Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Hacking the Skies, Time, and Messaging: NSO Gets Banned & The AI Escalation
Today, we unpack the fallout from a massive Oracle E-Business Suite hack that targeted American Airlines subsidiary Envoy Air, exposing business information from the regional carrier. We also dive into high-stakes cyberwarfare, covering China's accusation that the US attacked its critical National Time Center and Microsoft's report on how foreign adversaries are weaponizing AI.
Welcome back to Cyber Scoops & Digital Shenanigans, the weekly deep dive into the latest digital debacles and security breakthroughs. I’m your host, Mike Housch. We’ve got a packed show today, covering everything from supply chain compromise in the airline industry to escalating geopolitical cyber tensions and a critical ruling against a notorious spyware maker.
We are living in a pivotal moment where innovation is moving incredibly fast, demanding immediate investment in cybersecurity basics, according to Microsoft. And looking at the headlines this week, you can see exactly why.
Let’s jump right into the fallout from a major supply chain attack targeting enterprise software.
Segment 1: The Envoy Air/Oracle EBS Hack
Our first major story focuses on the skies, specifically American Airlines and its subsidiary, Envoy Air. Envoy Air, which operates under the American Eagle brand, confirmed recently that it was impacted by a major cybercrime campaign. This campaign targeted organizations utilizing Oracle’s E-Business Suite (EBS) enterprise management solution.
Now, interestingly, the notorious Cl0p ransomware group listed American Airlines on their Tor-based leak website. But upon closer inspection, it seems the hackers actually targeted an Oracle EBS instance specifically used by Envoy Air, the largest regional carrier for American Airlines.
The cybercriminals didn't waste any time. At the time of reporting, they made public more than 26 GB of archive files allegedly stolen from the airline.
Envoy Air issued a statement admitting that they were impacted by this Oracle EBS campaign. However, they tried to offer some reassurance, stating that their internal investigation indicated that customer data or other sensitive data was not compromised. They did, however, concede that a limited amount of business information and commercial contact details may have been compromised.
This attack isn't isolated, folks. The Oracle EBS campaign, which has been linked to both Cl0p and the FIN11 cybercrime group, has claimed other high-profile victims. Harvard University was actually the first confirmed victim. Since then, others have been listed on the Cl0p site, including the University of the Witwatersrand in Johannesburg, South Africa, and industrial giant Emerson.
It appears that dozens of victims of this campaign received extortion emails, and those companies now showing up on the Cl0p website are likely the ones that refused to pay the ransom.
It's still unclear exactly which Oracle EBS vulnerabilities were exploited. Oracle initially cited known flaws patched back in July, but later announced patches for a zero-day vulnerability, CVE-2025-61882, which was apparently exploited in the campaign. They also patched another EBS flaw, CVE-2025-61884, that exposes sensitive data. This is a massive reminder that critical enterprise systems running complex software like Oracle EBS are prime targets, and patching is non-negotiable.
Segment 2: Nation-State Escalation and the Rise of AI Weapons
Mike Housch: Moving from cybercrime to cyberwarfare, we have significant developments regarding nation-state activity involving the U.S. and China.
China recently accused the U.S. National Security Agency, the NSA, of carrying out cyberattacks on its National Time Center. This is serious because the time center is responsible for generating and distributing China’s standard time, and it provides timing services essential to industries like finance, power, communications, transport, and defense. Any damage to these related facilities could seriously disrupt crucial services.
In a WeChat post, China’s Ministry of State Security alleged that the NSA exploited vulnerabilities in the messaging services of a foreign mobile phone brand used by staff at the National Time Service Center back in 2022 to steal sensitive information. Furthermore, they claimed the U.S. agency used 42 types of “special cyberattack weapons” to target the center’s internal network systems and attempted to infiltrate a key timing system between 2023 and 2024. China, naturally, said the U.S. is accusing others of what it does itself while hyping up Chinese cyber threats. The U.S. Embassy has not immediately commented on this accusation.
Adding fuel to this fire is a new report from Microsoft, highlighting how foreign adversaries are aggressively leveraging artificial intelligence. According to Microsoft’s annual digital threats report, Russia, China, Iran, and North Korea have sharply increased their use of AI to escalate cyberattacks against the U.S. and to deceive people online.
The U.S. is identified as the top target for cyberattacks globally. Microsoft found that the goal of 80% of cyber incidents investigated last year was the theft of data.
The exploitation of AI’s potential is key here. Adversaries are using it to automate and improve attacks. This includes things like AI translating poorly worded phishing emails into fluent, convincing English, or even generating digital clones of senior government officials. Microsoft found over 200 instances of foreign adversaries using AI to create fake content online just this July, which is more than double the number seen the prior year.
We are seeing AI weaponized not just by state actors seeking to obtain classified information or disrupt supply chains, but also by criminal gangs who often partner with countries like Russia to maximize profits through data theft and ransomware.
Segment 3: Critical Patches and Legal Battles
Mike Housch: In our final segment, we look at critical vulnerabilities that demand immediate attention, and a long-awaited legal decision.
First, let's talk about managed services and remote monitoring tools. ConnectWise has rolled out patches for two significant vulnerabilities in its Automate Remote Monitoring and Management, or RMM, tool. This tool is widely used by MSPs and enterprises to manage connected devices.
The most severe flaw, CVE-2025-11492, is critical-severity with a CVSS score of 9.6. This bug allowed attackers to intercept sensitive information that was being transmitted in cleartext. The second high-severity flaw involves a lack of integrity checks when downloading code. If certain configurations were used, these vulnerabilities could expose agent communications and updates to interception, allowing a threat actor performing a Man-in-the-Middle, or MiTM, attack to potentially replace updates with malicious ones. ConnectWise has fixed this by enforcing HTTPS for all agent communications in Automate version 2025.9, but on-prem servers need to ensure TLS 1.2 is enforced. If you run ConnectWise Automate on-premises, update immediately.
Next, a chilling vulnerability in audio processing. A high-severity vulnerability has been found in Dolby’s Unified Decoder. This component is used across numerous devices to process audio formats. The flaw, tracked as CVE-2025-54957, could be exploited for remote code execution. Most critically, on Android devices, this can be a zero-click attack, meaning it requires no user interaction. A malicious audio message or attachment could trigger the exploit because Android decodes audio locally using this Dolby software. Google Project Zero successfully demonstrated 0-click code execution on a Pixel 9. Microsoft and Google have issued patches, so make sure your systems are up to date.
Finally, a major update in the ongoing legal saga between WhatsApp and the controversial spyware maker, NSO Group. A judge in the US District Court has granted a permanent injunction barring NSO from hacking WhatsApp users ever again. WhatsApp filed the lawsuit in 2019 after NSO exploited a zero-day vulnerability to deliver spyware to about 1,400 users. NSO is now ordered to stop reverse engineering WhatsApp, refrain from creating new WhatsApp accounts, and must destroy any relevant WhatsApp source code they possess.
WhatsApp called this a major win after six years of litigation. However, NSO received a significant reprieve on the financial front. The judge ruled that the $167 million in punitive damages awarded by the jury earlier this year was excessive and cut that amount down sharply to just over $4 million. Despite the monetary reduction, the legal ban is a massive victory for digital privacy advocates. It's also worth noting that the NSO Group was recently acquired by a group of American investors, transferring controlling ownership out of Israel.
Conclusion
So there you have it, a week defined by large-scale enterprise attacks, high-level geopolitical sparring, and crucial patch releases.
Whether you're dealing with the ripple effect of the Oracle EBS campaign that hit Envoy Air, or protecting yourself against sophisticated zero-click vulnerabilities in audio decoders, or simply trying to stay ahead of nation-states like China and Russia who are actively escalating attacks using AI, the message remains the same: Cybersecurity awareness is non-stop work.
And if you’re a senior cybersecurity leader, remember the advice from experts: Bringing politics into professional spaces undermines decision-making and weakens security teams. Keep your focus tight on risk management and core defense strategies.
That’s all the time we have for this edition of Cyber Scoops & Digital Shenanigans. Thank you for tuning in. Be safe out there, and we'll catch you next week!