CyberWire Daily - Operation spyGPT.
Episode Date: November 14, 2025

Anthropic reports China-linked hackers used Claude AI in an automated espionage campaign. Google reconsiders its upcoming “Developer Verification” policy for Android. AT&T customers affected by two data breaches in 2024 can now file claims. Nearly 10,000 Washington Post employees were affected by a data breach. ASUS and Imunify360 patch critical flaws. DoorDash discloses a data breach. Checkout.com donates the ransom to researchers. Kraken ransomware benchmarks systems before encryption. Mike Arrowsmith, Chief Trust Officer of NinjaOne, shares his thoughts on how cyber may be heading for its California fire insurance moment. AI ChatBot toys behave badly.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Mike Arrowsmith, Chief Trust Officer of NinjaOne, is sharing his thoughts on how cyber insurance is heading for its California fire insurance moment.

Selected Reading
Anthropic Says Chinese Hackers Used Its A.I. in Online Attack (The New York Times)
Researchers question Anthropic claim that AI-assisted attack was 90% autonomous (Ars Technica)
Google backpedals on new Android developer registration rules (Bleeping Computer)
AT&T data breach settlement to pay thousands to claimants. Who is eligible, how to apply (El Paso Times)
Washington Post Says Nearly 10,000 Employees Impacted by Oracle Hack (SecurityWeek)
ASUS warns of critical auth bypass flaw in DSL series routers (Bleeping Computer)
Imunify360 Vulnerability Could Expose Millions of Sites to Hacking (SecurityWeek)
DoorDash hit by new data breach in October exposing user information (Bleeping Computer)
Protecting our Merchants: Standing up to Extortion (Checkout.com)
Kraken ransomware benchmarks systems for optimal encryption choice (Bleeping Computer)
AI-Powered Toys Caught Telling 5-Year-Olds How to Find Knives and Start Fires With Matches (Futurism)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Step into the digital Upside Down with Cyber Things,
Armis' new three-part podcast series,
which will dive into the unseen world of cybersecurity.
From real-life hacks to the digital shadows of the dark web,
we connect pop culture and protection, fear and control.
Episode one drops soon, so look out for Cyber Things in partnership with Cyberwire.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Anthropic claims China-linked hackers used Claude AI in an automated espionage campaign.
Google reconsiders its upcoming developer verification policy for Android.
AT&T customers affected by two data breaches in 2024 can now file claims.
Nearly 10,000 Washington Post employees were affected by a data breach.
ASUS and Imunify360 patch critical flaws.
DoorDash discloses a data breach.
Checkout.com donates the ransom to researchers.
Kraken ransomware benchmarks systems before encryption.
Our guest is Mike Arrowsmith, chief trust officer at NinjaOne,
sharing his thoughts on how cyber may be heading for its California fire insurance moment.
And AI chatbot toys behave badly.
It's Friday, November 14th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Friday.
It's great to have you with us.
Chinese state-sponsored hackers used Anthropic's Claude AI tools in a September cyber espionage campaign
that the company describes as the first reported case of an AI agent automating most phases of an attack with limited human input.
According to Anthropic, the group, assessed with high confidence as China-linked, used Claude Code to handle up to 90% of tasks across reconnaissance, exploitation, and data collection,
with humans guiding only a handful of key decisions.
The operation targeted about 30 technology firms and government agencies,
though only a small number of attempts succeeded.
Outside researchers questioned the significance,
noting that attackers relied on common open-source tools
and that Claude frequently hallucinated results, limiting effectiveness.
They also argued that AI has not yet produced the dramatic offensive gains
some vendors suggest. China's foreign ministry rejected unproven accusations.
Researchers broadly agree that AI can streamline workflows, but fully autonomous high-impact attacks
remain elusive. Google is softening its upcoming developer verification policy after
significant backlash from Android users and developers. The policy announced in August and set
to begin in 2026, would require all apps on certified Android devices to come from developers
who verified their identities, a move meant to curb malware in side-loaded apps. Critics objected
to the required fees and government ID checks, and projects like F-Droid warned the rules
threaten the open Android ecosystem. In response, Google will create a lighter-weight account for
developers distributing apps to small audiences and a new install flow that lets advanced users
sideload unverified apps with added warnings. Early access invitations are rolling out now.
Verification becomes mandatory in select countries in late 2026 with worldwide adoption planned
for 2027. AT&T customers affected by two data breaches in 2024 can file claims for part of a
77 million-dollar class action settlement.
The first breach, disclosed in March, exposed sensitive personal data on the dark web.
A second breach in July involved limited data taken from a third-party cloud workspace.
Eligible customers may receive up to $5,000 or $2,500, depending on the incident,
with some qualifying for both.
Claims are due by December 18th and can be submitted at telecomdatasettlement.com.
Nearly 10,000 current and former Washington Post employees and contractors were affected by a data breach tied to attacks on vulnerable Oracle E-Business Suite systems.
A threat actor linked to Clop ransomware exploited zero-day flaws across dozens of organizations, stealing more than 120 gigabytes of Post data and later attempting extortion.
Compromised information includes names, bank and routing numbers,
Social Security numbers, and tax IDs.
The Post says hackers accessed data between July and August,
aligning with reports that exploitation began months before patches were released.
ASUS has issued new firmware to fix a critical authentication bypass flaw
affecting multiple models of their routers.
The vulnerability lets remote unauthenticated attackers access unpatched devices exposed online with minimal effort.
The latest firmware version resolves the issue, and ASUS urges all users to update.
For devices that cannot be patched, ASUS advises disabling internet-facing services such as
remote WAN access, port forwarding, DDNS, VPN servers, DMZ, and FTP.
Users should also strengthen passwords, avoid credential reuse, and regularly check for updates.
While there are no active exploitation reports, router flaws are frequently targeted for botnet activity.
ASUS has recently patched other serious vulnerabilities, and past incidents show attackers leveraging
router bugs to compromise thousands of devices. A newly patched flaw in Imunify360, a security
suite protecting roughly 56 million Linux-hosted websites, could allow attackers to execute arbitrary
code and potentially take over shared hosting environments.
Patchstack says the issue is triggered when Imunify360's AI-Bolit malware scanner processes a specially crafted file, allowing code to run with root
privileges.
CloudLinux confirmed the critical vulnerability and released a fix on October 21st,
though no CVE was assigned.
Technical details and a proof of concept are now public, and providers are urged
to check for compromise.
DoorDash has disclosed an October 2025 data breach caused by a successful social engineering
scam against an employee.
The company says an unauthorized party accessed and took user contact information, including
names, physical addresses, phone numbers, and email addresses.
DoorDash did not specify how many people were affected, but confirmed that consumers,
dashers, and merchants were among those impacted.
Notifications began going out on November 13th with many reaching Canadian users,
though a broader advisory suggests the incident may extend beyond Canada. This is DoorDash's
third major breach after incidents in 2019 and 2022. Users have criticized the company for taking
19 days to issue notices. DoorDash advises customers to watch for phishing attempts and says
it has strengthened security and notified law enforcement.
Checkout.com says it was hit by an extortion attempt by the ShinyHunters group,
which accessed data stored in a legacy third-party cloud system used before 2020.
The company estimates that fewer than 25% of current merchants are affected,
and the compromised systems held internal documents and onboarding materials, not payment data.
Checkout.com says its live payment platform was untouched and no card numbers or merchant funds were accessed. The company acknowledges
the legacy system should have been properly decommissioned and is contacting impacted partners
while working with regulators and law enforcement. Refusing to pay the ransom, Checkout.com will
instead donate the equivalent amount to cybersecurity research at Carnegie Mellon University and the
University of Oxford. The company says transparency and trust remain its priorities.
Kraken ransomware, a successor to the HelloKitty operation, now incorporates a rare
benchmarking feature that tests each compromised machine to determine how quickly it can
encrypt data without overloading system resources. Cisco Talos says Kraken creates and
encrypts temporary files to decide between full or partial encryption.
Active since 2024, the group conducts big game hunting attacks with data theft and lists victims
across the U.S., UK, Canada, Panama, Kuwait, and Denmark. Kraken intrusions typically begin by
exploiting SMB flaws, then using stolen admin credentials, Cloudflared tunnels, and SSHFS to move
laterally and exfiltrate data. Windows and Linux ESXi variants include modules to target
databases, network shares, local drives, virtual machines, and more.
Kraken also launched a cybercrime forum to support its operations, and ransom demands
can reach $1 million.
Coming up after the break, Mike Arrowsmith from NinjaOne shares his thoughts on how cyber may be
heading for its California fire insurance moment, and AI chatbot toys behave badly.
Stick around.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to
hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's sponsored jobs
helps you stand out and hire fast. Your post jumps to the top of search results, so the right
candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than
non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here
came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term
contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been
talking to you, 23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners
to this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com
slash cyberwire. Just go to indeed.com slash cyberwire right now and support our show by saying you
heard about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring. Indeed is
all you need.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my
vendors secure? Or the one that really keeps you up at night? How do I get out from under
these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual
work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out
endless questionnaires. Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale. And it fits right into your
workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready
all the time. With Vanta, you get everything you need to move faster, scale confidently, and
finally get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com
slash cyber.
Mike Arrowsmith is chief trust officer at NinjaOne. I recently caught up with him for insights on how
cyber may be heading for its California fire insurance moment.
Long-time listeners of the Cyberwire will know that I love analogies.
And for years, I've been using the analogy or wondering if cyber insurance wasn't headed the same way as, let's say, flood insurance.
But you've got an even better analogy here.
You're talking about fire insurance, like from California.
Do I have this right, Mike?
Correct. That's a great example and analogy that I think accurately describes where we're heading.
Well, let's dig into it here. How does where we stand with cyber insurance compare to the
situation folks in California find themselves in? Yeah, great question. So I think, you know,
it's taking a step back. When we think about cyber insurance policies, I think probably the predominant
adoption of cyber insurance is probably occurred maybe over the last 10 years is what I kind of
recall being asked about it, purchasing policies. So within the last 10 years, there's been an
of organizations like NinjaOne, others, other past employers of mine purchasing these policies
that effectively cover themselves in lieu of a breach.
So when a breach happens, it provides some kind of financial stability, resources for that
organization to effectively contain, respond, and ultimately remediate any kind of breach
that may have happened.
Traditionally, we have seen most organizations kind of switch and pivot to away from this
kind of ideology, I can absolutely prevent a breach to now everybody accepting it will happen,
and it's just a matter of timing before that occurs. And so I think it has a really great synergy
with the current fire insurance fiascos that are happening in California today. And especially when
we start to overlay, what we're already beginning to see is the impacts of how artificial intelligence
is actually helping adversaries penetrate, exploit organizations, that much faster, that much easier.
So we see a lot of these insurance policies being written for flat dollar amounts.
I think I need, as an example, $1 million in terms of effective coverage to help us when a specific breach was to occur.
And typically insurers are banking on, ideally, you never leveraging that policy.
At some point in time in the future, maybe, or maybe it doesn't happen.
It's all a factor of how you are specifically targeted, what types of services that you provide to your customers, how easy it is, how much time, energy you invest in your own cybersecurity program.
So seeing the advent of what was traditionally a very complex and technically advanced set of skills that were necessary to
exploit organizations, AI has significantly lowered that bar of entry for adversaries.
It's enabled them to spin up active campaigns to target organizations through spear phishing,
to exploit open APIs or web services that you may have available to the point where we're seeing
it quite regularly, whereas in maybe the past upwards or five years ago,
we would see one or two phishes, maybe a month, maybe a quarter.
Now we're seeing that multiple times happening every day.
And we see this compounding in retrospect to insurance carriers
that we're seeing an increase of breaches,
increase of activity from adversaries,
and it's just common sense and logical deduction
that the insurers are going to end up having this snowfall effect
where more organizations are going to find themselves
being breached, leveraging these policies, and ultimately these insurers, who rightfully so up until recently haven't had to pay out large significant amounts,
or, like in California, seeing with fire area examples and disasters, those policies quickly escalating
and quickly having some monetary impact to the insurers themselves. And ideally, this is what we're describing as this watershed moment for cyber insurers.
How do you see the cyber insurers adjusting the policies that they offer
and the scrutiny that they have for paying people back after an incident?
Yeah, great question.
So up until recently, most of the time it was filling out a self-assessment questionnaire,
and then based off of how you answered that questionnaire,
your policy would be effectively ranked.
And you would get your premium assigned after that.
Now we are seeing insurers begin to do more formal due diligence with insurees to make sure that what they report as factually accurate is to their best of their abilities, actually factually in place.
A great set of tools that we're seeing more and more are these types of risk assessment tools.
Again, BitSight is one of them.
Security Scorecard is another one.
It's very easy for organizations to kind of leverage these types of
holistic tools that look at organizations, your domain, your emails, your employee accounts,
and just try to get a valid or maybe a symbolic sense of what the risk profile is for your
specific organization. And we're seeing insurers adopt more and more like technologies or
validate that additional protective measures are in place. Show me screenshot. Show me examples
of where you're actually using these tools. Where in the past it was more of a
traditional just questionnaire, true or false, yes or no, types of questions to where now it's
a borderline what we would expect in like a compliance audit or some form of due diligence audit
by our customers. We want to make sure that you're actually implementing these various
types of controls, that you have these tools, you have these teams, you have these technologies
in place because they themselves are seeing the increase in policy payouts. And it's just
a matter of time with the advent of AI coming into the picture of more and more, we're going
to see more and more organizations breached every month, every quarter, every year.
What's your advice for the folks who are out there shopping for insurance? What sort of things
should they be looking for and what can they put in place to make sure that the insurance
companies see them as a good risk? Great question. I would think that the first and foremost is
to find yourself a really good broker that understands the space in which you operate as an
organization, what type of customers you typically deal with in an hour, and have similar
like insurers within their portfolio so that you have a really good partnership to be able to
provide the right insurance, to be able to provide the right level of comfort and coverage,
but also a lot of times with these insurers policies, they are a gateway for a lot of
organizations to get that advanced help and when the stressful time does occur like a
breach. So that would be step number one. Step number two is to really assess what does a breach
impact to your organization really mean. So understanding if we were breach, is there some form
of reputational damage that will be underway against our organization? Is there some kind of
reporting obligation that has to be done to a government or third party agency or customer
base? What does all that mean? What does it mean if we lose customer data? What does it mean if
data that customers provide to us is actually exfiltrated, meaning removed from my possession
by an adversary? I think a lot of times as consumers, we're inundated with breach
notifications from this credit reporting agency or this web service. So we kind of get into this
false sense of narrative that that was okay. It's not okay by any means. And so trying to wrap
our heads around that specific issue as an organization. And what does it mean for our future
goals, for our milestones that we as an organization are trying to achieve is really imperative.
When you think about, am I picking the right cyber insurance policy, the right sets of
coverages, the policy includes the things that I'm going to need to most, but also the
amounts that are going into that policy, do we believe that will cover us when that breach does
occur? And then lastly, is really most important, as I'm referencing here, is to really understand
and walk through that as an executive team, as a PR function, what does it mean when we actually
have a breach and to have everybody be ready for when that event occurs? All of those will impact
that policy. All of that will impact which provider you choose. And to make sure that that
partnership is as effective and seamless as possible.
It sounds to me like part of what you're saying is
people need to be mindful to not just have their insurance policy be a checkbox in the things that
they do in business, that, you know, the person that you're dealing with, your broker,
could be a partner in making sure that you're where you need to be.
One thousand percent.
And also could be a tremendous partner and lifeline when you do have that breach.
It's incredibly stressful. You're going to get inundated with lots of customer calls,
executive calls, a lot of financial backers, especially investors, will all of a sudden
ask lots of questions when that event does occur. And having that amazing partner,
a moment, phone call away is really a tremendous value ad that a lot of these brokers,
a lot of these insurers will provide if you've picked the correct one. And I often use the
analogy of, you know, in our own personal life, we're often motivated by price. So when we go purchase
an auto insurance policy, a life insurance policy, price as a consumer is typically one of the
greater impacts to why I chose the specific provider. But from a business perspective, price
should be secondary and more focused on what is the risk and an overall partnership with
that provider when that emergency does happen. So unlike, you know, you know, you know,
again, I'm trying to use it in generic terms, but you may never use your auto insurance policy,
which is a goal. Many of us don't ever use or home insurance policy. In a cyber insurance policy
perspective, you are almost guaranteed at some point in the future to use that policy because you
will be breached. It's just a matter of timing when that will occur. And so having the very
best partnership, the most effective policy in place that covers all of the aspects that you
as an organization deem necessary or vital to continue operations is really, we cannot stress
that enough with more and more people.
More like a life insurance policy where, you know, nobody gets out alive, right?
Like we all meet her that day.
That's exactly it.
That's a great analogy.
And so, again, it's inevitable, right?
And so thinking through that, life insurance is a great analogy.
How does it get paid out?
Why does it get paid out?
What does it mean for my heirs?
What does it mean for my family?
Those types of similar type of conversations we conduct as an organization to make sure we're properly insured.
Again, it's always that balance.
You know, a lot of times we don't want to have too much insurance.
We don't want to be stuck with too little either.
So trying to find that balance, I think, is also another important aspect.
That's Mike Arrowsmith, Chief Trust Officer at NinjaOne.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
And now, a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files,
registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, researchers have now confirmed what many parents long suspected.
Giving a teddy bear the verbal powers of a Silicon Valley chatbot may,
in fact, be a terrible idea.
In tests of three AI-powered toys, the U.S. Public Interest Research Group found the gadgets
behaved less like cuddly companions and more like unfiltered internet strangers.
Given just a bit of conversation, the toys began offering children tips on locating kitchen
knives, lighting matches, and in one memorable case, exploring a wide range of eroticism.
The worst offender, FoloToy's Kumma, managed to pivot from safety-first little buddy
to full-blown kink tutorials with unsettling enthusiasm.
Researchers warn that the holiday rush will put millions of these lightly regulated devices into homes
long before anyone understands their developmental impact.
As the Public Interest Research Group's RJ Cross put it,
if she were a parent, she would not hand her child a chatbot in a bear suit,
no matter how cute and cuddly it may be.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Dr. Renee Burton,
Vice President of Threat Intelligence at Infoblox.
We're discussing their research, Deniability by Design: DNS-Driven Insights into a Malicious Ad Network.
That's Research Saturday. Do check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity,
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.