CyberWire Daily - Ransomware sick day.
Episode Date: August 29, 2025
A suspected ransomware attack disrupts hundreds of Swedish municipalities. Google warns Gmail users of emerging cyberattacks tied to the ShinyHunters group. A malicious supply chain attack hits the npm registry. Senators press AFLAC for answers following a data breach. Law enforcement takedowns splinter the ransomware ecosystem. The FBI and Dutch police take down a major online fake ID marketplace. Florida proposes requiring healthcare providers to strengthen data breach preparedness and reporting. Our guest is Kathleen Peters, Chief Innovation Officer at Experian North America, explaining why AI is both accelerating and mitigating fraud. An affiliate army pushes fake casinos worldwide.
CyberWire Guest
Today we are joined by Kathleen Peters, Chief Innovation Officer at Experian North America, who is sharing the AI paradox: why AI is both accelerating and mitigating fraud. You can learn more in Experian’s U.S. Identity & Fraud Report.
Selected Reading
Hundreds of Swedish municipalities impacted by suspected ransomware attack on IT supplier (The Record)
Google issues emergency warning for all Gmail users (Geekspin)
TransUnion Data Breach Impacts 4.4 Million (Security Week)
Npm Package Hijacked to Steal Data and Crypto via AI-Powered Malware (Infosecurity Magazine)
US Senators Call for Details of Aflac Data Breach (Bank Infosecurity)
Ransomware gang takedowns causing explosion of new, smaller groups (The Record)
FBI, Dutch cops seize fake ID marketplace, servers (The Register)
Florida Considers Rule to Improve Healthcare Data Breach Transparency (The HIPAA Journal)
Affiliates Flock to ‘Soulless’ Scam Gambling Machine (Krebs on Security)
Audience Survey
Complete our annual audience survey before August 31.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
A suspected ransomware attack disrupts hundreds of Swedish municipalities.
Google warns Gmail users of emerging cyber attacks tied to the ShinyHunters group.
A malicious supply chain attack hits the npm registry.
Senators press Aflac for answers following a data breach.
Law enforcement takedowns splinter the ransomware ecosystem.
The FBI and Dutch police take down a major online fake ID marketplace.
Florida proposes requiring health care providers to strengthen data breach preparedness and
reporting. Our guest is Kathleen Peters, chief innovation officer at Experian North America,
explaining why AI is both accelerating and mitigating fraud. And an affiliate army
pushes fake casinos worldwide.
It's Friday, August 29th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Friday. It's great to have you with us. A suspected ransomware attack on Swedish IT supplier
Miljödata has disrupted systems across nearly 200 municipalities and regions. Miljödata provides
HR software used for sick leave, medical certificates, and workplace injury reports. The attack,
detected on Saturday, is now under police investigation, with extortion attempts reported. Civil
defense minister Carl-Oskar Bohlin confirmed the government is closely monitoring the situation,
though the full impact remains unclear. CERT-SE and the National Cybersecurity Center are assisting
both Miljödata and affected municipalities. Miljödata's CEO Erik Hallén said external experts are working to
restore functionality and assess damage. With 290 municipalities in Sweden, the scale of the
disruption is significant. Bohlin emphasized the need for stronger national cybersecurity, noting a
forthcoming bill that would impose stricter security requirements.
Google has issued an emergency warning to Gmail users after cyber attacks tied to the ShinyHunters
group emerged following a Salesforce data breach. While Google's own systems remain secure,
hackers are exploiting stolen business data through social engineering, particularly by
impersonating IT staff in phone-based vishing attacks.
Google's threat analysis group detected the activity in June,
confirming several successful intrusions by August through compromised passwords.
ShinyHunters, active since 2020, have a track record of high-profile breaches
at companies like Microsoft, AT&T, and Ticketmaster, often leaking or selling stolen records.
Impacted users were notified on August 8th.
With Gmail serving over 2.5 billion people, Google urges all users to strengthen defenses by updating passwords and enabling two-factor authentication.
TransUnion is notifying over 4.4 million people of a July 28th data breach exposing names, Social Security numbers, and birth dates.
The compromised data came from a third-party application used for U.S. customer support, though not from core credit
files. Victims are being offered two years of free credit monitoring and fraud assistance.
Hackers linked to ShinyHunters, reportedly tied to the broader Salesforce breach campaign,
claim additional data like addresses and emails were stolen. The incident follows similar
Salesforce-related breaches at major global firms. A malicious supply chain attack hit the npm
registry on August 26th, when attackers published compromised
versions of Nx, a popular open source build platform. npm is a massive public database
of JavaScript software packages. Eight versions contained malware that stole developer secrets,
SSH keys, GitHub and npm tokens, and even cryptocurrency wallets. The malware abused AI CLI
tools like Claude, Gemini, and Amazon Q to scan systems, then exfiltrated data to GitHub
by creating repositories under victims' own accounts.
Within just five hours, thousands may have been exposed.
StepSecurity later confirmed a second wave.
Attackers weaponized stolen GitHub CLI OAuth tokens,
converting private repos into public ones
and forking them for persistence.
Researchers call this the first known supply chain attack
that hijacked AI developer tools for data theft,
urging urgent credential resets and repo audits.
The U.S. Senate Health, Education, Labor and Pensions Committee
is pressing insurance giant Aflac for answers after a recent cyber attack
exposed personal and health data.
In an August 22nd letter, Senators Bill Cassidy, Republican from Louisiana,
and Maggie Hassan, a Democrat from New Hampshire,
asked CEO Daniel Amos to detail the company's
security protocols, how protected health information was safeguarded, and what measures are
planned going forward.
Aflac first disclosed the breach to the SEC on June 20th, calling it part of a cybercrime
campaign targeting insurers.
Regulators later confirmed that HIPAA-protected data for at least 500 individuals was compromised.
Lawmakers compared the incident to last year's Change Healthcare breach and warned of rising
cyber risks in health care, which cost organizations nearly $10 million per incident and disrupt
patient care. The ransomware ecosystem is splintering as law enforcement takedowns scatter
affiliates, and force criminal rebrands. Malwarebytes reports that between July 24 and June of
this year, 41 new groups emerged, pushing the total over 60 active gangs for the first time. This doubling
over three years has fueled a surge in attacks, aided by leaked ransomware code,
commoditized tools, and even AI, which lowers barriers to entry.
Large ransomware-as-a-service groups like LockBit, Hive, and ALPHV have been disrupted,
but affiliates often rebrand or form new crews.
Researchers note that trust within the cybercriminal underground is eroding,
leading to infighting, exit scams, and stolen data being sold,
multiple leak sites. With dominance more fleeting, small groups now drive attacks,
fragmenting the ecosystem further. The FBI and Dutch police have shut down VerifTools,
a major online marketplace selling fake IDs for as little as nine bucks. The site offered
counterfeit driver's licenses, passports, and other documents from all 50 U.S. states and several
countries. Criminals used the IDs for fraud, IT job scams, and bank help desk cons,
while teens exploited them to buy alcohol. On August 27th, Dutch police seized VerifTools servers
in Amsterdam, while the FBI took its domains offline. Investigators linked the marketplace
to about $6.4 million in illicit proceeds. Undercover agents even purchased fake New Mexico licenses
using cryptocurrency during the probe, which began in 2022.
Authorities said the takedown marks a major step against fraud and identity theft,
though users and admins remain under investigation.
Florida's Agency for Healthcare Administration has proposed a new rule
requiring health care providers to strengthen data breach preparedness and reporting.
Providers would need a written contingency plan to ensure critical operations
and patient care continue during IT incidents, including secure, redundant data backups within
the U.S. and verified restorability. The rule defines incidents broadly, covering cyber
attacks and insider misuse. Providers would have to report incidents to the administration
within 24 hours. These requirements would supplement existing HIPAA rules. A workshop is scheduled
for September 17th.
Coming up after the break, Kathleen Peters from Experian North America explains why AI is both accelerating and mitigating fraud,
and an affiliate army pushes fake casinos worldwide. Stay with us.
Kathleen Peters is Chief Innovation Officer at Experian North America.
I recently caught up with her for explanations on why AI is both
accelerating and mitigating fraud.
In the context of fraud, and as we're thinking about it,
it's interesting here at Experian for 10 years now, we've done an annual study and survey
talking to consumers and businesses about fraud, about identity, privacy, understanding
what consumer sentiments are and where business spend is. And over all of those years,
conclusions that we've come to, as we've put the study together, is that fraud is on the rise.
It's a sad state of affairs, but that's the world that we live in. And this year, we've found the same
conclusion. Fraud is on the rise. However, this year, it truly is different. What I'm seeing is that
this year, AI, in fact, really the generative AI capabilities that are publicly available are
changing the fraud landscape. And so what's happened is artificial intelligence AI itself has been
around for over a decade. And it has traditionally been the realm of data scientists, engineers,
who were able to manipulate the power of AI and generative AI, because even generative AI existed
quite some time ago. But you needed experts and you needed compute horsepower. And those things
didn't exist in the same way as they have now over the last 18 to 24 months. So when OpenAI
put ChatGPT in the marketplace, it suddenly really democratized that power and that capability
of AI. Suddenly, people are able to use natural language to harness that power, and we also
have the compute behind that that's available from new chipsets, as well as through cloud capabilities.
And so that has really, as you can imagine, empowered fraudsters to be more creative and more
efficient than ever before. It's also empowering businesses to be able to fight fraud, but what's
really changed in that fraud landscape is how these publicly available tools have made committing
fraud easier and more scalable than ever before.
Well, as you mentioned, you and your colleagues
at Experian have been tracking this for some time now. Is it fair to say that this explosion of
AI accessibility really is a demarcation point when it comes to how we think about dealing with
fraud?
It really is.
What we've found is that businesses are going to need to assess how they're fighting fraud today, looking at the tools that they have. We'll still need a layered approach. We'll still need to use various tactics to stop the fraudsters. However, people need to look at what's different now. In fact, in our survey, we found that 72% of business leaders are expecting there to be major challenges in 2020.
around the fraud landscape, and the overwhelming majority are prepared to invest more in their
fraud solution in the coming 12 to 18 months.
Can you help put that in perspective for us?
I mean, are there categories of fraud that businesses need to be most concerned with?
Certainly. I would say that one of the fastest growing areas is in the area of scams.
So we've seen this brewing for a while now where fraudsters are growing more sophisticated in finding ways to reach out to individuals, to consumers, or to employees even at businesses that they are trying to scam, and they are using various types of phishing or smishing, whether there's something SMS's emails to get folks to click on things.
But more often, too, they're engaging in conversations to build trust with an individual
and then through that trust in convincing the individual to send them money or to reveal
passwords or other personally identifiable information so that the fraudsters can then
harvest that information and commit the fraud themselves.
We see this social engineering, these phishing scams happen.
The victims are often groomed over time, and that's just leading to a new degree of scam
capabilities by fraudsters that is really starting to scale.
Well, let's look at the other side of it then, on the defensive side, how does accessibility
to AI tools benefit organizations?
Yes, and so this is an area that I'm very excited about.
So for Experian and other providers of fraud tools, as well as businesses with fraud teams themselves,
we're really able to harness the new power that AI is bringing these days.
So for example, AI is particularly strong at data processing.
Using AI and the newest forms like agentic AI, businesses can analyze a lot of information from multiple sources at very
high speed. So that's a big advantage. Being able to assess as much data as possible in the
moment will help us get a better idea of how risky a transaction is. AI is also really good at
pattern recognition. This has been a hallmark of strong fraud solutions historically in terms
of machine learning, and that is certainly carried forward with the capabilities in AI and
agentic AI today. Being able to do these things and detect fraud in real time so that we can
enable that immediate response to something that we feel is high risk is a great capability
that AI is bringing that fraud fighters will continue to use as a really good tool in the toolbox.
Are there any elements of AI that are weaker than others? In other words, if I'm looking to
enable this to help me with my defenses, any particular areas I should maybe steer away from
for the time being?
I would say that great AI solutions really depend on their training. So you want
to use as much data as possible to train the solutions and the models that you're going to
apply to a particular fraud problem. So it's not about maybe using AI to move away from certain
tasks, it's thinking about how you use AI very wisely.
And what are your recommendations then for organizations exploring this?
What's the best way to go down this path?
The best thing to do is to start trying these solutions and get familiar with them.
Even as generative AI and the public models were coming online, I encouraged audiences that I
spoke to, get your fraud teams using these tools and
understanding the threat better. And then as you do that, work with a trusted partner.
Work with Experian, work with your partners in this space to assess your overall fraud-fighting
estate. How long has it been since your models have been tuned and updated? What other types
of capabilities can you add that will help fight and hold off this next generation of scams?
They're really getting sophisticated.
This is a great time to review what you're doing
so that you can match the fight and fight AI with AI.
That's Kathleen Peters, Chief Innovation Officer at Experian North America.
And finally, according to Krebs on Security, it turns out that the flood of shiny new
online gambling sites wasn't the work of entrepreneurial Vegas hopefuls but of
a Russian affiliate program called Gambler Panel, a soulless project made for profit, in its
own words. The scam is polished: ads promise $2,500 in credits, players register, win fake
jackpots, then hit a wall when trying to cash out. Then follows the verification deposit
request in crypto, money that, of course, never comes back. The scheme is disturbingly professional,
complete with fake casino software, chat support scripts, and a wiki that could pass for startup
documentation if you ignore the part about fleecing victims.
Affiliates, some 20,000 strong, are promised up to 70% of profits, complete with Telegram
brag posts of sports cars and models.
As one teen researcher dryly noted, it's basically fraud as a service, franchising the casino
dream, but with none of the winnings.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
A quick program note, we will not be publishing our regular update this coming Monday.
There will be some special editions in your CyberWire feed, so be sure to check those out.
We'll see you back here on Tuesday.
We would love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August, so just a couple more days.
There's a link in the show notes.
Please take a moment and check it out.
Be sure to check out this weekend's edition of Research Saturday.
And my conversation with Jamie Levy, Director of Adversary Tactics
at Huntress. We're discussing their work on active exploitation of SonicWall VPNs. That's Research
Saturday. Check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz
Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is
Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you
back here next week.