Dave Bittner
You're listening to the Cyberwire Network powered by N2K.
Podcast Host / Announcer
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com. CISA warns of active exploitation of a critical vulnerability in the Sudo utility. Broadcom patches two high-severity vulnerabilities in VMware NSX. South Korea raises its national cyber threat level after a data center fire. Formbricks patches a critical token validation flaw. Microsoft blocks a credential phishing campaign that made use of malicious SVG files. Landlords are accused of scraping sensitive payroll data. Cybercriminals lay the groundwork for large-scale FIFA fraud. Burnout takes a heavy toll on cybersecurity professionals. On our Threat Vector segment, David Moulton is joined by Kyle Wilhoit talking about the evolution of hacker culture and cybersecurity. And London police bag the biggest Bitcoin bust.
Podcast Host / Announcer
September 30, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here once again. It's great as always to have you with us. The Cybersecurity and Infrastructure Security Agency has issued an urgent warning about active exploitation of a critical vulnerability in the Sudo utility, a core Linux and Unix tool. The flaw affects Sudo's -R (chroot) option, allowing attackers with limited Sudo rights to bypass restrictions and gain full root access. CISA warns that successful exploitation could result in complete system compromise, enabling data theft, service disruption or malware installation. The agency urges administrators to identify vulnerable systems, apply vendor patches, or disable the chroot option until fixes are available. The flaw was added to CISA's Known Exploited Vulnerabilities catalog, with mitigations required by October 20th. CISA stresses proactive patching as an essential defense. Broadcom has issued security updates addressing two high-severity vulnerabilities in VMware NSX. Both were reported by the U.S. National Security Agency. VMware NSX, part of VMware Cloud Foundation, supports network virtualization for private and hybrid clouds. The flaws allow unauthenticated attackers to enumerate valid usernames, potentially enabling brute-force or unauthorized access attempts. Broadcom also patched a separate high-severity SMTP header injection flaw in VMware vCenter and disclosed three vulnerabilities in VMware Aria Operations and VMware Tools that could permit privilege escalation, credential theft and cross-VM access. These updates follow earlier fixes for zero-days exploited at Pwn2Own Berlin 2025 and by attackers in the wild. VMware products remain frequent targets for state-sponsored groups and cybercrime gangs. South Korea has raised its national cyber threat level after a fire at a government data center crippled critical digital infrastructure.
The blaze, caused by lithium-ion batteries that ignited during replacement work, shut down 647 government systems, halting email, intranet, banking, tax, real estate and healthcare services. As of Tuesday, 89 systems were restored, but 96 were destroyed and will require weeks to rebuild, leaving disruptions expected through the upcoming holidays. The intelligence service warned hackers may exploit the weakened systems during recovery. President Lee Jae-myung apologized, criticizing the lack of backup protocols as a foreseeable failure. With the upcoming APEC summit, concerns about resilience and preparedness have intensified, while political leaders face growing criticism over South Korea's digital reliability. Formbricks, an open source experience management platform, has patched a critical flaw that could let attackers hijack accounts with forged authentication tokens. The issue stemmed from improper JSON Web Token validation, where the software decoded tokens instead of verifying them. Exploitation required only a victim's predictable user identifier, enabling password resets and full account takeover. Users should upgrade immediately to the latest version. It comes as no surprise that cybercriminals are leveraging artificial intelligence to create highly sophisticated phishing attacks that evade traditional defenses. Microsoft Threat Intelligence recently blocked a credential phishing campaign on Aug. 18 that primarily targeted U.S. organizations. The attack used a compromised business email account to send what looked like a PDF file but was actually an SVG file laced with disguised malicious code. The payload redirected victims to a fake sign-in page, with its code structure suggesting large language model involvement. Microsoft Security Copilot determined the complexity was unlikely to come from a human author. Microsoft Defender for Office 365 ultimately stopped the campaign by detecting behavioral anomalies.
Experts warn that AI-assisted phishing represents a major shift, urging organizations to focus on identity observability and behavioral detection to counter AI-scaled deception. Some US landlords are requiring prospective tenants to use screening tools that log directly into employer systems and scrape sensitive payroll data, according to 404 Media. One renter in Atlanta said ApproveShield, powered by a service called Argyle, harvested far more than the requested four pay stubs, downloading every payslip and W-4 from Workday going back to 2024. The renter described the process as credential harvesting, since Argyle required corporate HR logins, raising concerns about potential violations of US hacking laws. ApproveShield allegedly knew of the 60-day requirement but still mined excessive data. Critics warn that refusing to participate effectively bars tenants from housing. Similar practices reportedly involve other companies, including PayScore, Nova Credit and Snappt. Neither ApproveShield nor Argyle responded to requests for comment. With the 2026 FIFA World Cup still months away, cybercriminals are already laying the groundwork for large-scale fraud. Researchers at Check Point identified more than 4,300 suspicious domains registered since August 2025, many in synchronized bursts and clustered around a few registrars. These domains mimic official branding to push counterfeit tickets, fake merchandise and malware-laced streams. Evidence also suggests botnets are being prepared to flood ticket queues, distort prices and enable large-scale resales. Fraudulent activity extends beyond domains into Telegram, dark web markets and social media channels, forming a multi-platform ecosystem. Experts warn this isn't random opportunism but coordinated infrastructure designed well in advance. Defenses must begin now, including registrar cooperation, anti-bot protections and public awareness campaigns, to prevent scams from overshadowing the tournament.
Burnout is taking a heavy toll on cybersecurity professionals, who often pour their passion into protecting organizations while facing relentless pressure, the BBC reports. Tony, who left his role at a major UK e-commerce firm, described sleepless nights, overwhelming workloads and the strain of non-stop incident response. Others, like former UK Health Security Agency leader Andrew Tillman, called cybersecurity the best job in the world, but also a dangerous place when stress mounts unchecked. Studies show declining job satisfaction, with professionals asked to do more with less while remaining on call around the clock. Experts warn that constant alerts, nation-state threats and blame culture fuel exhaustion, especially for younger workers. Initiatives like Cyber Minds advocate treating burnout with the seriousness of other frontline professions, urging proactive support and early recognition of warning signs. Coming up after the break on our Threat Vector segment, David Moulton is joined by Kyle Wilhoit to talk about the evolution of hacker culture, and London police bag the biggest Bitcoin bust. Stick around. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber. AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSecAI Conference, the premier event for cybersecurity, data and AI leaders, hosted by data security leader Cyera. Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSecAI 25 is happening November 12th and 13th in Dallas. There's no cost to attend, just bring your perspective and join the conversation. Register now at datasecai2025.com. On this week's Threat Vector segment, David Moulton is joined by Kyle Wilhoit to talk about the evolution of hacker culture.
David Moulton
Hi, I'm David Moulton, host of the Threat Vector Podcast, where we break down cybersecurity threats, resilience and the industry trends that matter most. Here's a quick preview of my interview with Kyle Wilhoit, Technical Director of Threat Research at Unit 42. We rewind the clock and ask if we've lost something essential in cybersecurity's evolution. Kyle shared how, as a 14-year-old kid reading the Hacker Quarterly and building his beige box, he felt like he belonged. We explore how that same mindset is being challenged today by automation, AI and billion-dollar enterprises. If you've ever wrestled with imposter syndrome, wondered how to stay curious in a high-pressure role, or felt a tension between purity and pragmatism, this episode is for you. How has the rise of new tech, AI, automation, changed hacker identity and culture?
Kyle Wilhoit
I think the number one factor, or the number one thing that I see, is lower barrier to entry for these types of criminals and these types of nation state adversaries. What I mean is automation, generative AI, whatever you want to call it, is facilitating and fueling cybercrime at a rate that we haven't seen, as well as fueling nation state espionage at a rate we haven't seen in the past. I think that that type of technology is only going to continue to increase the speed in which these attackers are coming to scale and how fast they're coming to go out and actually perform initial attacks, et cetera. So I think that that's the number one thing that we're seeing, is just a lower barrier to entry. I think the other thing is, outside of having that lower barrier to entry for these attackers, I think also what we're starting to see is the evolution of attackers starting to use things like LLMs and generative AI to do more advanced techniques. I mean, heck, we just saw a blog recently written that a Russian state sponsored group was actually using an LLM, Gemini, if I'm not mistaken, to go out and actually assist it in writing actual malware that functioned. So what that really leads to is, again, that lower barrier to entry: attackers are able to use and manipulate LLMs, jailbreak them in some capacity, manipulate the guardrails, whatever that is, and ultimately get the LLM to do things that it wants, that the attacker wants rather. I think those are the kind of two big shifts that I'm seeing.
David Moulton
You've seen the industry shift from hobbyist forums to billion dollar enterprises. What do you think has been lost in the professionalization of cybersecurity?
Kyle Wilhoit
It's funny you ask this, because I can actually kind of think of myself to some degree, right, because I was kind of a quote unquote hacker in the old school sense of the word, and then migrated over into the corporate world. So I kind of can look at this from my own perspective, and I think one of those areas is the loss of just open and free information sharing. I think that's one of the reasons that I pursued intelligence, because a lot of intelligence work is ultimately sharing information. And I truly believe that. I think the power of threat intelligence is sharing, but I think that the concepts and kind of migrating more to that professionalization of cybersecurity, I think that that's directly related to some of the decline of open information sharing. I think also the focus for many in the cybersecurity industry has shifted from inherent curiosity, what it used to be back early, early on, to marketable skills. And I'm not saying that's wrong, and I'm not saying that's right. I think that's just part of what we're starting to see kind of change in the industry. Right. I think there are some benefits though.
David Moulton
Right.
Kyle Wilhoit
With every downside, there is a benefit. Meaning with that professionalization, you also see innovation and development that you likely wouldn't have seen in the past. Meaning we're seeing rapid growth in innovation across all industries. I think also professionalization and quality control on software and hardware that's being produced is also something that's directly a benefit of that professionalization. So I don't want to make it sound like it's all doom and gloom, because it's not. It's just the maturation of the field and the professionalization of that field. And there's goods and bads with everything. Right. And that's the way I view it. That's just a couple positives, couple negatives, I guess.
David Moulton
Yeah. I think that maturation has been required because of the landscape, because of the changes and the opportunity for profit or espionage. And the hobbyists can't keep up with that.
Kyle Wilhoit
No, it's hard for me to keep up with it. And I'm a professional.
David Moulton
Right. But I think that there is a sense of maybe looking back at a simpler time and maybe longing for it. You know, some of the pieces of it were there, but, you know, you can't unring the bell. That's where we're. That's where we're going.
Kyle Wilhoit
That's true.
David Moulton
I want to talk about you for a second.
Kyle Wilhoit
Okay.
David Moulton
How do you maintain your sense of curiosity and make time for experimentation in a high-pressure role like you have here at Unit 42?
Kyle Wilhoit
The first is that question that I said early on: what if? I literally ask myself that multiple times daily, still in my current role, and that was as a people leader, as a technical leader, as everything in between. As a researcher, I still ask that question. So the what if question applies across the board. And a perfect example is, what if, as an example, what if I automate this task?
Podcast Host / Announcer
Right.
Kyle Wilhoit
That right there can speak volumes in terms of being able to get time back. Which leads me to the next thing, which is schedule curiosity. I know that sounds weird, but schedule time for that what if question. Schedule time to hypothesize, research and then execute on that research. I still do that. Even 15 years doing research, I still do that. Because at the end of the day, you have to be constrained in your time and you have to understand that you only have a certain amount of time to do those things. So the what if question will ultimately, hopefully, lead you to that capability of scheduling that curiosity. And then the final piece is embrace intellectual humility. This is something that I think a lot of folks in our industry are not great at doing in some cases, and embracing when you don't know something and readily admitting that, saying I don't know, but I'm committed to finding out what that answer is and I'll have an answer back to you within 24 hours. That says a lot about someone versus just making up an answer.
David Moulton
Thanks for sticking around to hear what's coming next on Threat Vector. If we piqued your interest, the full conversation is available in your Threat Vector feed now. Trust me, you'll walk away seeing hacker culture in a whole new light. New episodes every week. Subscribe now to stay ahead.
Podcast Host / Announcer
Be sure to check out the complete Threat Vector show wherever you get your favorite podcasts. Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk: scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com slash the numbers 4-7 and the word day. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And finally, it's not every day the police stumble across 5 billion pounds in Bitcoin. But that's exactly what London's Metropolitan Police bagged in the world's largest crypto seizure. At the center of it all is Zhimin Qian, also known as Yadi Zhang, who pled guilty to running a scam in China that duped 128,000 victims between 2014 and 2017. She fled to the UK with false documents, tried laundering her digital fortune into property, and instead earned herself a court date. Along the way, her accomplice went from takeaway worker to mansion dweller before being jailed, too. Prosecutors note that criminals love crypto's cloak of invisibility, but this seven-year investigation proves the blockchain isn't always the perfect hiding place.
Qian's sentencing is still pending, and that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
And Doug, LiMu and I always tell you to customize your car insurance and save hundreds with Liberty Mutual, but now we want you to feel it. Cue the emu music. LiMu: Save yourself money today. Increase your wealth. Customize and save.
David Moulton
We save.
Dave Bittner
That may have been too much feeling.
Podcast Host / Announcer
Only pay for what you need at libertymutual.com. Liberty, Liberty, Liberty, Liberty. Savings vary. Underwritten by Liberty Mutual Insurance Company and affiliates. Excludes Massachusetts.
Podcast Host / Announcer
Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
This episode centers on major current threats in cybersecurity, including active exploitation of a critical Linux/Unix vulnerability, high-severity patches from Broadcom/VMware, cybersecurity fallout from a government data center fire in South Korea, and emerging large-scale scams tied to the 2026 FIFA World Cup. The show also explores the transformation of hacker culture in the era of AI and professionalization. Burnout among cybersecurity professionals and the world's largest Bitcoin seizure are also covered.
chroot until vendors release fixed versions.
“Microsoft’s Security Copilot determined the complexity was unlikely from a human author… AI-assisted phishing represents a major shift.”
Threat Vector with David Moulton & Kyle Wilhoit
[Starts ~13:35]
Kyle Wilhoit on AI-powered attacks ([14:31]):
“The number one thing that I see is lower barrier to entry for these types of criminals and these types of nation state adversaries... automation, generative AI, whatever you want to call it, is facilitating and fueling cybercrime at a rate that we haven't seen.”
Wilhoit on open sharing vs. commercialization ([16:10]):
“I think one of those areas is the loss of just open and free information sharing... the focus for many in the cybersecurity industry has shifted from inherent curiosity... to marketable skills.”
“The first is that question that I said early on: ‘What if?’ I literally ask myself that multiple times daily...” “Schedule time for that ‘what if’ question... Schedule time to hypothesize, research, and then execute on that research.” “Embrace intellectual humility... Admitting ‘I don’t know, but I’ll find out’ says a lot about someone versus just making up an answer.”
“Criminals love crypto’s cloak of invisibility, but this seven-year investigation proves the blockchain isn’t always the perfect hiding place.”
For more details and the full Threat Vector conversation, subscribe to the CyberWire Threat Vector podcast.