CyberWire Daily - From cryptomixers to recipe mixers.

Episode Date: December 1, 2025

European authorities take down an illegal cryptomixer. An Australian man is sentenced for running an airport evil twin WiFi campaign. Researchers unmask a Scattered LAPSUS$ Hunters impresario. CISA flags a cross-site scripting flaw in OpenPLC ScadaBR. A major South Korean retailer suffers a data breach affecting over 33 million customers. Threat actors abuse digital calendar subscription features. New York's new hospital cybersecurity mandates may raise the bar nationwide. Scammers target Cyber Monday shoppers. Monday business brief. Ann Johnson speaks with Microsoft's Amy Hogan-Burney on the Afternoon Cyber Tea segment. Google gets caught reheating someone else's holiday recipe.

Afternoon Cyber Tea segment

Afternoon Cyber Tea host Ann Johnson speaks with Amy Hogan-Burney, Corporate Vice President of Customer Trust and Security at Microsoft, about how Microsoft is redefining global cyber defense. Ann and Amy discuss Microsoft's evolving approach to combating global cybercrime and the importance of collaboration across the private and public sectors. You can listen to their full conversation here and catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.

Selected Reading

Cryptomixer crypto laundering service taken down by law enforcement (Help Net Security)
Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison (Bleeping Computer)
Meet Rey, the Admin of 'Scattered Lapsus$ Hunters' (Krebs on Security)
U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog (Security Affairs)
Data breach hits 'South Korea's Amazon,' potentially affecting 65% of country's population (The Record)
Threat Actors Exploit Calendar Subscriptions for Phishing and Malware (Infosecurity Magazine)
New York Hospital Cyber Rules to 'Raise the Bar' Nationwide (GovInfo Security)
Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday (Hackread)
Guardio secures $80 million in new funding. (N2K Pro Business Briefing)
Google deletes X post after getting caught using a 'stolen' AI recipe infographic (Bleeping Computer)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. AI agents are now reading sensitive data, executing actions, and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barack Shalef from Oasis Security on Wednesday, December 3rd, at 1 p.m. Eastern for a live discussion on agentic access management and how to secure non-human identities without slowing innovation. Can't make it live? Register now to get on-demand access after the event. Visit events.thecyberwire.com. That's events, with an s, dot thecyberwire.com to save your spot. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up.
Starting point is 00:01:12 Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs. From wired and wireless to routing, switching firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters.
Starting point is 00:01:58 helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire. European authorities take down an illegal cryptomixer. An Australian man is sentenced for running an airport evil twin Wi-Fi campaign. Researchers unmask a Scattered LAPSUS$ Hunters impresario. CISA flags a cross-site scripting flaw in OpenPLC ScadaBR. A major South Korean retailer suffers a data breach affecting over 33 million customers. Threat actors abuse digital calendar subscription features. New York's new hospital cybersecurity mandates may raise the bar nationwide.
Starting point is 00:02:58 Scammers target Cyber Monday shoppers. We've got our Monday business brief. Ann Johnson speaks with Microsoft's Amy Hogan-Burney on the Afternoon Cyber Tea segment, and Google gets caught reheating someone else's holiday recipe. It's Monday, December 1st, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Monday and welcome back. For our U.S. listeners, I hope you had a lovely Thanksgiving
Starting point is 00:03:50 break. It's good to be back. Europol and Eurojust, working under Operation Olympia, seized three servers in Zurich and took control of the Cryptomixer.io domain late last month. The site now displays a warning that data tied to the service has been obtained and users may face investigation. Authorities collected more than 12 terabytes of information that could include logs capable of identifying customers. Europol says Cryptomixer operated on both the clear web and dark web, and was widely used by ransomware operators and other criminals to hide the flow of illicit funds.
Starting point is 00:04:32 Since 2016, it allegedly mixed more than 1.3 billion euros in Bitcoin. The takedown follows a similar 2023 operation against ChipMixer, which resulted in the seizure of servers, data, and millions in cryptocurrency. A 44-year-old Australian man received a seven-year prison sentence for running evil twin Wi-Fi networks to steal travelers' data on domestic flights and in airports in Perth, Melbourne, and Adelaide. Authorities say he used a Wi-Fi Pineapple device to clone legitimate SSIDs, luring users to a phishing page that captured social media credentials. He then accessed women's accounts to monitor messages and steal private images and videos. Forensic analysis found
Starting point is 00:05:25 thousands of intimate files, stolen credentials, and fraudulent Wi-Fi pages. After his equipment was seized in April 2024, he attempted to delete evidence and access confidential information from his employer's laptop. He later pleaded guilty to multiple cybercrime, theft, and evidence destruction charges. Australian authorities urge travelers to treat free Wi-Fi with caution and use VPNs. Scattered LAPSUS$ Hunters, the group linked to Scattered Spider, LAPSUS$, and ShinyHunters, has spent 2025 extorting major global companies after stealing data, often through social engineering campaigns that tricked victims into connecting malicious apps to Salesforce environments. The group's public face, calling himself Rey,
Starting point is 00:06:17 surfaced this week after Krebs on Security identified him as a 15-year-old from Amman, Jordan. Investigators connected multiple online identities through leaked passwords, info-stealer data, and posts across Telegram and breach forums where he was an administrator. SLSH recently launched its own ransomware as a service, ShinySp1d3r, which he helped release. He told Krebs he has been attempting to leave the group and claims to be cooperating with European law enforcement, although those details remain unverified. The revelation follows SLSH's ongoing recruitment of insiders and continued extortion activity targeting dozens of major corporations.
Starting point is 00:07:05 CISA has added a cross-site scripting flaw in OpenPLC ScadaBR on Windows and Linux to its Known Exploited Vulnerabilities catalog. Forescout reports that pro-Russian group TwoNet recently exploited the bug in an ICS/OT honeypot they mistook for a water plant, using default credentials, creating a Barlati account, and defacing the HMI login page. TwoNet continues to expand from DDoS into industrial targeting and access services. Federal agencies must patch the flaw by December 19th, and experts urge private organizations to follow suit.
Starting point is 00:07:47 South Korean retailer Coupang confirmed that personal details from 33 million customer accounts were compromised, prompting a formal apology and an emergency government meeting. Officials from the Ministry of Science and ICT warned of strict sanctions if safety measure violations are found. Coupang initially detected unauthorized access to 4,500 accounts in November, later revising the figure sharply upward. Exposed data includes names, contact details, addresses, and order histories, though payment information and passwords were not affected. Investigators are examining the possibility of an insider threat
Starting point is 00:08:30 with reports pointing to a former Chinese employee, although police have not confirmed this. The breach follows major incidents at SK Telecom and Lotte Card and has renewed concerns about structural weaknesses in South Korea's data protection regime. Researchers from Bitsight warn that threat actors are abusing digital calendar subscription features to push harmful content directly onto users' devices. Calendar subscriptions let third-party servers add events and notifications,
Starting point is 00:09:03 and attackers are exploiting expired or hijacked domains to deliver deceptive calendar files containing malicious links, attachments, or phishing content. Bitsight's sinkhole investigation began with a single suspicious German holiday calendar domain receiving 11,000 daily unique IP connections, then expanded to 347 related domains contacted by roughly 4 million unique IPs per day. Many of these requests appear to be background syncs from long-established subscriptions, meaning anyone who takes over an expired domain could silently inject new events. Bitsight says this highlights a major blind spot in personal and corporate security, as calendar subscriptions lack the protections applied to email
Starting point is 00:09:51 and other communication channels. New York's new hospital cybersecurity mandates will likely influence security expectations well beyond the state, according to Chris Stucker, Deputy CISO at Froedtert ThedaCare Health. The rules, effective October 1st, require multi-factor authentication, formal risk analysis, incident response planning, and a designated qualified CISO. Stucker says the 72-hour incident reporting rule is straightforward, but the CISO requirement will have nationwide effects, given the shortage of experienced leaders. He predicts insurers will soon ask hospitals whether they follow New York's model,
Starting point is 00:10:34 pushing others to align. Stucker adds that New York facilities may begin recruiting CISOs from other states, affecting the broader workforce. He also highlights emerging safe harbor protections elsewhere and says Froedtert ThedaCare is focused on identity, modernization, and zero-trust products. CloudSEK has uncovered a massive holiday season scam involving more than 2,000 fake online stores
Starting point is 00:11:02 designed to steal shoppers' money and personal information during peak events like Cyber Monday. The firm identified two major clusters, one linking over 750 sites, including 170 Amazon impersonators using identical banners and urgency timers, and another group of more than 1,000 .shop domains spoofing brands such as Apple, Samsung, Dell, and Ray-Ban. All load resources from shared infrastructure, revealing a coordinated operation. Victims are funneled to shell checkout pages that harvest payment data, often routed
Starting point is 00:11:40 through China-based hosts. CloudSEK estimates each fake site could net thousands of dollars before takedown. Researchers warn these scams could significantly erode trust in e-commerce and urge shoppers to avoid deals that seem unreal, suspicious domains, aggressive urgency tactics, and stores with identical templates. Turning to our Monday business brief, cybersecurity investment and M&A activity accelerated this past week across sectors spanning consumer protection, offensive security, product security, identity,
Starting point is 00:12:17 AI risk, and observability. Israeli consumer security firm Guardio raised $80 million, led by Ion Crossover Partners, to expand its detection engine, AI-era protection layers, and global go-to-market efforts. Offensive security startup Twenty emerged from stealth with $38 million and a Pentagon contract, while product security company Clover secured $36 million to double its workforce. Method Security raised $26 million to scale its autonomous cyber platform for government and critical enterprises, and identity startup Opti emerged with $20 million for product expansion. AI procurement platform cover base collected $20 million.
Starting point is 00:13:05 AI agent security firm Vigil raised $17 million and Runlayer secured $11 million. M&A included Palo Alto Networks' $3.35 billion acquisition of Chronosphere to pair observability with autonomous AI remediation, plus deals by Red Squid, Zorient, Amplix, and Keycard, which acquired Roonbook to expand its AI agent ecosystem. Be sure to check out our CyberWire business brief over on our website, thecyberwire.com. It's part of CyberWire Pro. Coming up after the break, Ann Johnson speaks with Microsoft's Amy Hogan-Burney on the Afternoon Cyber Tea segment, and Google gets caught reheating someone else's holiday recipe.
Starting point is 00:14:02 Stay with us. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A.com slash cyber. AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations.
Starting point is 00:15:34 That's why Black Kite created the BK-G-A-3 AI Assessment Framework, to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com. On today's excerpt from the Afternoon Cyber Tea podcast, Microsoft's Ann Johnson speaks with Amy Hogan-Burney, corporate vice president of customer trust and security at Microsoft. They're discussing how Microsoft is redefining global cyber defense.
Starting point is 00:16:30 Today I'm excited to be joined by a wonderful Microsoft colleague, Amy Hogan-Burney. Amy is corporate vice president of customer security and trust at Microsoft, where she leads global efforts to protect customers and build digital trust. Amy, how did you get started in cybersecurity and what has kept you engaged? I'm in cybersecurity by accident. I went to law school because I was an engineer and I thought I wanted to be a patent attorney. I was so bored. I just could not do it.
Starting point is 00:17:04 But working on spent nuclear fuel cases led me to a job at the FBI. I rotated through lots of jobs, including a job at DOJ that involved cyber. And that just started a journey across all cyber work. I accidentally stumbled into cyber because it just became my calling. And that's how I ended up here at Microsoft. One of the things that's changed the most is just how fast we are moving. The scope and the scale of the networks is much bigger. The disruptions, we call them advanced persistence of disruptions now. There's no way that we are disrupting these networks in totality. We have to think completely differently about how we are working. What's the same? The same is the human element.
Starting point is 00:18:05 And what I mean by that is social engineering is still one of the biggest problems, one of the biggest ways that cyber criminals and nation state actors get into systems. I think that's exactly right. The global scale of attacks is something that we're certainly seeing increasing, but there always will be a human element in cybersecurity, which brings me to your team generates, and I want to give you full credit for this, because folks don't always know where it comes from, but your team works very hard to publish the Microsoft Digital Defense Report.
Starting point is 00:18:38 We just published the sixth annual edition. And this is really a cornerstone for the industry. For this report, we really felt like as AI is advancing, it is more important than ever that people understand that the basics for hardening your system and for being resilient, are more important than they have ever been. Because of the advances that we are seeing, you must take all necessary steps right now. My hope for this MDDR is that everyone will take the report,
Starting point is 00:19:20 they will use it, and a year from now it will be like a checklist. I'm hoping that a year from now we actually see differences in the data and that we see changes and that actually everyone does talk to people, at the board level, that we do have people actively working to defend their perimeter, that we really have people prepare for the regulatory changes that are coming, and that really we have the basics done because of the advances that we are seeing in AI. I want to talk about the landscape from the perspective of international collaboration, cyber, from a practical operational partnership standpoint, can you give us your point of view on what
Starting point is 00:20:02 international collaboration is and why it is so important? Microsoft's Digital Crimes Unit has been around for more than a decade. They partnered with the Japan Cybercrime Control Center and with the Indian federal law enforcement, and they were able to disrupt a widespread tech support scam that originated from Indian call centers. The generative AI was used to impersonate Microsoft and mass-produce malicious pop-ups. And I think the Digital Crimes Unit looking for creative ways to partner with law enforcement and to look for ways to protect the most vulnerable is incredibly important. So can you talk about cyber diplomacy? I don't think that a lot of our listeners are that familiar with that term.
Starting point is 00:20:50 I know your team is heavily engaged. What role does the private sector play in the term cyber diplomacy and what does cyber diplomacy actually mean? I don't think we spend enough time talking about cyber diplomacy. And I think it's incredibly important in this digital age. As nations operate in the digital space and as we see nation state actors increasingly using the digital space, both for, I think, espionage and potentially for pre-positioning in the event of a kinetic war, as we saw in Ukraine, we need to think about what kind of rules and norms that we should have, because we have to make sure that we have a stable and secure operating system. The private sector holds the vast amount of critical infrastructure. And so we need to make sure that we are preventing conflict
Starting point is 00:21:56 online in the same way that you would use traditional diplomacy to prevent conflict on land. I'd love to hear what you were optimistic about when it comes to the future of cybersecurity. I am so optimistic because of the people that I work with every single day, that the talent that we have here and that I see in my travels around the world, it just makes me incredibly optimistic. And I am so optimistic because I see that talent being used with the innovation, with the age of AI. It is just incredible. The combination of those two things, I just think makes me incredibly optimistic. Be sure to check out the complete Afternoon Cyber Tea podcast right here on the N2K CyberWire Network and wherever you get your favorite podcasts.
Starting point is 00:22:54 On December 12, Disney Plus invites you to go behind the scenes with Taylor Swift in an exclusive six-episode docu-series. I wanted to give something to the fans that they didn't expect. The only thing left is to close the book. The end of an era. And don't miss Taylor Swift: The Eras Tour, the final show, featuring for the first time The Tortured Poets Department.
Starting point is 00:23:31 Streaming December 12th, only on Disney Plus. And finally, Google spent the week discovering that family recipes generated by AI sometimes look suspiciously like someone else's family recipes. A NotebookLM promo on X, formerly Twitter, showcased a cozy infographic for classic buttery herb stuffing, only for users to notice it matched a How Sweet Eats blog post, almost ingredient for ingredient.
Starting point is 00:24:13 Google deleted the post with the same enthusiasm one deletes burnt stuffing, and moved on. Microsoft recently suffered a similar embarrassment. All this arrives as Google tests ads inside AI-generated answers, blurring the line between citations and sponsored links. OpenAI is experimenting with ads, too,
Starting point is 00:24:43 suggesting the future of helpful AI answers may look a lot like the Internet's old business model, only with more cheerful recipe cards. A quick programming note. Our team was invited by the NATO Cyber Coalition to cover their 2025 cyber range exercise. Stay tuned for our coverage from the event later this week, where we were one of three podcasts invited
Starting point is 00:25:14 and the only one based in the U.S. Our T-Minus Space Daily host, Maria Varmazis, and N2K producer Liz Stokes, are on the ground in Tallinn, Estonia. Stay tuned. And that's the CyberWire. For links to all of today's stories,
Starting point is 00:25:29 check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights
Starting point is 00:25:48 that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben.
Starting point is 00:26:15 Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
