm of sophisticated attacks. Chinese state actors exploiting SharePoint flaws to deploy ransomware, with over 4,600 compromise attempts on more than 300 organizations worldwide. New shade BIOS techniques that run malware in places where no security software can reach. And AI-generated malicious packages that are stealing cryptocurrency from thousands of users. CISOs need more than technical expertise. They need to be storytellers who can translate these complex threats into language that boards understand and act upon. What you're about to hear is a snapshot from my conversation with Nigel Hedges, Executive General Manager of Cyber and Risk at Chemist Warehouse, about this challenge. If you like this short segment, you'll love the full episode. The link is in the show notes. Nigel Hedges, welcome to Threat Vector. I am so excited to have you here today.
Nigel Hedges
Let's do it. Yeah.
David Moulton
You've held CISO roles at major Australian enterprises. What does it take to elevate cybersecurity from just an IT issue to a business issue in these types of environments?
Nigel Hedges
Yeah, it's a good question, because I have more and more described cyber to anyone who will listen that it's not a technology risk, it's a technology-enabled business risk, just like any other business risk. So that's the start of that conversation. But I typically try to address it in my first hundred days of any new role, which is making a conscious effort to spend equal time on trying to understand the environment and the cyber risks that I'm inheriting, as well as going and meeting with key stakeholders from the business units. And that way having the dialogue, explaining the philosophy around my approach to cyber, you know, with the GMs of marketing, sales, supply chain, whatever it might be, but actually just starting with the question, how can I help you? And so that's the way that I try to elevate cybersecurity, by getting in there and right from the get-go appearing like somebody who wants to help in their domain.
David Moulton
So, Nigel, you've worked across retail, higher ed, professional services, a lot of different domains. How do the conversations around cyber risk shift across these sectors at the executive level?
Nigel Hedges
Yeah, so I think that at the executive level, for me, at least in my experience, it hasn't been as different as one might think. The industry is different. Different complexities, of course, but I found the types of concerns and questions are the same. I think the only difference I would probably point to is culture. Take retail, for example. It's high stakes, quick to market, trying to get things done really quickly. So therefore your approach to inserting cyber into those conversations needs to be done in a certain way. With professional services and higher education, there's a little bit more regulation and compliance in there, so there's a little bit of a slow-down-to-speed-up type of thing. And so again, that's kind of just going with the flow with what are the carrots and the sticks that you have available to work with the executives.
David Moulton
Now, Joe, I like the idea that there are unifying documents out there that help coach an important group like your board on how to have a conversation with you. And I think maybe it helps you understand the types of questions you should answer. And I suppose when I say you, not just you specifically, but security leaders in general. I'm curious, though, when you're preparing for those board-level presentations, how do you decide what to include and what to leave out?
Nigel Hedges
Yeah, so for me, I always try to go in with that materiality perspective again. So I am thinking about the types of incidents that have occurred, possibly in that period. I'm looking at things that have happened in the market that are of interest and I will put them into my presentation, and sometimes going into a very busy audit risk committee type of environment where I think that they're probably going to be spending about four hours together talking about all sorts of things. So I try to think of it like I've got 10 minutes to talk, and in fact, out of that 10 minutes I've got five minutes to talk and five minutes for questions. The reality is, even with that perspective, I've typically gone into audit risk committee and come out 45 minutes later or longer. But I've basically tried to apply that approach, because when I look at my material I suddenly say to myself that there's no way I can cover these eight or nine things in five minutes. So what can I, what should I cut out? You have to just be brutal and go back to that materiality sort of thing. They've got a fiduciary duty of care at the board level, especially to protect the organisation and the organisation's interests. So what connects to that? And that's helped me.
David Moulton
And Agile. Talk to me about your experience. What are the keys of making cybersecurity spending a priority in annual budgets?
Nigel Hedges
Yeah, so that is a good one. And I think it goes back to starting in the first 100 days. So I typically will look at the annual reports and I will try to connect business strategy, and typically technology strategy, but definitely business strategy, and connect that back to cyber priorities. So if I find that I'm proposing something that really doesn't very clearly resonate with a business strategy and how it's supporting that, that's probably something that I can't prioritize. It might still be something I do in BAU or as an enhancement, but it'd probably be best effort. So I'll put things in that map to the business strategy. That's something I kind of learned from the Sherwood Applied Business Security Architecture, or SABSA. You know, when I first made the transition out of sales engineering, I went into a security engineering role and SABSA was really helpful in connecting what we do from a security perspective to the business. And that stuck with me. And then if that's clearly in there, then there's some of that kind of hive mind perspective. Like, are we spending 10% of technology budgets versus everything else that we spend on? So out of the technology budget, are we spending 10% on cyber? These are some of the sort of statistics you might pull from industry research like Gartner. And then from there kind of just map out, plus or minus, how that stacks up to current spend and available resources. Because we're all dealing with scarcity of resources. So you can only do what you can do. And the best thing you can actually present is that with this spend, I will not be able to do this. And then when you do that, what I found is sometimes folks on the board and the executives will say, well, I'm not actually really prepared to accept that. I actually want to do that thing over there you said you can't do.
Well, thanks, you know, Sarah Madame, but that's going to cost a little extra and this is what it will bring you. So if this is what you want me to deliver, this is what we have to do.
David Moulton
If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Speaking Security in Board Language and it's live now. You don't want to miss Nigel's game-changing approach to making cybersecurity a business conversation when it matters most.
Marty Momjian
And be sure to check out the complete episode of Threat Vector wherever you get your favorite podcasts.
Dave Bittner
Abercrombie Denim is everything right now. Denim should feel like this. Confident, easy, like your butt has never looked better. If you didn't know, Abercrombie's Curve Love Denim went viral in 2019 for eliminating waist gap, and it's still a game changer. Between that and their classic fits with a straighter line from waist to hip, the perfect denim does exist. Shop Abercrombie Denim in the app, online and in store. On WhatsApp, no one can see or hear your personal messages. Whether it's a voice call, a message or sending a password on WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late-night voice messages that could basically become a podcast, your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp: message privately with everyone.
Marty Momjian
And finally, in a breach of both privacy and packaging standards, a major Thai hospital has been fined about $37,000 after patients' medical records were found moonlighting as snack bags. The saga began when sharp-eyed social media users noticed their chips came wrapped with X-rays and lab results. A snack and a health check in one. Turns out the hospital had outsourced document destruction to a small family-run business that thought recycling meant reusing, literally. Over 1,000 records, including sensitive personal data, skipped the shredder and instead entered snack circulation. The contractor took the files home, skipped protocol and never mentioned the paper trail. While the hospital received the brunt of the fine, the mom-and-pop operation was hit with a modest $500 bill and possibly a crash course in data privacy. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August this year. There's a link in the show notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily Summary: "Hello, Hacker Speaking"
Released on August 5, 2025
Host: N2K Networks
The episode opens with a comprehensive overview of recent cybersecurity incidents and developments:
Cisco Data Breach: A phishing scam targeting a Cisco employee resulted in unauthorized access to a third-party cloud CRM system, compromising user profile data without affecting passwords or proprietary information.
SonicWall SSL VPN Vulnerability: SonicWall warns users to disable SSL VPN services following exploitation by ransomware gangs, potentially leveraging a zero-day flaw in Gen 7 firewalls.
Linux Backdoor 'Plague': Researchers identify a sophisticated Linux backdoor embedded as a malicious pluggable authentication module, enabling persistent SSH access while evading detection.
Nvidia Triton Inference Server Vulnerabilities: New vulnerabilities in Nvidia's AI infrastructure pose risks of remote server control, leading to immediate patching by Nvidia.
Microsoft 365 Malware Campaign: A new malware campaign employs fake OneDrive emails to deceive users into downloading malicious installers, granting attackers remote access through seemingly legitimate tools.
US Treasury on Crypto ATMs: FinCEN highlights rising criminal activities associated with cryptocurrency ATMs, emphasizing the need for stricter compliance and oversight.
Cloudflare vs. Perplexity AI Startup: Cloudflare accuses AI startup Perplexity of bypassing web scraping restrictions, leading to the blockage of Perplexity’s bots.
Global Infostealer Campaign: Over 4,000 victims across 62 countries fall prey to an infostealer campaign using the Python-based PXA Stealer, compromising sensitive data sold on underground markets.
Incident Overview ([07:00]): Cisco disclosed a breach where user profile data was stolen via a voice phishing scam. The attack targeted a third-party CRM system, exposing names, contact information, and account metadata.
Cisco's Response ([08:30]): The compromised CRM was swiftly shut down. Cisco assured that no passwords or sensitive data were affected and committed to enhancing security measures and staff retraining on phishing threats. The company is actively notifying regulators and affected users as necessary.
Vulnerability Details ([09:15]): SonicWall identified that ransomware gangs might be exploiting a zero-day vulnerability in Gen 7 firewalls, potentially bypassing MFA and targeting domain controllers rapidly.
Recommended Actions ([10:00]): SonicWall advises disabling SSL VPN, restricting IP access, enabling botnet and GeoIP filters, enforcing MFA, and removing unused accounts. Additionally, users are urged to patch SMA 100 appliances against a critical RCE flaw.
Malware Characteristics ([11:00]): The 'Plague' backdoor integrates deeply into Linux systems, surviving updates and erasing SSH logs and shell histories. It uses obfuscation and masquerades under legitimate library names, incorporating hardcoded passwords for easy re-entry.
Detection Challenges ([12:10]): Despite its stealthy design, antivirus engines failed to detect the malware when samples were uploaded to VirusTotal, highlighting the sophisticated evasion techniques used.
Vulnerability Impact ([13:00]): Three new flaws in Nvidia's Triton inference server could allow remote attackers to execute code and expose data, threatening AI models and sensitive information.
Mitigation ([13:45]): Nvidia has released patches addressing these vulnerabilities, and Wiz has provided technical details to aid in securing affected systems.
Attack Vector ([14:00]): The campaign leverages compromised accounts to send fake OneDrive file share notifications containing deceptive links that download malicious installers from Discord’s CDN.
Persistence Mechanism ([14:45]): The malware installs remote monitoring tools like Atera and SplashTopStreamer, ensuring persistent control even if one tool is detected.
Criminal Exploitation ([15:00]): FinCEN warns about the misuse of cryptocurrency ATMs for scams and money laundering, with a significant increase in complaints and financial losses reported.
Regulatory Actions ([15:45]): Legislative efforts are underway to enforce kiosk registration, transaction tracing, and enhanced consumer protections to combat these activities.
Campaign Scope ([17:00]): Sentinel Labs and Beasley Security report a widespread infostealer campaign affecting over 4,000 victims across 62 countries, compromising more than 200,000 passwords and other sensitive data.
Tactics Employed ([17:45]): The PXA Stealer malware uses signed software like HiHi Soft PDF Reader to sideload malicious DNS DLLs, evading detection through decoy documents and multi-stage infections.
Guests:
Marty Momjian, General Manager of Ready One by Semperis
Marcus Hutchins, Renowned Cybersecurity Practitioner
Discussion Highlights:
Exercise Focus ([15:12]): This year's Operation Blindspot centers on simulating cyberattacks targeting critical infrastructure, specifically a water treatment facility. This choice is influenced by recent state-sponsored adversarial activities against similar targets globally.
Exercise Structure ([16:35]): Participants engage in a two-hour tabletop exercise, alternating between red team (attackers) and blue team (defenders), replicating real-world incidents to enhance incident response strategies.
Educational Value ([17:28]): The exercise emphasizes non-theoretical, practical scenarios, allowing attendees to learn from actual tactics employed by threat actors and effective response measures.
Key Takeaways ([18:56]): Awareness and collaborative learning are paramount, enabling organizations from diverse industries to enhance their incident response plans by sharing insights and strategies.
Guests:
David Moulton, Senior Director of Thought Leadership for Unit 42 at Palo Alto Networks
Nigel Hedges, Executive General Manager of Cyber and Risk at Chemist Warehouse
Interview Highlights:
Elevating Cybersecurity ([21:06] Nigel Hedges): Cybersecurity should be viewed not merely as a technology risk but as a technology-enabled business risk. Engaging with key business stakeholders and aligning cyber strategies with business objectives are crucial steps for CISOs.
Industry-Specific Approaches ([22:42] Nigel Hedges): While the core concerns remain consistent across sectors, cultural differences dictate tailored approaches. For example, the retail sector's fast-paced environment contrasts with the more regulated landscape of higher education and professional services.
Board-Level Communication ([24:18] Nigel Hedges): Effective presentations to the board require a materiality perspective, focusing on incidents of significance and aligning cyber priorities with fiduciary duties. Prioritization involves mapping cyber initiatives to business strategies and transparently communicating resource constraints and needs.
Budget Prioritization ([25:48] Nigel Hedges): Linking cybersecurity spending to business strategy and demonstrating its impact ensures that cyber initiatives receive appropriate budgetary support. Utilizing frameworks like SABSA helps in aligning security measures with overarching business goals.
In an unusual breach of both privacy and packaging standards, a major Thai hospital was fined approximately $37,000 after confidential patient medical records were discovered repurposed as snack bag wrappers. The incident involved a family-run document destruction contractor that mistakenly recycled over 1,000 records by embedding them in snack packaging instead of shredding them. The contractor faced a modest fine of $500 and is likely to undergo education on data privacy protocols. This case underscores the critical importance of proper data handling and disposal procedures to prevent inadvertent exposures.
Closing Remarks:
Survey and Feedback ([31:30]): Listeners are encouraged to participate in CyberWire’s annual audience survey to provide insights and feedback.
This episode of CyberWire Daily delivers a thorough examination of current cybersecurity threats, in-depth discussions on practical defense strategies through tabletop exercises, and insights into elevating cybersecurity within organizational priorities. Noteworthy contributions from industry experts like Marcus Hutchins and Nigel Hedges provide listeners with actionable knowledge to bolster their cybersecurity measures and strategic approaches.
For more detailed information on today's stories, visit the daily briefing at thecyberwire.com.
Notable Quotes with Timestamps:
(00:12) Marty Momjian: "SonicWall warns users to disable SSL VPN services after reports of ransomware gangs exploiting a likely zero day."
(11:38) Nigel Hedges: “The future is now and our expectations are wrong.”
(16:31) Marty Momjian: “We decided instead of doing the traditional tabletop exercise, let's do something that would actually have direct impact to the public from what we know is going on out there.”
(21:17) Nigel Hedges: “I have more and more described cyber to anyone who will listen that it's not a technology risk, it's a technology enabled business risk, just like any other business risk.”
(24:18) Nigel Hedges: “They've got a fiduciary duty of care at the board level, especially to protect the organisation and the organization's interests.”