CyberWire Daily - 404: Cybercrime not found.
Episode Date: November 13, 2025

Operation Endgame expands global takedowns. The U.S. is creating a Scam Center Strike Force. Microsoft rolls out its delayed “Prevent screen capture” feature for Teams. Proton Pass patches a clickjacking flaw. Researchers uncover previously undisclosed zero-day flaws in both Citrix and Cisco Identity Services Engine. Android-based digital picture frames contain multiple critical vulnerabilities. Lumma Stealer rebounds after last month’s doxxing campaign. Our guest is Garrett Hoffman, Senior Manager of Cloud Security Engineering from Adobe, talking about achieving cloud security at scale. X marks the spot… where your passkey stops working.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we are joined by Garrett Hoffman, Senior Manager of Cloud Security Engineering from Adobe, talking about achieving cloud security at scale. You can hear the full conversation with Garrett here.
Selected Reading
- End of the game for cybercrime infrastructure: 1025 servers taken down - Operation Endgame’s latest phase targeted the infostealer Rhadamanthys, Remote Access Trojan VenomRAT, and the botnet Elysium (Europol)
- US announces ‘strike force’ to counter Southeast Asian cyber scams, sanctions Myanmar armed group (The Record)
- Microsoft rolls out screen capture prevention for Teams users (Bleeping Computer)
- Proton Pass patches DOM-based clickjacking zero-day vulnerability (Cyberinsider)
- Amazon discovers APT exploiting Cisco and Citrix zero-days (AWS Security Blog)
- CISA warns feds to fully patch actively exploited Cisco flaws (Bleeping Computer)
- Popular Android-based photo frames download malware on boot (Bleeping Computer)
- Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics (Trend Micro)
- Elon Musk's X botched its security key switchover, locking users out (TechCrunch)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result: fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Operation Endgame expands global takedowns.
The U.S. is creating a scam-center strike force.
Microsoft rolls out its delayed "prevent screen capture" feature for Teams.
Proton Pass patches a clickjacking flaw.
Researchers uncover previously undisclosed zero-day flaws in both Citrix and Cisco
Identity Services Engine.
Android-based digital picture frames
contain multiple critical vulnerabilities.
Lumma Stealer rebounds after last month's doxxing campaign.
Our guest is Garrett Hoffman,
senior manager of cloud security engineering from Adobe,
talking about achieving cloud security at scale.
And X marks the spot where your passkey stops working.
It's Thursday, November 13th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Authorities dismantled three major cybercrime platforms
and arrested a key suspect during the latest phase of Operation Endgame,
coordinated from Europol's headquarters in The Hague.
Starting earlier this week, officials targeted the Rhadamanthys infostealer, the VenomRAT remote-access
Trojan, and the Elysium botnet. According to the provided report, the operation removed
more than a thousand servers, seized 20 domains, and included searches across Germany, Greece,
and the Netherlands. Hundreds of thousands of computers were infected,
and millions of stolen credentials were stored in the dismantled infrastructure.
Authorities say the VenomRAT suspect was arrested earlier, on the 3rd of November, in Greece.
The takedown disrupts major tools used in global cybercrime
and highlights the scale of compromised systems worldwide.
Victims may still be unaware of infections,
and the report urges them to check their devices.
The U.S. is creating a scam center strike force to confront cyber scam compounds across Southeast Asia
that have stolen billions from Americans in recent years.
Treasury says the team will include the Justice Department, Secret Service, State Department,
and FBI personnel who will investigate, disrupt, and prosecute major scam operations in Burma,
Cambodia, and Laos. Officials plan to use sanctions, asset seizures, and
criminal cases, while helping victims with restitution and scam avoidance education.
The government estimates Americans lost at least $10 billion in 2024 to romance scams,
fake investment platforms, and fraudulent cryptocurrency sites. New sanctions target Myanmar's
Democratic Karen Benevolent Army, several of its leaders, and Thai companies accused of
supporting scam compounds that rely on human trafficking and fund armed groups in
Myanmar's civil war.
Microsoft has begun rolling out its delayed "prevent screen capture" feature for
Teams Premium, designed to block screenshots and recordings during meetings.
Originally planned for July of this year, the rollout shifted to early November.
The feature restricts visual content capture on Windows and Android by forcing screenshots
to display a black box or show a warning message.
Unsupported platforms join meetings in audio-only mode. It's off by default and must be enabled per meeting by organizers,
while Microsoft 365 admins manage device enrollment and licensing through Entra ID. Microsoft notes
the feature does not stop someone from photographing a screen. The update follows similar
privacy protections from WhatsApp and broader Microsoft efforts to strengthen security in Teams' chats.
Proton Pass has released an updated version of its browser extension to fix a DOM-based clickjacking flaw demonstrated at DEF CON 33.
Researcher Tóth showed that attackers could invisibly trigger password manager UI elements,
tricking users into approving autofill or exposing sensitive data with a single misleading click.
The vulnerability affected most major managers, though only some vendors have patched it.
The update hardens Proton Pass's injected UI against manipulation.
Users are urged to update immediately and consider disabling autofill on untrusted sites.
Amazon's threat intelligence team has uncovered a highly sophisticated actor
exploiting previously undisclosed zero-day flaws in both Citrix and Cisco Identity Services Engine.
Amazon's MadPot honeypots detected CitrixBleed 2 exploitation
before public disclosure, leading investigators to a second zero-day in Cisco ISE that enabled
pre-authentication remote code execution. The actor weaponized both vulnerabilities before patches were
available, a sign of advanced capability. After gaining access, the attacker deployed a custom
in-memory web shell tailored for Cisco ISE using reflection, encrypted communication, and Tomcat
listener registration to evade detection.
Amazon notes the campaign reflects a growing focus on identity and network access infrastructure.
Security teams are urged to enforce strict access controls and strengthen behavioral detection.
Elsewhere, CISA is urging federal agencies to fully patch two actively exploited Cisco ASA
and Firepower vulnerabilities.
The flaws allow unauthenticated access to restricted URLs and remote code
execution, and when chained, can give attackers complete control of unpatched devices.
Cisco confirmed both were zero-day exploits tied to the ArcaneDoor campaign.
CISA's emergency directive mandates agencies secure all Cisco firewalls within 24 hours,
noting some mistakenly applied incomplete updates.
Shadowserver still tracks over 30,000 vulnerable devices online.
Researchers at Quokka found that
Uhale Android-based digital picture frames
contain multiple critical vulnerabilities,
including behavior that downloads and executes malware at boot.
Many frames fetch an app update from China-based servers
that installs a payload linked to the Vo1d and Mzmess malware families,
which then runs at every startup.
Devices ship with SELinux disabled, are
rooted by default, and use insecure configurations that enable remote code execution,
command injection, and unauthorized file access.
ZEASN, the vendor behind the platform, has not responded to repeated disclosures.
Trend Micro's latest research shows Lumma Stealer has rebounded after last month's doxxing campaign,
with activity rising again starting October 20th.
The malware now uses browser fingerprinting alongside its
traditional command-and-control methods, collecting extensive system, network, hardware,
and browser details through JavaScript payloads and stealthy HTTP traffic.
These additions help operators evaluate victim environments, guide follow-on actions, and evade
detection.
Trend also observed process injection into Chrome and new fingerprinting endpoints on the C&C
infrastructure.
Despite reduced underground visibility and signs of operational strain,
Lumma Stealer remains active, continues targeting endpoints, and deploys secondary payloads like GhostSocks.
Coming up after the break, Garrett Hoffman, Senior Manager of Cloud Security Engineering at Adobe, talks about achieving cloud security at scale.
And X marks the spot where your passkeys stop working.
Stay with us.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's sponsored jobs helps you
stand out and hire fast. Your post jumps to the top of search results so the right candidates
see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use
Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit to get your jobs
more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about
indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring?
Indeed is all you need.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes?

That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your
security at scale. And it fits right into your workflows, using AI to streamline evidence
collection, flag risks, and keep your program audit ready all the time. With Vanta, you get
everything you need to move faster, scale confidently, and finally get back to sleep. Get started at
vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Garrett Hoffman is senior manager of cloud security engineering from Adobe.
In today's sponsored Industry Voices conversation, I speak with him about achieving cloud
security at scale. Let's start off by getting to know you a little bit, Garrett. Can you tell us
where you got your start and what led you to where you are today? Yeah, definitely. So I've been at
Adobe for almost eight years. Prior to this, I was at Microsoft. So I've been in a variety of
security roles at Adobe, both as an individual contributor and as a technical leader. So I'm currently
on the cloud infrastructure security team. In the cloud security space, I've also done software
development. And some of this was focused on cloud security around building platform services
that increased product developer productivity and enforce security best practices. So right now,
my team focuses on infrastructure security, which is pretty much everything except the software
that's running on the endpoints. And since that's such a large space, we definitely work with
our partner teams to ensure that we have comprehensive security coverage. You know, there's
folks in this industry when I speak with them and I say, that is a big job. And senior manager
of cloud security at Adobe falls into that category. Yeah. You know, what helps me the most,
though, is I have such a great team that's very proactive, very competent, you know,
they're experts on the cloud security space, they're experts on what's going on in the
industry. And so they really help us to lead a successful cloud security program here.
Well, today we're focusing on this notion of cloud security at scale. How do you define that?
What does that term mean to you? Yeah, so to me, cloud security at scale means three different things.
So the first is, you know, cloud security is a very large space and encompasses many different areas.
So you really need to define what your foundation for that is.
So what is your cloud security strategy or what is your standard?
This is something that needs to be done as a joint effort across what's probably going to be multiple teams.
So you can define a comprehensive strategy and not have different blind spots.
There are some pre-established frameworks that you can use as a foundation,
and each cloud service provider has their own recommendations as well
around best practices for using their services.
But at the end of the day, each company needs to define what this means for them.
So that will be based on your risk tolerance, your compliance certifications,
the data you protect, and just overall the experience that you want to give to your customers.
So once you define your baseline standard, the next step is really understanding how your company compares to that.
So each major functional area that you've defined in your cloud security strategy or standard will have their own way of doing this.
So one of the common things I see across the industry today, as I talk to others in my network, is using a cloud native application protection platform, or a CNAPP solution.
So a CNAPP solution helps security teams pull together visibility across multiple areas of cloud security.
So that's all the way, you know, if you think left, you know, all the way from code to detections.
You know, there's really no one-size-fits-all approach to this.
Depending on your company size, a CNAPP solution might be best, or, you know, maybe you do everything
in-house, or, you know, what Adobe does, what I believe most companies do, is they use a combination
of both purchase tools and in-house-built tools so they can have a true, comprehensive view
of how they compare to their cloud security standard.
So, you know, there's really no one solution here.
The outcome that you want to look for is defining comprehensive
visibility into where you're deficient compared to what your cloud security standard is so
you know where your focus needs to be. And then the third aspect of cloud security at scale is
moving your entire cloud environment closer to that standard based on your discoveries. So there are
two main areas of this. The first is secure by default. And that's ensuring that all new cloud
resources are deployed in a secure state. So this is looking at the full development lifecycle,
you know, from code to production.
So I look at secure by default as, you know,
building security into the product from the beginning,
not bolting it on afterwards.
And so this requires developing relationships with the product teams,
you know, building their trust,
getting it into their workstream so that you can be there
from the very beginning of their, you know,
their ideation phase, their design phase, you know,
through the entire process so that you can ensure that they're,
what they're implementing follows best practices.
And then the second is preventing security drift.
This is around, you know, after cloud resources are deployed,
you know, over time, you know, new vulnerabilities are discovered.
Things go EOL.
And so ensuring that you have practices in place to constantly refresh your infrastructure
and have a plan to be able to both detect those at the end of life for vulnerabilities
and then fix them.
So when we're talking about scaling cloud infrastructure,
are there any common misconceptions that you've come across, things where people
have a different idea from what may be reality out there? You know, there are a few that come to
mind. So the first would be focusing so much on remediation that you don't address risk prevention.
So depending on your situation, you know, focusing only on discovering risks and remediating them
can keep you very, very busy, but it won't really move your security program forward.
You know, I kind of see that as maintaining the status quo. So the best
practice in that situation would actually be to assess the risk that you're discovering and then
determine how to prevent new ones from being created in the first place.
And of course, along with that, you know, is thinking about, you know, risk areas you might not
have as many findings in as you would expect and then investigating why that is.
You know, are you truly secure in that area or are you just not seeing things that you probably
should be seeing?
You know, so this is something that will look different for every company, you know, depending
on your specific situation.
So, for example, you know, if you're remediating vulnerabilities, you know, you want to
prevent new ones, you might think about, you know, what are your hardening
guard rails like, you know, prior to deployment? You know, how often are you refreshing your VMs?
And then a second misconception around cloud security is that effective cloud security belongs to
the security team and it is the security team's responsibility to make that happen.
You know, and that's absolutely not correct. Security is everyone's responsibility.
So part of a mature security program is bringing security awareness to non-security
teams. So the entire company works together to keep customer data safe. So the misconception is that
you don't have to foster a culture of shared responsibility around cloud security. You know,
you really do need to in order to be successful. What's the best method that you've found for
getting that sort of buy-in, for getting, you know, everyone across the organization to, to agree and
invest in this idea that it is everyone's responsibility? Yeah, that's a great question because
in large companies
you have such a diverse set
of roles and responsibilities
and functions across the entire space
and so it really comes down to a couple of things
one is awareness
you have to make sure that everyone is aware
that the actions they take
can impact our cloud security
they have to understand what's okay to do
what's not okay to do
especially around things like social engineering
they have to be able to
understand what
what best practices are and have that be top of mind for them.
And I think the second thing would be around trust.
You know, so that's, I mentioned before that it's important for the security team
to be able to work with product teams from the beginning so that they can ensure that
the products are built, you know, secure by default, you know, in ways that implement best
practices.
And so we have to ensure that the product teams trust the security team and that
that they believe that as we work with us and as we work with them,
that they'll have better outcomes over time.
Well, I would love to dig into some of the nitty gritty here
and some of the actual architectural decisions that you all contend with
when you are building cloud security at scale.
What are some of the things you've experienced?
One of the biggest things I can think of would be a lack of shared standards.
So not building security in from the beginning or taking a secure
by default approach. So product teams are customer first, you know, as they support and grow their
product offerings to meet customer needs. So if they don't implement security best practices from the
beginning, you know, by this, I mean designing security into their product offering, you know, as
it's in the design phase and then implementation phase, you know, they'll have to go back and
fix the infrastructure after it's deployed. And that can be a major slowdown to the business
because it takes their attention and focus away from improving the product. And it can also
lead to unnecessary risks before they're remediated.
You know, there's security drift that can happen over time,
but ideally you'll be managing platforms,
or you'll be using managed platforms
that will automatically enforce best practices,
and that can help reduce the risk.
Are there any specific lessons that you've learned
while you're there at Adobe that have really informed
how you approach scaling cloud security across an enterprise?
Yeah, definitely.
So Adobe is a large company,
and we've been able to successfully implement
standard practices, these have brought comprehensive security and efficiency to each of our product
teams. You know, if you work for a small company, you know, now is the best time to implement
standardized practices that your company can use to grow, that will be in there from the
beginning. You know, we've seen a lot of benefits from that. You know, one of them is, of course,
on the security side that product teams don't have to worry about going back and remediating
after the fact, our customer data is secure.
And the other thing is, you know, as product teams utilize shared
or standardized practices, it helps them be more efficient as well.
Where do you suppose we're headed when you look toward the horizon, the future of cloud
security, and of course, AI and machine learning are top of mind for a lot of folks?
What do you suppose the future holds here?
Yeah, this is a really good question, too.
And one of the areas I really like to look at and think about,
it's one of the things that makes cloud security fun.
You know, it's not doing the same thing every day.
It's, you know, it's constantly changing.
It's constantly evolving.
You know, the major cloud service providers are constantly releasing new features and functionality.
You know, just about, it seems like every week or so, there are new features and things.
And developers are constantly, you know, they're staying on top of that and they're constantly using these new features.
As cloud security professionals, we need to expect that
and we need to ensure that our programs cover these new areas
and that we're prepared for the new risks
and attack vectors that are introduced.
One of the other areas that I think about
when I hear that question is AI, artificial intelligence.
It seems to be the hot topic in the industry right now.
And so AI systems can present cloud security professionals
with both a new risk and an opportunity.
So some of these AI systems like chatbots
or automated tools are increasingly being tested for weaknesses.
So this means that we as security leaders need to be focused on understanding
how these systems can be manipulated to better ensure that the right safeguards are in place.
Kind of shifting from just AI in general to kind of more generative AI.
You know, that's, it's really transforming cybersecurity by enabling faster threat detection,
automated responses, you know, predictive analytics.
Adobe sees AI as a powerful tool to enhance security, but
not necessarily to replace human oversight.
So while these technologies offer new efficiencies,
they can also introduce new and novel risks
that have to be managed with transparency,
governance, and accountability.
So at Adobe, our fundamental approach to AI is grounded
in our AI ethics principles of accountability,
responsibility, and transparency.
You know, I'm curious just from a personal point of view,
whenever I have the opportunity to talk to someone
in a position like yours,
how do you deal with the scale of the challenges that are before you?
Again, as we said, an organization, the size of Adobe,
how do you break it down into manageable bite-sized pieces
for you and your team to be able to tackle?
Yeah, that's definitely something that we think about often
and that we have to strategize around.
And I think this goes back to what I was saying before around
how security is really a shared responsibility.
across the whole company. So that includes, you know, all of the, every employee at Adobe or,
you know, whatever company you're at, doing their part to reduce risk and prevent risks,
you know, prevent attackers. But the other aspect of that is making sure that you have great
relationships with your partner teams so that you can work together and put together a holistic
strategy where one team isn't trying to tackle all of security by themselves, but instead,
you know, you have the different pillars where each team is working together, doing their
specific thing to work, to put together the larger picture.
That's Garrett Hoffman, Senior Manager of Cloud Security Engineering at Adobe.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most. With Thales's industry-leading platforms,
you can protect critical applications, data, and identities anywhere and at scale with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world
rely on Thales to protect what matters most: applications, data, and identity. That's Thales,
T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection
from ThreatLocker.
And finally, yesterday, reports were bubbling up across social media that users of Elon Musk's
X are now trapped in an endless two-factor authentication obstacle course.
The trouble started when X told anyone using passkeys or hardware keys to re-enroll on the
shiny x.com domain, a necessary side effect of retiring the creaky old twitter.com address.
Unfortunately, those keys still think Twitter exists, and they refuse to make the jump.
After the November 10th deadline, many users found themselves locked out entirely,
stuck between error messages and looping setup screens.
It's the latest in a long string of headaches since Musk bought the platform for $44 billion,
though his own account seems blissfully unaffected.
X has yet to comment, perhaps still circling the login page with the rest of us.
And that's the Cyberwire. For links to all of today's
stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
