CyberWire Daily - Logging off in Myawaddy.

Episode Date: October 29, 2025

Explosions rock a shuttered Myanmar cybercrime hub. The Aisuru botnet shifts from DDoS to residential proxies. Dentsu confirms data theft at Merkle. Boston bans biometrics. Proton restores journalists’ email accounts after backlash. Memento Labs admits Dante spyware is theirs. Australia accuses Microsoft of improperly forcing users into AI upgrades. CISA warns of active exploitation targeting manufacturing management software. A covert cyberattack during Trump’s first term disabled Venezuela’s intelligence network. Our guest is Ben Seri, Co-Founder and CTO of Zafran, discussing the trend of AI native attacks. New glasses deliver fashionable paranoia.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today’s guest is Ben Seri, Co-Founder and CTO of Zafran, discussing the trend of AI native attacks and how defenders should use AI to defend and remediate.

Selected Reading
Stragglers from Myanmar scam center raided by army cross into Thailand as buildings are blown up (AP News)
Aisuru Botnet Shifts from DDoS to Residential Proxies (Krebs on Security)
Advertising giant Dentsu reports data breach at subsidiary Merkle (Bleeping Computer)
Boston Police Can No Longer Use Facial Recognition Software (Built in Boston)
Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency (The Intercept)
CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware (TechCrunch)
Australia sues Microsoft for forcing Copilot AI onto Office 365 customers (Pivot to AI)
CISA warns of actively exploited flaws in Dassault DELMIA Apriso manufacturing software (Beyond Machines)
CIA cyberattacks targeting the Maduro regime didn’t satisfy Trump in his first term. Now the US is flexing its military might (CNN Politics)
Zenni’s Anti-Facial Recognition Glasses are Eyewear for Our Paranoid Age (404 Media)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.

Explosions rock a shuttered Myanmar cybercrime hub,
Starting point is 00:01:02 the Aisuru botnet shifts from DDoS to residential proxies. Dentsu confirms data theft at Merkle. Boston bans biometrics. Proton restores journalist email accounts after backlash. Memento Labs admits Dante spyware is theirs. Australia accuses Microsoft of improperly forcing users into AI upgrades. CISA warns of active exploitation targeting manufacturing management software, a covert cyber attack during Trump's first
Starting point is 00:01:30 term disabled Venezuela's intelligence network. Our guest is Ben Seri, co-founder and CTO of Zafran, discussing the trend of AI native attacks. And new glasses deliver fashionable paranoia. It's Wednesday, October 29th, 2025. I'm Dave Bittner, and this is your Cyberwire Intel Briefing. Thanks for joining us here today. Great to have you with us, as always.
Starting point is 00:02:18 Thailand's military says the flow of people fleeing Myanmar after a major cybercrime hub was shut down has nearly stopped, following a week in which more than 1,500 crossed the border. Myanmar's army raided the KK Park complex near Myawaddy in mid-October, part of an ongoing campaign against online scams and illegal gambling networks. Explosions reportedly leveled parts of the site, damaging homes on the Thai side. Most who fled are believed to have been foreign workers forced into scam operations, with Thai authorities sheltering and screening people from 28 countries to determine if they were trafficking victims. KK Park had been a key node in Myanmar's expanding cyber scam industry,
Starting point is 00:03:07 where criminal groups lure workers with fake job offers before coercing them into online fraud. Despite the raid, independent reports suggest similar operations remain active in Myawaddy, underscoring Myanmar's ongoing struggle to dismantle cross-border cybercrime networks. The Aisuru botnet, once known for record-breaking DDoS attacks, has shifted toward a more profitable model, renting infected IoT devices as residential proxies. Krebs on Security estimates Aisuru controls about 700,000 compromised routers and cameras. These devices now help anonymize cybercriminal traffic and power large-scale data scraping for AI training.
Starting point is 00:03:56 Experts say the flood of cheap proxy access is driving explosive growth across proxy services, some tied to Chinese conglomerates like IPIDEA's HK Network. Many of these networks rely on SDKs secretly installed on user devices, selling their bandwidth to proxy resellers. While legitimate firms such as Oxylabs and Bright Data deny exaggerated growth claims, analysts warn that botnet-driven proxy ecosystems blur the lines between lawful data collection and cybercrime infrastructure. Japanese advertising giant Dentsu has confirmed a cybersecurity incident
Starting point is 00:04:37 affecting its U.S. subsidiary Merkle, exposing employee and client data. The company detected abnormal network activity, shut down certain systems, and notified authorities in affected countries. Internal reports suggest the breach involves staff, financial, and personal data, including payroll and bank details. Dentsu later confirmed that attackers stole files containing information on clients, suppliers, and current and former employees. While its Japan-based systems were unaffected, the company anticipates some financial impact.
Starting point is 00:05:15 Merkle, which employs 16,000 people and serves major global brands, continues to investigate with third-party forensics experts. No ransomware group has claimed responsibility, and the full scope of the breach remains under review. The Boston City Council has unanimously voted to ban the use of facial recognition technology by all city departments, including the police, making Boston the largest East Coast city to do so. The ordinance prohibits officials from acquiring or using facial recognition systems or contracting third parties to do so, though police may still follow up on leads
Starting point is 00:05:56 generated by other agencies. Citing racial bias and accuracy issues, the law aims to protect residents' privacy and prevent discrimination against communities of color. Supported by the ACLU of Massachusetts and local advocacy groups, the measure aligns Boston with cities like San Francisco and Oakland that have enacted similar bans. The ordinance was sponsored by councilors Michelle Wu and Ricardo Arroyo.
Starting point is 00:06:26 The company behind Proton Mail suspended the accounts of two journalists investigating South Korean government hacks, prompting backlash over its commitment to privacy and press freedom. The reporters, publishing under pseudonyms in Phrack magazine, had responsibly disclosed their findings, linked to North Korea's Kimsuky threat group, to South Korean authorities using Proton Mail accounts. After the print issue appeared, Proton disabled their accounts, citing policy violations following a complaint from an unspecified cybersecurity agency. Despite appeals, Proton offered little explanation until public criticism forced reinstatement
Starting point is 00:07:09 weeks later. Press advocates warned the move undermines trust among journalists who rely on Proton for secure communications. Proton later said it was acting on a CERT alert, but admitted its automated anti-abuse process may have mistakenly affected legitimate users. Yesterday, we reported cybersecurity firm Kaspersky has identified a new Windows spyware strain called Dante, which it links to Memento Labs, the rebranded successor to the notorious spyware maker Hacking Team. In a key confirmation, Memento CEO Paolo Lezzi told TechCrunch that the spyware detected by Kaspersky does indeed belong to his company, blaming a government client for using an outdated version.
Starting point is 00:07:59 This discovery follows earlier reporting on Memento's continued development of surveillance tools despite Hacking Team's collapse after major scandals and leaks. Kaspersky says the ForumTroll group used Dante in targeted attacks on Russian and Belarusian organizations, including media and government entities. Memento has since urged customers to discontinue use of its Windows spyware as it shifts focus to mobile surveillance tools. Australia's competition regulator, the Australian Competition and Consumer Commission, or ACCC, has filed suit against Microsoft, alleging the company misled Office 365 customers by forcing an upgrade to its Copilot AI service and charging higher subscription fees without proper consent.
Starting point is 00:08:51 The ACCC claims Microsoft falsely represented that users had to accept the AI integration and pay more to retain access, violating multiple provisions of Australian consumer law. The regulator seeks penalties, refunds, and injunctions. Microsoft, which told customers they risked losing access if they didn't upgrade, says it's reviewing the claim and will cooperate with regulators. The ACCC, known for strong consumer enforcement, says affected users can revert to their original plans and should contact Microsoft for refunds if charged improperly. CISA has warned that attackers are actively exploiting two critical flaws in Dassault Systèmes' DELMIA Apriso manufacturing management software. The bugs, which allow remote privilege escalation, enabling arbitrary code execution
Starting point is 00:09:47 with existing elevated access, affect multiple versions. Dassault patched both vulnerabilities in August of this year, and CISA urges organizations to apply updates immediately and isolate affected systems from untrusted networks to prevent compromise. In the final year of Donald Trump's first term, the CIA launched a covert cyber attack
Starting point is 00:10:12 that disabled Venezuela's intelligence network, CNN reports. The operation, described by sources as perfectly successful, was intended to appease Trump's push for aggressive action against Nicolás Maduro without escalating into open conflict. Officials characterized the move as part of broader covert maneuvers to pressure Caracas, though Maduro remained in power. The revelation emerges as Trump's current administration ramps up military activity near Venezuela, including the deployment of 10,000 U.S. troops and an aircraft carrier, raising fears of a potential regime-change effort. Former officials say Trump's renewed maximum pressure campaign reflects lessons from his first term, when military and intelligence leaders resisted riskier operations. Analysts warn that today's military build-up, framed as a counter-narcotics mission,
Starting point is 00:11:09 may mask preparation for direct strikes. Coming up after the break, my conversation with Ben Seri from Zafran discussing the trend of AI native attacks, and new glasses deliver fashionable paranoia. Stay with us.

And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

What's your 2 a.m. security worry? Is it, do I have the right controls in place?
Starting point is 00:12:31 Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows,
Starting point is 00:13:00 using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.

Ben Seri is co-founder and CTO of Zafran. I recently sat down with him
Starting point is 00:13:37 for information on the trend of AI native attacks.

I think there is a great interest in this field and how it can actually be a force multiplier for practitioners in their day to day. I think there is still a question about how much of the human should still be in the loop and be the one controlling the AI, or how much agency essentially should the AI be given. But I think there is the basic of it. There is much curiosity and wonder about what is the opportunity of this market, and this is a great thing for innovation. This is a great opportunity for companies like ourselves and others to offer new solutions and see how the market reacts.
Starting point is 00:14:23 Well, and I suppose it's fair to say, to a certain degree, it's a necessity because the adversaries are adopting this rather quickly. That is completely true. Attackers have been observed to be using AI to exploit vulnerabilities, to develop malware, to scan the engine and find prey. And unfortunately, they've been very successful at it. And so defenders need to up their game
Starting point is 00:14:52 and to see how they can also adopt new tech to better defend themselves. So what are some of the opportunities that you see here in terms of using this technology to better protect people? So being a bit technical, I think from a technical perspective, LLMs and agentic AI, the potential of it is to be a great tool to analyze text. That is the basics of it, right? That's how it began. And many of our problems, also in cybersecurity, include unformatted, non-structured text.
Starting point is 00:15:31 And there is expertise in understanding this text, and this is why vendors are required to train or to at least guide the AI towards sensible outcomes. But at the principle of it, at the basis of it, it's a tool that is awesome, that is really incredible at analyzing text and reacting to it. And from there, it can create plans, and from plans, it can also do actions. What are some of the specific things that you see there being a future here? So in our field of exposure management, or continuous threat exposure management, there is just a huge pile of vulnerabilities that practitioners need to deal with on a daily basis. Many of these are actually false positives.
Starting point is 00:16:18 They are not exploitable vulnerabilities in their environment, but it's very difficult for practitioners to know what is false and what is true. Some automation in existing tools in CTEM, like Zafran, already provides great context to be able to better prioritize and understand this data. And then agentic technology can come on top of that and actually also make sense of that last mile. I understand that I have an impact. Is this impact actually relevant for me? And then how can I remediate it?
Starting point is 00:16:51 So connecting the dots between potential impact to actual impact, to remediation plans. Concrete remediation plans is something that we are seeing that agentic technology can be a great opportunity in. How do you recommend that organizations balance the need for putting guardrails on this technology, but at the same time taking advantage of the speed with which it can do things?
Starting point is 00:17:18 I think the beginning of it is human in the loop; that is essential. So it's twofold, I would say. Let me go back. It's twofold. One is you have to understand how the solutions that you are buying in this field work. So you can't just connect them and trust them out of the box. Each solution that takes on agentic technology needs to implement on its end guardrails.
Starting point is 00:17:46 What data does the tool have access to? What tools can it then interact with? And at which points would the human be in charge and approving actions? So it's essential to understand guardrails that are provided by vendors. And then it's essential to ask what would the human be validating in this process. It's not only that I would approve what is presented to me. I also need to be a feedback loop, to be cognizant of the fact that AI needs to be validated at our current stage. We have all experienced the fact that it can hallucinate. It can come up with wrong evidence or distort the realities.
Starting point is 00:18:28 And the human needs to be also a guardrail in that sense. But I do believe that not far from now, humans will try this tool on in our field, in other fields. They will find the 90% or 98% or 95% of cases where it is accurate, where it is offering them good advice. And then there is an opportunity to automate further and say, okay, for these actions, for these insights that you're providing, you don't need me in the loop.
Starting point is 00:19:00 You can provide that as a report. I can get that offline, right? So starting with human in the loop, that's required. But as trust is gained, there is opportunity to do more. What sort of results are you and your colleagues seeing here? What does success look like? So what we have published is research and a blueprint of how agentic tech can also be the remediator of vulnerabilities in production environments. So there are various types of vulnerabilities and various types of environments.
Starting point is 00:19:36 And what we found is that you're giving an instruction to the agent: here is an asset. It has a certain exposure or a certain vulnerability. Now investigate that in depth. Understand the potential impact of patching this. What will it do to my system if I actually remediate it? Because that is a primary risk, not only the cyber risk, but the operational risk of remediation. So understanding dependencies,
Starting point is 00:20:00 understanding interaction between different parts of your system is one thing that we found that it can do very well. And then that second half is it can then simulate the patch or offer actual scripts, create code, that will do the remediation. And that makes sense because these models by Anthropic, for example, have been trained on code. And so they know how to produce code. That is one of the use cases that they are doing very well.
Starting point is 00:20:31 And patching and remediation involve creating these upgrade packages. So that piece came quite natural to these tools to do because they have been trained on doing code. So to summarize, they can actually be a remediator of vulnerabilities. They can be one that interacts with your endpoints or your servers and offers complete plans for how to do the patch. And that is a huge gap in how practitioners are trying to do that today. And we are saying that is a huge opportunity. For folks who are curious about this,
Starting point is 00:21:12 or think perhaps it's a good fit. What sort of questions should they be asking? What sort of things should they be considering to discover if it really is a good match for them? I think, like a very basic question to ask, it's about AI, but it's not only about AI, is do you believe in your current state that you are able to actually remediate everything
Starting point is 00:21:38 that you're impacted by? To actually prioritize well, have enough context to know that you are patching, you are remediating against the threats that are going to pose the most threats to you. And those are basic questions that need to be asked continuously. And now, as attackers are using AI, that question needs to be asked twice as much.
Starting point is 00:22:02 Because the speed at which attackers are able to exploit vulnerabilities is not matching the speed at which defenders are able to remediate against emerging threats. So the combination of the two means that there is opportunity for attackers to be much, much faster, and they don't need to find zero-day vulnerabilities. They can just exploit vulnerabilities that were known for some time. So from the practitioner's point of view, he needs to ask himself, is there a tool that I can take on, agentic or otherwise, that can allow me to actually be much quicker than I am today, and maybe to also shorten the gap, not only between
Starting point is 00:22:43 attackers and defenders, but also between security and IT. Security used to have one job: to say this is critical, go ahead and patch it, and then IT takes it on and does the remediation side. One of the questions I think that practitioners need to ask themselves: can I shorten this gap? Are there cases where security can be one acting on the remediation side? Can I provide more context and more practical tips to IT on how to patch, as well as to the DevOps and to engineers? So I think that is the main question. Can we be faster with this tool?
Starting point is 00:23:21 Much, much, much faster. All right, terrific. Well, I think I have everything I need for our story here. Is there anything I missed? Anything I didn't ask you that you think it's important to share? Yes, I think one of the elements that we are seeing becoming a growing concern is the fact that not only are attackers using AI; more and more vendors, more and more customers are now part of enterprises that are developing
Starting point is 00:23:52 AI in-house. And there is also risks in the applications that these enterprises develop. And it's a very new field. It's unknown in many regards what will be the greatest risk of developing applications that use AI for customers, for enterprises. I think that is one of the things that Zafran is also looking to be a partner for enterprises in, to find vulnerabilities and to find exposures in their AI applications. That is a field that will become significant because as more AI becomes inherent in coding, the more vulnerabilities and new types of risks to be improved. That's Ben Seri from Zafran.
Starting point is 00:24:55 And finally, Zenni, the online glasses retailer, best known for affordable frames and bold colors, now sells eyewear that claims to block facial recognition, because apparently that's where we are as a society. The company's new ID Guard coating gives lenses a subtle pink shimmer that reflects infrared light, blinding the cameras used in some surveillance systems. Tests by 404 Media confirmed the glasses can foil Apple's Face ID and turn wearers' eyes into mysterious voids under infrared cameras. Unfortunately, they're less effective against the more mundane threat of someone photographing your face in daylight and uploading it to a search
Starting point is 00:25:41 engine. Still, there's something comforting about the idea. When the world is one big panopticon, at least Zenni will sell you reasonably priced rebellion in a flattering shade of rose. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
Starting point is 00:26:25 in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth.
Starting point is 00:26:41 Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
Starting point is 00:27:29 In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.d. datatribe.com.
Starting point is 00:28:06 Thank you.
