CyberWire Daily - The SMB slip-up.

Episode Date: October 21, 2025

CISA warns a Windows SMB privilege escalation flaw is under active exploitation. Microsoft issues an out-of-band fix for a WinRE USB input failure. Nation-state hackers had long-term access to F5. Envoy Air confirms it was hit by the zero-day in Oracle's E-Business Suite. A nonprofit hospital system in Massachusetts suffers a cyberattack. Russia's COLDRIVER group rapidly retools its malware arsenal. GlassWorm malware hides malicious logic with invisible Unicode characters. European authorities dismantle a large-scale Latvian SIM farm operation. Myanmar's military raids a notorious cybercrime hub. Josh Kamdjou, from Sublime Security, discusses how teams should get ahead of Scattered Spider's next move. Eagle Scouts are soaring into cyberspace.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Josh Kamdjou, CEO and co-founder of Sublime Security and former DOD white hat hacker, is discussing how teams should get ahead of Scattered Spider's next move.

Selected Reading
CISA warns of active exploitation of Windows SMB privilege escalation flaw (Beyond Machines)
Windows 11 KB5070773 emergency update fixes Windows Recovery issues (Bleeping Computer)
Hackers Had Been Lurking in Cyber Firm F5 Systems Since 2023 (Bloomberg)
Envoy Air (American Airlines) Confirms Oracle EBS 0-Day Breach Linked to Cl0p (Hackread)
Cyberattack Disrupts Services at 2 Massachusetts Hospitals (BankInfo Security)
Russian Coldriver Hackers Deploy New 'NoRobot' Malware (Infosecurity Magazine)
Self-spreading GlassWorm malware hits OpenVSX, VS Code registries (Bleeping Computer)
Police Shutter SIM Farm Provider in Latvia, Bust 7 Suspects (Data Breach Today)
Myanmar Military Shuts Down Major Cybercrime Center and Detains Over 2,000 People (SecurityWeek)
Scouts will now be able to earn badges in AI and cybersecurity (CNN Business)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first ever AI certification focused on artificial intelligence and cybersecurity and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI+ practice exam is coming out this year to help you prepare for this certification release in 2026. To find out more about this new credential and how N2K can help you prepare today,
Starting point is 00:00:55 check out our blog at certify.cybervista.net slash blog. And thanks. At Thales, they know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Starting point is 00:01:38 Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. CISA warns a Windows SMB privilege escalation flaw is under active exploitation. Microsoft issues an out-of-band fix for a WinRE USB input failure. Nation-state hackers had long-term access to F5. Envoy Air confirms it was hit by the zero-day in Oracle's E-Business Suite.
Starting point is 00:02:22 A non-profit hospital system in Massachusetts suffers a cyber attack. Russia's COLDRIVER group rapidly retools its malware arsenal. GlassWorm malware hides malicious logic with invisible Unicode characters. European authorities dismantle a large-scale Latvian SIM farm operation. Myanmar's military raids a notorious cybercrime hub. Our guest is Josh Kamdjou from Sublime Security, discussing how teams should get ahead of Scattered Spider's next move. And Eagle Scouts are soaring into cyberspace.
Starting point is 00:02:56 It's Tuesday, October 21st, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us. CISA warns attackers are exploiting a Windows Server Message Block flaw to gain system privileges on unpatched Windows systems. With a CVSS score of 8.8, the vulnerability affects Windows Server, Windows 10, and Windows 11 through 24H2. Microsoft addressed it in June's 2025 Patch Tuesday. An attacker could trick users into connecting to a malicious application server, such as an SMB server, then compromise the protocol.
Starting point is 00:04:02 Attackers could gain system-level privileges, raising a risk of serious compromise. CISA requires federal civilian executive branch agencies to secure affected systems by November 10th, and organizations should apply Microsoft's June 2025 security updates. Microsoft shipped an out-of-band update that revives Windows RE on systems where USB input went silent. The company acknowledged the bug on Friday. It blocked navigation inside the Windows Recovery Environment, while mice and keyboards still worked after login.
Starting point is 00:04:40 Microsoft began rolling out the update today. Obviously, recovery is rescue for responders, and Microsoft recommends users install the update immediately. If you cannot boot, use a touch keyboard or a PS/2 device or a USB recovery drive. Enterprises can deploy via PXE or use the Windows ADK and WinPE. F5 says nation-state hackers maintained long-term access, stealing BIG-IP code and vulnerability data, prompting urgent government warnings. According to Bloomberg, access began in late 2023 and was discovered August 9th, per F5's filing. People briefed say attackers exploited
Starting point is 00:05:29 exposed F5 software after staff ignored company guidelines. Intruders downloaded BIG-IP files, including source code and data on undisclosed flaws. F5 reports no code modification or known active exploitation. Stolen code and vulnerability details raise the risk of silent surveillance, manipulation, or disruption of BIG-IP traffic. CISA issued an emergency directive requiring federal agencies to identify and update F5 products by October 22nd. The UK National Cyber Security Centre also warned customers. Envoy Air has confirmed it was hit in a coordinated wave of attacks exploiting a zero-day in Oracle's E-Business Suite, a system critical to global enterprise operations.
Starting point is 00:06:20 The Cl0p ransomware group, long associated with large-scale extortion, leveraged the flaw for remote takeover without credentials. The same campaign hit Harvard earlier this month and may extend to American Airlines. The vulnerability remained unpatched for nearly three months, underscoring the danger of lagging vendor response times in supply chain software dependencies. Heywood Healthcare, a nonprofit system in north central Massachusetts, has taken its IT network offline after a cyber attack disrupted operations at its two hospitals.
Starting point is 00:06:59 The outage has forced ambulance diversions, halted CT imaging, and affected radiology, lab, phone, and email systems. While inpatient and outpatient care continues, digital systems are severely limited. Experts warn the attack reflects the health care sector's growing vulnerability to ransomware and extortion schemes, where operational disruption, not just data theft, is the goal. Analysts from Lumifi, Rapid7, and Clearwater note that weak vendor security, delayed patching, and poor segmentation remain systemic risks. They urge hospitals to prioritize zero-trust architectures, faster patch management, segmentation of medical devices, and continuous risk analysis to build
Starting point is 00:07:47 resilience against the accelerating wave of financially motivated, AI-assisted attacks targeting patient care infrastructure. Russian-linked COLDRIVER has rapidly retooled its malware arsenal, replacing the publicly exposed LOSTKEYS with a chained suite GTIG calls NOROBOT, YESROBOT, and MAYBEROBOT, and has used it more aggressively than in prior campaigns. The attack begins with a ClickFix CAPTCHA lure that tricks victims into running a malicious DLL via rundll32, which then fetches staged components: initially a Python-based backdoor, and later a lighter, more flexible PowerShell backdoor. Google's Threat Intelligence Group notes
Starting point is 00:08:37 COLDRIVER alternated noisy and stealthy delivery chains, rotated infrastructure, and tweaked components to frustrate analysis, signaling a higher development and operations tempo aimed at credential theft and espionage against NGOs, former intel officers, and NATO-aligned targets. Defenders should prioritize phishing-resistant controls, robust detonation, DLL executable monitoring, and rapid capture of multi-component chains. A developer-focused supply chain campaign named GlassWorm has infected roughly 35,000 marketplace installs across Open VSX and Microsoft Visual Studio by hiding malicious logic with invisible Unicode characters. Once deployed, it steals GitHub, npm, and Open VSX credentials
Starting point is 00:09:31 and crypto wallet data, self-propagates using compromised accounts to backdoor more extensions, and installs a SOCKS proxy plus HVNC for covert remote access. Its final payload, ZOMBI, which is massively obfuscated JavaScript that turns workstations into criminal nodes, is fetched via links embedded in Solana blockchain transactions, with Google Calendar and a fallback IP as backups, making takedown and attribution difficult. Key defensive actions include treating extensions as supply chain risks, enforcing MFA and least privilege for developer accounts,
Starting point is 00:10:13 scanning repos for invisible or unusual characters, monitoring outbound traffic for proxies or HVNC, and validating third-party code before inclusion. European authorities dismantled a large-scale SIM farm operation in Latvia known as SIM Cartel, which provided millions of fake mobile numbers used in phishing, smishing, and fraud across 80 countries. Coordinated by Europol and Eurojust, the raid resulted in seven arrests, the seizure of 1,200 SIM boxes operating 40,000 SIMs,
Starting point is 00:10:51 cryptocurrency worth $835,000, and the takedown of several domains. The group's infrastructure enabled the creation of 49 million fraudulent online accounts, supporting scams that impersonated police, ran fake marketplaces, and stole financial credentials. Victim losses exceeded $5.2 million. Investigators say the service's bulk SIM access masked identities, fueled transnational cybercrime, and exposed the blurred boundary between telecom misuse and organized fraud, highlighting the need for stricter SIM registration and cross-border digital forensics collaboration. Myanmar's military has raided KK Park, a notorious cybercrime hub near the Thai border,
Starting point is 00:11:42 detaining over 2,000 people and seizing 30 Starlink terminals used to power global online scam operations. The crackdown, launched in September, targeted networks behind romance and investment fraud schemes that trafficked foreign workers and forced them into criminal labor. KK Park, near Myawaddy in Kayin State, lies in a contested region partly controlled by ethnic militias. The junta accused the Karen National Union of complicity, which that group denies. The raid follows international sanctions against similar scam syndicates in Cambodia and reflects mounting regional pressure, especially from China and Thailand, to dismantle Southeast Asia's human trafficking-linked cybercrime compounds, which exploit unlicensed Starlink connectivity to evade surveillance and fuel transnational fraud.
Starting point is 00:12:42 Coming up after the break, Josh Kamdjou from Sublime Security discusses how teams can get ahead of Scattered Spider's next move. And Eagle Scouts are soaring into cyberspace. Stick around. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster,
Starting point is 00:13:58 scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research, and professional experience
Starting point is 00:14:38 in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu slash MSSI. Josh Kamdjou is CEO and co-founder of Sublime Security. He joins us to discuss how teams can get ahead of Scattered Spider's next move. Yeah, so Scattered Spider is a notorious, at this point, threat actor that is
Starting point is 00:15:40 most well known for conducting socially engineered attacks against organizations of various sizes and various industries in order to achieve various objectives. And typically those are financially motivated objectives. And what sets them apart? What's been the secret to their success? Well, I think we've seen a huge adoption or explosion in different kinds of social engineering tactics and techniques. And one of the things that Scattered Spider has been doing is using kind of non-traditional types of, well, historically been more non-traditional forms of social engineering.
Starting point is 00:16:26 So things like delivering attacks via various different mediums. And, you know, that could be some of their targets' personal email address. It could be a different, you know, it could be some other form of electronic medium. It could also be voice phishing. It could be, you know, calling up the help desk and getting them to install something or follow certain instructions. So there's a lot of different techniques that we're seeing a big adoption of.
Starting point is 00:17:05 And especially as of late, you know, you've seen our adversaries start to adopt more and more generative AI tooling to conduct their attacks. You know, we're an email security company, so we see that primarily in the email domain with more sophisticated types of email attacks like BEC, fraud, even credential theft or malware, ransomware delivery. But at the threat landscape writ large, we're seeing all kinds of attacks. I mean, we're even seeing deepfakes. We're seeing voice impersonations. We're seeing all kinds of different types of techniques. So if you're a defender, how do you establish a baseline against a group like this that has such a broad playbook? I think as a practitioner,
Starting point is 00:17:57 prior to sublime, I spent my career as a security practitioner. And the age old saying is defense in depth, right? And so there is no like one control that is going to protect you against a sophisticated and determined adversary. It's about layered defense. And it's around knowing where your attack surface is. So whether you do have a help desk, whether you are the type of business that only does business online or over email or whatever that, might be. So it's around knowing what your attack surface is, knowing where your crown jewels are, and just where the risks are in the business, and building multiple layers of defense against those. And obviously, it's a very kind of high-level description, but there's many different
Starting point is 00:19:01 techniques around, like, principles of least privilege. If you do have people on the front lines, you're only giving them access to what they need. And you've got just multiple layers of defense in depth to prevent these types of attacks. Help me understand where we stand when it comes to email security these days. I mean, can you take me through the spectrum of, you know, from someone setting up a free Gmail account and counting on Google to be their line of defense, you know, all the way through people who have very specific needs and they know that they are being targeted. What's the state of the art these days?
Starting point is 00:19:47 Yeah, I mean, you mean from an email defense perspective? Yeah. Yeah. Yeah. Well, we are seeing, there's been, email is always, I would say the security landscape is always a moving target, right? You've got an adversary on the other side that's motivated to achieve some objective, and they are actively looking to bypass defensive solutions. And we've seen new types of techniques over the course of, since email security has been a thing,
Starting point is 00:20:22 but we're starting to see more rapid adaptation of threats, I think in large part due to generative AI. And what that means from a defensive standpoint is a few things. One is that as attacks become more and more targeted to their recipient, we put out a threat report a couple months ago around some of the insights that we're seeing across our customers. Over 90% of attacks that we see are customized to the recipient in some way. And they're getting more tailored, contextual, they're leveraging more real information because you can automate it all. You can have an agent go and do recon on your target, and that can be used to make a more convincing phishing email. And so context is really important when conducting defense, but I would
Starting point is 00:21:20 say that that's kind of just table stakes. That's the foundation, is being able to really understand the tone and intent of a message, there's natural language understanding techniques, there's all kinds of machine learning techniques that I would say are pretty table stakes these days. What I think is needed, and this is really kind of segues into what Sublime does and how we do things a little bit differently, is that the way that traditional email security has been done over the past 20 years or so is that you've got this centralized detection model where you've got, you train a model
Starting point is 00:22:04 and you train it to understand what bad looks like and you deploy that to all your customers. And one of the challenges with that, as attacks become more targeted and as adversaries figure out ways to deliver their attacks and bypass security solutions, it's inevitable that an attack will get through or that any security solution
Starting point is 00:22:29 is going to eventually misclassify something. So our thinking was, how do we prepare for that inevitability and be able to adapt very rapidly to the changes in the landscape? So at Sublime, we designed a distributed detection model where each of our customers gets really their own copy, in essence,
Starting point is 00:22:55 that's tailored to them of our detection engine. And that ends up being much more contextually aware. And every environment is so different. Like, you've got, you know, if I were to just pick a couple of our customers, you've got, like, Netflix on one end where their environment and kind of the behavior that you see is very distinct to Netflix. Whereas you've got ASOS, you know, like a retail company, is going to be also just very different. So the distributed model
Starting point is 00:23:26 kind of makes detection more tailored, but it also allows defenses to be adapted much more rapidly when we get something wrong. And so that's been one of the keys to how we've been able to keep up with the advances in, and how quickly, the landscape is moving. So we've built a couple agents within Sublime that will actually autonomously investigate, triage, detect, respond, and even adapt defenses on a per-customer basis. And that allows us to much more rapidly, within hours instead of, like, weeks or months, deploy new detections. So I think that this approach to just being much more rapidly adaptable, I think, is going to be one of the big keys to this more autonomous offense that we are seeing more and more, where you've
Starting point is 00:24:26 got a machine on one side and you've got a machine on the other side. How do you strike the balance between human analysis and automated response when we've got these threat actors embracing AI and, I think it's fair to say, increasing their own velocity? Mm-hmm. Yeah. I mean, our kind of mindset is that we want to automate everything that can be automated with high confidence. We don't want to just make assumptions without knowing or learning what the organization's preference is and the risk tolerances. So for example, to give you a very concrete example, one of our agents is called the Autonomous Security So it basically acts as a tier one, tier two SOC analyst to triage alerts, phishing alerts. And our directive to this agent is essentially not to make decisions unless it is highly confident. The output of the agent is a verdict. It's whether it's malicious, it's whether it's, you know, graymail, spam.
Starting point is 00:25:42 But really, really importantly, I would say just as importantly, is that we have an escape hatch for the agent to output an unknown verdict. And so that is the point at which we can escalate to a human to actually review. And based off a customer's preference, we can actually still take some action in those cases, but maybe it's not as severe of an action. So if we know it's malicious, for example, we're going to probably quarantine it, if that's what the configuration is set to. But for unknown, maybe the tolerance is, let's insert a warning banner.
Starting point is 00:26:20 And so that the user, when they pull up the message, they see an informative banner that, you know, because we're not sure, maybe that'll actually reduce, that ends up reducing risk. That's Josh Kamdjou from Sublime Security. And finally, Scouting America, formerly the Boy Scouts, is boldly venturing into the digital wilderness with new AI and cybersecurity merit badges. Once the domain of knots, compasses, and campfires, scouts are now learning about deepfakes, phishing, and machine learning models. CEO Roger Krone says the goal is to stay relevant in an increasingly digital world.
Starting point is 00:27:19 The AI badge asks scouts to explore ethical impacts and build tech-savvy projects, while the cybersecurity badge arms them with tools to stay safe online. No neckerchief required. Early adopters, like brothers Charles and Wydell Hendricks, already earned theirs. Wydell plans a cyber career in the Air Force, noting the badge also teaches ethics, proving that even in the age of algorithm, honor codes still matter. Not for nothing,
Starting point is 00:27:50 the Girl Scouts introduced their first cybersecurity badges back in 2018. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our
Starting point is 00:28:27 show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:29:15 Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber.
Starting point is 00:29:59 Learn more at cid.datatribe.com.
