CyberWire Daily - Hacktivists go galactic.
Episode Date: November 26, 2025

Report sheds light on cyber activity targeting space-related organizations during the Gaza War. Russian threat actor targets US civil engineering firm. FBI says $262 million has been stolen in account takeover scams this year. HashJack attack tricks AI browser assistants. London councils disrupted by cyberattacks. Russia's Gamaredon and North Korea's Lazarus Group appear to be sharing infrastructure. Canon says subsidiary was breached by Oracle EBS flaw. Dave Bittner was joined by Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing a deep dive on Akira ransomware. And Campbell's Soup CISO placed on leave following lawsuit.

CyberWire Guest
Dave Bittner was joined by Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing a deep dive on Akira ransomware. Learn more on Halcyon's threat actor profile of Akira, and how they fit into their latest Malicious Quartile Report.

Selected Reading
New Report Warns Space Sector Faces Rising Cyber Threats Amid Modern Conflicts (Orbital Today)
Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine (Arctic Wolf)
FBI says $262 million has been stolen in account takeover scams this year (IC3)
HashJack – Novel Indirect Prompt Injection Against AI Browser Assistants (Cato Networks)
Multiple London councils 'hit by cyber-attacks' (BBC)
London Cyberattacks Confirmed — Security Experts Issue Multiple Warnings (Forbes)
Russian and North Korean Hackers Forge Global Cyberattack Alliance (GB Hackers)
Canon Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack (Cyber Security News)
A Campbell Soup VP is on leave after secret recording appears to show him mocking 'poor' customers, '3D-printed chicken' (Business Insider)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI agents are now reading sensitive data, executing actions, and making decisions across our environments.
But are we managing their access safely? Join Dave Bittner and Barack Shalef from Oasis Security on Wednesday, December 3rd, at 1 p.m.
Eastern for a live discussion on agentic access management and how to secure non-human identities
without slowing innovation. Can't make it live? Register now to get on-demand access after the event.
Visit events.thecyberwire.com. That's events with an s.thecyberwire.com to save your spot.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes
your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster,
scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A-com slash cyber.
Report sheds light on cyber activity targeting space-related organizations during the Gaza war.
Russian threat actor targets U.S. civil engineering firm.
FBI says $262 million has been stolen in account takeover scams this year.
HashJack attack tricks AI browser assistants.
London councils disrupted by cyberattacks.
Russia's Gamaredon and North Korea's Lazarus Group
appear to be sharing infrastructure.
Canon says subsidiary was breached by Oracle EBS flaw.
Dave Bittner was joined by Cynthia Kaiser
SVP of the Ransomware Research Institute at Halcyon
sharing a deep dive on Akira ransomware
and Campbell's Soup CISO placed on leave following lawsuit.
Today is Wednesday, November 28th, and I'm your T-Minus Space Daily host, Maria Varmazis,
in for Dave Bittner, who is preparing for tomorrow's turkey feast.
Thank you for joining us for your Cyberwire Intel Brief.
We're starting today with a new report out of ETH Zurich that sheds light on a spike in
cyber activity targeting space-related organizations during the Gaza War. Researchers at the Center
for Security Studies tracked 237 cyber operations aimed at the space sector over the course of the
conflict, and here is the striking part. Only 11 of those incidents happened
before October 7th. According to the study, once the war began, hacktivist groups, mostly pro-Palestinian groups,
either emerged or significantly ramped up activity. And most of what they did was not subtle.
The bulk of these operations were DDoS attacks. One of the most frequent targets was the Israel Space Agency,
even though it does not operate satellites or maintain deep space infrastructure and has a pretty
limited attack surface. But because hacktivist campaigns often recycle huge lists of government-related
URLs, the agency became a recurring name on those target lists. The authors of the report say that
this is part of a broader pattern that we are seeing in modern conflict. Cyber operations
against space sector organizations are now a routine element of geopolitical escalation.
The Russia-aligned threat actor RomCom used SocGholish to breach a U.S.
civil engineering company that had done work for Ukraine, according to researchers at Arctic Wolf.
While SocGholish is operated by a criminal malware-as-a-service group, Arctic Wolf assesses with a
medium-to-high confidence level that Russia's GRU Unit 29155 is utilizing SocGholish to target
victims. The researchers note this SocGholish activity demonstrates the ongoing exploitation of
compromised legitimate websites as a malware delivery framework,
turning routine web browsing into a potential vector for ransomware access.
The U.S. Federal Bureau of Investigation has issued an advisory on account takeover fraud schemes,
noting that these attacks have caused $262 million in losses since January 2025.
The attackers use well-known social engineering techniques to impersonate financial institutions
and trick users into granting access to their accounts.
The crooks are targeting banks, payrolls, and health savings accounts.
The FBI notes, in some instances, cybercriminals impersonating financial institutions reported to the account owner
that their information was used to make fraudulent purchases, including firearms.
The cybercriminal convinces the account owner then to provide information to a second cybercriminal
impersonating law enforcement, who then convinces the account owner to provide account information.
Cato Networks has published a report on an indirect prompt injection technique affecting several AI
browser assistants, including Perplexity's Comet, Copilot for Edge, and Gemini for Chrome.
The technique, which Cato calls HashJack, uses the pound symbol or hashtag sign, depending on what
generation you're in, to place malicious prompts after legitimate URLs.
The researchers explain, when an AI browser loads a page and the user interacts with the AI
assistant, these hidden prompts are fed directly into large language models. In agentic AI
browsers like Comet, the attack can escalate further, with the AI assistant automatically sending
user data to threat actor-controlled endpoints. Perplexity and Microsoft have since implemented
mitigations against this technique, while Google acknowledged the issue and gave Cato permission
to publicly disclose the flaw. The issue is still unresolved in the Chrome browser.
The BBC reports that at least three London councils were hit by disruptive cyberattacks over the last few days.
The Royal Borough of Kensington and Chelsea, or RBKC, and the Westminster City Council,
sustained an attack that affected shared IT systems and took down phone services,
while Hammersmith and Fulham Council said it was working to recover from a serious cybersecurity incident.
The Hammersmith and Fulham attack appears to be connected to the incident affecting RBKC and Westminster City.
A memo from the Hammersmith and Fulham Council instructed staff not to click on any Outlook or Teams links from RBKC and Westminster City colleagues until further notice.
The BBC says the Met Police is investigating the incidents.
Researchers from Gen Threat Labs have seen evidence that Russia's Gamaredon and North Korea's Lazarus Group are sharing infrastructure,
indicating that the two state-sponsored actors may be coordinating at an operational level.
The researchers observed a Gamaredon C2 server hosting InvisibleFerret, which is a strain of malware attributed to the Lazarus Group.
The malware was then delivered through an identical server structure used in Lazarus's Contagious Interview campaign.
Gen notes, while the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups' activity and the shared hosting pattern indicate probable infrastructure reuse with moderate confidence of operational collaboration.
Canon has confirmed that one of its subsidiaries was breached by an attack campaign targeting Oracle
E-Business Suite instances. The company told SecurityWeek, quote, we have confirmed that the
incident only affected the web server, and we have already taken security measures and resumed
service. In addition, we are continuing to investigate further to ensure that there is no other
impact. The Clop extortion gang listed Canon as one of its victims, but has not leaked any data
from the company.
Stick around after the break as we have Cynthia Kaiser,
SVP of the Ransomware Research Center at Halcyon,
sharing a deep dive on Akira ransomware.
And Campbell's Soup CISO placed on leave following lawsuit.
From phishing to ransomware, cyber threats are constant, but with NordLayer, your defense can be too.
NordLayer brings together secure access and advanced threat protection in a single, seamless platform.
It helps your team spot suspicious activity before it becomes a problem, by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network.
It's quick to deploy, easy to scale, and built on zero trust principles, so only the right people get access to the right resources.
Get 28% off on a yearly plan at NordLayer.com slash cyberwire daily with code cyberwire-28.
That's NordLayer.com slash cyberwire daily, code cyberwire dash 28.
That's valid through December 10th, 2025.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC,
Defense Against Configurations, you get real assurance that your environment is free of
misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at ThreatLocker.com slash N2K today.
Dave Bittner recently sat down with Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon,
as they took on a deep dive on Akira ransomware. Here's their conversation.
It's really one of the most aggressive ransomware actors that we're tracking, and that's saying something, right, among all these people who are really the lowest of the low. But I think one of the most important things to know about Akira is it's all about speed with them. So we're seeing ransomware attacks getting faster and faster, but Akira's really at the front edge of getting
all of these attacks happening in a really quick way.
Well, let's dig into that together.
What are some of the tactics, techniques,
and procedures that they use to make that happen?
So we don't actually see them encrypting the full file.
They're encrypting a small percentage of files as they go through
in an effort to encrypt as much as they can,
as quick as they can, which I think, you know,
make sense when you think about it,
but also isn't something that I'd necessarily had at the front
of my mind as we were starting to look at that, the actor and see some of the incidents
that we're responding to. They, of course, are doing what has become really typical of ransom
actors, which is looking to kind of blind or tamper with endpoint detection because they want to
try to figure out ways to be able to be stealthy, to not let somebody know they're there.
And that helps them enumerate the whole network, have everything in place so that when they're
staged, when they're going for patient zero, it's only going to take minutes for them to encrypt
over a hundred, right, or more across the systems. And they're starting with
those portions of your network
that'll give them a lot of access at once,
the hypervisors.
So as you increase your virtualization
in your network, they're going after
those components so that they can reach
more of your network more quickly.
Help me understand
the infection vectors here.
How do they typically get on someone's system?
We're seeing them use
the SonicWall vulnerabilities
that have been widely published
over, I think since the summer.
You know, if you normally can get some type of compromised credentials for SonicWall and then be able to utilize that for the known vulnerability that's on them to get onto a system.
And then once they're on a system, they create admin credentials for themselves so that it's no longer really detectable what they do.
So unless you're kind of detecting them at that SonicWall,
all that early initial access, it becomes harder and harder to find them until they're ready
to encrypt.
Are they using living off the land techniques here to keep themselves hidden?
Absolutely.
We see that among a lot of ransomware actors where they're using the tools that you already
have in your system to be able to conduct their activities.
So what was interesting here in some of the tactics you see among the,
some of the actors is they will basically try to trick trusted apps on your system into
running a malicious tool, DLL side loading.
We saw them in one incident because we were responding and we actually were able to block
encryption through almost the whole network and they didn't know what was going on.
And so they started trying all these different tricks, and some of it was,
it's, they were going around, they were, like, trying to figure out a different way, a different
way to do the encryption. And, you know, one of those was, like, doing that DLL side loading,
tricking trusted apps on systems. They use AnyDesk, they use several different tools that are on
a system, but all of that's really fueled by creating those credentials for themselves, so they just
look like a typical user.
And who do they seem to be targeting here? Are there any particular
sectors that have their attention?
It feels like manufacturing, business services, and construction take the brunt of the hits, but
there's absolutely effects across all industries, think like retail, IT, education, finance.
If you look at where they've claimed to have done attacks, so, you know, whether they're, you know,
posting data on their leak site, et cetera, it's about 60 attacks just in November alone.
That's a crazy amount.
And so really, you have to think about everybody is being targeted because they're trying to
maximize the vulnerabilities they have now to be able to get onto systems.
And they're running an affiliate model here.
That's part of how they have such breadth, widespread attack capabilities, I suppose.
Yeah, they're a ransomware-as-a-service group, which really means somebody develops the malware and then there are affiliates who borrow the malware from the developers, go out and conduct the attacks against various targets, and then give a share of the profits back to the developers themselves.
I mean, in this way, it really shields the developers from a lot of the risk
of actually conducting the attacks,
but it allows the larger group itself
to just have a lot more reach across
to be able to conduct simultaneous attacks at once.
There's some downsides to that model.
I think we've seen exit schemes from certain groups.
We've seen various ways in which
those groups are more easily infiltrated by law enforcement,
which, I mean, negative for them,
positive for us, right? But overall, they do this to try to see if they can make the most money
that they can as quickly as they can. I feel funny asking this question, but are they an honorable
group as far as ransomware groups go? If you pay them, are you going to get your stuff back?
That's always a hard question, right? Because a lot of the, in most cases, you receive a
decryptor. Whether it works on all your files is a different story. For Akira itself,
overall, I think our experience has seen, yes, for the most part, the decryptor would work.
But there's a lot of other groups that you get the decryptor. And it turns out, like,
malware developers don't spend a lot, they spend a lot of time breaking things and they don't
spend a lot of time figuring out how to fix them again.
You know, there are a lot of careless decryptors out there.
But more so, this is a group that also steals data.
And there are, in most ransomware groups will come out and say, oh, if you pay us this
ransom, we won't leak your data.
Some claim, oh, we won't, we'll delete your data.
I mean, there has not been a group that I've seen who
says they were going to delete the data where, when I was over at the Bureau or now, so I was
at the FBI right before and now I'm at Halcyon, I've not seen any instance where, once we were
able to look under the hood of what was going on in those ransomware groups and their infrastructure,
that they actually deleted customer data. Right, right. Yeah, why would they, right? I mean,
perfect. It's like, why would they just spend the time doing it? They don't need to. Right, right.
So what are your recommendations then?
I mean, for folks to best protect themselves here, what should they be doing?
The first thing I advise is going to the updated cybersecurity advisory that was put out by FBI, CISA, and a host of other agencies last week, where they recommend prioritizing remediating known exploited vulnerabilities.
So like the SonicWall vulnerability that I was talking about earlier.
Enabling and enforcing phishing-resistant multifactor authentication, so not necessarily just text-based.
You get a code, but using authenticator apps or, you know, some other type of phishing-resistant
multi-factor. And the kind of normal ransomware advice we give, which is maintaining regular
backups of data, ensuring backups are stored offline, and regularly testing the restoration process.
In addition to what that cybersecurity advisory noted, I'd
also note ensuring that you have some type of a defense in depth that ensures if your
endpoint detection is turned off or blinded in some way, you still are able to identify the actors
or that at least something funny is going on across your network. Having lots of different
points of security is just essential nowadays to all of these advancing ransomware actors.
How do you rate the sophistication of Akira?
Akira is very sophisticated.
It's incredibly difficult to identify them when they're on a system.
Even in the after, when you're doing an incident response,
it can be hard to determine how information might have been taken from your network,
what information was taken from your network,
or really what happened between them getting onto the network,
and then getting to that final encryption event.
So it's aggressive, but it's also sophisticated,
which is a terrible combination for all of us.
That was Cynthia Kaiser,
SVP of the Ransomware Research Center at Halcyon,
sharing a deep dive on Akira ransomware.
Learn more on Halcyon's threat actor profile of Akira
and how they fit into their latest malicious quartile report.
There's a link for you in the show notes.
At Thales, they secure what matters most.
The most trusted companies and organizations utilize Thales cybersecurity products
to protect critical applications, sensitive data, and identities anywhere at scale.
Through their innovative services and integrated
platforms, Thales provides customers a greater visibility of risks, the ability to defend against
cyber threats, close compliance gaps, and deliver trusted digital experiences for billions of
consumers every day. That's Thales. T-H-A-L-E-S. Learn more at cpl.thalesgroup.com.
And finally today, Campbell's Soup's Chief Information Security Officer is in hot water
after a lawsuit claimed that he made disparaging remarks about the company's soup,
as well as racist comments about his Indian co-workers.
The executive, Martin Bally, has been placed on leave pending an investigation.
The lawsuit was filed by a former employee of the company, remote security analyst
Robert Garza. Garza recorded Bally's comments during a lunch meeting and claims that he was
fired after bringing the recording to a superior. Bally allegedly said that Campbell's makes
unhealthy soup for, quote, poor people using 3D printed chicken and bioengineered meats. For its part,
Campbell said in a statement, and I quote, the comments on the recording are not only inaccurate,
they are patently absurd. Keep in mind, the alleged comments are made by an IT person who has nothing to do
with how we make our food, end quote.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
A quick programming note, everybody.
tomorrow through Sunday in observance of the Thanksgiving holiday here in the United States.
We do have some great content planned for you, though, to check out in our CyberWire
Daily podcast feed. And we will see you back here on Monday. Enjoy your turkey, everyone, and
happy Thanksgiving. And that's the CyberWire Daily, brought to you by N2K CyberWire. We'd
love to know what you think of this podcast. Your feedback ensures we deliver the insights that
keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out
the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice
Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Trey Hester, with
original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our
publisher, and I'm Maria Varmazis in for host Dave Bittner. Thank you for listening. Have a
wonderful Thanksgiving.
Thank you.
