Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Policy Lapses, Sudo Root, and the Ransom of the Ryes
The feds are nuking essential threat sharing programs just as core security legislation lapses, leaving state and local governments scrambling for defenses and exposed to novel threats. Plus, we explore a critical Sudo flaw exploited in the wild, and ask why international brewing giant Asahi couldn't keep its production lines—and its delicious beer—safe from digital shenanigans.
Welcome back to Cyber Scoops & Digital Shenanigans, the only podcast that gives you the dirty details on who’s getting hacked and who’s letting it happen. I’m your host, Mike Housch.
Today, we're talking about failure on a grand scale. We're looking at what happens when the very agencies tasked with protecting us decide to yank the lifeline, then we’ll check in on some high-value vulnerabilities, and finally, we’ll ask why you might have trouble getting your next pint, thanks to some malicious code.
Let’s jump straight into the swamp of government infosec. You want to talk about bad timing? The U.S. federal government is staring down a possible shutdown on October 1, 2025, and right alongside that potential government halt, the Cybersecurity Information Sharing Act of 2015 is set to lapse.
The CISA Act, by the way—that’s the one designed to encourage companies to share threat information with the government without fear of liability—it’s now in limbo. Lawyers think it’ll probably be renewed, maybe even retroactively, but maybe weeks or months from now. Until then, if you spot the "legs and the tail" of a new threat, you might think twice about sharing it to help others find the "forearms and torso" and see the whole animal.
But the real gut-punch this week comes from CISA itself—that’s the Cybersecurity and Infrastructure Security Agency. CISA announced it’s cutting its cooperative agreement, and crucially, its funding, with the Center for Internet Security (CIS). This transition is "planned," according to CISA, reflecting their goal to strengthen accountability and maximize impact.
Accountability? Maximizing impact? Look, CISA's giving state, local, tribal, and territorial (SLTT) partners access to grant funding and no-cost tools under this "new model". But here’s the rub: CIS runs the MS-ISAC, the Multi-State Information Sharing and Analysis Center. Since 2003, MS-ISAC has been the critical, nationwide threat-intel network for state and local officials, provided for free.
In March, the feds already slashed MS-ISAC's funding by $10 million, about half its budget. Now that the whole agreement is ending September 30, 2025, CIS is shifting MS-ISAC to a fee-based model.
Think about that. The federal government cuts funding to a program that boosts local digital defenses, and then tells state and local agencies to figure it out using grants. As one election expert noted, without this sharing mechanism, how are states going to communicate rapidly if Oregon sees a cyber issue, and they need to alert Michigan?
This isn't just theory. Earlier this year, Homeland Security also cut funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), also run by CIS. The CIS website originally stated that the EI-ISAC was no longer supported "Due to the termination of funding by the Department of Homeland Security". They're now "exploring options" to continue vital support.
The bottom line: The feds are ripping the backbone out of state and local cybersecurity sharing infrastructure right as a critical liability protection law is lapsing. This is how you guarantee major digital vulnerabilities across the public sector.
Speaking of vulnerabilities, let's talk about the bedrock of system administration: Sudo. You use Sudo, you get root. You get root, you own the machine.
Well, CISA just issued a warning about an exploited local privilege escalation vulnerability in Sudo, tracked as CVE-2025-32463. This bug—which has a CVSS score of 9.3—is nasty. It allows a local, low-privileged attacker to execute commands with root privileges, which means full system compromise.
This exploit wasn't theoretical; CISA warned it was being used in the wild, adding it to the Known Exploited Vulnerabilities catalog. It impacts Linux and macOS systems using Sudo. Basically, if an attacker can manipulate the system to create an /etc/nsswitch.conf file under a user-specified root directory and use the chroot feature, Sudo gets tricked, and suddenly, even users not in the sudoers file are running as superuser. The good news is Sudo version 1.9.17p1 patched this back in June. But if you haven't patched, CISA is mandating federal agencies fix this within three weeks.
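A quick way to act on the patch advice above is a version check that understands sudo's "MAJOR.MINOR.PATCHpN" numbering. The following is an added example, not code from the podcast or the sudo project: the fixed release 1.9.17p1 and the CVE identifier come from the transcript, and the sample version strings are constructed. It parses either a bare version string or the first line of `sudo --version` and reports whether the host is at or above the fixed release.

```python
"""Check whether a sudo version is at or above 1.9.17p1, the release the transcript
names as the fix for CVE-2025-32463.

Added example; not the podcast's or the sudo project's code. Sample version
strings used in testing are constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "1.9.17p1"  # from the transcript: patched in Sudo 1.9.17p1

# Sudo versions look like MAJOR.MINOR.PATCH with an optional "pN" suffix,
# e.g. "1.9.15p5" or "1.9.18".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a comparable (major, minor, patch, p-level) tuple from a version
    string or from the first line of `sudo --version` output.
    Returns None if no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    # A missing "pN" suffix sorts below "p1" of the same base version.
    return int(major), int(minor), int(patch), int(plevel or 0)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is at or above the fixed release."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return v >= parse_version(fixed)


def installed_sudo_version() -> Optional[str]:
    """Run `sudo --version` on this host and return its first output line,
    or None if sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    line = installed_sudo_version()
    if line is None:
        print("sudo not found on this host")
    else:
        status = ("patched" if is_patched(line)
                  else "VULNERABLE - upgrade to 1.9.17p1 or later")
        print(f"{line.strip()} -> {status}")
```

Note that "1.9.17" without the "p1" suffix is treated as unpatched, matching the transcript's statement that 1.9.17p1 is the fixed release.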
And while we're talking about privilege escalation, we have to talk about China-linked threat actors using a clever zero-day in VMware.
The threat actor, tracked by Mandiant as UNC5174, has been exploiting a local privilege escalation flaw—CVE-2025-41244—in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. This flaw lets a malicious local actor with non-administrative privileges escalate to root on the same VM.
How did they do it? It involves a function called get_version() which checks processes with listening sockets. The regex pattern used in the function was too broad, matching not just secure system binaries like /usr/bin/httpd, but also non-system binaries that an unprivileged user could place in a writable directory like /tmp.
The China-linked actors were observed specifically using the /tmp/httpd location to stage a malicious binary, spawning an elevated root shell. This highlights a frightening issue: the broad practice of mimicking system binaries could mean that countless other malware strains have been accidentally benefiting from unintended privilege escalations for years.
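The pattern behind the VMware Tools flaw above, a basename-only match that treats /tmp/httpd like /usr/bin/httpd, is easy to reproduce and to harden. The block below is an added example, not the podcast's or VMware's code: the actual regex in get_version() is not given in the transcript, so BROAD_PATTERN is an assumed stand-in that only keys on the binary name, and the process list is constructed. It puts the permissive check beside a stricter one that only accepts executables located directly under trusted system directories and outside any user-writable tree.

```python
"""Permissive versus strict matching of 'processes with listening sockets'.

Added example, not code from the podcast or from VMware. BROAD_PATTERN is an
assumed illustration of a basename-only regex; the listener list is constructed.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Assumption: a pattern that keys only on the binary's basename, which is the
# "too broad" behaviour the transcript describes.
BROAD_PATTERN = re.compile(r".*/(httpd|nginx|sshd)$")

# Where a service-discovery routine should expect system binaries to live.
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                "/usr/local/bin", "/usr/local/sbin")
# Trees that any local user can write into.
USER_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")

# Constructed sample of listening processes: (pid, executable path).
SAMPLE_LISTENERS: List[Tuple[int, str]] = [
    (812, "/usr/bin/httpd"),
    (913, "/usr/sbin/sshd"),
    (4421, "/tmp/httpd"),             # same basename, user-writable location
    (4510, "/home/alice/bin/nginx"),  # same basename, under a home directory
    (77, "/usr/lib/systemd/systemd"),
]


def broad_match(path: str) -> bool:
    """The permissive check: accepts any path whose basename looks like a service."""
    return BROAD_PATTERN.match(path) is not None


def is_trusted_system_binary(path: str) -> bool:
    """Stricter check: the path must be absolute, contain no '..' components,
    sit directly under a trusted directory, and not be inside a user-writable tree."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    for bad in USER_WRITABLE_DIRS:
        if p == PurePosixPath(bad) or PurePosixPath(bad) in p.parents:
            return False
    return str(p.parent) in TRUSTED_DIRS and broad_match(str(p))


def classify(listeners: List[Tuple[int, str]]) -> Dict[str, List[str]]:
    """Return which paths each check accepts so the gap between them is visible."""
    result: Dict[str, List[str]] = {"broad": [], "strict": []}
    for _pid, path in listeners:
        if broad_match(path):
            result["broad"].append(path)
        if is_trusted_system_binary(path):
            result["strict"].append(path)
    return result


if __name__ == "__main__":
    out = classify(SAMPLE_LISTENERS)
    print("broad regex accepts :", out["broad"])
    print("strict check accepts:", out["strict"])
```

In a real discovery routine the strict check would also be the place to confirm ownership and permissions of the file before invoking it with elevated privileges; this example stays at the path-shape level so it runs without touching the filesystem.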
Finally, let’s talk about a real tragedy: a cyberattack on a global beer giant.
Japanese brewing behemoth Asahi Group Holdings confirmed its operations in Japan were disrupted by a cyberattack on Monday. This isn't just IT trouble; this resulted in system failures that impacted orders and shipments at all its subsidiaries in Japan, along with call center and customer service operations. Worse yet, production was suspended at some of Asahi’s 30 domestic factories.
Asahi is huge. They own international brands like Peroni, Grolsch, and Pilsner Urquell, and have nearly 40% market share in Japan. This kind of disruption to production is "extremely expensive" for the business and potentially for re-sellers.
While Asahi hasn't confirmed the nature of the attack, the system-wide outages and production halts strongly suggest that file-encrypting ransomware might have been the culprit. Thankfully, Asahi has stated there’s been no confirmed leakage of personal information or customer data to external parties at this time. But the fact remains: cybercriminals are now sophisticated enough to halt the production of one of the world’s major beer suppliers.
So, what did we learn today?
First, our own government is decommissioning core threat-sharing infrastructure, leaving local security on life support right as major legislation expires. Second, even fundamental OS tools like Sudo are being exploited in the wild for quick root access. And third, if they can disrupt the global beer supply chain, they can hit anything.
Stay vigilant, keep patching Sudo, and maybe stock up on that London Pride before the digital miscreants get to Fuller's.
That’s it for this week’s Cyber Scoops & Digital Shenanigans. Thanks for tuning in. Remember: assume compromise, and keep your beer cold. I’m Mike Housch, signing off.