CyberWire Daily - Espionage in the airwaves.

Episode Date: September 23, 2025

The Secret Service dismantles an illegal network. Jaguar Land Rover (JLR) extends the shutdown of its production plants. The EU probes tech giants over online scams. Iranian APT Nimbus Manticore expands operations in Europe. North Korean Kimsuky deploys a shortcut-based espionage campaign. GitHub and Ruby Central roll out supply-chain security upgrades. LastPass warns of a macOS ClickFix campaign using fake GitHub repos. AT&T's CISO warns hackers mimic Salt Typhoon's unconventional tactics. CISO Perspectives host Kim Jones previews the upcoming season. An attorney pays $10K for AI hallucinations.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
CISO Perspectives host Kim Jones previews the upcoming season, sharing what's ahead for listeners. From leadership challenges to the evolving role of the CISO, Kim highlights the conversations and insights you can expect this season. You can check out the season opener here.

Selected Reading
Cache of Devices Capable of Crashing Cell Network Is Found Near U.N. (The New York Times)
Secret Service Disrupts Threat Network Near UN General Assembly (YouTube)
JLR extends shutdown – again – as toll on workers laid bare (The Register)
The EU is scrutinizing how Apple, Google, and Microsoft tackle online scams (The Verge)
Nimbus Manticore Deploys New Malware Targeting Europe (Check Point Research)
Kimsuky attack disguised as sex offender notice information (Logpresso)
GitHub tightens npm security with mandatory 2FA, access tokens (Bleeping Computer)
NPM package caught using QR Code to fetch cookie-stealing malware (Bleeping Computer)
LastPass: Fake password managers infect Mac users with malware (Bleeping Computer)
Telecom exec: Salt Typhoon inspiring other hackers to use unconventional techniques (CyberScoop)
Attorney Slapped With Hefty Fine for Citing 21 Fake, AI-Generated Cases (PCMag)

Share your feedback
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. AI adoption is exploding, and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI conference, the premier event for cybersecurity data and AI leaders, hosted by data security leader Cyera. Built by the industry, for the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.
Starting point is 00:00:49 The Secret Service dismantles an illegal network. Jaguar Land Rover extends the shutdown of its production plants. The EU probes tech giants over online scams. Iranian APT Nimbus Manticore expands operations in Europe. North Korean Kimsuky deploys a shortcut-based espionage campaign. GitHub and Ruby Central roll out supply chain security upgrades. LastPass warns of a macOS ClickFix campaign using fake GitHub repos.
Starting point is 00:01:34 AT&T's CISO warns that hackers are mimicking Salt Typhoon's unconventional tactics. CISO Perspectives host Kim Jones previews his upcoming season, and an attorney pays 10 grand for AI hallucinations. It's Tuesday, September 23rd, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. The Secret Service announced it dismantled a
Starting point is 00:02:28 clandestine communications network in the New York region that was capable of disabling the cellular system as world leaders gathered for the UN General Assembly, the New York Times reports. Investigators seized more than 100,000 SIM cards and 300 servers across multiple sites within 35 miles of UN headquarters. Officials said the system could send 30 million texts per minute anonymously, disrupt emergency services, and support encrypted communication. Analysis has already revealed ties to at least one foreign nation and links to known criminals, including cartel members. While there's no evidence it directly threatened the UN conference, experts suggested the scale and sophistication point to state-backed espionage.
Starting point is 00:03:20 The operation followed threats made to senior U.S. officials earlier this year. Multiple agencies are now investigating, with officials warning similar networks may exist elsewhere. Special Agent in Charge of the New York Field Office Matt McCool had this to say. The investigation led us to the New York Tri-State area, where investigators discovered tens of thousands of co-located and networked cellular devices capable of carrying out nefarious telecommunications attacks. These devices allowed anonymous encrypted communications between potential threat actors and criminal enterprises, enabling criminal organizations to operate undetected. This network had the potential to disable cell phone towers
Starting point is 00:04:05 and essentially shut down the cellular network in New York City. These devices were concentrated within 35 miles of the global meeting of the United Nations General Assembly now underway in New York City. Given the timing, location, and proximity and potential for significant disruptions to the New York telecom system, we moved quickly to disrupt this network.
Starting point is 00:04:28 To be clear, these recovered devices no longer pose a threat to the New York Tri-State area. We will continue working towards identifying those responsible and their intent, including whether their plan was to disrupt the UN General Assembly and communications of government and emergency personnel during the official visit of world leaders in and around New York City. That's Special Agent in Charge of the New York Field Office Matt McCool. Jaguar Land Rover has extended the shutdown of several of its plants until at least October 1st, leaving production idle for a month following a major cyber attack. The company, working with the UK's National Cyber Security Centre and law enforcement,
Starting point is 00:05:13 says it's prioritizing a safe restart, but the disruptions could cost an estimated $2.9 billion in revenue and $202 million in profits. Reports suggest JLR may lack adequate cyber insurance, potentially deepening losses. The crisis has triggered layoffs in its supply chain, which employs more than 100,000 workers, raising concerns for local businesses that depend on the plants. Experts warn that without emergency government support, the prolonged disruption could be one of the worst crises in JLR's history.
Starting point is 00:05:51 The European Union is pressing Apple, Google, Microsoft, and Booking to prove they're doing enough to stop online scams. Regulators issued formal information requests under the Digital Services Act, focusing on fraudulent apps, manipulated search results, and fake accommodation listings. The inquiry highlights growing concern about criminal activity online and could open the door to official investigations. If found lacking, the companies risk fines of up to 6% of global annual revenue. Check Point Research reports that Iranian threat actor Nimbus Manticore, also tracked as UNC1549 and Smoke Sandstorm, is intensifying attacks on European defense, telecom, and aviation sectors. Recent campaigns target Denmark, Sweden, and Portugal, with spear-phishing from fake recruiters directing victims to fraudulent career portals. Each target receives unique credentials,
Starting point is 00:06:56 enabling precise victim tracking and strong operational security. The group employs a sophisticated DLL side-loading chain, deploying evolving tools like the MiniJunk backdoor and MiniBrowse stealer. These payloads leverage valid code-signing, obfuscation, and multi-stage side-loading to evade analysis. Nimbus Manticore's activity reflects nation-state tradecraft, stealthy delivery, resilient infrastructure, and custom implants like MiniBike, which continues to evolve. Analysts warn this campaign signals a mature, well-resourced adversary aligned with Iran's strategic priorities. Researchers at Logpresso report that in July 2025, North Korea-linked threat actor Kimsuky
Starting point is 00:07:46 launched a new espionage campaign using malicious shortcut files. The operation spreads through compressed archives disguised as official or sensitive documents, luring victims to execute hidden shortcuts. These trigger an executable which retrieves encrypted payloads from command and control servers, then installs multi-stage scripts and DLLs. The malware harvests browser data, wallet extensions, Telegram sessions, certificate files, documents, and keystrokes, transmitting them in encrypted fragments.
Starting point is 00:08:21 It also maintains persistence, avoids virtual machines, and executes remote commands. Researchers note this attack demonstrates advanced tradecraft with obfuscation, encryption, and reflective DLL injection, enabling long-term access and intelligence collection. The campaign highlights Kimsuky's continued focus on covert surveillance and credential theft across multiple sectors. GitHub is introducing stricter defenses after multiple large-scale supply chain attacks,
Starting point is 00:08:54 including s1ngularity, GhostAction, and Shai-Hulud, which spread from GitHub to npm and compromised thousands of accounts. To reduce risk, GitHub will require two-factor authentication for local publishing, shorten token lifetimes, deprecate older authentication methods, and expand trusted publishing. These changes aim to minimize token misuse and strengthen publishing workflows. Meanwhile, Ruby Central is tightening governance of the RubyGems ecosystem following recent malicious gem campaigns, temporarily limiting admin access to staff while transitioning toward
Starting point is 00:09:35 a more transparent community-driven model. Together, the moves highlight growing recognition that ecosystem security requires both stronger platform safeguards and active developer participation. Documentation and migration guides will accompany GitHub's rollout to ease adoption. In related news, researchers at Socket Threat Research discovered a malicious npm package named fezbox that used QR codes to deliver cookie-stealing malware. Masquerading as a utility library, the package fetched a JPEG image containing a dense QR code, which unpacked an obfuscated payload.
Starting point is 00:10:17 The malware targeted credentials stored in cookies, then exfiltrated usernames and passwords via HTTP. To evade detection, the code reversed embedded URLs and strings. Before removal, fezbox was downloaded at least 327 times, highlighting continued supply chain risks in open-source ecosystems. LastPass is warning of a campaign targeting macOS users through fake GitHub repositories impersonating more than 100 popular apps, including 1Password, Dropbox, Robinhood, and SentinelOne. The sites push Atomic Stealer malware through
Starting point is 00:10:57 ClickFix attacks, where users are tricked into pasting malicious commands into Terminal. Atomic Stealer, sold as malware-as-a-service, now includes a backdoor for persistent access. Attackers use search engine optimization and mass-created GitHub repos to evade takedowns and boost visibility. Victims who execute the curl-based command unknowingly install the payload. LastPass advises downloading software only from official vendor sites and warns that automated repository creation makes these attacks difficult to contain. The campaign highlights rising threats to macOS users from well-orchestrated supply chain deception. AT&T's Chief Information Security Officer warns that hackers are increasingly copying Salt Typhoon,
Starting point is 00:11:49 the Chinese group behind last year's telecom breaches. Speaking at Google's Cyber Defense Summit, Rich Baich said attackers now hunt for weak points outside traditional endpoint detection, exploit platforms without logging, and use living-off-the-land tactics with legitimate administrative tools. These methods, combined with careful evasion of forensic probes, make intrusions harder to detect. Former NSA cyber chief Rob Joyce added that stronger defenses in common technologies are forcing adversaries to innovate with chained exploits and stealthy tradecraft. Security leaders stress that defenders must adapt,
Starting point is 00:12:30 expanding protections beyond conventional endpoints, and anticipating how attackers may turn everyday tools into attack vectors. Coming up after the break, CISO Perspectives podcast host Kim Jones previews his upcoming season and an attorney pays 10 grand for AI hallucinations. Stick around. At Thales, they know cybersecurity can be tough and you can't protect everything.
Starting point is 00:13:18 But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S.
Starting point is 00:13:47 Learn more at thalesgroup.com/cyber. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party
Starting point is 00:14:43 risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business.
Starting point is 00:15:17 Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A-com slash cyber. It is always my pleasure to welcome back to the show Kim Jones. He is the host of the CISO Perspectives podcast, part of CyberWire Pro. Kim, welcome back. Always good to be here, Dave. How have you been?
Starting point is 00:15:56 I have been fine, thanks. And, you know, I was thinking about how quickly time has flown since you took the reins at CISO Perspectives. And you're heading into a new season here. Take us through the thought process of, as you were assembling, what your goals were for this new season of CISO Perspectives. Yeah. So I still am focused on taking some time to take the half step back that senior cyber leaders often don't have the time to take because we're dealing with the fire of the day, the week, the hour, et cetera. This time, when I looked at this season, if I were to put a tagline on it, I wanted to look at Brave New World, and with apologies to either Huxley or Shakespeare, depending on how far back you want to go for that reference.
Starting point is 00:16:50 And I sat back and said, okay, let's think about the pace of change in just the past five years. I mean, we all understand that change is the only constant out there, and we've seen massive amounts of changes just in my 35 years doing this. But just in the past five years, you start with a pandemic with COVID and forcing people to actually leave the office and work from home and having to figure out how we create security and compliance in environments that never envisioned having to work remotely or work from home. You have the aftermath of that in terms of the hybrid work environment, et cetera. For those keeping track on the buzzword bingo card, you have the emergence of AI within the environment and generative AI being pushed to agentic AI and what that can do for data analytics
Starting point is 00:17:41 within the environment, you have a resurgence of concern regarding privacy within the environment. As people who are very protective of their identities and the access to the data, we're seeing concerns rise regarding what can be done with that data, exacerbated by the processing power associated with AI. You add to this a change, and I'm not going to categorize this as good or bad, but a change in the perspective of the regulatory entities as well as the federal government regarding that data, what it can be used for, breaking down those silos, and potentially creating risk to individuals within the environment. We've seen some ripples of that risk happening. Around the corner, we've still got quantum coming. Remember when quantum was the big
Starting point is 00:18:35 buzzword we were talking and then all of a sudden AI came to the scene, but quantum is still there and it is still coming down the track. And the implications among other things regarding encryption are things that we need to think about. And then there's always fraud and scams within the environment. We've seen the numbers go up on fraud and it's not a matter of where we're necessarily reporting more, but we're seeing the potential impacts of that happening, whether that's linked to AI or not, or other factors, you know, it remains to be seen. And then we also have the struggle associated with the concept of identity online. One of the classes I teach for University of California, Berkeley, we're talking about that in terms of when we talk about
Starting point is 00:19:21 things like deepfakes within the environment, when we talk about some of the voice phishing that's going on, the vishing that's going on within the environment and the different types of vectors that have happened, we can see the potential for fraud increase. And that's just top of my head, Dave. And so how do we step back, look at each of these areas, learn a little bit more about each of these areas, and potentially figure out how we strategize to tackle them? Because again, and you and I've had this conversation, in many cases, strategize, with big air quotes, means how I deal with operational things around them versus truly be forward-looking three or four years out and prepare for that so that we're not reacting, but pro-acting, if you will, as these things come about. So those are some of the topics that I'm actually looking at this season.
Starting point is 00:20:16 And I'm bringing in, and this is going to be mutual learning, whereas last season I had some definite opinions as well as bringing in other experts to play point-counterpoint with me on that. These are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience. And for me to poke at a little bit and say, well, what about this? And have you thought about this so that we can really begin to get a handle on how we solve these problems? So it's going to be a fun season. No, it sounds like you've got your work cut out for you there. And I'm curious, you mentioned at the outset of kind of taking that half step back to be able to have the breathing room to ask these questions. Do you see yourself as the proxy for the person out in the audience to be able to have these conversations with the subject matter experts that you're going to invite on?
Starting point is 00:21:17 Yes, absolutely. That's why there's going to be less of me talking and setting up and more of a, hey, this is why this is probably something you ought to look at, very briefly, that I'm sitting there asking the questions that I would presume, if not hope, that my audience members would be asking if they had the privilege of talking to these guests. I was here in the studio earlier this week, and my Caveat co-host, Ben Yelin, was here. He said that he very much enjoyed the time he spent chatting with you. So he's on your guest list this year, yes? Not only is he on my guest list, he is my first guest of the season. So, episode one, which is talking about the shifting relationship of regulation and private sector for cyber under this new world order, what's that look like and what's that mean for us?
Starting point is 00:22:14 So he's kicking off the festivities. All right, terrific. Well, Kim Jones is host of the CISO Perspectives podcast. That is part of CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Kim Jones, thanks so much for joining us. Always a pleasure, Dave.
Starting point is 00:22:30 Thank you. That's Kim Jones, host of the CISO Perspectives podcast. You can find that right here on the CyberWire podcast network. His first episode of the season will be included in your CyberWire podcast feed. Beyond that, it's part of CyberWire Pro, which you can find out more about on our website. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data,
Starting point is 00:23:13 along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, your team won't just install the platform. They'll actually use it and connect the dots so fast, cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions, and security teams worldwide. See it in action now at maltego.com. With Amex Platinum, access to exclusive Amex pre-sale tickets
Starting point is 00:23:48 can score you a spot trackside. So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex. Pre-sale tickets for future events subject to availability and vary by race. Terms and conditions apply. Learn more at amex.ca/yamex. And finally, a California attorney has learned the hard way that AI isn't a substitute for reading the fine print, or in this case, the fine cases. Amir Mostafavi submitted an appeal brief in which 21 of 23 citations were either fabricated or misquoted, courtesy of his AI co-authors. Judge Lee Smalley Edmon was unimpressed, sanctioning him with a $10,000 fine, and a reminder that
Starting point is 00:24:38 lawyers must actually read their sources. Mostafavi, who admitted he hadn't fact-checked the AI's work, argued ignorance, but the court disagreed. While the judge noted there's nothing wrong with using AI in law, delegating due diligence to a chatbot is not a winning defense. The cautionary tale adds to a growing list of legal professionals discovering that hallucinated case law doesn't hold up in court. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:25:30 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
Starting point is 00:25:49 N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world.
Starting point is 00:26:36 Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
