CyberWire Daily - The rise of AI-driven cyber offense.
Episode Date: November 17, 2025The Pentagon is spending millions on AI hacking. The New York Times investigates illicit crypto funds. Researchers uncover widespread remote code execution flaws in AI inference engines. Police in Ind...ia arrest CCTV hackers. Payroll Pirates use Google Ads to steal credentials and redirect salaries. A large-scale brand impersonation campaign delivers Gh0st RAT to Chinese-speaking users.A bitcoin mining company CEO gets scammed. Monday biz brief. On our Industry Voices segment with our Knowledge Partner SpecterOps, Chief Technology Officer Jared Atkinson is discussing Attack Path Management: Identities in Transit. Bitcoin big wigs learn to bite through plastic. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment with our Knowledge Partner SpecterOps, Chief Technology Officer Jared Atkinson is discussing Attack Path Management: Identities in Transit. Hear more from Jared here. Cyber Things podcast Something strange has landed in all the cool podcast apps… Cyber Things is a new three-part series from Armis that decodes real-world cyber threats through the lens of a certain Hawkins-based sci-fi phenomenon. Just in time for the show’s final season, Rebecca Cradick leads us through a world where fiction meets cybersecurity. Because sometimes the scariest villains aren’t in the Upside Down — they’re online. You can check out Cyber Things on your favorite podcast app and on our website. On the site, you will find the trailer and Episode 1: The Unseen World available today! Selected Reading The Pentagon Is Spending Millions On AI Hacking From Startup Twenty (Forbes) The Crypto Industry’s $28 Billion in ‘Dirty Money’ (The New York Times) The Coin Laundry, a global cryptocurrency investigation (International Consortium of Investigative Journalism) "ShadowMQ" exploit pattern reported in major AI frameworks, enables remote code execution (Beyond Machines) Gujarat: Hackers steal maternity ward CCTV videos in India cybercrime racket (BBC News) Payroll Pirates: One Network, Hundreds of Targets (Check Point) Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT (Unit 42, Palo Alto Networks) Inside a Wild Bitcoin Heist: Five-Star Hotels, Cash-Stuffed Envelopes, and Vanishing Funds (WIRED) UK prosecutors seize £4.11M in crypto from Twitter mega-hack culprit (The Register) Tenzai emerges from stealth with $75 million in seed funding led by Greylock Partners. (N2K Pro) How to Not Get Kidnapped for Your Bitcoin (The New York Times) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Step into the digital Upside Down with Cyber Things,
Armis' new three-part podcast series,
which will dive into the unseen world of cybersecurity.
From real-life hacks to the digital shadows of the dark web,
we connect pop culture and protection, fear and control.
Episode one drops soon, so look out for Cyber Things in partnership with Cyberwire.
From fishing to ransomware, cyber threats are constant, but with Nordlayer, your defense can be too.
Nordlayer brings together secure access and advanced threat protection in a single, seamless platform.
It helps your team spot suspicious activity before it becomes a problem, by blocking malicious links and scanning downloads in real-time.
preventing malware from reaching your network.
It's quick to deploy, easy to scale, and built on zero trust principles,
so only the right people get access to the right resources.
Get 28% off on a yearly plan at Nordlayer.com slash cyberwire daily with code cyberwire dash 28.
That's Nordlayer.com slash cyberwire daily code cyberwire dash 28.
That's valid through December 10th, 2025.
The Pentagon spends millions on AI hacking.
The New York Times investigates illicit crypto funds.
Researchers uncover widespread remote code execution flaws in AI inference engines.
Police in India arrest CCTV hackers.
Payroll pirates use Google Ads to steal credentials and redirect salaries.
A large-scale brand impersonation campaign delivers ghost rat to Chinese-speaking users.
A Bitcoin mining company CEO gets scammed.
We got our Monday business brief on our industry voices segment with our knowledge partner SpectorOps.
Chief Technology Officer Jared Atkinson is discussing attack path management.
And Bitcoin bigwigs learn to bite through plastic.
It's Monday, November 17, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great as always to have you with us.
Federal Records Show, the U.S. is investing in AI-driven offensive cyber capabilities,
awarding up to $12.6 million to a stealth Arlington startup called 20,
which also secured Navy funding and backing from Incutel and major VCs.
20, staffed by former Cyber Command and Intelligence Veterans,
focuses on automating operations that can strike hundreds of targets at once.
Job listings indicate work on AI-powered attack tools,
autonomous agent frameworks, and social engineering personas.
The company's emergence reflects a broader shift toward automated cyber warfare,
as other nations, including China, also use AI agents for hacking.
While firms like 2-6 technologies have developed AI to assist human operators,
20 appears positioned to push far more autonomous offensive capabilities.
The crypto industry has gained mainstream momentum bolstered by President Trump's new crypto business
and his pledge to make the United States a global leader.
But an international investigation by the New York Times,
the international consortium of investigative journalists, and dozens of partner outlets,
found that more than $28 billion in illicit funds has flowed.
into major crypto exchanges over the past two years. Hackers, scammers, and criminal networks,
including North Korean groups and global fraud rings, routinely moved money through top platforms
such as Binance and OKX. Binance, which settled U.S. money laundering charges in 2023,
continued receiving hundreds of millions tied to sanctioned entities and hacked funds.
Exchanges have pledged to improve compliance, but investigators say law enforcement, law enforcement
cannot keep up with the scale of abuse.
Victims of scams from individual investors to bank executives rarely recover lost funds.
Meanwhile, lightly regulated crypto-to-cash storefronts worldwide
offer criminals an easy path to convert digital assets into untraceable money.
Researchers at Oligo Security report a widespread set of remote code execution flaws
impacting major AI inference engines from Meta, Invidia, Microsoft, and open-source projects
such as VLLM and S.G. Lang. The vulnerabilities called Shadow MQ stem from unsafe use of the
Zero MQ messaging library and Python's pickle deserialization. Multiple AI systems replicated the
same insecure pattern through code reuse, exposing sensitive prompts, model weights, and custom
data across internet reachable servers.
Additional vulnerabilities were found in VLM,
NVIDIA-Tensor RTLM,
modular max server,
Microsoft's Sarithi-Serve, and SG-Lang,
with several projects still incompletely patched.
Oligo says the issue shows how unsafe components propagate quickly
through the AI ecosystem
and urges immediate patching and strict limits on zero MQ exposure and pickle use.
Police in India say hacked CCTV footage from a maternity hospital was sold on telegram,
exposing severe privacy and security gaps as cameras become widespread nationwide.
Investigators uncovered a large cybercrime network that had breached at least 50,000 CCTV systems in hospitals, schools, offices, and private homes.
Hackers exploited weak or default passwords using brute force.
tools to access and sell sensitive videos for small payments, with some channels even offering
live feeds. Eight people have been arrested, and videos were removed after police contacted
YouTube and telegram. Experts warn that poorly secured CCTV systems, often managed by untrained
staff, leave Indians vulnerable to voyeurism, extortion, and data theft. Advocates urge stronger
manufacturer safeguards, mandatory password changes, and better protections, especially in
sensitive spaces. A financially motivated group known as the payroll pirates has been hijacking
payroll systems, credit unions, retailers, and trading platforms across the U.S. since mid-20203
using malvertising. First identified by Checkpoint, the operation uses Google Ads to impersonate
payroll portals, steal credentials, and redirect salaries. After going quiet in late
2023, the group resurfaced in mid-24 with upgraded kits capable of bypassing two-factor
authentication through real-time telegram interactions. Investigations by malware bytes,
silent push, and checkpoint showed the activity was part of a unified network, not shared tools,
with at least four admins and indications of operators based in Ukraine.
Two main clusters run the operation, Google Ads with cloaking redirects, and Bing ads using aged domains.
The campaign remains active, highly adaptive, and difficult to disrupt.
Palo Alto Network's Unit 42 reports two interconnected 2025 malware campaigns using large-scale brand impersonation to deliver ghost rat variants to Chinese-speaking users.
The first, campaign trio ran February through March of this year,
mimicked three popular apps such as I4 Tools and UDAO and used over 2,000 domains
to distribute trojanized installers from centralized infrastructure.
The second, campaign chorus began in May of this year,
expanded to more than 40 impersonated applications,
and adopted a far more evasive multi-stage infection chain,
including cloud-hosted payload delivery, VB script droppers, and DLLL side-loading through assigned executable.
Both campaigns rely on mass automated domain generation, focus on software favored by Chinese-speaking users,
and ultimately deploy ghost rat for full system control.
Hollow Alto provides indicators of compromise in their research.
The CEO of Bitcoin Mining Company Saz Mining, Kent Halliburton,
was conned out of $220,000 in Bitcoin by fraudsters posing as representatives of a wealthy Monaco family office,
Wired reports.
The supposed investors courted him over lavish in-person meetings in Amsterdam,
dangling a $4 million mining hardware deal tied to a side purchase of Bitcoin.
They persuaded him to create a new atomic wallet on his phone and move funds into it to prove capacity for the transaction.
Once the Bitcoin arrived, it was instantly drained and laundered through exchangers, mixers, and cross-chain bridges,
making it difficult to trace or recover.
Researchers believe the scammers captured his seed phrase, likely via discrete visual surveillance.
The theft created a serious cash crunch for SaaS mining,
but the company ultimately remained solvent.
Elsewhere, British prosecutors obtained a civil recovery order
to seize 4.1 billion pounds in crypto
from Twitter hacker Joseph James O'Connor,
reclaiming profits from the 2020 breach
that hijacked celebrity accounts to push a Bitcoin scam.
O'Connor, already serving five years in the U.S. for computer intrusions,
fraud and money laundering,
helped run a sim-swapping scheme that netted over $100,000.
The order targets Bitcoin, Ethereum, and stablecoins,
and shows UK authorities can recover illicit assets,
even when convictions occur abroad.
Turning to our Monday biz brief,
cybersecurity funding and acquisitions surged last week,
led by Israel's tensi emerging from stealth
with a $75 million seed round to build an AI agent-driven penetration testing platform.
Sweet Security also raised $75 million to expand its runtime C-Nap and AI security offerings.
Truffle Security secured $25 million to grow its secrets exposure detection tools,
while identity-focused O'Learia raised $19 million,
and Application Security startup CISO raised $7 million.
Threat detection firm Rilavera added $3 million in seed funding.
The MNA front was equally active.
Coalition acquired MDR provider wire speed.
Arctic Wolf bought ransomware prevention firm Upsite.
Morgan Franklin Cyber acquired Lynx Technology Partners.
Hexaware purchased IAM provider CyberSolve.
Axiom GRC acquired IS partners.
Arcon bought cloud security firm ScaleSec
and Pantara acquired offensive security firm EVA information security
to expand adversarial testing for AI integrated environments.
Be sure to check out our Cyberwire Business Briefing part of CyberWire Pro.
You can find that on our website.
And a programming note, join us for Cyber Things,
Armis' special edition podcast series
that pulls back the curtain on the eerie parallels between our real cyber landscape,
in a certain Hawkins-shaped sci-fi universe.
Episode 1, The Unseen World, premieres today,
revealing the hidden dangers lurking just beneath our digital surface
on your favorite podcast app.
Look for Cyber Things, tune in to the trailer and episode 1,
and subscribe now, before the shadows start moving.
We'll have a link in our show notes as well.
Coming up after the break,
Chief Technology Officer from Specter Ops, Jared Atkinson,
discusses attack path management,
and Bitcoin bigwigs learn to bite through plastic.
Stay with us.
They know cybersecurity can be tough and you can't protect everything.
But with Talis, you can secure what matters most.
With Talas' industry-leading platforms, you can protect critical applications, data and identities,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world
rely on Talas to protect what matters most.
Applications, data, and identity.
That's TALIS.
T-H-A-L-E-S.
Learn more at TALIS Group.com slash cyber.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together.
The result? Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R-com.com.
CyberWire.
Jared Atkinson is chief technology officer at our new N2K knowledge partner, Spector Ops.
On today's sponsored industry voices segment, we discuss attack path management, identities in transit.
So SpectorOps kind of comes out of a group of race.
teamers. And one of the things that we noticed over time was that as you're conducting an operation
in a network environment, there was kind of this guess and check kind of approach to how you would
do things. You would gain initial access at some kind of arbitrary starting point that would
be derived from fishing or maybe you have some sort of poison link that you make available and you
gain access. And then you would have control over a user identity, whoever clicked on the fishing
payload, for instance. And so in the process of doing that, we realize that if we collect all
information up front, we can build essentially Google Maps for the environment, which says,
I have this origin or starting point. I want to go to this destination. That's whatever my objective
is. Can you show me the different routes that are available to me? And that's kind of like the
guide. It's almost like MapQuest for the attacker. And those routes, we call attack paths, right?
So it says, okay, you need to laterally move to this computer. You need to dump the credentials
and take control of this user account and then you move to this next computer, so on and so forth.
Now, the attack path management component of that is, if you could predict one route,
then what would happen if we were to say, we don't know where you're going to start?
Because the starting point, like I said, it comes through fishing and things, vulnerabilities,
all that kind of stuff.
Typically, it's going to be relatively arbitrary.
But the destination is usually somewhat predictable.
Or maybe even if the destination is not predictable, organizations can typically identify
the things that they want to protect the most, right?
So not everything's kind of created equal on the, how much security should we put in that?
And so what you can do is you can say,
show me all of the attack pass, all of the routes
from any arbitrary starting point
to some destination that I define, right?
And so you would say,
show me all the attack pass to take over domain admins.
And the attack path management component of that is,
okay, now that we know all of the routes,
what configurations are creating the most kind of risk for us?
Where can we make configuration changes
that reduce the number of routes
that attackers have to take control of those?
more protected users or computers or relationships or resources.
Well, so help me understand.
When we're talking about attack path management,
why is identity such a central focus here?
Yeah, so kind of an interesting thing that fell out of all this
is that the attacker is always operating in an identity context.
And actually, the way that they traverse and gain access
is they kind of context switch from identity to identity.
So we typically use an active directory kind of like example,
but this applies in Azure and AWS and all kinds of clouds
or even things like GitHub, these point solutions in the cloud.
What we see is that when you fish a user,
you typically will start in the context of two identities.
You actually have two identities simultaneously.
You have the user that clicked the fishing payload, right?
That's John in accounting, for instance.
And then you have the computer in which that fishing payload was clicked, right?
And so you have these two identities.
These identities are granted access to resources.
Those may be computers, those may be the ability to change the password of a different user.
It may be the ability to add a user to a certain group membership, for instance.
And what the attacker is doing is they're saying, does my current identity context have the ability to perform whatever action or have whatever action on objectives that I desire, so to speak?
If not, is there another identity that I could take control of that would grant me the ability to get closer and closer to whatever my actual objective?
is. And so that's kind of like what they're doing constantly is trying to take control of different
resources, which grant them access to other identities, which then grants them access to more and
more resources. This is the type of attack is called the identity snowball attack. The interesting thing is
that as I'm changing from one identity to the next, right, I'm taking control of some additional
identity. It's not that I'm losing access to everything that I had control of previously. It's in
addition to. It's an aggregation type of attack to where I take control of new identities,
new. These could be users, they could be computers, they could be service principles. It could
be all kinds of different things, non-human identities, so on and so forth. Well, I know you've said that
attackers don't go through your tools, they go around them. Yeah. Can you unpack that for us?
What exactly does that mean? Sure, yeah. So this goes back to a little bit of the kind of red teaming
background, right? So for those that might not be familiar, a red team is kind of simulating an attacker
for an organization to help them understand kind of where their security controls work, where they
might not do what they expect, that kind of thing. And one of the things that we notice is that
from the attacker's perspective, there's often the organizations that we're working with,
the defenders, the security team, they often have expectations of the tools that they put in
place that are not calibrated to what those tools were actually built for. And what we find
as red teamers is that account, once it's logged in, maybe I can't steal the password. And even if I do
steal the password, it might rotate around. But when I log in as my administrative account,
the attacker comes to my computer and they can steal my token, my Kerberos ticket, so on and so
forth. And then they have control of that account, even if the password changes. We go around your
tools, which is basically the tactics and techniques that the attackers are using are essentially
changing based on the types of tools that are in the environment and how those tools actually
function. Well, help me understand here. So,
When we're talking about attack path management, how does that differ from traditional identity governance or things like lease privilege?
Oh, good question. Yeah. So I'll start with the identity governance idea. So identity governance is super important. So there's this idea of life cycle management, right?
We need to make sure that when an employee leaves a company, we turn off all their accounts and we kind of get rid of those.
We need to make sure that we're giving users the privileges that they need to do their job.
one of the problems that we see between identity governance and attack path management
is identity governance kind of has like a one hop kind of view of things, right?
So it's like you have Bob in finance and Bob is going to, he needs access to some finance
system to be able to write to a file share, for instance.
Maybe Bob needs access to log into a computer, so on and so forth.
So you're granting that access in a way to where it's only one hop.
You're not looking at kind of what are the downstream consequences.
I grant Bob access to a file share.
What can Bob do with that access that maybe was unintended?
What are the unintended consequences or externalities of that access?
Attack Path Management is taking the current access landscape.
So all the permissions that have been granted and then asking questions like if I have access to this file share,
and then there's a file on that file share that has a password in it,
that would allow me to compromise the user account or the identity that's associated with that password.
and that gives me access to additional resources
that may be the administrator that was operating
from the IGA or identity governance perspective
might not have considered.
That's the idea of the difference, right?
What are the downstream consequences of,
I give you access to a computer?
Well, there's other users that are logged into that computer.
If I have administrative control of that computer,
I can now steal those users' accounts
and do whatever it is in the context of those alternate identities.
Now, from the least privilege perspective,
it's interesting. I actually did some research on least privilege relatively recently and went back
and tried to find the first reference to the phrase least privilege that I could in the literature.
And that actually came out in 1975. There was a white paper. So 50 years ago, somebody was talking about
least privilege. And we're still struggling with it now. One of the things that I kind of make a joke
about how we typically don't actually operate with least privilege. We operate with enough privilege,
which is I identify that you need to do operation A, B, and C as part of your job,
and I grant you permissions until I can validate that you can actually do A, B, and C.
It's often very difficult for us to know in advance what permissions you actually need to do that.
And so I kind of like just ratchet it up a little bit and give you more and more permissions.
And what we find is that most organizations don't do that second part,
which is validating that you can't do things that are unnecessary for you to do your job.
And that's actually very difficult just by the nature of kind of what default permissions are
and the granularity with which permission granting is available and things of that nature.
This is the whole, he can't disprove a negative.
That's right.
Right, right.
Well, let's talk about risk.
I mean, I've seen in some of your publications this phrase,
visualize risk the way adversaries do.
What does that mean?
Yeah, so we have a whole research team at SpectorOps where what we're doing is we're
trying to identify what we call escalation primitives, right? And so this is where a real simple
example that's fairly obvious, I would say, is if I have the ability to change a user's password,
that means I have the ability to take control of that identity, right? And an attacker would
look at it from the same perspective, right? And so what we're constantly doing is thinking about
what are the ways that the different permissions that are being granted throughout the environment
facilitate our ability to take control of additional identities and therefore access more and more
resources. So we're thinking about it not necessarily as an administrator, which is how do I grant
people access to do their job? But we're thinking about how does the access that's granted to people
to do their job facilitate an attacker's ability, somebody that's acting in bad faith, to take control
of additional resources that maybe were unintentional? And one of the things that we realized is
that they were also using Active Directory as an input into Octa.
So you create users in Active Directory, you set their passwords in Active Directory,
and that is synchronized up with their Octa server.
And so that means that if I get control of your user account in Active Directory,
I have control of your user account in Octa.
But because they were using Octa as a single sign-on identity provider for GitHub,
that also meant that I have control of your GitHub account and access to read or write
to any of the repositories, code repositories.
that you have, that you would have access to in GitHub.
There's this weird thing to where you might have a GitHub administrator
who understands that Octa is feeding that through SSO,
but what they don't understand is that Octa is dependent upon Active Directory, for instance.
And so there's this dependent, we call it a security dependency downstream
that the GitHub administrator is unaware of
and therefore is not accounting for in their overarching kind of like security policy
or security operations.
Hmm. Well, how does it work? I mean, when we're talking about the mapping and the prioritizing of these attack paths, from a practical point of view, how do you go about that?
Yeah, so one of the things that we run into is in practice, large organizations will have
hundreds of millions, if not billions of attack pass to take over, say, Tier Zero,
which is this group that includes an active directory, domain administrators, domain controllers,
other highly privileged accounts.
There's a number of different kind of assets that fit into that category.
So if you have a billion attack pass, one of the interesting things is we do red teams.
and what we kind of would find
is that you would perform a red team
and what a red team is doing is they're traversing
or taking advantage of one,
two, maybe three attack paths
during the course of the operation
and you report that out
and the organization that you're working with
goes through and fixes those three attack pass.
The problem is that there's a billion attack pass
and so you imagine that there's
how many times you would have to conduct a red team
and then do all the fixes
before you would actually resolve those issues.
What we try to do is we try to say,
hey, there's a billion attack pass.
So there's a billion different routes
for any user to get control
of your tier zero assets, your domain controllers.
But what are the individual permissions
that everything funnels into?
And so we say that there are certain configurations
that are choke points or the major players
in facilitating these attack paths.
And so we direct your team
or your identity management team
to those specific configurations
and say, hey, did you know that
the authenticated users group,
which represents every user in your active directory domain,
has admin access to this computer.
And did you know that a domain administrator is logging into that computer?
That means that every single user in your environment
has the ability to become a domain administrator
because of that one configuration.
And so then we kind of point you in that direction and say,
these are the steps that you should take to remediate that configuration
and therefore reduce that risk.
Well, when we're talking these kinds of numbers,
You know, things that are literally in the billions,
I suspect there must be collaboration at play here.
I mean, people have to, this isn't a, you can't silo these things.
The teams have to be in good communications.
That's right.
Yeah, so vulnerability management is a discipline that a lot of security organizations
kind of have a good grasp of.
There's kind of an organization structure that facilitates that program.
we find that a lot of times this attack path management kind of falls into that same process
where you need to have organizational visibility of who's responsible for what environment.
This gets even more complicated when we start venturing out.
We have a new capability called Bloodhound Open Graph,
and what that allows you to do is expand the attack graph to account for different systems,
things like GitHub, things like Snowflake, things like VMware V Center, for instance.
And this allows you to see these attack paths through all these different systems and how they're
interconnecting and that kind of thing.
And so there needs to be kind of a central organization that understands attack path management,
but then knows who they need to talk to to direct these kind of like remediation steps to, right?
Because the Active Directory administrators might not have access to make the changes in GitHub
that are necessary to reduce the exposure of your code repository that's for your enterprise app, for instance.
Where do you suppose we're headed here?
I mean, where is attack path management going in the future?
What's the horizon look like?
Well, I think the thing that we are really interested in
are what we call hybrid attack paths.
So these are these attack paths that go across system boundaries, right?
So kind of the classic example would be this user synchronization
from Active Directory to Microsoft Intra, for instance,
to where if I compromise your,
active directory user, I now have control of a user in your intra account. And sometimes we would
see to where an unprivileged active directory user would be synced with a privileged intra user. And so
now there's this disconnect between the relationship there. What we're finding is that in these
large organizations, the interconnectedness between these systems is tremendous. And so the interconnectedness
is where all of this gets really interesting because attackers, they could get access to GitHub, not
have not have the ability to do the thing that they want to do. And then they could go back
to active directory, move around within active directory to find a different user that has
more privilege in the context of GitHub and go back up into GitHub. And so there's this ability
to kind of like traverse through all these different systems, typically going back to whatever
your system of record is, right? So that's a lot of times it's going to be active directory.
But in other cases, maybe more modern environments, these Silicon Valley startups that have
like a Mac based environment, maybe they're using JANF.
instead as kind of like their system of record or octa as their system of record.
And so you're constantly trying to figure out,
how do I get back to the system of record so that I can have more access to more users
and then go back into the systems that actually hold the data.
And then you kind of go from that perspective.
That's Jared Atkinson, chief technology officer with our N2K knowledge partner, SpectorOps.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and,
filling out endless questionnaires. Their trust management platform continuously monitors your
systems, centralizes your data, and simplifies your security at scale. And it fits right into your
workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready
all the time. With Vanta, you get everything you need to move faster, scale confidently, and
finally, get back to sleep. Get started at Vanta.com slash
cyber. That's V-A-N-T-A-com slash cyber.
With A-M-X Platinum, $400 in annual credits for travel and dining means you not only satisfy
your travel bug, but your taste buds too. That's the powerful backing of Amex. Conditions apply.
And finally, at a lakeside Bitcoin conference in Lugano, a handful of jittery investors
ended their weekend not with price forecasts, but with a lesson in chewing through zip ties.
Their instructor, former Royal Marine Pete Kale, assured them that teeth beat plastic,
though it will bloody well hurt.
Such as life in crypto's wrench attack era, where kidnappers no longer bother with elaborate hacks
when a simple threat of violence does the trick.
With Bitcoin's surge, minting flashy Nouveau riches,
abductions have climbed to more than one a week,
prompting entrepreneurs like Alina Vranovo
to host 1,000-euro counter-kidnapping workshops,
complete with grim powerpoints and stern admonitions.
No lambos, no bragging,
and beware beautiful strangers
who find crypto-brose irresistibly fascinating.
Between tips on ditching obvious bodyguards and turning umbrellas into weapons, the trainers reminded attendees of one final truth.
No digital fortune is worth a shattered clavicle, or worse.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.