CyberWire Daily - When the breachers get breached.
Episode Date: October 10, 2025

International law enforcement take down the BreachForums domains. Researchers link exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet. Juniper Networks patches over 200 vulnerabilities. Apple and Google update their bug bounties. Evaluating AI use in application security (AppSec) programs. Microsegmentation can contain ransomware much faster and yield better cyber insurance terms. The new RondoDox botnet exploits over 50 vulnerabilities. Researchers tag 13 unpatched Ivanti Endpoint Manager flaws. Our guest is Jason Manar, CISO of Kaseya, sharing his insight into how the private and public sectors can work together for national security. Hackers mistake a decoy for glory.

CyberWire Guest
Today we are joined by Jason Manar, CISO of Kaseya, sharing his insight into how the private and public sectors can/must work together for national security.

Selected Reading
FBI takes down BreachForums portal used for Salesforce extortion (Bleeping Computer)
Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign (SecurityWeek)
Juniper Networks Patches Critical Junos Space Vulnerabilities (OffSeq)
Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits (WIRED)
Google Launches AI Bug Bounty with $30,000 Top Reward (Infosecurity Magazine)
In AI We Trust? Increasing AI Adoption in AppSec Despite Limited Oversight (Fastly)
Reducing Risk: Microsegmentation Means Faster Incident Response, Lower Insurance Premiums for Organizations (Akamai)
RondoDox Botnet Takes 'Exploit Shotgun' Approach (SecurityWeek)
ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities (SecurityWeek)
Pro-Russian hackers caught bragging about attack on fake water utility (The Record)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts
and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Alto and Fortinet.
Juniper Networks patches over 200 vulnerabilities.
Apple and Google update their bug bounties.
Evaluating AI use in application security programs.
Microsegmentation can contain ransomware much faster and yield better cyber insurance terms.
The new RondoDox botnet exploits over 50 vulnerabilities.
Researchers tag 13 unpatched Ivanti Endpoint Manager flaws.
Our guest is Jason Manar, CISO of Kaseya, sharing his insights into how the private and public sectors can work together for national security.
And hackers mistake a decoy for glory.
It's Friday, October 10, 2024.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Friday.
It's great to have you with us.
The FBI and French police seized BreachForums domains, shutting down ShinyHunters' platform used to leak corporate data.
The seizure occurred October 9th, with BleepingComputer confirming FBI name servers now control the sites.
ShinyHunters acknowledged the loss in a PGP-signed Telegram post, saying backups since 2003, escrow databases and backup servers are now compromised.
They added the forum will not be rebuilt, warning that such platforms have become law enforcement honeypots.
Despite the seizure, their dark web leak site remains online, with a Salesforce data dump still scheduled.
The takedown exposes historic forum data and signals closer global cooperation.
Still, organizations face looming risk as ShinyHunters claims to hold over a billion stolen Salesforce records.
GreyNoise has linked three exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet devices to IPs on the same subnets, suggesting shared threat actors.
The firm first observed scanning of Cisco ASA firewalls weeks before Cisco disclosed two zero-day flaws exploited in China-linked ArcaneDoor espionage attacks.
More recently, GreyNoise detected a 500% spike in scanning of Palo Alto GlobalProtect portals, with over 1.3 million login attempts from thousands of unique IPs.
These same subnets are now tied to brute force attacks against Fortinet VPNs.
GreyNoise warns that 80% of such spikes precede new firewall or VPN vulnerabilities by about six weeks, advising organizations to harden defenses and block brute-forcing IPs.
Juniper Networks has patched over 200 vulnerabilities in its Junos Space and Security Director platforms, including nine rated critical.
Flaws range from cross-site scripting and privilege escalation to remote command execution
and backdoor creation.
One critical bug allows admin-level command execution.
No active exploitation is reported, but Juniper urges immediate patching.
The issues pose serious risks to enterprise and telecom networks,
especially in Europe, where large Juniper deployments heighten potential impact.
Apple has doubled its top bug bounty payout to $2 million for exploit chains enabling spyware attacks, with total rewards reaching $5 million for findings that also bypass Lockdown Mode or are discovered in beta software.
Announced by Apple security chief Ivan Krstić at Hexacon, the expansion underscores the company's push to incentivize high-impact vulnerability research.
Since opening its bounty to the public in 2020,
Apple has paid over $35 million to more than 800 researchers.
The program now covers one-click WebKit and wireless proximity exploits and adds a Target Flags testing feature.
Alongside this, Apple introduced Memory Integrity Enforcement in iPhone 17 devices and pledged 1,000 phones to rights groups supporting at-risk users.
Google has launched a new AI Vulnerability Reward Program, offering up to $30,000 for verified bugs in its AI products, including Search, Gemini, and Workspace.
The program streamlines reporting by consolidating AI-related issues previously handled under the Abuse VRP.
Eligible vulnerabilities include data leaks, model theft, and phishing enablement involving AI interactions.
Since 2018, researchers have earned over $430,000 from AI-related reports.
Google says the AI VRP aims to reward high-impact findings while excluding content-based
issues like prompt injections.
A new survey from Fastly finds that 90% of security leaders are using or evaluating AI in their
application security programs, citing faster vulnerability detection and reduced manual effort.
Yet, nearly a third act on AI findings without human review, raising concerns over false positives
and misplaced trust.
Half of the respondents report frequent or occasional inaccuracies, while
only 22% rate AI's accuracy as excellent.
Key challenges include integration complexity, skills gaps, and compliance worries.
Despite mixed confidence, 80% plan to expand AI use, emphasizing automation, real-time detection,
and explainability.
Fastly CISO Marshall Erwin cautions that success will depend on reducing false positives and integrating AI effectively to avoid AI shelfware.
A new report from Akamai finds that organizations adopting micro-segmentation
can contain ransomware much faster and receive better cyber insurance terms.
Surveying 1,200 security leaders, Akamai notes that while 90% use some form of segmentation,
only 35% employ micro-segmentation across their networks.
Among enterprises already using micro-segmentation,
ransomware containment times dropped by about 33%.
75% of organizations say insurers now assess segmentation posture
during underwriting and 60% report receiving lower premiums tied to their segmentation maturity.
The report also flags deployment challenges including network complexity,
visibility gaps, and organizational resistance as common barriers to adoption.
Trend Micro has identified a new botnet, RondoDox, that exploits over 50 vulnerabilities across routers, servers, cameras, and other devices from more than 30 vendors.
Active since mid-2025, RondoDox initially targeted a TP-Link router flaw, but has since expanded to include DVRs, CCTV systems, and web servers.
The botnet leverages both known and unlisted command injection vulnerabilities, 18 without CVEs, several on CISA's Known Exploited Vulnerabilities list.
CloudSEK reports a 230 percent surge in RondoDox activity since mid-2020, with compromised devices used for cryptocurrency mining, DDoS attacks, and enterprise intrusions.
The malware now spreads via a loader-as-a-service model alongside Mirai and Morte payloads, masking activity by mimicking gaming platforms and VPNs.
Trend Micro's Zero Day Initiative disclosed 13 unpatched Ivanti Endpoint Manager flaws, one local privilege escalation reported in November 2024, and 12 remote code execution issues reported in June of this year.
ZDI labels them zero-day upon disclosure, though they're not actively exploited zero-days.
No CVEs exist yet.
All are high severity, with one scoring 8.8.
The local privilege escalation affects Agent Portal via unsafe deserialization to SYSTEM.
The RCEs stem from inadequate input validation across multiple reporting and query classes, mostly leading to authenticated SQL-driven code execution.
The highest severity RCE involves unsafe path use and can be triggered with admin credentials or user interaction.
Trend Micro says patches slipped from September and November to March of next year.
Coming up after the break,
my conversation with Jason Manar from Kaseya,
sharing his insights on public-private cooperation
for national security,
and hackers mistake a decoy for glory.
Stay with us.
At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most: applications, data, and identity.
That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data,
and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster,
scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A-com slash cyber.
Jason Manar is CISO at Kaseya.
We recently caught up to discuss his insights on how the private and public sectors can work together for national security.
So I would give a generalized statement first, that when I think about cybersecurity and when I think about politics in general, I think about Congress's ability or inability to pass meaningful legislation that keeps up with cybersecurity, if you will, cybersecurity technology and cybersecurity issues and problems.
For example, I am a very data analytically driven human being.
And as such, I am still amazed that we don't have certain mandatory reporting requirements or some type of standard that the government has deemed must be in place, with the exception of FedRAMP for, you know, governmental utilization.
So, but you're truly asking about what we see politically and what we see politically,
unlike some of our adversaries, quite frankly, we oftentimes change.
Every four years or potentially eight years, we change, even ever so slightly, our initiatives.
And one of the things that has been changed as of late is the mission of CISA, right?
And looking at that, there's been some impact. And looking at that, there's been some concern.
Now, I see it from both sides. I see when CISA was started very early on, it was very hard for them to find their footing, right? And then they started
coming into their own
and they started really
filling in some voids within the community.
We seem to be pulling away from that
and pulling back from that now.
It's going to be very interesting
to see what governmental
or private resources that we have
to step in and fill the void.
My perspective has been
that for many, many years,
cybersecurity kind of enjoyed
broad bipartisan
support. It stayed out of the fray of any particular side's interests. Everyone agreed this was
important for our national security, for the security of our citizens. And my sense is that the past
couple of years, that's kind of drifted away a little bit. Or perhaps we, would it be fair to say we
lost a little of our innocence? Is that an acceptable way to frame it? Yeah, I would say we lost a little of
our innocence, but being in government, I would say that depending upon which part of government
you're in, it's no different than certain businesses. There are different silos, and people
understand the problem differently. So those that are closest to it, right, the line level agents
within various organizations that are combating these adversaries and actors every day
have a very different understanding of what's going on, quite frankly, than some other parts
of the government. And sometimes I think our attention is somewhat diverted. I pause and I hesitate
to say because, and this is Jason Manar's take, right? What I continue to see is in certain
ways Congress and our congressional delegates and representatives having a very difficult time
providing legislation, whether it's on cybersecurity or other matters. And I think that affects
cybersecurity in a meaningful way. And if you look back to when the last true legislation was
passed, and I'm not talking about, you know, presidential, you know, some type of presidential
directive, but actual, you know, congressional cybersecurity legislation, you know, it's truly
been at some time. And even the laws around cybersecurity, when you look at the laws around
cybersecurity, many times they are using financial fraud laws. They're using RICO laws. They're
using other laws that aren't necessarily specific because all that we have, you know, is one law
that was passed back in, I think it was back in the 80s on the books, at least federally,
for cybersecurity.
Yeah.
So do you think there's kind of a fundamental velocity mismatch here between the ever-accelerating rate
at which things happen in the cyber domain and Congress's inability to squeeze anything through?
Well, I think it's that.
But I also think, you know, I want to give Congress and I want to give our government the benefit of the doubt somewhat.
You know, there are many, many issues to address at any given moment.
But I think truly understanding, right, that where are technology, our data, our intellectual property,
and a lot of things that make this a great, great country
resides in the digital realm and digital space.
And as such, I really believe that we need to give
a lot more bandwidth to thinking about how we're protecting
and addressing that and how we're doing that, you know,
across the board through public and private partnerships.
I'm not just speaking to, you know, potential regulatory compliance
or congressional mandates,
but true public-private, you know,
collaborations that move the needle in a meaningful way
that protect America's interest
while protecting, you know,
the interest of our businesses.
What do you suppose something like that could look like?
Wow.
Isn't that the $50,000 question?
Or maybe in this realm,
you know, $50 trillion question.
Yeah.
Well, first, it has to always start with the dialogue.
And I will say CISA, the FBI, and several other entities are trying very hard at getting that dialogue going and keeping that going through several different initiatives.
I'm very excited about what some agencies are doing to try to bridge that gap.
I would obviously like to see that expand because truly the way that I think you get everyone involved is if you get all stakeholders in a room.
I know CISA for a while, last year, the year before that, they had a committee for RMM security standards and we were able to push out some security standards for companies that were selling RMM.
And RMM can be a very, very powerful tool, which is why we chose to start there.
And there were really legs on continuing that legislation and rolling that into what that looked like with the SDLC process, CI/CD pipeline, and how we could meaningfully look at technology and businesses that were making products, what that public-private partnership looked like so that we could have some directions to continue to make things in a safer way for the ultimate end consumer, right?
And I think that's a great place to start.
And then I think from that, you get some wonderful ideas around things that then grow legs, because in these meetings, you have not only people from the top sectors within business, but you have representatives that are a part of the legislative team.
So you won't necessarily have legislators there, but you'll have part of the legislative team.
You'll have people from, you know, cyber warfare from all aspects.
You'll have people from all agencies that you can think about.
And they're all sharing ideas and trying to come up with that, you know,
$40 trillion answer, if you will, and how we slowly get there.
And I think that's where you kind of have to start, right?
Because some of the best intended legislation, especially when it starts out,
if you don't involve the end technical user,
while it may be well-intentioned can lead to adverse consequences.
And that's where we don't want to be.
Do you suppose that we have what it takes to make these things happen?
Is there political will there?
Is there good faith partnerships in the making?
Yeah.
So I will say my time during the FBI, we spent a lot of time building those relationships within Fortune 50 and 100 companies and even some smaller.
And so I would say that there are things, even from back then, you know, a decade ago,
that are still bearing fruit and there's still some really good traction to be had there.
With some of the other initiatives, I'll be honest, I'm not sure what the newer initiatives
are.
I am part of that, I will take personal blame for, because I am set to go to D.C. and meet with some folks.
But unfortunately, I think it was just a time of transition last year. So unfortunately, that didn't happen.
So I'll be going to D.C. I'll be seeing if those things potentially even exist, and I'm just unaware.
But I know, as I said before, several of the initiatives with CISA and DHS have kind of gone away.
And those were some of the ones that I was most engaged with.
So while they are reconstructing what that looks like, we're engaging more with, you know, other government entities and trying to be of service and trying to make sure that we are a voice for MSPs and small and mid-sized businesses to whom we protect and sell services to.
That's Jason Manar from Kaseya.
With Amex Platinum,
access to exclusive Amex pre-sale tickets
can score you a spot trackside,
so being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply. Learn more at amex.ca slash Y-Amex.
This episode is brought to you by Peloton.
A new era of fitness is here.
Introducing the new Peloton
Cross Training Tread Plus, powered by
Peloton IQ. Built for
breakthroughs with personalized workout plans,
real-time insights, and endless
ways to move. Lift with confidence
while Peloton IQ counts reps,
corrects form, and tracks your progress.
Let yourself run,
lift, flow, and go.
Explore the new Peloton Cross Training Tread Plus at onepeloton.ca.
And finally, in a twist worthy of a digital sitcom, pro-Russian hackers spent September loudly celebrating the takeover of a Dutch water facility, only to discover they'd been splashing around in a honeypot.
The group, calling itself TwoNet, had in fact broken into a decoy network built by researchers at Forescout, who quietly watched as the hackers defaced a login page, disabled alarms, and generally made mischief, all in a sandbox.
Their victory announcement, complete with the charming signature "hacked by Barlotti, F," although the F was another word, was met by the cybersecurity equivalent of polite applause.
Forescout says the incident illustrates how novice hacktivists are increasingly poking at industrial systems they barely understand, mistaking honeypots for heroics.
TwoNet, like many of its peers, quickly folded, proving that hacktivist groups often have the lifespan of a mayfly, just louder.
Still, researchers warn these bumbling forays mark a worrying shift toward real-world infrastructure
as the next big cyber playground.
So it turns out the hack of the year
was really just a splash
in a very well-monitored puddle.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A quick program note: we will not be publishing this coming Monday in observance of the federal holiday. We'll see you back here on Tuesday.
Be sure to check out this weekend's Research Saturday and my conversation with John Fokker, head of threat intelligence at Trellix.
We're discussing their research, Gang Wars: Breaking Trust Among Cybercriminals. That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms
building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cyber security.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.d. datatribe.com.
