This Week in Cyber 22nd August 2025
Analyst Insight
This week in cyber, we have seen justice served on the notorious Scattered Spider collective, with a 20-year-old male sentenced to 10 years in prison for his role in the group. This underscores the consequences of cybercrime and sends a strong message. We also see more crackdowns on cybercrime, with the U.S. DoJ seizing $2.8 million from the alleged mastermind behind the Zeppelin ransomware group. Additionally, the major human resources solution “Workday” experienced a data breach this week as part of the ongoing Salesforce CRM breaches; the impact of this incident is unknown at the time of writing. Finally, Cisco has disclosed a critical severity (CVSS 10) vulnerability in its Secure Firewall Management Center software; if you use this software, we recommend giving their advisory a read. Read more in this week in cyber.
20-Year-Old Scattered Spider Operator Sentenced to 10 Years in Prison
Noah Michael Urban, also known by aliases like “King Bob” and “Sosa”, has received a 10‑year prison sentence after pleading guilty to wire fraud and conspiracy in April. The sentence, handed down on August 21, 2025, exceeds the eight years prosecutors requested; Urban must also pay $13 million in restitution to his victims.
Urban was arrested in January 2024 in connection with his role in a cybercrime collective known as Scattered Spider, accused of stealing millions by executing SIM‑swap attacks, MFA bypasses, and phishing attempts from September 2021 to April 2023. He admitted to making several million through crypto theft but lost much to online gambling, though he claims to still have “a few million left”.
Human Resources Platform Workday Breached
Human resources company Workday disclosed a data breach this week after threat actors gained access to a third-party customer relationship management (CRM) platform. The incident has been linked to the recent waves of Salesforce CRM breaches, attributed to the ShinyHunters extortion group. “We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform,” the company stated. Workday reassured customers that “There is no indication of access to customer tenants or the data within them”, but some businesses' contact information was exposed, including customer data. The data obtained was “primarily commonly available business contact information”.
U.S. Department of Justice Seizes $2.8 Million from Suspected Ransomware Operator
The U.S. Department of Justice just pulled off a major move: they’ve seized over $2.8 million in cryptocurrency, along with $70,000 in cash and a luxury car, from the alleged mastermind behind the now-defunct Zeppelin ransomware group. The man, Ianis Aleksandrovich Antropenko, is now facing charges in Texas for computer fraud and money laundering. Zeppelin was notorious for encrypting victims’ data and demanding ransom. After raking in illicit funds, Antropenko allegedly laundered them through services like ChipMixer, as well as through crypto-to-cash exchanges and sneaky, structured cash deposits.
Cisco Discloses Critical RCE Vulnerability in Secure Firewall Management Center Software
This week, Cisco disclosed a critical (CVSS 10.0) remote code execution vulnerability in the RADIUS subsystem of its Secure Firewall Management Center software, which could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. “This vulnerability is due to a lack of proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level,” states Cisco. The vulnerability, assigned CVE-2025-20265, impacts FMC versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled.