A
You're listening to the Cyberwire Network powered by N2K.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

A fast-spreading malware campaign is abusing WhatsApp as both lure and launchpad. Carmaker Renault suffers a data breach. DrayTek patches a critical router flaw. CISA alerts cover a range of vulnerabilities. A new phishing kit lowers the bar for convincing lures. A Catholic hospital network pays $7.6 million to settle data breach litigation. A major breach at FEMA exposes employee data. Google expands Gmail's end-to-end encryption capabilities. On our Industry Voices segment, we're joined by Brian Vecchi, Field CTO at Varonis, discussing how to move fast but not break things: innovating at light speed without putting data at risk. And the UK's digital ID is a solution in search of a mandate.

October 3, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Friday. It is great to have you with us.

A fast-spreading malware campaign is abusing WhatsApp as both lure and launchpad. First seen in September in Brazil, the self-propagating malware known as Sorvepotel spreads through phishing messages with malicious ZIP files disguised as receipts or budgets. Once opened, a hidden Windows shortcut triggers encoded PowerShell commands that fetch additional payloads, establish persistence and connect to attacker-controlled domains. The malware then hijacks active WhatsApp Web sessions, replicating itself automatically to all contacts and groups, rapidly multiplying infections and sometimes leading to account bans.
Analysts note that attackers also distribute similar ZIPs via phishing emails appearing to come from trusted institutions. The campaign highlights growing risks from messaging platforms used in enterprise environments, where social engineering can amplify disruption.

The personal data of Renault and Dacia customers in the UK has been compromised after a cyberattack on a third-party data processor used by the carmaker. Renault confirmed the breach in emails to affected drivers, noting that while no financial or password information was exposed, attackers accessed sensitive personal details including names, addresses, birth dates, gender, phone numbers and vehicle registration data. The company has not disclosed the total number of customers impacted, but stressed that its own systems were not directly compromised. Renault says it's contacting those affected and urging caution against unsolicited requests for information. The incident adds to a growing list of major automotive cyber breaches, as Jaguar Land Rover also contends with a separate disruptive attack.

DrayTek has released patches for a critical remote code execution flaw in DrayOS routers. The bug can be triggered via crafted HTTP or HTTPS requests to the web interface, potentially leading to memory corruption, crashes or remote code execution. While WAN attacks are blocked if remote Web UI and VPN services are disabled or ACLs are configured, local exploitation remains possible. Firmware updates for 35 Vigor models are available, with no evidence yet of active exploitation.

CISA has added a Meteobridge vulnerability to its Known Exploited Vulnerabilities catalog after confirming active attacks. Meteobridge devices connect local weather stations to public networks and are managed through a web interface. The flaw, scored 8.7, stems from unsanitized user input in a CGI script exposed without authentication, allowing command injection and remote code execution.
Researchers at ONEKEY warned in May that exploitation could occur via simple GET requests, with a proof of concept publicly available. Roughly 100 devices remain exposed online due to misconfiguration. Despite Smartbedded releasing a patch months earlier, CISA now requires federal agencies to remediate within three weeks. The agency has not disclosed the scope of observed exploitation.

Meanwhile, CISA has issued two new ICS advisories covering Raise3D Pro 2 Series 3D printers and Hitachi Energy MSM products. The Raise3D flaw is an authentication bypass through an unauthenticated debug port, potentially enabling file system access and data exfiltration. Raise3D advises disabling developer mode until a firmware patch is released. Hitachi Energy MSM devices face cross-site scripting and assertion vulnerabilities, risking injection or crashes. CISA urges organizations to apply mitigations, restrict Internet exposure and follow defense-in-depth practices.

A newly advertised phishing kit called Impact Solutions is lowering the bar for cybercrime by giving attackers a point-and-click way to build convincing lures. First observed in September, the tool provides ready-made templates for malware delivery through LNK shortcuts, SVG files and HTML attachments. It also includes evasive features such as file type masking, UAC bypass techniques and anti-sandbox checks. With a few clicks, even low-skilled actors can disguise malicious files as PDFs, videos or invoices and distribute them in phishing campaigns. Impact Solutions also offers modules like fake login pages and a ClickFix feature that tricks users into running Base64-encoded PowerShell commands. Abnormal AI warns that commercialized kits like this expand social engineering risks and recommends behavior-based detection tools.

Hospital Sisters Health System, a Catholic hospital network in the Midwest, will pay $7.6 million and strengthen data security to settle litigation over its 2023 breach.
Affecting nearly 900,000 people, the attack exposed sensitive personal and health information. Under the settlement, class members can claim up to $5,000 for documented losses or opt for smaller prorated payments. The hospital network denies wrongdoing but agreed to implement security improvements. Legal experts say settlements like this highlight mounting pressure on healthcare providers to bolster cybersecurity.

A breach at FEMA exposed employee data from both FEMA and U.S. Customs and Border Protection. Nextgov reports hackers exploited compromised credentials and the Citrix Bleed 2.0 flaw beginning June 22, exfiltrating data from Region 6 servers covering five states and nearly 70 tribal nations. DHS cited FEMA's failure to enforce multi-factor authentication and patch critical vulnerabilities, dismissing its IT staff in August. FEMA has since restructured leadership, naming acting CIO Diego Lapidus and implementing stronger security controls.

Google is expanding Gmail's end-to-end encryption capabilities, allowing enterprise users to send encrypted emails to recipients on any platform. Users can enable additional encryption when composing a message, ensuring seamless decryption for Google Workspace subscribers. Non-Gmail recipients instead receive a secure link to view and reply through a guest Workspace account, removing the need for key exchanges or third-party tools. The feature, rolling out over the next two weeks to Enterprise Plus customers with Assured Controls, is powered by client-side encryption, which keeps encryption keys outside Google's servers. This design helps organizations meet regulatory requirements for data sovereignty, HIPAA compliance and export controls by ensuring that even Google cannot access message contents. Google first piloted the approach in 2022 across Workspace services.

Coming up after the break, my conversation with Brian Vecchi, Field CTO at Varonis.
We're discussing innovating at light speed without putting data at risk, and the UK's digital ID is a solution in search of a mandate. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.
Adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders, hosted by data security leader Cyera. Built for the industry by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.

Brian Vecchi is Field CTO at Varonis, and in today's sponsored Industry Voices segment, we discuss how to move fast but not break things: innovating at light speed without putting data at risk.
A
Well, I'm not against the idea of moving fast and breaking things, but I think it depends on what exactly you're breaking. The idea of tossing aside or disrupting old ways of doing things can be incredibly useful and generate a lot of innovation and a lot of productivity. But you need to be conscious, of course, of balancing productivity and security, because the costs of a security breach or an incident are only going up. Companies have more and more data in more and more places. It used to be that they could secure themselves primarily by focusing on what we think of as perimeters. If I've got all of my infrastructure and applications and data in a big building like a data center, and all my people are using workstations in another big building like an office that I control, well, if I've got good firewalls, good perimeters, big fences to keep the bad guys out, then I'm doing a pretty good job of protecting myself. And that kind of worked. We still had the notion of insider threats, and we still had, of course, threat actors, attackers that would breach these perimeters. But more and more these days, the issues we face aren't with a single or a small number of really big and powerful perimeters. We live in a world where we've got data on premises and in data centers. We've got data in various cloud platforms like the hyperscalers. We've got data in innumerable SaaS applications, big and small. Our users, our employees, are expected to work from anywhere now. We're expected to be able to do our jobs from almost any device, our personal device, our corporate device. Every user has multiple devices. I've got three in front of me right now that I use as part of my daily workflow. I interact and collaborate with people inside the company, both within my team and cross-functionally. I collaborate and interact, like I am with you right now, with people outside of our company, with third parties.
So the problem that IT and IT security organizations are facing is that we want our people and our businesses to be highly productive. We want people to be able to collaborate and work from anywhere. Nobody wants to go back to being required to work in an office. No IT organization wants to bring everything back on premises and have to manage all of the infrastructure themselves. That's not the world that we live in. But we need to do so safely. We need to balance productivity with security. We need to make sure that things are done safely, because not only the costs of a breach, but the incentives to monetize malicious access, either by nation states, by cybercriminal groups, by insider threats, the incentives are greater than they've ever been. It's easier than ever to monetize access to a system if you get in maliciously: to steal data, to encrypt data, to get access to intellectual property and trade secrets. The incentives are greater than they've ever been. The complexity is higher than it's ever been, and it's only going to go up. Things aren't going to get simpler, which means that the risks, and risk is a calculation of, you know, what's the impact of something happening and what's the likelihood of it happening. Well, as organizations move fast and break things, the likelihood of something going wrong continues to go up. So the risks are greater too. Going back to your initial point, I think I would not caution against moving fast and breaking things. But I would certainly encourage organizations to think very critically about managing risk, which I think good organizations, good enterprises, that's what they do.
B
You know, I think it's fair to say that we are in an era of rapid innovation, and I think with that comes the impulse for high velocity. I'm curious, as you're out and about talking with CISOs, what are their biggest concerns? What are the things that are top of mind for them?
A
You know, I've asked a version of that question to CISOs in the past. Sometimes it's phrased as "what keeps you up at night?" because it's a good question and it's an interesting one. We'd like, I mean kind of the royal we, we'd like someone like a chief information security officer to say something like, you know, what keeps me up at night? You know what I'm most concerned about? North Korea, nation-state actors. Or, you know, what really keeps me up at night? Insider threats. We've got intellectual property, and boy, if an insider gets a hold of it, it could really bury us. Or, you know what keeps me up at night? This one cybercriminal group that's in the news. Or, you know, what keeps me up at night? The vulnerability in this one platform or application, whether it's Salesforce or Snowflake or something like that. But if we're intellectually honest, I stopped asking that question a while ago of CISOs directly, because the ones that were really smart and forward-thinking always gave some version of the exact same answer. It wasn't one of these things that would immediately tell a good story. The answer that I got most commonly, and the answer that I'm going to give you now, is it's not one of these things that we can quantify. It's the unknown unknowns, to paraphrase Donald Rumsfeld. It's the things that we don't know about. And I think in a world of rapid innovation, of, as you put it, velocity, the number and the scale of the unknown unknowns continues to increase. That's what security leaders, I find, are the most concerned with. And what's really interesting about what's happened over the last couple of years now with the, I don't want to say the advent, but the evolution of generative AI, and I use that word really specifically, because we've been using, not just Varonis as a technology, but I mean again the royal we, we've been using machine learning and neural network techniques for a long time to do a variety of different things.
But ever since ChatGPT dropped and generative AI built on large language models became such a part of all of our daily lives, what I'm finding is that for a lot of CISOs, the unknown unknowns are growing faster than they ever were before, for a few reasons. Suddenly all of the issues related to the lack of a perimeter and the lack of visibility into what data they have and where it is and how it's being used is a problem that they can no longer ignore. The ostrich defense of putting your head in the sand, I don't think it ever worked, but it's even less relevant these days. And at the same time, you've got enterprises and organizations and boards that are pushing very hard to realize the benefits of these technologies. They want to monetize their data, they want to make their people more productive, they want to move fast, they want to take advantage of all this velocity. So if you're a security leader, suddenly the problems are getting bigger, faster, you have less time to solve them, and you're being told you better solve them right away. It's been an interesting confluence of all of those factors over the last, I'd say, two, three years.
B
Yeah, you mentioned AI, and no question, again, generative AI is everywhere these days. But we've got both the sanctioned copilots, but then also that shadow IT, or as I've heard people referring to it lately, shadow AI, that kind of slips in under the radar. What are you seeing in customer environments? How are they handling this?
A
Well, that's a great question. Different folks are handling different pieces of this problem in different ways. In addition to the two, I would call them, pillars of AI security issues that you just brought up, there's the sanctioned copilots and chatbots, the Microsoft Copilots, the agents the companies are trying to deploy. There's also the sanctioned public chatbots, the ChatGPTs of the world, the Claudes, the Geminis. There's the shadow AI and shadow IT. There's also companies that are trying to build big AI infrastructure to get more use out of their enterprise data. All of those have potential productivity and convenience and monetization gains, but all of those certainly have security risks. I think the story that illustrates a lot of this problem best is, so I was at one of the big banks before I came to Varonis, which was 15 years ago now. I was in architecture. People can go on my LinkedIn, you can see it. I was at UBS. And what's interesting when you work at a big bank is, I was in IT. So I was in architecture, but I also worked really closely with our service desk, because I helped with a lot of the desktop productivity tools that a lot of the bank used. And what I learned was that if you want to see who gets the most love from IT, go to the trading floor of a bank. UBS at the time had the biggest trading floor in the world, at Stamford, Connecticut. And it's true at most big banks, they've got a trading floor somewhere. And those users, those people, those men and women, they get the most love. They have nine monitors, they've got the latest devices. If they open a help desk ticket, somebody is in front of them in a couple of minutes. And the reason for this is kind of obvious when you think about it, because if you can make a trader more productive, or the flip side of it is if they are not productive, if they can't work, the bank makes money.
If they're productive, the bank loses money if they can't work. So one of these banks that we were working with, not UBS, but another one, they were piloting at the time this brand new AI technology called Microsoft Copilot for 365. Pretty common now. A lot of knowledge workers have it these days, but at the time it was relatively expensive, it was relatively new. And I met the VP of Modern Workforce at this bank, and she told me an interesting story. She said, yeah, we gave it to users on our trading floor, because of course we do, we pilot everything with them, because if we can make them more productive, then it proves the ROI of the investment in this technology or this tool. And they gave Copilot to a few of these users to see what would happen. And one of them asked what I've come to think of as actually kind of a smart question. Banks have a lot of data. Banks have a lot of smart people. Banks create a lot of analysis. They do a lot with data. So he asked a question of Copilot: what stocks do our employees invest in? Because you figure the bank has a couple hundred thousand employees. There's probably some patterns in how these employees invest personally, and maybe that'll give him some edge. He was expecting, because he'd been using ChatGPT for a few months, he'd been expecting a couple of hours or a couple of paragraphs of, you know, here's the kinds of equities that the bank's employees tend to invest in at certain times of year. And maybe he would get some insight that would help him. Instead, what he got were thousands of lines of names, account numbers, Social Security numbers and positions of employee 401(k)s, which he was surprised to see didn't really help him all that much. And as soon as he saw it, he called, you know, the Copilot team and said, wait, should I be seeing this? They immediately turned it off.
B
Yeah, change the trajectory of his day, right?
A
Yeah. Well, he just turned it off and ignored it and went on with the rest of his day. They immediately switched it off, because in her words, like, this is a privacy nightmare, we can get sued out of business. And I told that story to other technologists, and over the years, I've told that story a lot. It happened a couple of years ago. And people would say, that's ridiculous, because Copilot doesn't, and these AI tools, they don't punch holes in systems. They're not going to get you access to something that you're not supposed to have access to. And I said, that's exactly right. But what happened in this case, and I know this is how I'm going to answer your question, what happened in this case was somebody on their comp team had created a spreadsheet, done an analysis of employee 401(k) data. It was totally within the bounds of their role. They had access to that data, they created that spreadsheet and they saved it in a Microsoft Teams site. And for those that don't know, Microsoft Teams is built on top of Microsoft SharePoint, and it's basically a big data store with its own directory. And they had saved this spreadsheet inside a team site. And in Microsoft 365 there's a share button on top of all of your documents. And that lets you collaborate really easily with other people. You click share, and like I can share something with you or with somebody else on my team or internally at Varonis, and suddenly we can work on it together. But what that means is it doesn't really matter where data is anymore. And it also makes it really easy for things to be opened up to people who aren't supposed to see it. And in this case, somebody had shared it with an email distribution list that included, by accident, everybody in the company. So they had this spreadsheet with all these employee 401(k) positions, and it was open to every single person in the bank. It would be like leaving the bank vault wide open to every employee.
But the problem was nobody, or not the problem, it wasn't an issue, because nobody knew about it. And so nobody had gone hunting for this data. No insider had found it, no attacker got a hold of it. And this trader, he wasn't an insider threat or an attacker either. He asked a pretty innocent question using a new tool. But because he had access to this, and because Copilot is the greatest information retrieval tool that we've probably ever created as a species, suddenly that data got presented to him, even though he wasn't supposed to have access. And it highlights the issues that security teams are facing in the face of: we want to innovate, we want to take advantage of these new technologies. But a lot of the security, observability, visibility, the preventive controls, the detective controls that we have in place to try to prevent this kind of thing from happening are a little outdated. The ways that we think about collaboration and access and behavior and security holistically. I've gone through that scenario with security leaders, and I've gotten into the weeds of here's exactly how this happened and exactly why this could happen to you. And they'll often stop me and say, you're talking about issues that we've had for 20 years, like we don't know where all of our data is. And people generally have access to way too much, because of course they do. That's just the way, you know, our world works these days. And of course, we don't know where all of our most sensitive data is, because how could you? It could be anywhere. Data's like life in Jurassic Park. It finds a way. It's in OneDrive shares and SharePoint sites, it's on devices, it's in emails, it's in applications, it's in records, it's in databases, it's in all the hyperscalers. Like, it ends up everywhere. How could we possibly control it?
And I would say, yeah, you're right, but you better, or else your Copilot pilot's going to get stuck in pilot and you're never going to use it, or you're going to suffer your first AI data breach. So it's kind of pick your poison. You've got to do one or the other, or you have to rethink a lot of what you thought you knew about security and about observability and about controls and, honestly, about automation. Because robots created this problem. Robots are going to have to solve it.
B
That's Brian Vecchi, Field CTO at Varonis.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com slash the numbers 4-7, D-A-Y.
And now a word from our sponsor ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, the UK government has finally put flesh on the bones of its digital ID plan, perhaps hoping to reassure the 2.7 million citizens who've already signed a petition demanding it be scrapped. Prime Minister Keir Starmer, who somehow forgot to mention the idea during his election campaign, now says the digital credential will streamline bureaucracy and make right-to-work checks easier. Palantir, often accused of being too cozy with government, has declined to bid, citing its policy of only supporting initiatives with an electoral mandate. The move echoes Estonia's efficiency drive but arrives under the shadow of Big Brother Watch, which warns of creeping state surveillance. Officials insist it won't be compulsory, police can't demand it, and privacy will be respected. Still, skeptics say Starmer must explain why Britons should trust yet another government IT scheme, or risk watching his flagship digital ID wither before it even launches. Whether it becomes a passport to convenience or just another card nobody asked for, the fate of Britain's digital ID may hinge less on technology and more on trust.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com. Be sure to check out this weekend's Research Saturday and my conversation with Asaf Dahan, director of threat research at Palo Alto Networks. We're discussing Phantom Taurus, a new Chinese APT uncovered by Unit 42. That's Research Saturday. Do check it out.
A quick note before we wrap up. I don't like to toot my own horn, but I've been nominated for the SANS Difference Makers Award in the Media Creator of the Year category. I'm honored to be recognized and would appreciate your support. You'll find a link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern.

Thanks for listening and for being part of the N2K CyberWire community. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
A
Doug, LiMu and I always tell you to customize your car insurance and save hundreds with Liberty Mutual, but now we want you to feel it. Cue the emu music. LiMu! Save yourself money today. Increase your wealth. Customize and save. We say that may have been too much feeling.
B
Only pay for what you need. LibertyMutual.com. Liberty, Liberty, Liberty, Liberty. Savings vary. Underwritten by Liberty Mutual Insurance Company and affiliates. Excludes Massachusetts.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Title: WhatsApp worm spreads.
Date: October 3, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Brian Vecchi, Field CTO at Varonis
This episode delivers a brisk roundup of emerging cybersecurity threats, notable breaches, and evolving risks, highlighted by in-depth news segments and an illuminating interview with Brian Vecchi (Field CTO, Varonis). The episode’s recurring theme, balancing innovation with security risk, is explored through emerging malware trends, critical vulnerabilities, and organizational security responses to the AI era.
[01:46]
[03:09]
[03:59]
[04:37]
[06:29]
[07:32]
Interview with Brian Vecchi, Field CTO, Varonis
[13:42–28:49]
[30:11]
This episode delivers a sweeping snapshot of the day’s most pressing cyber risks—ranging from fast-spreading WhatsApp worms to well-organized phishing operations, critical infrastructure vulnerabilities, and headline-grabbing data breaches. The central interview offers valuable reflections on the need for organizations to innovate without letting risk spiral, especially as AI amplifies both unknown threats and business pressures. Insightful anecdotes and clear, actionable analysis make this a must-listen for leaders grappling with the tension between digital agility and security.