CyberWire Daily: "Ransomware in the Rearview"
Date: September 3, 2025
Host: Dave Bittner, N2K Networks
Featured Guests: Tim Starks (CyberScoop), Amy Edmondson (Harvard)
Episode Overview
This episode of CyberWire Daily leads with breaking news on major cyberattacks—including a crippling strike against Jaguar Land Rover—and explores the evolving landscape of global cyberthreats. Highlights include U.S. government strategies for tracking Chinese cyber-espionage, new malware research, the systemic risks plaguing specialty healthcare providers, and the intersection of AI and ransom tactics impacting digital artists. Special interviews feature Tim Starks of CyberScoop on China’s reliance on domestic hacking firms, and Harvard’s Amy Edmondson on “psychological safety” in cybersecurity teams.
Key Cybersecurity News and Insights
Jaguar Land Rover Hit by Major Cyberattack
[00:44]
- Jaguar Land Rover (JLR) suffered a major cyberattack resulting in shutdowns of global IT systems, halting production lines, and impacting supply chains and retail outlets.
- No customer data theft confirmed, but operational impact is “severe,” especially as JLR faces financial strain (49% pre-tax profit drop, job cuts, and delayed electric models).
- Incident follows a March 2025 ransomware attack by the Hellcat group.
Quote:
“Jaguar Land Rover joins other UK companies like Marks and Spencer and Harrods, recently hit by cybercriminals.”
— Dave Bittner [01:32]
U.S. Immigration and Customs Enforcement Accesses Powerful Spyware
[02:07]
- ICE will use Paragon Solutions’ “Graphite” spyware, previously on hold, with capabilities to hack virtually any phone (bypassing WhatsApp, Signal), and turn devices into listening tools.
- Civil rights advocates warn about “invasive surveillance” powers and risks to privacy and accountability; Paragon claims it only serves democracies.
- Experts signal broader issues as multiple governments share access to such tech.
Russian APT28 (Fancy Bear) Deploys NotDoor Outlook Backdoor
[03:23]
- Spanish researchers from S2 Grupo uncover “NotDoor”—a new Outlook malware from APT28 (Fancy Bear), the Russian GRU-linked group.
- Uses VBA macros in Outlook to exfiltrate data and execute commands, hiding within event-driven processes.
- Detection is difficult due to modular design and stealth tactics.
- Recommendation: Disable macros and monitor Outlook activity.
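A defender-side check for the recommendation above, added here as an example and not code from the podcast or the researchers it cites: it reads Outlook's macro security Level from the policy and per-user registry keys and reports whether a user VBA project file exists. Assumptions: an Outlook 2016-or-later registry path ("16.0") and the Level-to-setting mapping in the script, which you should confirm against your own policy documentation.

```powershell
# Added audit script (example, not from the page's sources).
# Assumption: Outlook 2016+ stores settings under the "16.0" registry branch.
$officeVersion = "16.0"

# Assumed mapping of the Outlook Trust Center macro options to the Level value.
$levelMeaning = @{
    1 = "No security check: all macros run (highest risk)"
    2 = "Warn for all macros"
    3 = "Warn for signed macros, unsigned disabled (Outlook default)"
    4 = "Disable all macros without notification (recommended)"
}

# A policy-set value takes precedence over the user-set value when both exist.
$keys = @(
    "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Outlook\Security",
    "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Security"
)
$level = $null
$source = $null
foreach ($k in $keys) {
    if (Test-Path $k) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Level
        if ($null -ne $v) { $level = [int]$v; $source = $k; break }
    }
}
if ($null -eq $level) {
    Write-Output "Outlook macro Level not set; Outlook falls back to its built-in default (3)."
} else {
    $text = if ($levelMeaning.ContainsKey($level)) { $levelMeaning[$level] } else { "unknown value" }
    Write-Output "Outlook macro security Level=$level ($text) read from $source"
}

# Outlook keeps all user VBA code in one project file. On a host where nobody is
# expected to write Outlook macros, its presence is worth investigating.
$vbaProject = Join-Path $env:APPDATA "Microsoft\Outlook\VbaProject.OTM"
if (Test-Path $vbaProject) {
    $f = Get-Item $vbaProject
    Write-Output ("VBA project present: {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
    # Record the hash so the file can be compared against a known-good baseline.
    (Get-FileHash -Path $vbaProject -Algorithm SHA256).Hash
} else {
    Write-Output "No VbaProject.OTM found for this user."
}
```

Run it under each interactive user account, since both the registry branch and the VBA project file are per-user.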
Cloudflare and Palo Alto Networks Breaches Expose Salesforce Data
[04:17]
- Threat actors accessed Salesforce data through a compromised Salesloft Drift app.
- Stolen data includes contact information and support ticket content; potential for downstream targeted attacks noted.
- Hundreds of organizations may be affected; sensitive info could include keys or logs shared in ticket content.
Navy Federal Credit Union Exposes Internal Server Files
[05:11]
- Researcher Jeremiah Fowler found an unsecured database with 378GB of internal files; though no member financial data discovered, the leak included hashed passwords and database connections—offering attackers a “blueprint” for deeper breaches.
- Database was swiftly secured; exposure duration unknown.
ClickFix Scam Distributes MetaStealer Malware
[05:52]
- Huntress researchers reveal a “ClickFix” scam, now with a “FileFix” twist, distributing MetaStealer malware via fake AnyDesk installers.
- The scam abuses Windows File Explorer searches; prompts victims to download disguised payloads that also install legitimate software to avoid suspicion.
- Users urged to exercise caution when downloading tools.
Ransomware Targeting Specialty Healthcare Providers
[07:01]
- Recent breaches at Excelsior Orthopedics, Vital Imaging, and University of Iowa Community Home Care impacted nearly 900,000 individuals.
- Healthcare specialties with limited cybersecurity resources are prime ransomware targets.
- Attackers exploit outdated systems, seeking ransoms to avoid “care disruptions.”
New Advanced Python-Based “InfoSec” Info-Stealer
[08:43]
- Cyfirma describes “InfoSec” (stylized with a 0 and 3), an advanced Python infostealer targeting system data, credentials, browsing history, crypto wallets, and even webcam images.
- Achieves persistence by copying itself to Windows Startup; exfiltrates data via Discord.
- Shares code origins with other “grabbers.”
CISA Appoints New Cybersecurity Executive
[09:57]
- Nicholas Anderson named Executive Assistant Director for Cybersecurity at CISA.
- Decorated Marine veteran and ex-CISO at Lumen Technologies.
- Anderson brings extensive crisis and threat management expertise as CISA ramps up efforts to defend critical infrastructure.
Featured Interviews & Segments
1. China’s Domestic Tech Firms & Risks of Outsourcing Hacking (Tim Starks, CyberScoop)
[14:41 – 22:44]
Main Points:
- FBI warns of vast Chinese cyber-espionage operations impacting over 80 countries and >200 U.S. companies (Salt Typhoon campaign).
- Investigation leveraged mistakes made by Chinese tech infrastructure companies assisting state operations, showing that outsourcing espionage creates exposure risks.
- Chinese national security laws enable state leverage over domestic companies (“do this, or else”).
- U.S. messaging on the exposure may serve as a deterrent for Chinese firms: “cooperate if you will, but you’re going to put yourself at risk.”
- The interview speculates on U.S.–China “political gamesmanship” as each accuses the other of cyber-operations and backdoors.
Notable Quotes:
On company mistakes leading to exposure:
“These companies made mistakes and the Chinese reliance on these companies creates risk for them to be exposed by investigators. And that's what happened here.”
— Tim Starks [16:20]
On the risks of government–industry ties in China:
“China as an authoritarian government … with a great deal of legal written leverage … it stands to reason that the combination thereof was pretty good for China, saying, 'hey, we need your help … or else.'”
— Tim Starks [16:57]
On the global implications & U.S. messaging:
“Maybe that creates some sort of counter pressure on Chinese companies … cooperate if you will, but you’re going to put yourself at risk.”
— Tim Starks [18:51]
On transparency & investigative journalism:
“The important thing is, is the story accurate and did we give something valuable to the reader?”
— Tim Starks [22:20]
2. Building Psychological Safety in Cybersecurity Teams
(Ann Johnson w/ Prof. Amy Edmondson, Harvard) [23:13 – 27:02]
Key Insights:
- Psychological safety is not about comfort—it's about enabling people to take interpersonal risks, like raising concerns, spotting early warning signs, and admitting mistakes without fear.
- Cultural barriers can stifle teams from speaking up; real-world disasters (e.g., Columbia shuttle) illustrate the costs.
- A leadership environment that “welcomes bad news” and embraces the complexity of cyber work is vital.
- Leaders need to make the fragility and uncertainty of digital ops “discussable,” encouraging open feedback as a matter of course.
Notable Quotes:
Defining psychological safety:
“It describes a climate in which people believe their voice is welcome … where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view.”
— Amy Edmondson [23:34]
On warning signs of insufficient safety:
“If you are a leader of a team and you're hearing an awful lot of good news … that is probably a warning sign that you don't have enough psychological safety because it just can't be the case that things aren't going wrong.”
— Amy Edmondson [24:22]
On the leader’s role in shaping safety:
“When leaders call attention to the fragility, the complexity, the ever present potential for breakdown, that makes it more psychologically safe, not less. Because fundamentally it makes it discussable.”
— Amy Edmondson [25:21]
3. Ransomware Threats Against Artists—AI Contamination as Leverage
[28:23]
- The Lunalock ransomware gang threatens to not only leak stolen art data, but feed victims’ artwork into AI training sets as a way to “contaminate” future chatbot outputs.
- This new tactic is viewed as especially cruel to artists, who are wary of losing control over their creations to AI models.
Notable Quote:
“…this is the first time criminals have explicitly dangled AI contamination as leverage.”
— Researcher Tammy Harper (as paraphrased by host) [28:49]
Timestamps for Critical Segments
- Jaguar Land Rover attack & news roundup: [00:44 – 10:00]
- Tim Starks: China’s cyber tactics & U.S. response: [14:41 – 22:44]
- Amy Edmondson: Psychological safety in cybersecurity: [23:13 – 27:02]
- Ransomware, AI, and artist threats: [28:23]
Memorable Moments
- Tim Starks jokes: “I am speculating irresponsibly on this cyber security blog or podcast, and it’s out of control.” [21:29]
- Host Dave Bittner dryly quips: “They’re messaging through you, and now they're messaging through us.” [21:57]
- Amy Edmondson’s wisdom: “The only real question is, will we hear about it? Will we hear about it in a timely way?” [26:00]
- The bizarre and chilling idea of ransomware gangs using “AI contamination” of stolen art: “[Lunalock] warned … not only would files be leaked, but artists’ creations might end up teaching chatbots to doodle.” [28:30]
Conclusion
This episode provides wide-ranging coverage of the state of cybersecurity, combining breaking news, practical advice, and deep analysis. From nation-state espionage and ransomware headaches to the human side of cyber defense and emerging AI threats, listeners are equipped with critical awareness and insights.
For more details and links to the discussed stories, visit thecyberwire.com.
