CyberWire Daily - Brute force break-in.
Episode Date: September 18, 2025

SonicWall confirms a breach in its cloud backup platform. Google patches a high-severity zero-day in Chrome. Updates on the Shai-Hulud worm. Chinese phishing emails impersonate the chair of the House ...China Committee. The UK's NCA takes the reins of the Five Eyes Law Enforcement Group. RevengeHotels uses AI to deliver VenomRAT to Windows systems. A major VC shares details of a recent ransomware attack. A lawsuit targets automated license plate readers. Our guest is Brock Lupton, Product Strategist at Maltego, discussing the human side of intelligence work. From mic check to malware, a crypto phishing story.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today on our Industry Voices segment, we are joined by Brock Lupton, Product Strategist at Maltego, discussing the human side of intelligence work. You can hear the full conversation with Brock here.

Selected Reading
SonicWall MySonicWall platform breached, firewall config files exposed (Beyond Machines)
Google patches sixth Chrome zero-day exploited in attacks this year (Bleeping Computer)
"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Palo Alto Networks)
China-backed attackers spoof Congressman for US trade data (The Register)
NCA Singles Out "The Com" as It Chairs Five Eyes Group (Infosecurity Magazine)
New RevengeHotels attack targets Windows with VenomRAT (SC Media)
VC Firm Insight Partners Notifies Victims After Ransomware Breach (Infosecurity Magazine)
Police cameras tracked one driver 526 times in four months, lawsuit says (NBC)
Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer (HackRead)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Think your certificate security is covered?
By March 26, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk.
Scan for vulnerabilities, streamline operations, scale security.
Visit CyberArk.com slash 47day. That's CyberArk.com slash the numbers 4-7-D-A-Y.
SonicWall confirms a breach in its cloud backup platform. Google patches a high-severity zero-day in Chrome.
Updates on the Shai-Hulud worm.
Chinese phishing emails impersonate the chair of the House China Committee.
The UK's NCA takes the reins of the Five Eyes Law Enforcement Group.
RevengeHotels uses AI to deliver VenomRAT to Windows systems.
A major VC shares details of a recent ransomware attack.
A lawsuit targets automated license plate readers.
Our guest is Brock Lupton, product strategist at Maltego, discussing the human side of intelligence work.
And from mic check to malware, a crypto phishing story.
It's Thursday, September 18, 2025. I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
SonicWall has confirmed a breach in its MySonicWall cloud backup platform.
Attackers launched brute-force attacks against its API service, gaining access to firewall configuration files.
Those files may include network maps, VPN credentials, API keys, encrypted passwords, and firewall rules.
While SonicWall says fewer than 5% of firewalls are affected, it hasn't shared exact numbers.
If you use SonicWall with cloud backup, check your MySonicWall account.
If your devices are flagged, you need to reset all passwords, keys, and shared secrets, not just on your firewall, but also with ISPs, dynamic DNS providers, VPN peers, and LDAP or RADIUS servers.
SonicWall has shut down the attack vector and is working with law enforcement.
Google has issued emergency patches for a high-severity zero-day in Chrome's V8 JavaScript engine.
It's the sixth exploited zero-day fixed in Chrome this year.
Google confirmed the flaw has a public exploit,
a strong sign of active abuse, often linked to state-backed spyware campaigns
targeting high-risk individuals.
The issue was reported by Google's Threat Analysis Group and patched within a day.
Users are urged to update Chrome immediately.
Yesterday, we shared news of a new self-replicating worm dubbed Shai-Hulud that has compromised over 180 packages, including the popular @ctrl/tinycolor library.
The malware spreads automatically by stealing developer credentials, publishing malicious code to npm, and creating GitHub repos that expose stolen secrets.
Harvested data includes API keys, cloud credentials, GitHub tokens, and SSH keys, potentially enabling ransomware, crypto mining, and cloud data theft.
Analysis from Palo Alto Networks Unit 42 indicates a large language model likely helped generate the malicious Bash script, based on unusual comments and emojis in the code.
The worm currently targets Linux and macOS systems.
Developers are urged to rotate all credentials, audit dependencies, review GitHub accounts, and enforce MFA immediately.
This incident highlights the escalating risk of AI-assisted malware and the growing speed of CI/CD-driven supply chain compromises across open-source ecosystems.
Proofpoint has uncovered a new Chinese state-aligned cyber campaign targeting U.S. government agencies, think tanks, law firms, and academics focused on trade policy.
The activity is attributed to TA415, also known as APT41, Wicked Panda, and Brass Typhoon.
Attackers used phishing emails themed around U.S.-China economic relations, sometimes impersonating Representative John Moolenaar, chair of the House China Committee.
The emails invited recipients to closed-door briefings, with malicious attachments delivering a Python loader called WhirlCoil.
Instead of noisy malware, the group leaned on Visual Studio Code Remote Tunnels and legitimate cloud services like Google Sheets and Zoho WorkDrive for persistence and command and control.
The campaigns ran during summer trade negotiations, suggesting a clear intelligence-gathering motive.
The findings echo a recent congressional advisory about ongoing Chinese phishing operations.
Together, they highlight Beijing's continued push for insights into U.S.-China economic strategy and its willingness to use stealthy, creative methods.
The U.K.'s National Crime Agency will chair the Five Eyes Law Enforcement Group for the first time since 2015, pledging to use the alliance to disrupt cybercrime, money laundering, and online child sexual abuse.
The Five Eyes Law Enforcement Group, or FELEG, unites major policing bodies, including the FBI, DEA, AFP, RCMP, and New Zealand Police.
A key target is The Com, the loosely connected network of online groups spreading violent, extremist, and child abuse material, often run by young men on gaming platforms and messaging apps.
These groups are also tied to major cybercrime outfits like Scattered Spider, ShinyHunters, and Lapsus$, linked to high-profile data thefts and extortion campaigns against global retailers and fashion brands.
NCA director Graeme Biggar stressed that international cooperation is vital as criminals exploit new technologies, highlighting successes such as the LockBit ransomware takedown as proof of what joint action can achieve.
RevengeHotels, also known as TA558, is using AI-generated loader scripts plus JavaScript and PowerShell downloaders to deliver VenomRAT to Windows systems.
Targets include hotel reservation and HR inboxes, lured with overdue invoice or job application links that redirect to fake document portals.
Visiting the site auto-downloads an AI-crafted WScript.js that drops a PowerShell loader leading to VenomRAT execution.
The RAT hardens itself, kills debuggers and forensic tools, drops a VBS for persistence, elevates its privileges, spreads via removable media, and erases Windows event logs.
Insight Partners, a major venture capital firm, disclosed more details of a 2024 ransomware attack affecting over 12,000 individuals.
The breach began in October '24 but was only detected in January of this year, when attackers exfiltrated data and encrypted servers after a social engineering attack.
Stolen information may include banking, tax, employee, and limited partner data.
Victims face risks of identity theft and are offered free protection services.
Experts warn VC firms are prime targets due to their sensitive financial and portfolio data.
A lawsuit in Norfolk, Virginia has revealed the extent of surveillance by Flock Safety's license plate readers.
Between February and July of this year, 176 cameras tracked retired veteran Lee Schmidt 526 times, about four times per day, and co-plaintiff Crystal Arrington 849 times, averaging six logs a day.
Norfolk struck a $2.2 million deal with Flock, whose ALPR network spans 5,000 police agencies, 1,000 businesses, and homeowners associations nationwide.
The plaintiffs, backed by the Institute for Justice, argue warrantless tracking violates the Fourth Amendment and are seeking to disable Norfolk's system.
Flock, however, cites case law supporting ALPR use as public point-in-time photography.
Civil liberties advocates warn the technology amounts to mass surveillance, with potential risks if data is shared across jurisdictions or accessed by federal agencies such as ICE.
Coming up after the break, my conversation with Brock Lupton, product strategist at Maltego.
We're discussing the human side of intelligence work.
And from mic check to malware, a crypto phishing story.
Stick around.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition,
textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
We've all been there. You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed. Indeed's sponsored jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first. And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit
to get your jobs more visibility at Indeed.com slash Cyberwire.
Just go to Indeed.com slash Cyberwire right now
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash CyberWire.
Terms and conditions apply. Hiring? Indeed is all you need.
Brock Lupton is product strategist at Maltego, and in today's sponsored Industry Voices segment, we discuss the human side of intelligence work.
Increasingly, there's this emphasis on automation and tools, and, you know, we're being inundated with large language models and machine learning and artificial intelligence, and AGI is going to appear at any moment and take away all our jobs.
But I think that's a lot of noise.
At the end of the day, like, we're talking about intelligence. We're talking about open source intelligence or online investigations. It's a human thing.
Like, it always comes back to, typically, you're looking at some kind of criminal activity or something that a human has done, and it takes another human to look at that situation and have, you know, maybe the insight and the intuition to ask why things happened the way they did, or to tease apart the different aspects of the case that they see, you know?
Like, the machines can't solve those problems yet.
Like, we still need someone who's critically thinking about what's going on and asking, why did these things happen and what does this mean?
I think it's a really interesting point.
And this whole notion that we have sometimes just a gut feeling
and for people to have the freedom to pursue that,
to chase that down, as you say,
it seems to me is something that can get lost in automation.
What you see online as well, you know, like there's a lot of, this is a common, I think, message that's coming out of the open source intelligence community right now as we speak.
And I think it's really good to see that happening.
And there are a lot of voices, I think, saying the same thing.
Because we're in this space now where there's a lot of clout chasing, you know, like there are a lot of these self-proclaimed OSINT experts on the internet, on Twitter or X, whatever.
Trying to jump on the story right away, you know, something happened.
I'm going to get this "analysis," in quotes, out to the world right away.
It's all this clout chasing.
And it's just like, it's just making noise.
Like, there's no critical thought, there's no analysis, there's no actual, as some people would say, there's no tradecraft that's been applied to that, you know? There's no deep thought, sitting there quietly thinking about why these things are happening, what do they mean. Like, it's an interesting time to be in right now.
And what's the potential peril of that, of people, can I say, putting out their hot takes, right? Like, how does that hurt us as an OSINT community?
Those things get amplified, you know, like people
jump on that and it just
creates noise in the environment.
We see it can spread to
politics where you have
people in positions
of power that are suddenly
amplifying and promulgating
false narratives that have come out
of, you know, like weird interpretations
of events happening.
I mean, it even, you know, there's this dead
internet theory that the internet is all
completely filled with automatons and bots.
And it feeds into that, you know, it creates this noise environment
where it's hard to find out what the truth actually is.
And I mean, that goes back to saying that this is a human endeavor, right?
Like, it just increases the importance and the need for critical thought.
What role does curiosity and healthy skepticism play in good OSINT work?
I think that curiosity is, you know, like one of the number one attributes that you should bring into that kind of work: asking why, constantly asking why, and being skeptical about what you see, because, you know, like the information that can be presented or the information that you find can be overwhelming, you know, and you don't know what the provenance of it may be. You don't know where it's come from.
And having that kind of innate, I mean, I would call that investigative mindset, you know, like the ability to maybe harness innate curiosity and skepticism and kind of relentlessly pursue leads to find out where that kernel of actual truth is, you know, like going down every lead, following every rabbit hole, and figuring out, you know, how do these things connect, do they actually connect,
is important.
That's kind of critical.
Without that, you know, you're just another robot, I guess, at the end of the day.
You might just be like making assumptions and jumping to conclusions without actually actively questioning them.
And it doesn't result in intelligence.
It's just data and information being regurgitated.
Well, for you personally, how do you train or sharpen those investigative instincts?
For me personally, or for teams that I've worked with, you know, we spend a lot of time talking about these very subjects, you know, having these conversations about, as boring as it might sound, like talking about critical thinking and talking about our biases, spending a lot of time reading, you know, a variety of different types of literature, having conversations with other practitioners.
I've been really lucky in that I have
almost a mentor, I guess, but a good friend who's, you know, a long-time investigator here in Canada,
50 years of experience, who has spent a lot of time doing online investigations, and having
somebody like that that you can talk to who has, you know, finally honed investigative instincts
is super helpful. And, you know, they call you out. Having a person like that around can
help you because that person will call you out. They'll question why you're coming to conclusions,
you know, and that's a good habit to pick up
and a good thing to pass on to other people
and it's good to kind of cultivate friends like that
that will question your assumptions
and, you know, question your conclusions.
Yeah. I'm curious, you know,
I can imagine folks saying, you know,
Brock, this is all great and curiosity and skepticism
and the personal touch for OSINT is absolutely appropriate.
But it's also really hard to scale.
And we've got so much information coming at us,
that we need to rely on automation.
What's your response to that line of thinking?
I agree.
And it's not just because I work for a tool company,
but there's only so much you can do.
And investigations online are completely reliant on tools.
A browser is a tool.
A search engine is a tool.
But there's also huge amounts of data
that you need to process and acquire and do analysis on.
And there's only so much, you know, as you rightfully pointed out, there's only so much a human can do in that environment.
And so I think from my perspective, not relying on tools to do everything for you,
but finding those places where the tools can augment the things you need to do.
So if there's repetitive grinding work that has to be done, that you know, you could do it manually,
but you can make it happen almost instantaneously by using automation.
That's a good application of automation.
You know, it's like amplifying what the person can do to maybe highlight the things that they need to look at.
There's a risk with that as well because obviously automation that is producing massive amounts of data can also be completely overwhelming.
And then you have to figure out how to process and analyze that.
I think we're starting now to see that artificial intelligence or machine learning or whatever you want to call it is starting to maybe have some ability to clean up some of that data, and it's very interesting to cautiously find uses for those types of tools to help with that data overload, I guess.
That's how I look at things.
You know, it's that realistic, not depending on the tooling, but definitely using it intelligently to augment your process and augment your workflow in a way that makes sense and helps to amplify your abilities.
Is there an aspect of this of allowing for the reality that not every avenue is going to pay off, that sometimes someone's going to have a hunch and they're going to chase something down, and in the end it really just doesn't lead anywhere, but that's okay?
I guess I would say, like, encouraging people to make mistakes is what I would call that, you know, because that happens all the time.
Like, you go down rabbit holes, you find a piece of information that seems like it might make sense, and you chase it down, and you might spend hours or days chasing down leads that go nowhere.
You know, that's challenging, to overcome the feeling that that creates, you know, that you've wasted time.
But at the same time, that's what we want. Like, investigations take time. It's not this, like, fast-paced thing.
It can be. There are times where it can be, but, you know, inevitably that leads to mistakes,
and we don't want to put the wrong information into the people's hands
who are consuming the intelligence reports that we're producing, right?
So it's okay to go down those paths.
You also need to be able to cut your losses too
and to recognize that this is going nowhere
and I need to take a different tack.
Working in a team that helps, you know,
to have somebody looking at what you're doing and saying,
does this really make sense?
And questioning, you know, those,
questioning the assumption
or questioning the path that you're on.
Yeah.
What does success look like to you?
A well-running team who's balancing the human side of thing,
but also taking advantage of some automation.
Can you describe what the ideal is?
That's a really good question.
Having worked on a really well-running team with automation,
I think that everybody's happy.
You have to tell them to stop working.
You know, that's a good indicator. You have to tell them to stop. Like, you cannot continue
investigating these subjects when you're supposed to be off because you have to recover. You have to
relax. You have to get some downtime. You have to spend time with your family. You know, being
able to take on tasks to work with, you know, whoever's giving you the intelligence requirements
or the RFIs, whatever it might be, being able to work with them to develop and understand
their requirements, and then to be able to translate those into a plan, into a collection
process, gathering information, using tools maybe to help automate that information, whether
you know, it might involve scanning huge chunks of the internet to find certain pieces of
infrastructure, and then being able to process that information and glean the intelligence
out of it that you need to find, and then conducting that analysis on it and providing
it to the consumer at the end of the day, and having them say to you, you know, like, this is exactly what we're looking for.
Like, when all of that's working and running as a well-oiled machine, that's success, right?
Like, the team knows what they need to do, there might not be that many dead ends, they're working together like a well-oiled machine, they're using the tools to augment the work that they need to do, and it's a beautiful thing to see, you know, when it happens.
Yeah, it feels good too. It's fun. What's that, the dopamine hit of success, right?
Like, I actually achieved something here. Like, it's great.
That's Brock Lupton, product strategist at Maltego.
At Thales, they know cybersecurity
can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales. T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply.
Learn more at amex.ca.
And finally, in a story that hits uncomfortably close to home, it seems cybercriminals have decided that if you can't get on a podcast, you might as well pretend to host one.
A new phishing campaign is making the rounds in the crypto world, with attackers impersonating the popular Empire podcast to lure developers and influencers into exclusive interviews.
The pitch arrives via DMs, complete with fake flattery and calendar invites, but instead of market insights, the victims are nudged towards convincing lookalikes of platforms like StreamYard or Huddle, where they're told to download a desktop client.
Spoiler alert: it's not a client, it's AMOS Stealer, neatly wrapped in a DMG file.
Once installed, the malware dutifully rifles through credentials, cookies, and crypto wallets, handing them over to cybercriminals for resale.
This scheme follows hot on the heels of August's fake CoinMarketCap journalist stunt, proving scammers are nothing if not creative.
Perhaps the moral is that not every podcast invitation is worth accepting, especially if it comes with a download link. Present company excepted, of course.
And that's the Cyberwire.
For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Attention security startups.
There's less than a week left to apply for the 2025 DataTribe Challenge.
This unique program accelerates early-stage cyber companies: refine your messaging with startup veterans, then pitch to top venture firms shaping the future of cyber.
The live pitch competition takes center stage at Cyber Innovation Day, November 4th in Washington, D.C.
Applying is easy. Go to challenge.datatribe.com, share your company info, and upload your pitch.
Submissions close September 19th. Submit your
entries today.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.