A
You're listening to the Cyberwire network. Powered by N2K.
B
The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 4-7, day.

Land Rover suffers a major cyber attack. ICE gains access to a powerful spyware tool. Researchers find Fancy Bear snuffling around a new Outlook backdoor. Cloudflare and Palo Alto Networks confirm compromised Salesforce data. A researcher discovers an unsecured Navy Federal Credit Union server. A new ClickFix scam spreads MetaStealer malware. Specialty healthcare providers struggle to protect sensitive patient data. CISA appoints a new Executive Assistant Director for Cybersecurity. On Afternoon Cyber Tea, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks and learn from failure. Our guest today is Tim Starks from CyberScoop discussing China's reliance on domestic firms for hacking. And hackers threaten to feed stolen art to the machines.

September 3, 2025
I'm Dave Bittner and this is your Cyberwire Intel Briefing. Jaguar Land Rover, the UK's leading luxury automaker, has confirmed a major cyber attack that forced the shutdown of its global IT systems. The incident has halted production lines in the UK and abroad, disrupted supply chains and temporarily closed some retail outlets and online services. While JLR says there's no evidence of customer data theft, operations have been severely impacted, and the attack comes amid financial strain. Jaguar Land Rover recently reported a 49% drop in pre-tax profits, delayed its new electric models to 2026, and announced 500 UK job cuts. This is the second breach in a year, following a March 2025 ransomware attack linked to the Hellcat group. Jaguar Land Rover joins other UK companies like Marks and Spencer and Harrods, recently hit by cybercriminals. U.S. Immigration and Customs Enforcement will gain access to Paragon Solutions' spyware tool Graphite after the Trump administration lifted a hold on a $2 million contract first signed under President Biden. Graphite allegedly can hack any phone, including encrypted apps like WhatsApp and Signal, and even turn devices into listening tools. Civil rights advocates warn the move hands invasive surveillance powers to an agency already accused of due process violations. While Paragon claims it only works with democracies and cuts ties with abusive clients, its spyware has previously been misused in Italy against journalists and activists. Experts argue such tools pose security risks as multiple governments share access to the same tech. Critics say this raises threats to privacy, free speech and democratic accountability. Researchers at Spanish cybersecurity firm S2 Grupo have discovered a new Outlook backdoor dubbed NotDoor, linked to Russia-backed APT28, also known as Fancy Bear.
The malware uses Visual Basic for Applications macros in Microsoft Outlook to monitor incoming emails for trigger words, then exfiltrate data, upload files or execute commands. NotDoor hides in Outlook's event-driven processes, abuses DLL sideloading with OneDrive and disables security warnings to maintain persistence. It communicates via attacker-controlled email accounts and covert callbacks, deleting traces after exfiltration. Its modular design allows dynamic updates, making detection difficult. APT28, tied to Russia's GRU, has a long record of high profile cyberattacks, including the 2016 US election breaches. Researchers at Lab52 warn NotDoor reflects the group's evolving tactics and recommend disabling macros and monitoring Outlook activity. Cloudflare and Palo Alto Networks have confirmed that threat actors accessed their Salesforce data via a compromised Salesloft Drift app. Cloudflare said attackers exfiltrated Salesforce case data, including customer contact details and support ticket text, between August 12th and 17th of this year. While no attachments were stolen, sensitive information like keys or logs pasted into tickets may be compromised. Palo Alto reported exposure of sales and case data. Hundreds of organizations are affected, with experts warning attackers may leverage stolen data for targeted campaigns. Researcher Jeremiah Fowler discovered an unsecured Navy Federal Credit Union server exposing 378 gigabytes of internal files. While no member data was found, the trove included usernames, emails, possibly hashed passwords and Tableau workbooks with database connections and financial formulas. Fowler warned this information could give attackers a blueprint of Navy Federal's systems, enabling phishing or deeper breaches. The database was quickly secured after disclosure, but it's unclear how long it was exposed.
Researchers at Huntress have uncovered a new ClickFix scam that spreads MetaStealer malware using a fake AnyDesk installer. Traditionally, ClickFix tricks users into copying malicious commands into Windows Run, but this campaign adds a twist called FileFix, which abuses Windows File Explorer searches. Victims searching for AnyDesk may land on a fake site with a counterfeit Cloudflare verification prompt. Clicking Verify triggers File Explorer to fetch a disguised file named "readme anydesk PDF" which installs the real AnyDesk to avoid suspicion. It also secretly loads MetaStealer, which can steal credentials, files and crypto wallet data. The scam blends legitimate software behavior with social engineering, making it harder to detect. Experts stress user awareness and caution while downloading tools online. Specialty health care providers, while skilled in treating patients, often lack strong cybersecurity defenses, making them prime targets for ransomware and data theft. Three recent breaches illustrate the risks. Excelsior Orthopedics in New York disclosed nearly 395,000 patients and employees were impacted by a 2024 ransomware attack. Florida-based Vital Imaging reported 260,000 individuals affected by a February 2025 hack, and the University of Iowa Community Home Care breach exposed data for 211,000 people. Together, nearly 900,000 individuals were impacted. Experts warn that specialty practices with limited budgets and sometimes outdated systems struggle to protect sensitive data like medical histories and insurance details. Cybercriminals exploit these weaknesses for fraud and extortion, often pressuring providers to pay ransoms quickly to avoid care disruptions. Researchers at CYFIRMA have detailed a new Python-based malware called InfoSec, with a 0 for the O and a 3 for the E because, of course, it does.
It's an advanced infostealer capable of harvesting a wide range of sensitive data. Distributed as a compressed 64-bit executable packed with PyInstaller, it evades detection through obfuscation, runtime code unpacking, VM checks and self-deletion. Its main component collects system info, IP data, credentials, cookies, Wi-Fi passwords, browsing history, crypto wallets, and even webcam images. It also targets popular gaming accounts like Roblox, Steam and Minecraft. Stolen data is archived into a password-protected RAR file and exfiltrated via Discord. Persistence is achieved by copying itself to the Windows Startup folder. CYFIRMA noted similarities to grabbers like Blank Grabber and Umbral Stealer, suggesting shared origins. The findings highlight how easily criminals can access sophisticated automated info-stealing tools. CISA has appointed Nicholas Anderson as Executive Assistant Director for Cybersecurity. A decorated Marine veteran and national security leader, Anderson brings extensive experience from both government and private sectors. He previously served as CISO at Lumen Technologies, COO at Invictus, and Senior Official at the Department of Energy, where he directed cyber and energy security efforts. Recognized as Intelligence Executive of the Year, Anderson has overseen initiatives defending against state-sponsored threats and major crises. At CISA, he'll lead efforts to protect critical infrastructure amid escalating cyber risks. His arrival marks a leadership transition, with Chris Butera becoming acting Deputy Executive Assistant Director. Anderson's appointment underscores CISA's push to strengthen resilience and deepen collaboration with industry partners. Coming up after the break, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks and learn from failure.
Tim Starks from CyberScoop discusses China's reliance on domestic firms for hacking, and hackers threaten to feed stolen art to the machines. Stay with us.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales' industry-leading platforms you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com cyber.

And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.

And it's always my pleasure to welcome Tim Starks back to the show. He is a senior reporter at CyberScoop. Tim, good to talk to you here, my friend.
C
Same here my friend.
B
So, interesting story you published on CyberScoop. This is about an FBI official talking about Chinese reliance on domestic firms for hacking. Unpack this for us here, Tim.
C
Yeah, so you might have seen the story about the FBI announcing in a couple different news outlets that something like 80 countries have been victimized by Chinese hackers in the Salt Typhoon campaign. More than 200 American companies have been affected by it. So they put out this alert, the FBI, a variety of U.S. agencies, a variety of world cyber agencies. And that said, this campaign is larger than we've been talking about. And when they say campaign, it turns out they were actually talking about just Chinese cyber espionage in general, but kind of all part of this overall indiscriminate targeting, and said, okay, look, it's affecting all these sectors too. It's affecting lodging, it's affecting not just telecoms, but it's affecting the military, it's affecting transportation. And you know, I did a follow up interview to see what I could find out about what didn't make it into that report or what didn't make it into those stories. And the part that I was drawn to by what the deputy assistant director that I spoke to in the cyber division said was, this gave investigators an opening. You know, the report mentioned three specific companies that are sort of tech infrastructure kind of companies in China that have been assisting with this cyber espionage. And what Jason Bilnoski told me was that these companies made mistakes, and the Chinese reliance on these companies creates risk for them to be exposed by investigators. And that's what happened here.
B
Well, help us understand this relationship between these firms and the Chinese government.
C
Yeah, so I mean they're companies that are essentially just kind of tech backbone kind of companies in the ISP-related space. But because of China's national security laws, there is a great deal more control by the Chinese government over the handling of data and sensitive information that affects domestic companies, companies that are doing business in China. And so while the story that I wrote doesn't make an explicit connection between those two things, and while that wasn't something Jason said explicitly either, it's easy to read between the lines that China is an authoritarian government with a great deal of legal, written leverage over these companies, not just the sort of general authoritarian "we can do what we want." It stands to reason that the combination thereof was pretty good for China, saying, hey, we need your help. You're the companies through which we're going to be able to do this, come help us, probably, or else.
B
Right. So the story here is, in the process of providing that help, these companies made some errors that our government was able to take advantage of.
C
Exactly, yeah. I mean, certainly when you think of the PLA, at least in the early days of nation state hacking, you thought of a particularly careful organization, an organization that was very surgical. And perhaps in the reach for broader reach, China has had to go outside those sort of regimented, literal military organizations to reach out further, to expand who they can target and how, and that created vulnerabilities for them that they did not have before, as explained by the Deputy Assistant Director.
B
What do you suppose this indicates sort of for the broader ecosystem here? I mean, I think that obviously the US Government makes use of many contractors for many of the things that they need to do. The government, the military, all that sort of thing. So why does this deserve any attention at all?
C
It's a very good question. Just as from the standpoint of a cybersecurity reporter, I like knowing how we find things out. It's interesting to me.
B
Right.
C
And I think perhaps other countries can learn from it, say, oh, these are things that we were able to identify as weaknesses. I think there might have been some messaging here. And I'm speculating a little bit. I don't want to put any words in anybody's mouth, but it seemed that the Justice Department, the FBI, wanted this to be known. This is how we found you out. So maybe that creates some sort of counter pressure on Chinese companies saying, hey, cooperate if you will, but you're going to put yourself at risk. And I think that's some of the potential value, you know, outside of just my general nerdiness of liking cybersecurity, is that sort of political gamesmanship as far as how it pertains to US companies. I think that's interesting. We have been seeing a few developments in this administration that are fascinating. One, of course, is we saw the US Government essentially obtain a stake in a US company, Intel, which, you know, that's fascinating. We do hear sometimes Trump say things about China like, oh, for them, they don't even have to do much. They just say it and it gets done. So you can look at that as some maybe harbingers. I mean, Trump has actually been almost outwardly dismissive about the idea that there's something wrong with what China is doing when it hacks US companies. He said whatever, we do it too. He said the same thing about Russia. You think we don't do that? So, and I think also, this might be a little bit of a response to China also trying to put some pressure on us. There's a little bit of an escalation of, hey, we're the United States. We say, you bad guys, China did this. And China has been, over the years and especially in the last calendar year, been saying more and more, hey, America, we know you did this. We know you exploited Microsoft. We know that you got aid from a university. Whether these things are true or not, these are the things they're messaging.
And we have also seen China accusing US companies of creating backdoors for the US Government. So these geopolitical elements, and sort of where the fight is going, I think those are interesting ramifications for US companies, for the federal government, and for Chinese companies and the Chinese government.
B
How would you rate your level of surprise at hearing these revelations?
C
I mean, I was a little surprised because. Well, I wasn't surprised. I guess we were talking about the original revelations of the alert that they put out. It does seem like it takes time for investigators to go, oh, hey, we found some hacking, and then to find out just how far it went. So that wasn't particularly surprising to me. It was a little surprising to me, the degree to which they were willing to talk about this. And that's where I start getting into the whole, were they wanting to get a message out through me? Were they wanting to say to an audience, hey, we're watching you, because that can be a deterrent. So I was a little surprised. But then the more I thought about it, the more I thought it made a little bit of sense. If I'm. And again, Dave, I'm speculating irresponsibly here. I am speculating irresponsibly on this cybersecurity blog or podcast, and it's out of control. I need to rein it in before I get too crazy.
B
Yeah, yeah. Well, if you say they're messaging through you, then now they're messaging through us.
C
So here we are, propaganda arm of the United States.
B
That's right. That's right.
C
But no, look, I mean, we're joking about those things, but I often am thinking about the degree to which the US Government might be trying to use me or any messenger, really.
B
Sure.
C
Everybody has a reason to want to talk to us. It's not, they don't talk to reporters out of the goodness of their hearts. The important thing is, is the story accurate and did we give something valuable to the reader? And I think whatever the attempted message was here, I think that the story was valuable to publish for that reason.
B
Yeah, I agree. We'll have a link to that story in the show notes. Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us.
C
Thank you, Dave.
B
On our latest Afternoon Cyber Tea segment, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure.
C
Today I am joined by Professor Amy Edmondson, the Novartis Professor of Leadership and Management at Harvard Business School. Amy is not just an expert in psychological safety in the workforce, she is the expert. So can we start just by talking about psychological safety? Because it's a term that's used a lot in organizational development.
A
The term itself has a kind of implication of comfortable and cozy and nice, and that's just not what it is. So let me first give you my formal definition of psychological safety. It describes a climate in which people believe their voice is welcome, where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view. Not that it will be easy and fun all the time, it usually isn't. But they believe it's welcome. They believe it's what we do around here. Many of the case studies that I have done and gone into great detail on, say, the Columbia launch failure of 2003 or many other sort of real disasters, were literally avoidable had people spoken up in a timely way. So I can't tell you how much I think about and value the speaking up about early warning signs. They're not worried about, oh, how do I look? They're like, this could be a nothing, but I'm going to raise it. I'm not going to be afraid of being called Chicken Little, "the sky is falling," when of course it isn't. So I'm much more interested in that topic, right, that people can speak up about early warning signs of a potential breakdown or failure. But early warning signs about psychological safety and whether or not it's present, I don't think about that quite as much. But to freewheel a little, it's basically, I think in today's, you know, complex, turbulent world, an early warning sign is a sign that doesn't happen. It's the bad news, the questions, the dissent, the mistakes, the failures that you're not hearing about.
So if you are a leader of a team and you're hearing an awful lot of good news, you know, everything seems to be green and nothing seems to be red, that is probably a warning sign that you don't have enough psychological safety because it just can't be the case that things aren't going wrong or that people don't see things differently, but it can be the case that you're not hearing about it because this is in fact the kind of environment where psychological safety is most important. And maybe ironically, when leaders call attention to the fragility, the complexity, the ever present potential for breakdown, that makes it more psychologically safe, not less. Because fundamentally it makes it discussable. It makes the reality of the situation discussable. And when leaders don't do that, people will naturally assume or think of the situation in the old fashioned way. The conception of the work environment where people are supposed to hit their targets and always do a good job and expect certainty and be perfect like that is not the world that cybersecurity professionals live in. So when leaders call attention to that reality, so what's at stake and how much very real uncertainty and complexity and interdependence there is that gives permission for people to speak up about it? Like you're saying we should expect things to go wrong. The only real question is, will we hear about it? Will we hear about it in a timely way? Things are going to happen. There will be breakdowns, there will be coordination and communication breakdowns. But by naming it, and by naming it early and often, it gives people permission to be part of the catch and correct system.
B
Be sure to check out the complete Afternoon Cyber Tea podcast wherever you get your favorite podcasts.
C
Abercrombie is an official fashion partner of the NFL and I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.
A
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com.
B
And finally, ransomware gangs usually stick to the classics: steal data, lock it up and demand cash. But LunaLock has added an avant-garde twist, threatening to feed stolen artwork and personal data from the online platform Artists&Clients, an art commission site, straight into AI training data sets. The ransom note, demanding $50,000 in Bitcoin or Monero, warned that if unpaid, not only would files be leaked, but artists' creations might end up teaching chatbots to doodle. For artists already wary of AI swallowing their work, it's a particularly cruel jab. As researcher Tammy Harper dryly noted, this is the first time criminals have explicitly dangled AI contamination as leverage. Whether LunaLock really has a plan or just hopes AI crawlers are very hungry, the threat has struck a nerve in the digital art world.

And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: September 3, 2025
Host: Dave Bittner, N2K Networks
Featured Guests: Tim Starks (CyberScoop), Amy Edmondson (Harvard)
This episode of CyberWire Daily leads with breaking news on major cyberattacks—including a crippling strike against Jaguar Land Rover—and explores the evolving landscape of global cyberthreats. Highlights include U.S. government strategies for tracking Chinese cyber-espionage, new malware research, the systemic risks plaguing specialty healthcare providers, and the intersection of AI and ransom tactics impacting digital artists. Special interviews feature Tim Starks of CyberScoop on China’s reliance on domestic hacking firms, and Harvard’s Amy Edmondson on “psychological safety” in cybersecurity teams.
Jaguar Land Rover cyber attack [00:44]
Quote:
“Jaguar Land Rover joins other UK companies like Marks and Spencer and Harrods, recently hit by cybercriminals.”
— Dave Bittner [01:32]
Interview: Tim Starks (CyberScoop) [14:41 – 22:44]
Notable Quotes:
On company mistakes leading to exposure:
“These companies made mistakes and the Chinese reliance on these companies creates risk for them to be exposed by investigators. And that's what happened here.”
— Tim Starks [16:20]
On the risks of government–industry ties in China:
“China as an authoritarian government … with a great deal of legal written leverage … it stands to reason that the combination thereof was pretty good for China, saying, 'hey, we need your help … or else.'”
— Tim Starks [16:57]
On the global implications & U.S. messaging:
“Maybe that creates some sort of counter pressure on Chinese companies … cooperate if you will, but you’re going to put yourself at risk.”
— Tim Starks [18:51]
On transparency & investigative journalism:
“The important thing is, is the story accurate and did we give something valuable to the reader?”
— Tim Starks [22:20]
Afternoon Cyber Tea (Ann Johnson w/ Prof. Amy Edmondson, Harvard) [23:13 – 27:02]
Notable Quotes:
Defining psychological safety:
“It describes a climate in which people believe their voice is welcome … where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view.”
— Amy Edmondson [23:34]
On warning signs of insufficient safety:
“If you are a leader of a team and you're hearing an awful lot of good news … that is probably a warning sign that you don't have enough psychological safety because it just can't be the case that things aren't going wrong.”
— Amy Edmondson [24:22]
On the leader’s role in shaping safety:
“When leaders call attention to the fragility, the complexity, the ever present potential for breakdown, that makes it more psychologically safe, not less. Because fundamentally it makes it discussable.”
— Amy Edmondson [25:21]
LunaLock threatens to feed stolen art to AI training sets [28:23]
Notable Quote:
“…this is the first time criminals have explicitly dangled AI contamination as leverage.”
— Researcher Tammy Harper (as paraphrased by host) [28:49]
This episode provides wide-ranging coverage of the state of cybersecurity, combining breaking news, practical advice, and deep analysis. From nation-state espionage and ransomware headaches to the human side of cyber defense and emerging AI threats, listeners are equipped with critical awareness and insights.
For more details and links to the discussed stories, visit thecyberwire.com.