CyberWire Daily - The November that never ended.
Episode Date: September 29, 2025

A Chinese state-sponsored group exploited enterprise devices in a global espionage effort. The UK Government guarantees £1.5 billion financing to help Jaguar Land Rover’s recovery efforts. A maximum-severity flaw in Fortra’s GoAnywhere Managed File Transfer product is under active exploitation. The AI boom faces sustainability questions. Akira ransomware bypasses MFA on SonicWall devices. Dutch teens are arrested for allegedly spying for Russia. Luxury retailer Harrods confirms a data breach. An Interpol crackdown targets African cybercrime rings. We’ve got our Monday business briefing. Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan. Cyber crooks offer a BBC journalist an early retirement package.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today our guest is Brandon Karpf, friend of the show, and he joins to discuss the cybersecurity ecosystem in Japan.

Selected Reading
Chinese hackers breached critical infrastructure globally using enterprise network gear (CSO Online)
UK government bails out Jaguar Land Rover with $2 billion loan (Metacurity)
Maximum severity GoAnywhere MFT flaw exploited as zero day (Bleeping Computer)
The AI boom is unsustainable unless tech spending goes ‘parabolic,’ Deutsche Bank warns: ‘This is highly unlikely’ (Fortune)
Akira ransomware breaching MFA-protected SonicWall VPN accounts (Bleeping Computer)
Dutch teens arrested for trying to spy on Europol for Russia (Bleeping Computer)
Harrods: Hackers contact firm after 430,000 customer records stolen (BBC)
Africa cybercrime crackdown includes hundreds of arrests, Interpol says (The Record)
Cyberbit acquires RangeForce. Terra Security raises $30 million. (N2K Pro)
'You'll never need to work again': Criminals offer reporter money to hack BBC (BBC)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications,
data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
A Chinese state-sponsored group exploited enterprise devices in a global espionage effort.
The UK government guarantees 1.5 billion pounds financing to help Jaguar Land Rover's recovery efforts.
A maximum severity flaw in Fortra's GoAnywhere Managed File Transfer product is under active exploitation.
The AI boom faces sustainability questions.
Akira ransomware bypasses MFA on SonicWall devices.
Dutch teens are arrested for allegedly spying for Russia.
Luxury retailer Harrods confirms a data breach.
An Interpol crackdown targets African cybercrime rings.
We've got our Monday business briefing.
Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan.
And cyber crooks offer a BBC journalist an early retirement package.
It's Monday, September 29th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Monday.
It's great to have you with us.
A Chinese state-sponsored group known as Red November has carried out a sweeping espionage
campaign from June 24 through July of this year. The hackers targeted defense contractors,
government agencies, and corporations worldwide exploiting flaws in VPN appliances and firewalls
faster than organizations could patch them. Researchers at Recorded Future documented breaches
of at least two U.S. defense contractors,
more than 30 Panamanian government agencies,
and firms across Europe, Asia, and South America.
Victims included aerospace manufacturers and law firms.
Red November relied on publicly available tools
like the Pantegana backdoor, Cobalt Strike,
and SparkRAT to maintain persistent access,
sometimes for months at a time.
The campaign highlights how quickly adversaries
can weaponize newly disclosed vulnerabilities,
underscoring the need for rapid patching
and tighter monitoring of network infrastructure.
The U.K. government will guarantee a 1.5 billion pound loan
for Jaguar Land Rover after a cyber attack forced the automaker
to halt production at plants in the U.K., Slovakia, Brazil, and India.
The attack disrupted supply chains, leaving some vendors unpaid and staff sent home.
The five-year loan, arranged through a commercial bank and backed by U.K. export finance,
is intended to stabilize suppliers.
Officials signaled that further government assistance for JLR and its network of 120,000 U.K.-linked jobs remains possible.
Hackers are actively exploiting a maximum severity flaw in Fortra's GoAnywhere Managed File Transfer product.
The deserialization vulnerability, located in the License Servlet, allows attackers to inject commands remotely without authentication.
Security firm watchTowr Labs reports credible evidence of exploitation as early as September 10th,
eight days before Fortra publicly disclosed the flaw.
Attackers leverage the bug to achieve remote command execution, create backdoor accounts, and deploy secondary payloads,
including a repurposed SimpleHelp binary for persistence.
Researchers also observed privilege-checking commands
and attempts to enable lateral movement.
Admins are urged to patch immediately,
restrict Internet exposure of the admin console,
and review logs for suspicious entries.
The current artificial intelligence boom may be unsustainable,
according to new research from Deutsche Bank and Bain & Company.
Deutsche warned that AI-related capital expenditure has become so large it is effectively keeping the U.S.
out of recession. Without tech spending, the bank said, the economy would be near contraction.
Bain, meanwhile, projected an $800 billion shortfall in revenues needed to sustain AI's
demand for computing power by 2030, even factoring in efficiency gains.
This wave of spending has distorted financial markets, with half of
the S&P 500's gains this year tied to tech stocks.
Analysts noted that growth is being driven not by AI's output, but by building the
infrastructure to power it.
Some warn the market is dangerously concentrated in the Magnificent Seven tech giants.
Still, Goldman Sachs offered a more optimistic view, predicting significant long-term productivity
gains once AI adoption matures.
Akira ransomware operators are continuing to exploit SonicWall SSL VPN devices,
successfully logging into accounts even when one-time password multifactor authentication is enabled.
Researchers at Arctic Wolf say the activity links back to an improper access control flaw
patched in August 24.
However, attackers appear to be reusing credentials and possibly one-time password seeds stolen before devices were updated.
Google Threat Intelligence Group has observed similar behavior, assessing with high confidence that stolen OTP seeds are enabling renewed access to patched devices.
Once inside, Akira affiliates move quickly, scanning networks, enumerating Active Directory, and targeting Veeam servers to extract backup credentials.
They also deploy bring-your-own-vulnerable-driver techniques to disable endpoint protection before encryption.
Researchers stress that even fully-patched systems remain at risk if credentials were compromised.
SonicWall urges administrators to reset all VPN credentials and ensure devices are running the latest firmware.
Dutch police have arrested two 17-year-old boys accused of spying for Russia
using Wi-Fi sniffer devices near sensitive locations in the Hague,
including Europol, Eurojust, and the Canadian Embassy.
According to De Telegraaf, the teens were recruited via Telegram
and caught following a tip from the Dutch intelligence service AIVD.
Europol confirmed awareness of the case but said its systems remain uncompromised,
citing robust security safeguards.
Authorities believe the teens intercepted wireless traffic for reconnaissance,
though the full extent of their activity is under investigation.
One was reportedly arrested at home while doing homework,
with parents unaware of his espionage involvement.
The suspects remain in custody for at least two weeks as charges proceed.
The case highlights a troubling escalation in Russian recruitment of European youths
for low-level espionage and sabotage activities.
Luxury retailer Harrods has confirmed that hackers contacted the company
after stealing data tied to 430,000 customer records
in a breach involving a third-party provider.
The stolen information includes names, contact details, and loyalty card data, but no
passwords, payment details, or order histories.
Harrods said it will not engage with the attackers and is focused on supporting affected customers
while cooperating with authorities.
The company emphasized that most shoppers are in-store, limiting the breach's overall impact.
Interpol announced that 260 people were arrested across several African countries
in a coordinated crackdown on online fraud networks.
Authorities identified more than 1,400 victims who collectively lost $2.8 million
through romance scams, sextortion, and related schemes.
Police dismantled scam infrastructure and seized over 1,200 devices,
including SIM cards and USB drives.
Ghana reported the most arrests, detaining 68 suspects and recovering $70,000 of $450,000 in losses.
Senegalese police arrested 22 for impersonating celebrities to defraud victims,
while Côte d'Ivoire identified nearly 810 extortion victims tied to 24 suspects.
Angola detained eight linked to cross-border fraud cases.
Interpol warned of a sharp rise in digital-enabled crimes across Africa,
stressing that online platforms have expanded opportunities for exploitation,
with both financial and psychological harm to victims.
It's Monday, which means it's time for our weekly business briefing.
The cybersecurity market saw a wave of acquisitions this past week.
Cyberbit acquired RangeForce to expand its live-fire training catalog,
while Halon bought Germany's 11 cybersecurity to strengthen its email threat intelligence offerings.
Spreedly added fraud prevention firm Dodgeball.
Spectratel picked up mosaic networks to boost secure networking,
and Echo Store acquired CyberNorth to extend MSSP services.
Other deals included Unico buying OwnID for passwordless authentication,
DigiCert acquiring Valimail for zero-trust email,
and Blue Mantis acquiring Canadian MSB Correo.
On the funding side, Terra Security raised $30 million to advance AI-driven red-teaming,
and GDPR-compliance startup Kirtos closed a $16.5 million round.
Silent Push secured $10 million for global expansion.
Unit 221B raised $5 million to enhance threat intelligence collaboration, and Mycroft
emerged from stealth with $3.5 million to accelerate compliance automation.
Finally, Austin-based EVE Security raised $3 million to develop its AI-powered observability platform.
If business news is your thing, be sure to check out our weekly cyber business brief, part of Cyberwire Pro.
All the details on that are on our website, thecyberwire.com.
Coming up after the break, Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan,
and cyber crooks offer a BBC journalist an early retirement package.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier,
and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust,
so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta
are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means
you get back more time and energy to focus on what actually matters, like strengthening your
security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's v-a-n-t-a.com slash cyber.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the DataSec AI conference, the premier event
for cybersecurity data and AI leaders hosted by data security leader
Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage.
DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation.
Register now at datasecai2025.com
slash CyberWire.
And joining me once again is Brandon Karpf.
He's the leader of international public-private partnerships at NTT.
Brandon, welcome back.
Thanks, Dave.
Good to be back, as always.
So, an interesting article that came by,
I wanted to check in with you on as a former sailor, Naval Academy grad.
And wannabe pirate, I will say.
And wannabe pirate, absolutely.
I mean, what Naval Academy grad doesn't have that aspiration?
You know, it's the only reason I went to the Naval Academy is I wanted to be a pirate.
I understand.
Your parents must be proud.
Interesting article that came by, this is from Arizona Republican David Schweikert,
who has introduced a bill called the Scam Farms Marque and Reprisal Authorization Act into the House of Representatives.
Letters of marque, my understanding, go back to pirate days.
Can you give us a little of the background here?
Certainly.
So when you think about kind of the age of sail and how expensive it was for nations to maintain ships,
when they went into war, they didn't always have a standing
Navy, or at least they had a standing Navy, but they wanted more to have a larger effect
overseas, especially against the shipping of their adversary. And so they created these things
called letters of marque that allowed them to basically deputize a private captain who owned
his own ship. And I'll say his, because almost all of them were men. There actually were a few
instances of female captains here. But essentially allowed them to do legal piracy against
the enemies of that nation, and usually against actually the civilian traffic, like the trade traffic,
that that nation was using ships to transport.
And it was a way for a nation to kind of expand its capabilities in terms of naval operations.
So how did this affect diplomacy? If I'm out there deputizing these folks to go
attack other nations' private ships, this is not going to generate a good response?
No, and I will say that when you think about it, right, this was and is an antiquated practice, right?
This is really the purpose was to disrupt civilian infrastructure, what we today would call
critical infrastructure, and really attack the population, the civilian populations of your
adversary by affecting their trade and their finances.
It was broadly accepted as just a part of warfare during this age.
Today, that's frowned upon going after civilian infrastructure and civilian critical infrastructure, especially in a time of war.
There's laws of armed conflict that we have to adhere to.
And thinking about using this idea of the letters of marque, which is deputizing private citizens,
and more specifically in the cyber realm, it would be really private companies,
to go after independently,
maybe cybercrime infrastructure, etc.
It raises some, I would say, major concerns
around legality, but of course,
as you said, geopolitics and international relations.
We'll go on.
Well, first, without a controlling infrastructure here in place,
you would end up seeing exactly what happened
during the age of sail,
which is these private pirates,
which they really were, private pirates,
just taking advantage of these letters of marque for their own personal gain.
Some of these private pirates who were legally authorized to do what they were doing
became fabulously wealthy because they were using it as an opportunity to basically steal
and do piracy under the guise of support from the nation.
This potentially opens up the door to those types of nefarious activities,
even for authorized people.
Reverse ransomware.
Right.
Especially when you consider the fact that any cyber operation,
especially offensive operations,
are so carefully constructed
and so carefully authorized under legal frameworks,
starting at the president,
all the way down to the unit
that is conducting these operations in the U.S.
at Cyber Command or the National Security Agency.
There's so much consideration given
to what the actual legal authorities are,
what the equities are,
if we're looking at information purely from a foreign perspective.
If any U.S. person's information happens to get accidentally scooped up,
that goes through a whole legal review and audit process, all these things that are meant to help
protect our civil liberties. Now, when you give a letter of marque to a private citizen or a private
company, they have no obligations to protect any of that stuff.
So the reporting I've seen on this seems pretty skeptical that this could actually make its way through. What's your take?
I in general would say, yeah, this has been talked about for at least a decade. We've seen articles talking about
letters of marque for cyber operations, usually closely or within the same breath, mentioned with
hackback, which is authorizing companies to offensively hack against foreign nations and
adversaries, both broadly seen in the cybersecurity community and the policy world as bad
ideas for a number of reasons that I've mentioned. There are others, of course. That being said,
in this day and age, who knows?
I mean, this bill, and if you read the text of the bill,
it's actually directly authorizing the president,
the U.S. president, giving the president direct authority
to create these letters of marque
and give authorization for reprisals,
basically privately armed and equipped persons in the cyber domain.
I don't know.
Seeing what's happening with immigration enforcement in the country,
seeing what's happening and what the National Guard is being used as,
there's a world in which this could very well get through Congress.
Yeah, there'd be a new assignment for the DOGE team.
Right, and our favorite DOGE-er, Big Balls, as the new hacker,
which is a perfect nom de plume for a hacker, I guess.
I guess it is.
All right, well, time will tell.
Time will tell.
All right, well, Brandon Karpf is leader of international public-private
partnerships at NTT.
Brandon, thanks so much for taking the time.
Thank you, David.
Think your certificate security is covered?
By March 26, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com slash 47-day. That's cyberark.com slash the numbers 47-D-A-Y.
And now a word from our sponsor, ThreatLocker, the powerful
zero-trust enterprise solution that stops ransomware in its tracks.
Allow listing is a deny-by-default software that makes application control simple and fast.
Ring fencing is an application containment strategy, ensuring apps can only access the files,
registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, BBC cyber correspondent Joe Tidy got a firsthand lesson in insider threat recruitment
when a hacker calling himself Syndicate slid into his Signal inbox with a tempting pitch:
hand over BBC credentials, get a cut of a multi-million dollar ransom.
The offer started at 15%, then sweetened to 25%, with the promise
of early retirement.
The hackers, tied to the Medusa ransomware group, even offered a trust payment in Bitcoin
because nothing says reliable business partner like cybercriminals promising not to scam you.
When Tidy stalled, the charm offensive shifted to harassment with a barrage of MFA pop-ups
flooding his phone.
Ultimately, Tidy walked away with no beachside villa but a hard reset from BBC security.
The crooks vanished, account deleted, as if ghosting was part of their benefits package.
His takeaway, insider recruitment isn't theoretical, it's happening, and it can come knocking in your DMs.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups,
researchers and top VC firms, building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the 8th annual Data Tribe Challenge takes center stage
as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers
around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.
