CyberWire Daily - Prosper’s not so prosperous week.
Episode Date: October 17, 2025

Prosper data breach reportedly affected more than 17 million accounts. Microsoft revokes certificates used in Rhysida ransomware operation. Threat actors exploit Cisco flaw to deploy Linux rootkits. Europol disrupts cybercrime-as-a-service operation. BeaverTail and OtterCookie merge and display new functionality. Singapore cracks down on social media. On our Industry Voices segment, we are joined by Danny Jenkins who is talking about defending against AI. And who let the bots out?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we are joined by Danny Jenkins, CEO and Co-Founder of ThreatLocker, talking about defending against AI. You can tune into Danny's full conversation here.

Selected Reading
Have I Been Pwned: Prosper data breach impacts 17.6 million accounts (BleepingComputer)
Microsoft Revokes Over 200 Certificates to Disrupt Ransomware Campaign (SecurityWeek)
Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits (Trend Micro)
Critical ConnectWise Vulnerabilities Allow Attackers To Inject Malicious Updates (Cybersecurity News)
European police bust network selling thousands of phone numbers to scammers (The Record)
North Korean operatives spotted using evasive techniques to steal data and cryptocurrency (CyberScoop)
New Singapore law empowers commission to block harmful online content (Reuters)
Niantic's Peridot, the Augmented Reality Alien Dog, Is Now a Talking Tour Guide (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's sponsored jobs help you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K CyberWire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your job more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring? Indeed is all you need.
Prosper data breach reportedly affected more than 17 million accounts.
Microsoft revokes certificates used in Rhysida ransomware operation.
Threat actors exploit Cisco flaw to deploy Linux rootkits.
Europol disrupts cybercrime as a service operation.
BeaverTail and OtterCookie merge and display new functionality.
Singapore cracks down on social media.
On our industry voices segment today, we are joined by Danny Jenkins, who is talking about defending against AI.
And who let the bots out?
Today is Friday, October 17, 2025.
I'm Maria Varmazis, host of T-Minus Space Daily, taking the mic for Dave Bittner.
And this is your CyberWire Intel Briefing.
Thank you for joining me on this Friday. Let's get into it.
A data breach disclosed last month by financial services company Prosper affected more than 17 million accounts, according to BleepingComputer.
Prosper disclosed that the attackers stole Social Security numbers belonging to Prosper customers and loan applicants, but didn't share how many users were impacted.
Have I Been Pwned disclosed the alleged scope of the breach yesterday, saying that the breach affected 17.6 million unique email addresses, as well as names, dates of birth, government-issued IDs, employment status, credit status, income levels, physical addresses, IP addresses, and browser user agent details.
A Prosper spokesperson told BleepingComputer that the company, quote, is not able to validate Have I Been Pwned's report, adding the investigation to determine what data was affected and to whom it belongs remains ongoing.
Microsoft disrupted a Rhysida ransomware operation by revoking more than 200 certificates that were being used to sign malicious Teams installers, according to SecurityWeek.
The company attributes the activity to the financially motivated threat actor called Vanilla Tempest.
Microsoft stated, running the fake Microsoft Teams setup delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor.
Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025.
To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL.com, DigiCert, and GlobalSign code signing services.
Trend Micro has published a report on the exploitation of a Cisco SNMP vulnerability to deploy rootkits on older Linux systems.
The researchers have dubbed the operation Zero Disco after the universal password used by the malware.
The report notes Trend Micro telemetry has, as of writing, detected that Cisco 9400 series and 9300 series are affected by this operation.
The operation also affected Cisco 3750G devices with no guest shell available, but this type of device has already been phased out.
And Trend Micro added this.
Currently, there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the Zero Disco operation.
So if you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware, ROM, and boot regions.
Security researchers have disclosed critical vulnerabilities in ConnectWise,
a widely used remote monitoring and management platform.
Attackers could exploit these flaws to gain unauthorized access,
execute arbitrary commands, or escalate privileges across managed networks.
Some of the issues stem from inadequate input validation and weak authentication checks
in key modules, including web interfaces and API endpoints.
Because remote monitoring and management tools inherently have deep privileged access,
exploiting them can grant attackers broad control over client environments.
So users are strongly urged to apply vendor patches immediately,
audit all privileges and sessions, and monitor logs for suspicious behavior.
The situation does underscore how remote monitoring and management and managed service provider software do remain prime targets, as when compromised, they act as force multipliers for attackers.
A Europol-coordinated operation resulted in the arrest of five Latvians accused of operating a service that sold phone numbers to scammers, according to The Record.
Police seized 1,200 SIM box devices and 40,000 active SIM cards.
Europol stated, the online service created by the criminal network offered phone numbers registered to people from over 80 countries for use in criminal activities.
It allowed perpetrators to set up fake accounts for social media and communication platforms, which were subsequently used in cybercrimes while obscuring the perpetrators' true identity and location.
North Korea-linked operators are using stealthy, modular malware and social engineering to steal credentials and cryptocurrency.
Cisco Talos and Google's Threat Intelligence Group observed campaigns linked to Famous Chollima that involved the use of BeaverTail and OtterCookie, which are separate but complementary malware strains frequently used by the North Korea-aligned threat group.
Researchers said that their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns.
Those recent campaigns trick job seekers into installing loaders that deploy info-stealers, backdoors and ransomware, often rotating tool sets and infrastructure to evade detection.
Attackers favor low-noise tactics like Rust-based binaries, transacted hollowing, and impersonation of legitimate services to blend malicious traffic and reduce forensic footprints.
Compromised endpoints are leveraged for targeted crypto theft, data exfiltration, and follow-on ransomware, while operators rapidly switch payloads and C2 servers to frustrate defenders.
Singapore's parliament passed a sweeping new law, granting authorities broad powers to block harmful online content, target platforms with fines of up to 1 million Singapore dollars, or the equivalent of 740,000 U.S. dollars, and require removal of content at, quote, short notice.
The legislation empowers the Infocomm Media Development Authority to issue takedown orders without court approval and mandate platforms to use proactive monitoring tools.
Platforms that fail to comply may be blocked in Singapore, and foreign services face stricter obligations if they reach large audiences in the country.
While dubbed a move to protect society from disinformation and cyber harm, critics warn that it risks censorship and overreach, especially given its vague definition of what harmful speech means.
Civil liberties groups say that the law could chill online discourse and give the state sweeping control over public narratives.
After the break, we have our Industry Voices segment with Danny Jenkins, CEO and co-founder of ThreatLocker, talking about defending against AI.
And who let the bots out?
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe, are my vendors secure?
Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready. All the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
On our Industry Voices segment, Dave Bittner recently sat down with Danny Jenkins, CEO and co-founder of ThreatLocker, to talk about defending against AI.
Here's their conversation.
All right.
So today we are talking about zero trust in this era of intelligent malware and dealing with AI.
Before we dig into the AI part of this story, I would love to hear from you how you define zero trust.
So essentially the idea of zero trust is to allow what is needed and block everything else
or deny everything else, essentially least privilege.
So in the case of applications, it means if an application is required to do your job or
function, it should be allowed to run.
If it's not, it should be blocked, whether it's malware or whether it's a game or a remote
access tool.
In the case of what applications should do, we'd say if an application needs to talk to the internet or needs to see your files, it should be able to see your files. If it doesn't, it shouldn't.
How has the state of the art of zero trust changed over the past few years?
So I think the biggest change is really the usability of it. And that's where we've really
focused is how do we make this so it's hours and days at worst to deploy, not months and years
to deploy. And traditionally, zero trust was very, very complicated if you weren't a brand new
business because nobody knew what they needed and what they didn't.
And I think what's changed is the technology is the ability to learn from the history of applications, know what applications need to do, so you can apply those policies without effort.
Well, let's talk about AI. I mean, in this era we find ourselves in, certainly rapid change here.
How has AI affected people's ability to rely on zero trust?
So I think it's made it more important because now we're in a situation where we're trying to determine things are good or bad that have never been seen before.
If we go back four years ago, you had to be a software engineer to write a piece of
malware or you had to buy it. And antivirus companies, EDRs would add that malware into that
database as soon as they saw it. And it was a few days behind, a few weeks behind, a few months
behind sometimes, but they would eventually get it added into their database. Today, anyone with a
computer, there's now five, six, seven billion people in the world that can create malware.
That malware has never been seen before. It's very hard to determine if its intent is good or
bad. Is it a piece of backup software that's copying your files to the internet or is a piece of
malware? And what that's meant is zero trust is so much more important because this unknown
is going to be blocked by default. And what are you all seeing in terms of what the bad guys are
doing embracing AI? So I think the two areas we see the most of is AI-created malware, malware that's
brand new, never seen before. And even something as simple as ChatGPT, if you ask it to write
you a piece of backup software to find where you store your files and upload it into the
internet, it will do that and it will give you the code and spit it right out. So we're seeing
a lot of malware created like that that hasn't been seen, but also a lot more scamming.
It's a lot easier for an attacker to send you a convincing email saying, hey, I need to update
your machine, can you click on this? Whereas previously these emails were badly written. They were
poor English. It took a long time. Again, they were being reused and getting picked up by
anti-spam. Now, every time you're going to AI, or you can go into any kind of AI LLM and say,
write me an email as if I'm in the HR department telling people they should update their
machines for security reasons. And it will write a really well-crafted email. They can then hit
regenerate and it'll create functionally the same email, but very uniquely different email,
so it's harder to be detected by spam. Even voice AI we're seeing sometimes, not as much,
where attackers, definitely when they're more targeted, are simulating someone's voice to call
and saying, can you run this on your machine?
Can we talk about some of the challenges
that folks are facing when it comes to AI and cybersecurity?
More generally, what are some of the things
that you all are seeing here that people are challenged with?
So I think there's two challenges.
One is the risk of attack because of the increase in AI,
so that malware, that spam email, that scamming email.
But the other challenge is companies and users
using AI without necessarily the knowledge of the company
and copying company data into LLMs,
then maybe don't keep that confidential,
we'll build that into their training model, IP, source code.
And that's a big concern as well.
And companies really don't know how to control
what tools the users are using
and what to do about that.
So that's probably the second biggest challenge.
Well, are there any particular areas
where Zero Trust has challenges
when it comes up against the AI
specter, if you will.
So I think only to the point of where it's implemented.
And we also have to classify AI.
If we think about AI in 2010, 2011, it was all the big word, big data, AI, machine learning.
And AI in those times was we're going to build out and use data from the past to make decisions
about the future image recognition, even when, if you think back to Tesla self-driving cars
or at least partially self-driving cars in 2016, 2017.
Then suddenly we've got the second wave of AI, which is really LLMs, the ChatGPTs, OpenAI, the Groks, those type of things.
And what we've seen is a lot of people have reclassified what was previously considered as machine learning or intelligence based on previous data sets as AI, but then we also have the LLMs.
And that's what's really new is this LLM, the ability to create content based on that.
I think the only risk where it comes to a zero trust environment is the person that's implemented it could be convinced to implement something
because they've got a voice call from somebody
but it's less likely because they're the people
that are trained on cybersecurity.
These are the processes we follow.
This is what we're going to do.
In a non-zero trust world
while we're trying to detect,
AI is incredibly bad at detecting malicious intent.
And it can also be manipulated.
Data can be injected in.
So if you, for example, created a piece of malware,
put it on the internet,
wrote a blog post about it,
this software does this, and then you asked AI to research that, because it doesn't exist anywhere else, it's going
to go to the one source on the internet, which is the attacker's source. So AI is really bad at
detecting, but from a zero trust point of view, because we're blocking by default, it really doesn't
matter too much. Well, I know you and your colleagues at ThreatLocker talk about zero trust
being not just technology but a mindset. Why is that distinction important? So technology is a tool.
So if you think about, if you say I'm going to implement zero trust and you think I'm going to buy a tool.
So if you buy ThreatLocker and you implement our allowlisting and our network controls to block network ports
and you implement our storage to block storage, you implement detect policies that automatically limit how much you can upload.
That is a set of tools to help you do something.
But the starting point, and this is not just about technology, the starting point in anything
is not to buy the tool, but what do I want to achieve?
How do I achieve it?
And it could also be granting a permission to a file.
A lot of companies back in, well, even today,
will set up a file server or a SharePoint,
allow the whole company to access that SharePoint,
even if they don't need to access it.
And they say, well, it's okay.
It's only the marketing department.
I don't think our marketing people are going to steal our source code.
And well, in most cases, that's true.
You do have insider threats.
So when you think about zero trust,
you're saying it's not just about stopping untrusted software.
It's also about making sure your marketing team
don't have access to your source code,
or this department developers don't have access to this source code.
And when you think about that mindset,
it really helps you everywhere.
And I'll give you one example.
I remember back in 2015, I think it was,
I was dealing with a ransomware attack.
The entire business was encrypted.
Someone had got in, ransomware encrypted all of the file shares.
They got on as a domain administrator,
all of the file shares, all of the laptops, everything,
except one share.
And that was the payroll share.
And the reason the payroll share wasn't encrypted
was because someone at some point said, I don't want the IT guy seeing the payroll, so I'm going to remove
domain admin permissions from payroll. And the payroll wasn't encrypted. Now, if they had taken
a zero-trust approach to even files at that point, they wouldn't have been able to encrypt the
marketing and the accounts and the other things that were allowed open to the whole company. So
it's not just about stopping untrusted software. That's probably one of the most important
zero-trust approaches you can take, but it's also about stopping files being copied and uploaded
where they shouldn't be and other things like that.
Yeah, that's a fascinating story.
I mean, in an attempt to protect some information
that they felt shouldn't have been accessible to a certain employee,
they ended up making themselves less secure.
Well, in that case, the payroll more secure,
but they only protected the payroll.
Everything else was allowed.
So the domain admin could access everything except the payroll.
And they took away the payroll,
and that was the only thing that wasn't encrypted
because they didn't trust the IT guy with the payroll.
I see.
Where do you suppose we're headed with this?
As you look towards the future and zero trust and the development of AI,
what's in your crystal ball?
So I think the future, well, I know the future of security
has to adopt a least privilege approach
and call it zero trust, call it least privilege,
but it has to.
If we think about, look at the breaches, I mean, look at MGM.
Do we think MGM, one of the most advanced companies,
in the world when it comes to security. They have cameras and monitors all of their
business. Do you think their cybersecurity didn't have a SOC and an EDR and some of the best
detection tools in the world? And yet we saw them completely shut down from someone running a piece
of malware or giving someone access. So I think as a world, we have to accept that the future of
security is about blocking first, setting controls, making sure people don't have access to more
than they need to. And there's no choice of that. And I think we've proven that as a company,
because today we've got nearly 70,000 companies that have implemented zero trust.
69,900 of them had never taken or even considered that approach before.
And the future is nearly every business will have to adopt this.
And that's going to change the paradigm of cybercrime,
because it's going to be much harder for the criminals,
and they're going to have to start doing something else.
Do you find that people come to the table,
potential customers for you, feeling as though this is going to be a much heavier
lift than it actually is, the conversion to using zero trust?
Absolutely.
Nearly 99% of our customers think this is going to be a complete disaster.
And we as a company have to educate, show them the reason.
We do extended trials for that reason.
We'll say, why don't you do a long trial?
We'll deploy it.
We'll actually secure it.
We'll do simulations to show you what will happen.
But it's always starting with fear and then always being pleasantly surprised
that with the right tool set, the implementation doesn't have to be difficult.
Well, before I let you go, just a tip of the hat, how much me and my crew enjoyed being
at Zero Trust World last year in Florida and being able to do our Hacking Humans show live.
It's quite an event you and your colleagues throw down there. Okay, I appreciate that. Thank you.
Yeah. Hopefully we see you again next year. We're looking forward to it.
And that was Dave Bittner, sitting down with Danny Jenkins, CEO and co-founder of ThreatLocker, talking about defending against AI.
And if you enjoyed their conversation and want to hear the full interview, head over to our Industry Voices page, where there's a link in the show notes.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales. T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside,
so being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply. Learn more at mx.ca slash y annex.
And finally today, Niantic, the company that gave us Ingress and Pokémon Go, is once again blending the digital world with the real one.
Their new AR pet game called Peridot now comes with a new twist.
Your alien dog can talk.
Through a partnership with Hume AI and Snap's latest Spectacles, Niantic's Dots, and those would be colorful dog-sized companions you can only see with augmented reality, can now act as your personal tour guide.
Now, I want you to picture walking along the San Francisco waterfront when your virtual dog pipes up to share a fun historical fact about the pier.
It's part navigation, part trivia night, and part fever dream.
Developers of this say that it is a glimpse of the future, one where AI companions can help guide us through the world around us.
And for now, it's a chance to see what happens when man's best friend meets machine learning.
Just remember, if your alien dog starts giving you directions, don't forget who's really holding the leash.
And that's The CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
And be sure to tune in to an all-new Research Saturday tomorrow, where Dave Bittner is joined by Eclypsium researchers Jesse Michael and Mickey Shkatov to share their work on BadCam, now weaponizing Linux webcams.
That's Research Saturday. Check it out.
It's the end of this stint for me sitting in for Dave.
He will be back on the mic on Monday.
And please check out our sister podcast, T-Minus Space Daily, where yours truly is the host, on your favorite podcast app.
We'd love to know what you think of our podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like the show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our producer is Liz Stokes.
We are mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Maria Varmazis, in for host Dave Bittner.
Thank you for listening.
Have a wonderful weekend.
researchers and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.dotribe.com.
