CyberWire Daily - Big tech, bigger fines.
Episode Date: September 8, 2025

The EU fines Google $3.5 billion over adtech abuses. Cloudflare blocks record-breaking Distributed Denial of Service (DDoS) attacks. The Salesforce-Salesloft breach began months earlier with GitHub access. Researchers say the new TAG-150 cybercriminal group has been active since March. Hackers use stolen secrets to leak more than 6,700 Nx private repositories. Subsea cable outages disrupt internet connectivity across India, Pakistan, and parts of the UAE. Monday Business Breakdown. On our Industry Voices segment Todd Moore, Global Vice President, Data Security at Thales, unpacks the perils of insider risk. Hackers claim Burger King's security flaws are a real whopper.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Industry Voices
On our Industry Voices segment, we are joined by Todd Moore, Global Vice President, Data Security at Thales, discussing why the biggest threat to your data has a badge, a password, and years of goodwill. Check out Todd's full conversation here.

Selected Reading
EU fines Google $3.5 billion for anti-competitive ad practices (Bleeping Computer)
Cloudflare blocks massive 11.5 Tbps DDoS attack (SDxCentral)
Salesloft GitHub Account Compromised Months Before Salesforce Attack (SecurityWeek)
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure (Recorded Future)
Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack (SecurityWeek)
Red Sea cable cuts disrupt internet across Asia and the Middle East (Reuters)
N2K Pro Business Briefing update (N2K Networks)
Burger King hacked, attackers 'impressed by the commitment to terrible security practices' — systems described as 'solid as a paper Whopper wrapper in the rain,' other RBI brands like Tim Hortons and Popeyes also vulnerable (Tom's Hardware)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMVRising.com to secure your spot.
At Thales, they know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry leading platforms,
you can protect critical applications, data and identities, anywhere and at scale with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and health care
companies in the world rely on Thales to protect what matters most. Applications, data, and
identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
The EU fines Google $3.5 billion over ad tech abuses.
Cloudflare blocks record-breaking DDoS attacks.
The Salesforce-Salesloft breach began months earlier with GitHub access.
Researchers say a new TAG-150 cybercriminal group has been active since March.
Hackers use stolen secrets to leak more than 6,700 Nx private repositories.
Subsea cable outages disrupt internet connectivity across India, Pakistan, and parts of the UAE.
We got our Monday business breakdown.
On our Industry Voices segment, Todd Moore, Global Vice President for Data Security at Thales, unpacks the perils of insider risk.
And hackers claim Burger King's security flaws are a real whopper.
It's Monday, September 8th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Hello and happy Monday. It is great to have you with us here today. The European Commission has fined Google $3.5 billion for abusing its dominance in the digital advertising technology market, citing self-preferencing and anti-competitive practices. Regulators ordered Google to stop these behaviors and prevent future conflicts of interest in ad tech.
Google disputes the ruling, calling it wrong, and vowing to appeal.
The company argues the fine is unjustified and will harm European businesses, claiming its
services face strong competition.
This marks the fourth major EU antitrust fine against Google, following penalties in 2017, 2018, and 2019 for abuses involving Android, search, and online ads.
Separately, France's CNIL fined Google $378 million for displaying ads between Gmail users' emails without consent and violating cookie rules.
Cloudflare says it blocked record-breaking DDoS attacks, including one peaking at 11.5 terabits per second and 51 billion packets per second.
The massive attack, largely sourced from IoT devices and Google Cloud, lasted 35 seconds and resembled a UDP flood. It surpassed Cloudflare's previous 7.3 terabit per second record. The company says its architecture easily handled the surge, dropping malicious traffic at the edge.
Following up on the Salesforce-Salesloft data theft campaign, new details confirm the breach began months earlier. Salesloft revealed attackers accessed its GitHub account between March and June of this year, laying groundwork for the August incident where compromised Drift OAuth tokens were used to siphon data from Salesforce environments.
Attributed to UNC6395, the attack impacted hundreds of organizations, with stolen data including AWS keys, passwords, and Snowflake tokens. Initially believed limited to the Salesforce-Salesloft integration, the breach also extended to Google Workspace customers.
Salesforce disabled the integration while Drift was taken offline and restored September 7th. Mandiant's investigation confirmed hackers exploited GitHub access, not flaws in Drift. Roughly 700 companies, including major security vendors, were affected, with stolen data often tied to customer support records.
Recorded Future's Insikt Group has identified a new cybercriminal group, TAG-150, active since March of this year.
The actor is notable for its rapid development, technical sophistication, and ability to
quickly adapt after public reporting.
TAG-150 operates a large, multi-tiered infrastructure with victim-facing servers running as C2 nodes for various malware families and deeper layers supporting operations.
The group has released several self-developed tools, including CastleLoader, CastleBot, and now CastleRAT, a newly documented remote access Trojan available in Python and C.
CastleRAT enables data collection, payload delivery, and command execution through CMD and PowerShell.
TAG-150 also uses third-party services such as file-sharing platforms and the anti-detection tool CleanScan.
Hackers behind the recent Nx supply chain attack, dubbed s1ngularity, used stolen secrets to leak more than 6,700 private repositories, according to Wiz.
The attack began when threat actors used a compromised NPM token to publish eight malicious versions of Nx.
These versions executed a telemetry.js script that searched infected machines for sensitive data, API keys, GitHub and NPM tokens, SSH keys, and crypto wallets, then exfiltrated files to public GitHub repositories.
Wiz found over 20,000 stolen files from at least 225 users, with over 2,300 secrets leaked, impacting 1,700 accounts.
The malware also modified shell startup files to crash terminals and misused AI CLIs like Claude and Gemini for reconnaissance and data theft.
In phase two, attackers leveraged compromised credentials to access over 480 accounts, exposing thousands of secrets from organizations, including one with 700 repositories.
Wiz urges victims to rotate secrets, hunt for IOCs, and review GitHub logs, warning that some NPM tokens remain valid.
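A responder acting on that advice wants two quick local checks before rotating anything: is a blocklisted version of the package sitting in a project's lockfile, and has a shell startup file been tampered with. The script below is an added example, not code from the transcript, from Wiz, or from the Nx project. The page does not list the eight malicious version numbers, so the blocklist and the lockfile and rc-file samples are constructed placeholders, and the "sudo shutdown" pattern is an assumption about what a startup file edited to "crash terminals" might contain.

```python
"""Added example: two offline hunts after a poisoned npm dependency.

1. find_blocked_packages: scan an npm package-lock.json for package/version
   pairs on a blocklist (handles lockfileVersion 1 and 2/3 layouts).
2. find_suspect_rc_lines: scan a shell startup file (.bashrc, .zshrc) for
   lines that look injected.

BLOCKLIST, SAMPLE_LOCK and SAMPLE_RC are constructed placeholders, not the
real malicious Nx versions or real victim files.
"""
import json
import re

# Placeholder versions: substitute the list from the advisory you trust.
BLOCKLIST = {"nx": {"99.0.1", "99.0.2"}}


def find_blocked_packages(lock_text, blocklist=BLOCKLIST):
    """Return sorted (lock_path, name, version) tuples for blocklisted entries.

    lockfileVersion 2/3 keys "packages" by node_modules path, so nested copies
    ("node_modules/a/node_modules/nx") are caught as well as top-level ones.
    lockfileVersion 1 nests "dependencies" by package name instead.
    """
    lock = json.loads(lock_text)
    hits = set()

    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in blocklist.get(name, ()):
            hits.add((path, name, meta["version"]))

    def walk(deps, prefix):
        for name, meta in deps.items():
            if meta.get("version") in blocklist.get(name, ()):
                hits.add((prefix + name, name, meta["version"]))
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Patterns a benign rc file rarely contains. The shutdown form is an assumption
# about how a startup file could be made to "crash terminals"; the others are
# generic download-and-execute and payload-name checks.
SUSPECT_PATTERNS = [
    (re.compile(r"\bsudo\s+(shutdown|halt|poweroff|reboot)\b"), "forced shutdown on shell start"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"), "pipe-to-shell download"),
    (re.compile(r"\btelemetry\.js\b"), "reference to the telemetry.js payload"),
]


def find_suspect_rc_lines(rc_text):
    """Return (line_no, reason, line) for non-comment lines matching a suspect pattern."""
    findings = []
    for line_no, line in enumerate(rc_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPECT_PATTERNS:
            if pattern.search(stripped):
                findings.append((line_no, reason, stripped))
                break
    return findings


# Constructed samples: one poisoned top-level nx, one clean nested copy, and a
# .bashrc with an appended shutdown line.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/nx": {"version": "99.0.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/nx": {"version": "21.0.0"},
    },
})

SAMPLE_RC = "\n".join([
    "export PATH=$HOME/bin:$PATH",
    "# alias ll='ls -la'",
    "alias ll='ls -la'",
    "sudo shutdown -h 0",
])

if __name__ == "__main__":
    for hit in find_blocked_packages(SAMPLE_LOCK):
        print("blocklisted package:", hit)
    for finding in find_suspect_rc_lines(SAMPLE_RC):
        print("suspect rc line:", finding)
```

Against a real project, call find_blocked_packages on the contents of package-lock.json with the blocklist filled in from the advisory; a hit under a nested path means a transitive dependency pulled the package in, which npm ls nx will also show. A clean lockfile is not a clean machine: the page notes the payload ran on install, so the rc-file check and a secret rotation still apply to any host that installed one of the bad versions.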
Subsea cable outages in the Red Sea have disrupted Internet connectivity across India, Pakistan, and parts of the UAE, according to NetBlocks.
Failures were traced to cable systems near Jeddah, Saudi Arabia, though the cause remains unclear.
Microsoft said Azure users may see higher latency after multiple fiber cuts, as traffic
through the Middle East was rerouted to alternative paths.
While no outages occurred, Microsoft warned of slower connections for some services.
Other regions not routed through the Middle East remain unaffected.
It's Monday, which means it's time for our weekly business breakdown.
Last week saw just over $65 million raised across three investments and six acquisitions.
On the investment front, the majority of the fundraising came from Cato Networks,
which raised an additional $50 million after expanding its Series G round from July,
bringing the round's total funding to $409 million.
The additional fundraising came alongside Cato acquiring Aim Security, an AI security firm.
This is Cato Networks' first ever acquisition.
Okta, a U.S. IAM platform, also acquired Israeli privileged access management firm Axiom Security for $100 million.
With this acquisition, Okta aims to integrate Axiom's technology into its identity security fabric.
ImageSource, a U.S. enterprise content management company, acquired U.S. cybersecurity company Zorce Cyber.
This acquisition included Zorce's threat detection and prevention platform, Bouncer, which adds advanced email, web, and file-based security technologies to the company's platform portfolio.
Also making headlines, eight U.S. and Indian VCs and P.E.s are teaming up
to provide additional support for India's growing tech startups.
And that wraps this week's business breakdown.
For deeper analysis on major business moves shaping the cybersecurity landscape,
subscribe to N2K Pro, and check out thecyberwire.com every Wednesday for the latest updates.
Coming up after the break, Todd Moore from Thales unpacks the perils of insider risk, and hackers claim Burger King's security flaws are a real whopper. Stick around.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient
than spreadsheets, screenshots, and all those manual processes,
you're right.
GRC can be so much easier.
And it can strengthen your security posture
while actually driving revenue for your business.
You know, one of the things I really like about Vanta
is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you? It means you get back more time and energy to focus on what actually
matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine
how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's
v-a-n-ta.com slash cyber.
As a BMO Eclipse Visa Infinite cardholder, you don't just earn points.
You earn five times the points.
On the must-haves like groceries and gas, and little extras like takeout and ride share.
So you build your points faster.
And then you can redeem your points on things like travel and more.
And we could all use a vacation.
Apply now and get up to 60,000 points.
So many points.
For more info, visit bmo.com slash eclipse.
Visit us today.
Terms and conditions apply.
Todd Moore is Global Vice President of Data Security at Thales.
On today's sponsored industry voices segment,
he explains why the biggest threat to your data has a badge,
a password, and years of goodwill.
An insider threat is something that comes from within an organization.
It's a privileged user or a machine; it doesn't necessarily have to be human.
Someone that has the right credentials to have access to information, data, that's critical maybe to the organization.
And those individuals or machines may accidentally do something inappropriate with that data,
or they may try to extract that data, or they may try to take it outside the organization.
So from an insider threat perspective, it's really someone that you trust inside your organization that either accidentally, because good things do happen
to people, they make mistakes, they put data in places they shouldn't, like in a public
repository, like in a public cloud, or it's a person or a machine that is maliciously trying
to extract data from an organization, but they do have access.
Yeah, it's an interesting, I think, nuance there, because I think for a lot of folks, particularly
if they're not in this sort of stuff every day, they hear the term insider threat and they
automatically think that it's someone or something that's malicious. But as you point out,
that's not necessarily the case. It could just be someone making an innocent or ignorant mistake.
Absolutely. And it happens all the time and it's happening more and more, right?
As we continue to use different SaaS applications, software as a service applications and
storage and public cloud, we typically just want to get our jobs done as employees within
organizations. And sometimes, you know, what we're in a hurry, or we're
we have a deadline and we're in that panic type mode, we'll move data around an organization,
we'll send it through an email or copy it to a shared drive, and that information is lost
once it goes into the wild.
And so, again, it's not that someone was trying to do something necessarily bad or evil,
but just trying to get their job done.
And unfortunately, it puts organization data at risk, and it creates a breach opportunity
for an organization and puts our crown jewels out there for the world to see.
You know, sometimes when I think of insider threats, I go back to that old horror movie
chestnut about how the call is coming from inside the house, right? It's scary. It's me, right? Well,
I think it is, because we think about a moat or a fence or, you know, defending from the bad guys
who are coming at us from outside of our organization. But this is a different thing when
the potential trouble is someone who has certain privileges within the company.
Absolutely. And what we're hearing a lot about now, it's a huge buzz in the industry,
is this thing called agentic AI. I don't know if we'll go into that too much today. But at a very,
very high level, agent is an agent that has all of those credentials and all those accesses that you
have. So it's really a mirror of you as a person or again, as a machine. And this agent is going to go
off and do tasks on your behalf. And they have all the credentials and all the access to go off
and do those tasks, and they can make mistakes as well, too.
By moving data, it looks like it's a valid request for data or a valid movement of data,
but they could put it in a place they weren't supposed to.
So it's an interesting time right now in this world about how agentic AI is allowing access to data
that when you would have access to, machines and persons would have access to,
and it's getting moved in places that should be moved to.
Well, let's talk about some of the basics here.
I mean, an organization faced with a reality that this is a possibility, what are the basic things that they can do to minimize their exposure when it comes to insider threats?
Sure.
So, you know, for many years now, organizations would put a lot of their most secure, most sensitive data into databases because they may call that structured data, because the data is put in columns and rows within a database.
And we would watch those databases very carefully.
We would make sure the persons who had access to the database didn't have access to everything in that database.
We would monitor them and we would look for behaviors that didn't make sense.
Someone was accessing the database at off hours or they were extracting a lot of information.
And so there's even compliance and regulations around databases, but it gave us a single point of kind of failure in our organizations if we could watch and monitor.
In this new world where we're using, again, the social media apps and we're using public cloud and all these different tools at our disposal,
there's this huge explosion of unstructured data, you know, a billion files, videos, chat,
emails, and there's a lot of sensitive data out there as well, too.
But we don't really have the same rigor in most organizations in watching and monitoring that
data to see that things are happening the way they should be happening.
And so I think to answer your question, David, it's really about having visibility.
And we're seeing that the fundamental things that organizations need is to have visibility
across all their data, whether it's in a database, which is very controlled in one location,
or also in unstructured data, which in all these files, that can be anywhere.
They can be on-prem and file servers.
They can be in cloud.
They can be in SaaS applications just everywhere.
And having that visibility, and then when I say watching, it's really monitoring on an ongoing basis,
continuous monitoring to make sure that appropriate behaviors, that the data is being accessed
and used appropriately.
You know where that data is coming from.
Who should have access to it?
Why are they accessing?
And it's really asking those basic questions
while you're looking and monitoring
who and how people are using the data in your organization.
You know, it's a really interesting point.
And it strikes me that, certainly for my own use,
I feel as though as on-device search
has gotten more sophisticated and more accurate,
that that has enabled me to have more unstructured data.
Right?
Like, I can just leave anything anywhere.
I hardly ever delete an email anymore.
Right.
But if I need something,
my first thing to do is to go just searching for it,
and chances are it's going to pop up.
So it's sort of a combination of convenience,
but also a bit of a pack rat mentality.
And I suspect that's fairly common these days.
Yeah, absolutely.
And we're seeing that 80% of all data that's out there is unstructured data, things like you just said, emails, files, pictures.
And with advent of artificial intelligence and us using all these chatbots, AI is creating 90%
of all new unstructured data.
It's just an amazing amount of data that's being created by using these new techniques
and tools available to us.
And again, that data is going everywhere.
In many cases, it's data that's important to us as persons, but even more important to
our companies.
And so from an insider perspective, you've got to have visibility.
where employees and machines are putting that data.
You want to watch and make sure it's being used and accessed appropriately,
and you want to put controls around that.
So in many aspects and what you're talking about,
and this is in many organizations, it's around data retention,
that especially in the finance and government-type worlds,
there's rules around how long you can keep data.
And even in personal privacy laws,
there's rules around how long we as individuals want our data to be kept within an organization.
And so, you know, we need tools to be able to find the data, understand what that data is, you know, put controls around it,
whether we want it to be protected for a long period of time, we might encrypt it or tokenize
it. Those are different types of controls to really protect the information. Or in some case,
if it's been out there for a long time and it doesn't belong there, you can delete it. So
there is, you know, a data retention piece to this whole hygiene when it comes to unstructured
data and reducing the number of insider threats, the number of breaches that can occur
through the sprawl of unstructured data.
What about the stigma of making a mistake?
I can imagine somebody who accidentally clicks on something
or puts a file in the wrong place.
And depending on the culture of the security team,
they may be hesitant to reach out and say,
hey, I think I messed up here.
That's a great question.
We have a video, a little snippet of a video
that shows a typical use case of a person
that's, you know, trying to do the right thing.
And they accidentally take a very critical piece of information.
It's a spreadsheet, and they put it out into a public cloud repository.
And tools that Thales has and other vendors, you know, we would detect the criticality of
that file being put into a public cloud repository.
And we would essentially alert the SOC, the operation center that this has occurred.
We would have processes in place to immediately protect that file by encrypting it.
So we would basically revoke access as well as encrypt that information.
And then there would be, you know, a little bit of learning that came from that so that that person would never make that mistake again.
I think that there is a little bit of a stigma about that.
The funny thing I was getting to, Dave, is when I show that video to folks, after I get done showing the video, a lot of people raised their hands and asked, did the person lose their job?
And my answer is, I don't think so.
I don't think the person should lose their job.
But I think in this case, it was a woman.
She made a mistake.
She moved a file in the wrong place.
We had the right controls in place as an organization to protect her and our organization.
And I think there is a little bit of training that comes following that to remind her not to do that again.
Now, if this is something that happens over, you know, multiple times and in different ways,
then perhaps there's other problems that we have there.
But I think that, you know, people making mistakes happen every day.
We have to admit that and how we'd handle those mistakes and respond to them.
I think is important, and the tools, the cyber tools, are available today to help with that.
What about for the security professional within the organization?
When these sorts of things are implemented, what are the changes that they will see in their day-to-day?
I think most large organizations already have risk management or they have security operation centers.
They're already looking at audit data.
they're already looking at databases that we talked about because they need to from a compliance
perspective. This is really just adding to that. It's really from a risk intelligence or a risk
analysis perspective, getting that insight across your networks, across all of your different
applications, storage, infrastructure, and then being able to detect where there might be a potential
issue, putting remediation plans in place and executing on this remediation plan. So I think
you asked about a security professional, I think this is what they've been doing in the security
world for a very long period of time. Unfortunately, it's been very focused on, you know, again,
databases, structured data and other parts, other risks. And with this explosion of unstructured
data in the advent of artificial intelligence and creating more and more unstructured data,
it's been a blind spot for many organizations. And I think now folks really have to take
account that there's critical data out there in those files and those images, video, and email,
and really start monitoring it like they were monitoring other data in their organization
in the past.
So it's an extension of what they're already doing today.
What are your recommendations then for folks who want to go down this path
and explore the possibilities for themselves?
What's the best way to get started?
Well, I think that we always use three or four words to describe a basic getting started
process. You know, it's discover, protect, control, and monitor. And so the first step is really
that visibility step, discovering what you have in your organization, who has access, what are
they accessing. And that is something that does take a little bit of time. You have to really
kind of do a discovery throughout your systems, understanding where things are going and how
things are moving from a data lineage perspective. But you can put the right sort of analysis
in place to get that initial visibility.
So once you have the discovery done,
then you understand where there's potential gaps
or places that are higher risk within your organization.
You put the appropriate protections in place.
In some cases, it's like we already said,
it's encrypting data that's very critical.
It might be encrypting drives and file systems,
web applications.
It may be tokenizing data.
It might be masking or maybe deleting data
if it doesn't belong in the places it is.
From a control perspective,
It's really managing the access and the control who has and what has access to that data
and making sure you have all the appropriate things in place.
And last but not least, it's that monitoring piece of continuously monitoring.
But to get started, and there was a lot of words there today, but to get started, you know,
companies like Thales, we have tools today.
We have a data security platform that supports all four of those elements.
And, you know, we really, we really encourage people not to ignore the fact that there's a lot of sensitive
data in their organization, as well as outside their organization, that they need to protect.
And making that first step through discovery is really that first step to get an idea of what
and where your problems are.
That's Todd Moore, Global Vice President of Data Security at Thales.
Did you lock the front door?
Check.
Close the garage door?
Yep.
Installed window sensors, smoke sensors, and HD cameras with night vision?
No.
And you set up credit card transaction alerts,
a secure VPN for a private connection,
and continuous monitoring for our personal info on the dark web?
Uh, I'm looking into it.
Stress less about security.
Choose security solutions from TELUS for peace of mind at home and online.
Visit telus.com slash total security to learn more.
Conditions apply.
You can get protein at home, or a protein latte at Tim's. No powders, no blenders, no shakers. Starting at 17 grams per medium
latte, Tim's new protein lattes, protein without all the work, at participating restaurants in Canada.
And finally, two self-styled white hats, BobDaHacker and BobTheShoplifter, say they uncovered security so flimsy at Restaurant
Brands International that even a soggy napkin might have put up more resistance. RBI, the parent
company of Burger King, Tim Hortons, and Popeyes, runs systems across over 30,000 restaurants
worldwide, and according to the Bobs, every one of those systems could be exploited with
laughable ease. Among the goodies they claim to have found: passwords hard-coded into HTML,
a sign-up-for-anyone API, and drive-thru tablets that politely accepted "admin" as the password.
Once inside, they could edit employee accounts, order equipment, and even eavesdrop on raw drive-thru audio,
including the occasional personal detail slipped in between orders of fries and nuggets.
The Bobs insist they followed responsible disclosure, keeping customer data safe.
RBI, however, apparently didn't acknowledge their report.
The final jab from the Bobs, a simple verdict in their blog's closing line: Wendy's is better.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason
and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
You know,