CyberWire Daily: “Workday’s Bad Day” (August 18, 2025)
Episode Overview
In this episode of CyberWire Daily, host Dave Bittner delivers a fast-paced roundup of the day's essential cybersecurity news. The centerpiece is a detailed discussion with CyberScoop’s Tim Starks about the overlooked impacts of recent Trump-era executive orders on cybersecurity policy. Additional stories include a Workday third-party data breach, new fraud techniques targeting payment systems, legal battles over ad blockers in Germany, major research disclosures, cybercrime prosecutions, and a study revealing that AI bots mimic human social media polarization.
Key Stories & Insights
1. Workday Discloses Data Breach
- [02:00] HR software giant Workday revealed a data breach after attackers accessed a third-party CRM via a social engineering campaign.
- No customer tenant data was affected, but some business contact information (names, emails, phone numbers) was exposed.
- Attackers impersonated HR or IT staff via phone and text to gain access.
- The breach, discovered August 6, is linked to the Shiny Hunters extortion group, known for targeting Salesforce CRM systems.
- Shiny Hunters use malicious OAuth apps to siphon data, then extort companies.
- Insight: While Workday emphasized that only widely available contact data was leaked, this information could fuel further phishing.
2. Zero-Day in Elastic’s EDR
- [03:18] Researchers at Ashes Cybersecurity found a serious, unpatched zero-day flaw (a null pointer dereference in a Microsoft-signed driver) in Elastic’s endpoint detection and response (EDR) software.
- Allows for crashes, security bypass, remote code execution, or planting malicious drivers for persistence.
- Affects multiple versions; Elastic is unresponsive to disclosure attempts.
- Insight: This poses a severe risk, potentially undermining the security of users relying on Elastic’s stack.
3. Ghost Tapping: NFC Payment Card Fraud
- [04:30] Research from Recorded Future’s Insikt Group highlights “ghost tapping”—an NFC relay attack used by syndicates in China and Southeast Asia to exploit stolen payment card data via mobile wallets (Apple Pay, Google Pay).
- Burner phones are used to make high-value purchases, which are then resold.
- Fraudsters coordinate on Telegram and, since May, have shifted to marketplaces such as Xinbi Guarantee and Tudou Guarantee.
- Weak “Know Your Customer” practices at retailers make prevention hard.
- Notable Quote [05:24]: “Ghost tapping's effectiveness stems from weak know your customer checks at retailers, making detection difficult.”
- Victims include retailers, banks, payment providers, and insurers.
4. Germany Considers Ad Blocker Ban
- [06:20] Germany’s Federal Supreme Court has questioned the legality of ad blockers, stemming from a long dispute between Axel Springer (publisher) and Eyeo (maker of AdBlock Plus).
- Key legal question: Do ad blockers unlawfully alter copyrighted code?
- Critics warn a ban could set a global precedent and affect all privacy-boosting browser extensions.
- Insight: Germany could become one of the few places to join China in banning ad blockers, sparking privacy concerns.
5. McDonald’s Security Flaws
- [07:24] Security researcher BobDaHacker uncovered multiple high-severity vulnerabilities in McDonald’s employee and franchise systems worldwide.
- McDonald’s app allowed reward point abuse for free food due to lack of server-side validation.
- Weak authentication and exposed APIs/personal data on internal platforms.
- Crew accounts could escalate privileges and access executive systems.
- Reporting was hindered because McDonald’s had removed its security.txt contact file; the researcher had to cold-call corporate HQ.
- Notable Quote [08:50]: “Their design hub used weak client-side protections, allowed anyone to register accounts, emailed passwords in plain text…”
- While most flaws were fixed, researcher says disclosure channels remain inadequate.
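The reward-point abuse above comes down to one pattern: the server accepting a balance and price that the client computed. The following is an added illustration, not McDonald’s code and not from the podcast; the reward catalogue, account ledger, request fields (`client_points`, `client_cost`) and the three constructed requests are all hypothetical. It runs the same request stream through a handler that trusts the client and one that treats the server-side ledger and price list as the only source of truth.

```python
"""Added example: client-trusting vs server-validated reward redemption.
All names, prices and requests below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed reward catalogue; the server owns these prices.
REWARD_COST = {"free_fries": 100, "free_burger": 300}


@dataclass
class Account:
    user_id: str
    points: int
    redeemed: list = field(default_factory=list)


def redeem_trusting_client(ledger, request):
    """Vulnerable pattern: the app reports its own balance and cost,
    and the server merely records the outcome it is told."""
    acct = ledger[request["user_id"]]
    if request["client_points"] < request["client_cost"]:
        return "denied"
    acct.points = request["client_points"] - request["client_cost"]
    acct.redeemed.append(request["reward"])
    return "granted"


def redeem_server_validated(ledger, request):
    """Hardened pattern: the client may only name the reward it wants;
    the balance, the price and the sufficiency check all live server-side."""
    acct = ledger.get(request["user_id"])
    if acct is None:
        return "denied"            # unknown account
    cost = REWARD_COST.get(request["reward"])
    if cost is None:
        return "denied"            # reward not in the server's catalogue
    if acct.points < cost:
        return "denied"            # insufficient balance per the ledger
    acct.points -= cost
    acct.redeemed.append(request["reward"])
    return "granted"


def run(handler):
    """Feed one constructed account and three requests through a handler.
    Returns (decisions, remaining points, rewards granted)."""
    ledger = {"u1": Account("u1", 120)}
    requests = [
        # Honest request: 120 points, asks for a 100-point reward.
        {"user_id": "u1", "reward": "free_fries", "client_points": 120, "client_cost": 100},
        # Tampered request: client-side numbers rewritten to claim plenty of points at no cost.
        {"user_id": "u1", "reward": "free_burger", "client_points": 9999, "client_cost": 0},
        # Tampered request naming a reward that does not exist in the catalogue.
        {"user_id": "u1", "reward": "gold_plated_burger", "client_points": 9999, "client_cost": 0},
    ]
    decisions = [handler(ledger, r) for r in requests]
    return decisions, ledger["u1"].points, list(ledger["u1"].redeemed)


if __name__ == "__main__":
    print("trusting client :", run(redeem_trusting_client))
    print("server-validated:", run(redeem_server_validated))
```

The trusting handler grants all three requests and ends with a balance the user never earned; the validated handler grants only the honest one and leaves the ledger at 20 points. The same check applies to any client-reported value that affects money or access: the server recomputes it rather than trusting it.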
6. Open Source “Sniffject” for 5G Security Testing
- [09:45] Singapore University of Technology and Design releases “Sniffject,” an open-source tool for discovering 5G security flaws, debuted at USENIX Security 2025.
- Exploits unencrypted pre-authentication 5G traffic.
- Can sniff and inject packets with high accuracy/range.
- Demonstrated 5G-to-4G downgrade attacks and other exploits.
- Most dangerous features are restricted to vetted institutions.
- GSMA has confirmed the downgrade flaw and assigned a CVE.
7. Zelle Lawsuit by NY Attorney General
- [11:05] NY AG Letitia James sues Zelle’s banks (JPMorgan, BofA, Wells Fargo), alleging $1B in fraud from 2017-2023 due to poor registration safeguards.
- Banks allegedly failed to respond quickly to fraud, remove scammers, or compensate victims.
- The suit parallels ongoing regulatory scrutiny of Zelle.
8. Ransomware Operator Charged
- [12:15] DOJ charges Ianis Aleksandrovich Antropenko, alleged operator of Zeppelin ransomware.
- Seized $2.8 million in crypto plus assets.
- Zeppelin mainly targeted healthcare and tech sectors since 2019.
- Charges: Computer fraud, money laundering.
In-Depth Interview: Tim Starks on Overlooked Cyber Policy Shifts
[14:13 - 24:13]
Background & Motivation
- Tim Starks, senior reporter at CyberScoop, discusses his recent article unpacking overlooked provisions in two Trump-era executive orders and their possible impacts on U.S. cybersecurity.
- [14:36] Tim Starks:
“In March they put out this preparedness executive order... the overwhelming reaction was like... that's insane. States are not prepared to deal with this.”
Key Findings
- Policy Overhaul:
  - The March 2025 “preparedness” order calls for state/local governments to take more responsibility in cyber incidents.
  - The June order (released with little fanfare) also has larger implications than initially noticed.
  - [16:13] Tim Starks:
    “There is an order to review a great number of the most foundational policy documents governing critical infrastructure protection... those are some pretty big changes.”
- Rollbacks and Undercut Provisions:
  - Orders removed requirements for federal contractors to certify security (likened to removing “Sarbanes-Oxley for cyber”).
  - NIST review of minimum security practices canceled; concern this undermines harmonization of standards.
  - Notable Quote [18:13], Alexandra Reeve Givens (via Starks):
    “Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste and abuse is like claiming we need safer roads while removing guardrails from bridges.”
  - Jake Williams: Self-certification being abandoned weakens accountability.
- Funding and Feasibility Issues:
  - State/local governments given more tasks, but no funding.
  - NIST’s budget cut 20% while being asked to do more.
  - [19:55] Tim Starks (referencing Rep. Eric Swalwell):
    “This administration is talking about the importance of doing cybersecurity, but they're underfunding these agencies. ... You're not giving [states/localities] any money to deal with that.”
Unusual & Puzzling Provisions ("Head Scratchers and Mysteries")
- [21:02]
  - New language says cyber sanctions can’t be used against “domestic political opponents.”
  - No precedent for this—“couldn’t figure it out.”
  - Some speculate this is political signaling or relates to election security anxieties.
  - Removal of digital ID verification language—possibly to address concerns (real or imagined) over benefits to unauthorized immigrants, but with little concrete basis.
- Contradictory Moves:
  - Some Trump-era orders reinforce initiatives begun under the Biden administration, e.g., CyberTrustmark for labeling secure products.
- Memorable Exchange [23:52]:
  - Dave Bittner: “Well, Tim, your guess is as good as mine.”
  - Tim Starks: “We're trying to figure it out, Dave. This isn't going away.”
Final Segment: AI Bots and Echo Chambers
[25:18]
- Researchers unleashed 500 AI chatbots on a plain social network (no ads/algorithms) to test polarization—expecting less division.
- Instead, bots quickly formed echo chambers, amplifying the most partisan voices.
- Tweaks like removing bios or disabling virality had little effect—sometimes making polarization worse.
- Notable Quote:
“The study suggests polarization isn’t just an algorithmic quirk, it’s a structural feature of social media itself. In other words, it’s not just the mirror that’s warped, it’s us.”
Notable Quotes
- On rollback of key provisions [18:13], Alexandra Reeve Givens:
  “Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste and abuse is like claiming we need safer roads while removing guardrails from bridges.”
- On confusing executive order changes [21:02], Tim Starks:
  “There’s this language saying you can’t use cyber sanctions against domestic political opponents. My thought was: Wait a minute, who in the world would that even pertain to? ...this seems to be existing policy.”
- On AI social polarization [25:18]:
  “Polarization isn’t just an algorithmic quirk, it’s a structural feature of social media itself. In other words, it’s not just the mirror that’s warped, it’s us.”
Timestamps: Key Segments
- [02:00] Workday data breach summary
- [03:18] Elastic EDR zero-day vulnerability
- [04:30] Ghost tapping NFC payment fraud
- [06:20] Germany’s ad blocker legal battle
- [07:24] McDonald’s platform security flaws
- [09:45] Sniffject 5G security tool launch
- [11:05] NY Attorney General sues Zelle banks
- [12:15] Ransomware operator indictment
- [14:13] Interview: Tim Starks on executive order impacts
- [18:13] Notable quote on rollback of cyber provisions
- [19:55] Congressional concerns on funding/state-local burden
- [21:02] “Head scratchers”—strange orders and rationale
- [25:18] AI bots and echo chambers segment
Conclusion
This episode offers dense, actionable intelligence for cybersecurity professionals, breaking news on ongoing data breaches and policy shifts, and a thoughtful interview that exposes the far-reaching, sometimes paradoxical consequences of recent government actions. It concludes with a cautionary tale from AI research about the human (and bot) tendency toward polarization, reinforcing that cybersecurity and digital trust are as much about people as technology.