State Spies, Autonomous Malware, and Why Your Password is Still '123456'

Show Notes

Today we dive into alarming new reports, including how state-sponsored hackers stole firewall backups and how AI is enabling malware to mutate autonomously during execution. We also cover the costly Nevada ransomware recovery, critical Cisco patches, and the perennial problem of weak passwords.

Transcript

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast dedicated to tracking the wild ride of cybersecurity news. I’m your host, Mike Housch, and we have a jam-packed show today, covering everything from nation-state espionage targeting security vendors to critical infrastructure attacks and the frightening rise of autonomous, AI-powered malware. Plus, a quick check-in on the state of human laziness when it comes to passwords.

Let’s start with a major revelation from the network security firm SonicWall. They wrapped up their investigation into an intrusion discovered back in September, and they now confirm the attackers were a state-sponsored threat actor.

This wasn't a run-of-the-mill cybercrime group. These were spies, who managed to compromise SonicWall’s cloud backup service. The intrusion was limited to an API call used to access backup files within a specific cloud environment.

Initially, SonicWall thought fewer than 5% of their firewall installed base had files accessed. But here’s the kicker: they later revised that update, admitting that all customers who utilized the MySonicWall cloud backup feature were affected. That's right—all of them.

What did the nation-state actors get? They stole firewall configuration files. These files contain highly sensitive data, including encrypted credentials and configuration data. SonicWall has emphasized that the intrusion was isolated to the backup service and did not affect their products, firmware, source code, or customer networks. They called in Google-owned Mandiant to investigate and took all recommended remediation actions.

The immediate advice for customers remains to check their accounts and reset all passwords. This incident is a harsh lesson that even defensive infrastructure, especially supporting cloud services, is a prime target for geopolitical cyber operations.

Next, let's look at the ongoing issue of public sector ransomware. The State of Nevada recently released an after-action report detailing a massive cyberattack that severely impacted services, causing residents to be unable to receive driver’s licenses and employers to struggle with background checks.

While the attack was discovered in August 2025, the investigation revealed it actually began much earlier—as early as May—when a state employee mistakenly downloaded malicious software. That software installed a hidden backdoor. By August, the attacker had established encrypted tunnels, moved across the state's system using remote desktop protocol, and gained access to the state's password vault server.

The state reportedly did not pay the ransom. However, the cost to recover was substantial: at least $1.5 million, including 4,212 overtime hours ($211,000 in wages) and $1.3 million paid to contractors. Thankfully, the $1.3 million was covered by the state’s cyber insurance.

Interestingly, one expert noted that detecting the attacker in about three months (May to August) was actually faster than the typical dwell time, which often takes between seven and eight months. But for organizations, catching it three months after the initial compromise is still far too long. The attack was able to spread quickly due to the decentralized nature of Nevada’s cyber systems.

The recommendations coming out of this incident, such as creating a centrally-managed Security Operations Center (SOC) and deploying Endpoint Detection and Response (EDR), are critical. But as one cybersecurity expert, Cameron Call, pointed out, these are standard protocols that the state should have been doing for years. It sounds like Nevada got lucky that the financial cost wasn't higher, especially compared to breaches like the MGM Resorts attack, which was expected to cost over $100 million.

Shifting gears to future threats, Google’s Threat Intelligence Group (GTIG) just released a concerning report on how malware is now leveraging AI during execution—not just during the development phase. This represents a significant step toward more autonomous and adaptive malware.

We’re moving beyond AI simply helping criminals write better phishing emails. We are seeing malware use AI to evade detection.

For example, there’s PromptFlux, an experimental dropper written in VBScript. It interacts with Google’s Gemini API to request specific VBScript obfuscation and evasion techniques. Why? To facilitate 'just-in-time' self-modification and evade static signature-based detection. Think of it as shape-shifting malware.

Even more worryingly, some examples have been seen in the wild. Take FruitShell, a PowerShell reverse shell that uses hardcoded AI prompts specifically designed to bypass analysis and detection by AI-powered security solutions.

Another malware family, PromptSteal, is a Python-based data miner that uses the Hugging Face API and a large language model (Qwen2.5-Coder-32B-Instruct LLM) to generate one-line Windows commands on the fly for collecting system data. And QuietVault, a credential stealer, uses AI prompts and command-line interface tools installed on the compromised host to look for additional secrets.

Threat actors are also bypassing mainstream AI guardrails by moving to unrestricted models available in the criminal underground. This move is expected to lower the barrier to entry for many less advanced criminals.

Our final segment covers two more high-stakes security incidents. First, a crucial warning from Cisco, who released patches for nearly a dozen vulnerabilities this week.

Two of these flaws are classified as critical and impact the Cisco Unified Contact Center Express (Unified CCX) appliance. These critical bugs could allow attackers to execute arbitrary code remotely and elevate their privileges to root on the affected system.

One of the flaws (CVE-2025-20354) is particularly dangerous because it can be exploited remotely, without authentication, via the Java Remote Method Invocation (RMI) process to upload arbitrary files and execute commands with root privileges. The improper authentication mechanisms associated with specific Unified CCX functions enable this abuse. While Cisco is not currently aware of these vulnerabilities being exploited in the wild, the severity means immediate patching is necessary.

And finally, we have another major data breach, this time affecting the automotive sector. Hyundai AutoEver America (HAEA), the North American arm of the IT and software company for the Hyundai Motor Group (which includes Hyundai, Kia, and Genesis brands), disclosed a data breach.

HAEA detected an intrusion in its IT environment on March 1, 2025. The hackers had access to their systems since February 22. Although the company could not confirm if the data was exfiltrated, the exposed information includes extremely sensitive personal data: names, Social Security numbers (SSNs), and driver’s license numbers. This adds HAEA to a growing list of related automotive breaches recently reported, alongside Stellantis, Jaguar Land Rover, and Volvo Group.

So, what are the takeaways from this week? Patch your critical systems immediately, especially if you run Cisco Unified CCX. And if you're a SonicWall customer, change those credentials.

But let's finish with the simplest, yet most ignored problem: passwords.

A new study by Comparitech, analyzing over two billion passwords leaked on breach forums in 2025, shows that for all our advancements in cyber defense, human laziness is still rampant. The most popular passwords are exactly what you expect: "123456," "admin," and "password" all rank in the top ten. A full quarter of the passwords analyzed consisted solely of numbers.

Experts continue to stress that length is the most important factor, even more than complexity or randomness. Using long passphrases, or better yet, moving toward biometric passkeys, is the advised path. If you’re an administrator, Comparitech notes that stricter enterprise requirements lead to better passwords from users.

So, if you remember nothing else from this episode: Patch, watch for AI, and for goodness sake, stop using "123456".

That’s all the scoops we have time for today. Thank you for joining me on Cyber Scoops & Digital Shenanigans. Stay safe out there, and we'll catch you next time.