CyberWire Daily - Whistle-blown and wide open.
Episode Date: August 27, 2025A whistle-blower claims DOGE uploaded a sensitive Social Security database to a vulnerable cloud server. Allies push back against North Korean IT scams. ZipLine is a sophisticated phishing campaign ta...rgeting U.S.-based manufacturing. Researchers uncover a residential proxy network operating across at least 20 U.S. states. Flock Safety license plate readers face increased scrutiny. A new report chronicles DDoS through the first half of the year. LLM guard rails fail to defend against run-on sentences. A South American APT targets the Colombian government. Our guest is Harry Thomas, Founder and CTO at Frenos, on the benefits of curated and vetted AI training data. One man’s fight against phantom jobs posts. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest today is Harry Thomas, Founder and CTO at Frenos, talking about the benefits of curated and vetted AI training data. Learn more about the Frenos and N2K Networks partnership to utilize industry validated intelligence to build the first AI native OT security posture management platform. Selected Reading DOGE Put Critical Social Security Data at Risk, Whistle-Blower Says (The New York Times) Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme (The Record) ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies (Check Point Research) Phishing Campaign Targeting Companies via UpCrypter (FortiGuard Labs) Belarus-Linked DSLRoot Proxy Network Deploys Hardware in U.S. Residences, Including Military Homes (Infrawatch) CBP Had Access to More than 80,000 Flock AI Cameras Nationwide (404 Media) Evanston shuts down license plate cameras, terminates contract with Flock Safety (Evanston Round Table) Global DDoS attacks exceed 8M amid geopolitical tensions (Telecoms Tech News) One long sentence is all it takes to make LLMs misbehave (The Register) TAG-144’s Persistent Grip on South American Organizations (Recorded Future) This tech worker was frustrated with ghost job ads. Now he’s working to pass a national law banning them (CNBC) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMVRising.com to secure your spot.
Risk and compliance shouldn't slow your business down. Hyperproof helps.
helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets.
From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance.
Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
A whistleblower claims Doge uploaded a sensitive social security database to a vulnerable cloud server.
Allies push back against North Korean IT scams.
Zipline is a sophisticated fishing campaign targeting U.S.-based manufacturing.
Researchers uncover a residential proxy network operating across at least 20 U.S. states.
Flock safety license plate readers face increased scrutiny.
A new report chronicles DDoS through the first half of the year.
LLM guardrails fail to defend against run-on sentences.
A South American APT targets the Colombian government.
Our guest is Harry Thomas, founder and CTO at Franos,
on the benefits of curated and vetted AI training data.
And one man's fight against phantom jobs posts.
It's Wednesday, August 27th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
A whistleblower complaint has revealed that the Department of Government Efficiency, Doge, a group tied to Elon Musk's government tech initiative, uploaded a copy of the Social Security Administration's numidant database, containing records of over 548 million social security numbers to a vulnerable cloud server back in June.
The New York Times reports the database includes full names, addresses, and birth dates, making it one of the most sensitive U.S. repositories of personal information.
The complaint filed by Social Security's chief data officer Charles Borges warns of catastrophic impact if the data were exposed, including mass identity theft and the costly reissuance of Social Security numbers.
Borgas alleges
alleges
Doge bypassed
standard security
oversight
excluded him
from discussions
and ignored
risk assessments
labeling the
project
high risk.
While no breach
has been
confirmed,
documents show
Doge
pushed forward
despite repeated
warnings.
The complaint,
supported by
whistleblower
lawyers,
claims
Doge's
actions may
have violated
federal laws
protecting
government
data.
Governments and
tech firms
met in Tokyo this week to share strategies against North Korea's covert IT workers scheme.
Organized by the U.S., Japan, and South Korea, the forum gathered over 130 participants
from payment providers, crypto exchanges, AI companies, and freelance platforms.
For years, North Korean citizens posing as foreign contractors, have landed IT jobs at Western
firms using stolen IDs, earning millions to fund Pyongy.
Yong's weapons programs.
Hundreds have secured roles, sometimes holding multiple jobs at Fortune 500 companies.
While their work often appears competent, U.S. officials warn of risks, including data theft,
reputational harm, and insider access for future hacks.
North Korea linked groups like Lazarus have stolen over $600 million from crypto firms,
prompting tighter cooperation and recent sanctions.
Researchers at Checkpoint have uncovered Zipline, a sophisticated fishing campaign targeting
U.S.-based manufacturing and supply chain critical industries.
Unlike traditional fishing, attackers begin contact through a victim's public contact us form,
prompting companies to respond and creating an appearance of legitimacy.
They then sustain weeks of credible email exchanges, often under the guise of business partnerships
or AI transformation initiatives
before delivering a malicious zip file.
The payload contains Mix Shell,
a custom in-memory implant using DNS tunneling
and HTTP fallback for command and control.
Mix Shell enables file operations,
proxying, command execution, and persistence.
Attackers leverage aged U.S. registered domains
with cloned websites to boost credibility.
Dozens of organizations,
including large manufacturers and smaller firms were targeted.
The campaign demonstrates how patient trust-based social engineering
combined with advanced malware can bypass traditional defenses,
highlighting the need to scrutinize even routine inbound business interactions.
Elsewhere, Fortegard Labs has uncovered a global fishing campaign
using personalized emails and spoofed websites to spread upcryptor,
a malware loader that deploys multiple remote access tools, including pure HVNC, DC Rat, and Babylon Rat.
Attackers use convincing lures, such as missed voicemail messages or purchase orders with malicious HTML attachments.
These scripts redirect victims to phishing pages tailored with their email domains and logos, making the sites appear legitimate.
Once on the page, victims are prompted to download a zip file containing an obfuscated JavaScript
dropper. This triggers PowerShell commands, bypasses security checks, and executes payloads directly
in memory. Upcryptor ensures persistence of AIDS analysis and retrieves additional malware
from attacker-controlled servers. The campaign has already spread rapidly across multiple
industries, highlighting how attackers now use advanced loaders to maintain long-term control
inside networks far beyond simple fishing attempts.
InfraWatch and Krebson Security have identified DSL Route, a residential proxy network,
operating across at least 20 U.S. states.
Unlike typical proxy providers that rely on mobile SDKs, DSL route installs dedicated hardware
in American homes, creating persistent access to residential IPs.
The service is managed by Andre Hollas, a Belarusian national with residences in Minsk and Moscow.
Researchers estimate roughly 300 active devices, primarily using CenturyLink and Frontier IP space.
Technical analysis shows DSL Roots custom software can remotely manage consumer routers and even Android devices,
enabling IP rotation and anonymous traffic routing.
The network operates without authentication, exposing U.S. infrastructure to foreign control.
DSL route markets its proxies on underground forums,
alongside related services like virtual credit cards and company formation,
offering global clients stealth access to U.S.-based IPs for $190 per month.
Customs and Border Protection quietly gained
access to more than 80,000
Flock Safety License Plate Reader
cameras nationwide, giving
federal agents sweeping visibility
into vehicle movements across the
U.S. According to
reporting from 404 media,
this access extended far beyond
what local jurisdictions had been
told, with many city officials
unaware their camera data was
being shared. In response
to the revelations, flock
announced it would pause all federal
pilot programs and limit
direct federal access. The fallout is already unfolding at the local level. Yesterday, Evanston,
Illinois voted to shut down its license plate reader system and terminate its contract with Flock
safety by September 26th. The decision followed a state audit revealing that Flock had illegally
shared Illinois plate data with federal agencies, including CBP, in violation of a 2024 state law.
Evanston officials cited both the privacy risks and the company's non-compliance as reasons for ending the program.
A new report from NetSkout recorded over 8 million global DDoS attacks in the first half of 2025, the highest ever.
Activists and nation states now time their assaults with major political events, crippling communications, energy, and transport.
Europe, the Middle East, and Africa bore 3.2 million attacks.
including a 3.12 terabit-bit-per-second strike in the Netherlands.
Groups like No-Name 05716 dominate, launching hundreds monthly,
while newcomers like Dynet and Kymus Plus quickly spread.
With AI-driven automation, cheap DDoS for hire services,
and vast IoT botnets, experts warn traditional defenses are increasingly obsolete.
Researchers at Palo Alto Network's U.S.
Unit 42 have found a simple but powerful way to jailbreak large language models, run-on sentences
with bad grammar. By packaging all instructions into one continuous clause without punctuation,
attackers can bypass safety guardrails before they activate. Tests showed an 80 to 100% success
rate against major models like Lama, Gemma, and Quinn. The team introduced the concept of the
refusal affirmation logic gap, highlighting that alignment training only reduces but not erase
the chance of harmful outputs. Their proposed defenses include a sort-sum-stop method
and layered protections such as input sanitization, external AI firewalls, and post-generation
filtering. Senior Director Billy Hewlett stressed that alignment is a patch on top of models
that still contain unsafe knowledge, meaning jailbreak risks will persist.
While the technique hasn't been observed in the wild yet,
researchers warn this cat and mouse game will likely continue.
Recorded Futures Insect Group has linked five activity clusters to Tag 144,
also known as Blind Eagle, a South American APT that conducts cybercrime alongside espionage.
The clusters share tactics such as,
using cracked rats, dynamic DNS services, and legitimate internet services for staging,
but differ in infrastructure and malware deployment.
Most victims are within the Colombian government at multiple levels.
Tag 144 also shows ties to red Akkadon and has leveraged compromised government email accounts for spearfishing.
Recommended defenses include IP and domain blocking, enhanced email filtering, data exfiltration,
monitoring, and updated Yara, Sigma, and Snort Rules.
Coming up after the break, my conversation with Harry Thomas, founder and CTO at Frenos,
we're discussing the benefits of curated and vetted AI training data, and one man's fight
against phantom job posts. Stick around.
Compliance regulations,
and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets,
screenshots and all those manual processes, you're right.
GRC can be so much easier,
and it can strengthen your security posture
while actually driving revenue for your business.
You know, one of the things I really like about Vanta
is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas,
compliance, internal, and third-party risk,
and even customer trust,
so you're not buried under spreadsheets
and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, G-R-C, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's V-A-N-T-A.com slash cyber.
You can get protein at home or a protein latte at Tim's.
No powders, no blenders, no shakers, starting at 17 grams per medium latte.
Tim's new protein lattes, protein without all the work,
at participating restaurants in Canada.
Now, I'll admit right up front,
this next segment is a bit self-promotional,
but do stick with me because I think you'll see why it matters.
Here at N2K, we've been curating and refining our certify knowledge base
for more than 25 years.
We think it's the gold standard for cybersecurity,
certification practice exams, and now we're opening it up to help power the next wave of AI-driven
innovation. So yes, I'm bragging a little bit, but I promise there's real value here,
especially as we talk about our new partnership with Frenos, an OT security innovator,
working to protect critical infrastructure. And joining me now is Harry Thomas, founder and
CTO at Frenos. Harry, thanks so much for taking the time for us today.
Hey, nice to be here. Thanks, Dave.
So I want to start from the very beginning here.
Can you describe for our audience what this partnership between N2K and Freenos is all about?
Yeah, certainly.
So the partnership, what it really comes down to is large language models,
AI models right now are generally benchmarks on how well they do at like general education,
right, or general math being done.
And it's really hard to understand how these language models perform with like task-specific results.
Our partnership with N2K is really utilizing your training data, your exams to benchmark and
understand how our language model at Franos will perform, right?
I mean, language models need some form of intelligence, and utilizing the data from N2K allows
us to bake in the intelligence of professionals within our field to assist with cybersecurity.
So unlike data that's scraped from the open web, our knowledge basis has.
highly curated. Can you explain why that matters in an AI context?
So even like scraping general web data, it needs to go through some sort of fine-tuning process,
some formatting so that language models understand and can utilize it. You can't just scrape the
web and utilize it that way. The same thing is with this highly curated N2K data. What it does is
it gives us like up-to-date information on how current technologists should
operate within a professional setting because the problem with just scraping data off the
internet is that it's historic data, right? Sometimes since the internet's been around and it's
really hard to tell a language model to put less emphasis on that type of data when you're training
it. So the benefit of the N2K curated data is that it kind of mimics how professionals
now operate rather than historic type of training or historical type of
data. There's been references in the information about this effort that the data set is living
and continuously updated to reflect evolving certification standards and vendor technologies.
What part does that play in all of this? I mean, it plays a big part in all of this, right?
I mean, technology is evolving day after day. There's new innovations, new, you know, we're talking
about cybersecurity, new cybersecurity principles that we need to worry about. And the fact
that N2K data is living and it gets updated quite frequently really helps us out here at
Franos because then we can utilize that data, train a language model, or utilize some of
the data within retrieval augmented generation so that the language model doesn't necessarily
need to be trained. It already has this base foundational knowledge, but with all this extra
information that we're able to get from this N2K partnership, we're able to be on the cutting
edge, bleeding edge of cybersecurity and ensuring that our customers are able to reap the benefits
of having kind of this kind of consultant in a box, you know what I mean?
Yeah, I mean, let's talk about that.
I mean, your focus is innovation in OT security.
What do you hope comes out of this for your customers?
That is a really good question.
Well, what I'm really expecting for our customers to understand and utilize this,
language model that's been
trained on this data for is really
understand that it's kind of like a trusted partner
right? I mean obviously trust by
verify that's cyber security
101. But certainly
work with our
language model or our AI reasoning agent
we've named her Sirea work with her
to understand
and gain a grasp
of kind of your environment
how your environment might operate against
threat actors but also
look to Sira to help you figure
out what you need to work on next. And like I said, in a kind of trusted advisership.
What do you think distinguishes this resource from some of the other data sets that are out there?
I mean, the first and foremost, you have a whole company behind this data set, putting in
hours and hours of work to ensure that it is up to snuff to train human cybersecurity professionals
in the field and make them successful.
What you really lack from the other data sets that are out there
is open source, open source isn't a bad thing,
but you don't have somebody getting paid to pour in
all of those working hours to make sure that this data set
is really like up to snuff
and can benefit a lot of other individuals
or a lot of other AI models, you know what I mean?
Yeah.
What sort of timeline are we on here?
When do we expect this to be available to folks out there who want to take advantage of it?
Well, the language model is built inside the Frenas platform, and we're already utilizing some of the N2K data right now.
We internally benchmark our language models on N2K data.
I probably should put out a blog post about that, showing how Sira operates with the N2K data and the benchmarks that we're getting from it.
You know, quite frankly, just our internal testing and results, you know, our language model,
Sira, is doing close to on par with these larger language models like Chachy BT and Claude, right?
You know, they might get a 80, 90%, but our language models are coming very close to those
task-specific results, which is pretty cool.
But, yeah, to answer your question, you know, as we continue releasing the Franos platform
through our release cycle for the rest of the year,
more and more of the N2K data is coming into and influencing SIRA.
All right.
Well, there you have it.
And we took a minute to brag about our own work
and our collaboration with Franos.
And we hope our audience will forgive us
because we think it really does matter.
The N2K Certify Knowledge Base isn't just about practice exams anymore.
It's becoming part of the foundation for AI solutions
that can help keep our critical infrastructure.
you're safe, and that is what Franos is working on. Harry Thomas is the founder and CTO at
Frenos. Harry, thanks so much for joining us. Yeah, thank you. Pleasure being here.
2K networks, tell us what matters most to you by completing our annual audience survey.
Your insights help us grow to better meet your needs.
There's a link to the survey in our show notes.
We're collecting your comments through August 31st.
Thanks.
With Amex Platinum, access to exclusive Amex presale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply.
Learn more at mx.ca.orgia.
It's Rona Week.
Now until Wednesday, rain or shine, you can always be building yourself a better summer.
So head over to Rona and save 30% on SICO endurance interior paint.
Give that room you keep saying needs a fresh coat of paint, a fresh coat of paint.
Build it right, build it Rona.
Conditions apply, details in store, and more offers at rona.ca.
I said interior paint, right?
And finally, when Eric Thompson lost his job in late 2024, he expected the usual frustration of job hunting.
Awkward interviews, long silences, maybe even a rejection or two.
What he didn't expect was dispatched.
spend months chasing ghost jobs. Positions posted online that employers never actually plan to fill.
Annoyed enough to turn ghost busting into a side hustle, Thompson founded the Truth in Job Advertising
and Accountability Act Working Group. The group's draft proposal would require employers with over 50 staff
to list details like start dates, whether a role is new or just recycling, and even how many
times it's been posted. Violators could face fines of at least $2,500. About 17% of jobs on greenhouse
in the second quarter of 2025 fell into the ghost category, making it a common headache.
Thompson now spends 20 to 30 hours a week pitching the idea to Congress. Whether lawmakers will
prioritize ghostbusting remains hauntingly unclear.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at the Cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August, so there's just a few days left.
there's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin. Peter Kilby is our publisher, and I'm Dave Vittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.