CyberWire Daily - Windows servers under siege
Episode Date: October 28, 2025
WSUS attacks escalate as an emergency patch fails to fully contain an exploited flaw. Schneider Electric and Emerson are listed among victims in the Oracle EBS cyberattack. Google debunks reports of a massive Gmail breach. A new banking trojan mimics human behavior for stealth. Sweden's power grid operator confirms a cyberattack. Italian spyware targets Russian and Belarusian organizations. The U.S. declines to sign the new UN cyber treaty. Ransomware payments fall to record lows. The U.S. Cyber Chief calls for a "clean American tech stack" to counter China's global surveillance push. On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks: Sarit Tager and Krithivasan Mecheri. AI mistakes Doritos for a deadly weapon.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Threat Vector
On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks: Sarit Tager and Krithivasan Mecheri (Krithi). Together, they dive into the urgent challenges of securing modern development in the age of AI and "Shifting Security Left". You can listen to their full conversation here, and catch new episodes every Thursday on your favorite podcast app.
Selected Reading
Microsoft WSUS attacks hit 'multiple' orgs, Google warns (The Register)
Industrial Giants Schneider Electric and Emerson Named as Victims of Oracle Hack (SecurityWeek)
Google says talk of Gmail breach impacting millions not true (The Register)
'Herodotus' Android Trojan Mimics Human Sluggishness (Gov Infosecurity)
Hackers Target Swedish Power Grid Operator (SecurityWeek)
Italian-made spyware spotted in breaches of Russian, Belarusian systems (The Record)
US declines to join more than 70 countries in signing UN cybercrime treaty (The Record)
Ransomware profits drop as victims stop paying hackers (Bleeping Computer)
National cyber director says U.S. needs to counter Chinese surveillance, push American tech (CyberScoop)
Armed police handcuff teen after AI mistakes crisp packet for gun in US (BBC News)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Risk and compliance shouldn't slow your business down.
Hyperproof helps you automate controls, integrate real-time risk workflows,
and build a centralized system of trust so your teams can focus on growth, not spreadsheets.
From faster audits to stronger stakeholder confidence,
Hyperproof gives you the business advantage of smarter compliance.
Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and
identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the
world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
WSUS attacks escalate as an emergency patch fails to fully contain an exploited flaw.
Schneider Electric and Emerson are listed among victims in the Oracle EBS cyberattack.
Google debunks reports of a massive Gmail breach.
A new banking trojan mimics human behavior for stealth.
Sweden's power grid operator confirms a cyberattack.
Italian spyware targets Russian and Belarusian organizations.
The U.S. declines to sign the new UN cyber treaty.
Ransomware payments fall to record lows.
The U.S. Cyber Chief calls for a clean American tech stack to counter China's global surveillance push.
On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks,
Sarit Tager and Krithivasan Mecheri.
And AI mistakes Doritos for a deadly weapon.
It's Tuesday, October 28, 2025. I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Researchers warn that a critical Windows Server Update Services, or WSUS, vulnerability
is being actively exploited, despite Microsoft's recent emergency patch.
The flaw enables unauthenticated remote code execution on Windows Server 2012 through 2025,
stemming from insecure deserialization of untrusted data.
Google's Threat Intelligence Group confirmed multiple intrusions by a threat actor it calls
UNC6512, observing reconnaissance and data exfiltration from compromised hosts.
Trend Micro reports roughly 100,000 exploitation attempts in a week, with nearly half a million
internet-exposed WSUS servers potentially vulnerable.
Experts warn that exposed servers could allow attackers to distribute malicious updates downstream,
amplifying the threat.
Cybercriminals tied to the Clop ransomware operation have named Schneider Electric and Emerson
as victims of an ongoing campaign exploiting Oracle E-Business Suite vulnerabilities.
The attackers, believed to be associated with the financially motivated FIN11 group,
claimed to have stolen large volumes of corporate data, later posted on Clop's leak site.
The site lists 2.7 terabytes of data allegedly from Emerson and 116 gigabytes from
Schneider Electric, with file structures suggesting origin in Oracle environments. Other organizations,
including Harvard University and Envoy Air, have confirmed impact from the same campaign.
Researchers say the operation mirrors prior large-scale attacks on MOVEit and Fortra systems,
underscoring persistent risks in enterprise software supply chains.
Widespread reports of a massive Gmail data breach grabbed headlines this week,
but Google says the claims are false.
The confusion began after researcher Troy Hunt added 183 million credentials to his Have I Been Pwned service,
sourced from old infostealer malware logs, not a new Gmail hack.
Google confirmed there's no evidence of compromise, calling the reports a misunderstanding of recycled data.
The company emphasized that Gmail's defenses remain strong and advised users to enable two-factor authentication.
Researchers at ThreatFabric have identified a new Android banking trojan called Herodotus
that uses randomized pauses to evade basic behavioral detection systems.
The malware inserts delays of up to three seconds when entering stolen credentials,
mimicking human typing speed to appear legitimate.
Distributed through smishing links and side-loaded apps,
Herodotus abuses Android accessibility services to steal banking credentials,
intercept SMS one-time passcodes, and display fake login overlays.
It shares limited code overlap with the Brokewell trojan discovered earlier this year.
Though currently active in Italy and Brazil, Herodotus includes templates for banks and
crypto wallets in multiple countries, suggesting broader campaigns ahead.
More advanced biometric systems may still detect its automated behavior.
Sweden's state-owned power grid operator, Svenska kraftnät, confirmed a cyberattack that led
to a data breach but did not affect the country's electricity supply. The incident, discovered Saturday,
targeted an isolated external file transfer system, according to the organization's chief information
security officer. Ransomware group Everest has claimed responsibility, adding Svenska kraftnät
to its leak site and alleging theft of roughly 280 gigabytes of data. The company reported the
attack to authorities and is investigating the breach's scope.
While no critical systems were compromised, the attack underscores the growing threat to critical infrastructure operators from data extortion groups.
Researchers from Kaspersky say Italian spyware from Memento Labs, formerly known as Hacking Team, was used in cyberattacks targeting organizations in Russia and Belarus.
The commercial surveillance tool, called Dante, appeared in incidents linked to a threat group dubbed ForumTroll,
which has previously targeted Russian institutions with phishing and Chrome zero-day exploits.
Kaspersky could not confirm who commissioned the attacks or whether Memento Labs knew of Dante's
deployment. The discovery marks the spyware's first confirmed use since its 2023 debut for
law enforcement clients. ForumTroll's campaigns leveraged a custom loader, LeetAgent,
to deploy Dante in select cases, showing advanced APT capabilities.
Memento Labs declined to comment on the findings.
More than 70 countries, including the UK, China, Russia, and the European Union,
signed the new UN Convention Against Cybercrime in Hanoi, while the United States notably
withheld its signature. The treaty establishes the first global framework for sharing electronic
evidence and coordinating cross-border cybercrime investigations.
UN Secretary-General António Guterres called the convention a powerful, legally binding
instrument against crimes like ransomware, money laundering, and online trafficking.
But critics warn it could enable mass surveillance and suppress digital freedoms under authoritarian regimes.
The State Department said the U.S. is still reviewing the treaty, which will take effect after 40
ratifications.
Ransomware payments have fallen to their lowest level on record, with just 23%
of victimized organizations paying attackers in the third quarter of this year, according to
Coveware. The firm says the steady six-year decline reflects stronger defenses, improved incident
response, and growing pressure from authorities not to pay. Average ransom payments dropped to $37,000,
with median payments at $140,000. Data theft now dominates ransomware activity,
featured in 76% of incidents, and payment rates fall to 19% when only exfiltration is involved.
Groups like Akira and Qilin increasingly target medium-sized firms,
while remote access compromise and software vulnerabilities remain top entry points.
Coveware says every avoided payment starves attackers of oxygen, validating collective defensive progress.
National Cyber Director Sean Cairncross warned that China is attempting to export a surveillance
state across planet Earth and urged the U.S. to promote a clean American tech stack as a
democratic alternative. Speaking at the 2025 Meridian Summit, Cairncross said Washington must engage
both current and emerging partners to push back against Beijing's growing digital influence,
which he described as destabilizing and aimed at undermining U.S. decision-making.
He said the upcoming U.S. cybersecurity strategy under President Trump will emphasize posture
and action over length or rhetoric.
Strengthening the Office of the National Cyber Director remains his top priority, following
recommendations from the Cyberspace Solarium Commission.
Cairncross also urged Congress to renew the expired Cybersecurity Information Sharing Act,
calling its protections essential for industry collaboration on cyber threats.
Coming up after the break in our Threat Vector segment, David Moulton speaks with his Palo Alto
Networks colleagues about the urgent challenges of securing modern development in the age of AI and shifting security left.
And AI mistakes Doritos for a deadly weapon.
Stick around.
And now a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an
application containment strategy, ensuring apps can only access the files, registry keys,
network resources, and other applications they truly need to function. Shut out cybercriminals
with world-class endpoint protection from ThreatLocker.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that
really keeps you up at night: how do I get out from under these old tools and manual processes?
That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over
spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management
platform continuously monitors your systems, centralizes your data, and simplifies your security
at scale. And it fits right into your workflows, using AI to streamline evidence collection,
flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need
to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com
slash cyber. That's V-A-N-T-A dot com slash cyber.
On today's Threat Vector segment, David Moulton speaks with a pair of his Palo Alto Networks colleagues,
Sarit Tager and Krithi Mecheri.
They're diving into some of the urgent challenges of securing modern development in the age of AI.
Here's their conversation.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity
threats, resilience, and the industry trends that matter most.
Today, I'm joined by Sarit Tager, Vice President of Product Management, and Krithivasan Mecheri,
Senior Director of Product Security, both from Palo Alto Networks.
We dig into how to truly shift security left, build prevention first programs,
and how to keep code velocity high without creating chaos.
Context-aware ASPM keeps teams focused on what actually matters in production.
Think golden templates, secure base images, automated pull requests,
tools that turn prevention into speed and help developers move fast,
fix early, and still sleep at night.
Sarit, Krithi, welcome to Threat Vector.
I'm really excited to have both of you here today.
Thank you, David. Great to be here.
Hey, David. Great to be here.
You know, I know that AI is rewriting the rules of development.
It's accelerating code delivery
by at least 10x.
What security risk do you see
this creating?
So this is a great question.
Actually, it's not the one,
but it's few problems.
So one will be that
I would say the shift in responsibility.
If you think about it before,
the developer was the one that's responsible
for the vulnerabilities or the problems
that were getting into the code.
Now we have some kind of an agent that is writing the code.
And the responsibility is kind of being shifted between the developer and the agent.
Sometimes the developer accepts or rejects, approves or rejects, things from the agent.
But this will be the first one.
It's not just a shift in responsibility.
It's also a shift in knowledge.
If I was a developer a few years ago, then I knew my code.
I understand exactly what I did.
And hence I could have remediated it.
Now that an agent did, this is kind of a surprising one.
The second one will be, if you think about agents and the way they,
even if they kind of have like MCPs and you add your scanners and you say,
yes, let's do a scanning, it has to be done as a prerequisite,
and not a post one, a post-scanning like we do today.
And today we first write the code and then do the scanning.
in an AI coding, vibe coding,
it has to change.
That would be part of the way
you generate the code.
And then comes some questions.
For example,
will the agent adhere to the requirement
by the scanners?
It's not necessarily happening.
So this is something that we need
to kind of take care of.
And another one is the entire
new attack surface
that are being created
by this vibe coding.
Think about how Cursor or Windsurf are working.
Just an example, of course.
They have an agent.
They have the LLMs that they are working on.
They have the MCPs.
Not all of them are secure.
You may find yourself, and Krithi can say that,
with a lot of MCP servers
that are not approved by your application security
practitioners and they are not part
of your organization approval,
the White List or something like that.
And then you may find yourself in a way
that things, the agent will do things in the computer that you are not protected from.
So first will be the problems of the post-scanning.
The fact that it's no longer only the developer that is responsible.
The second will be the new attack surface.
Like there are MCPs, new supply chain attacks.
So there are a lot of different areas in which vibe coding is bringing value by generating
code, velocity, very important.
but it also has a risk in which you have to protect your environment in a better way
and make sure that you know exactly what is going to be applied to your code.
How do you protect the users?
So a lot of interesting stuff I had.
Yeah, you know, I was just on an interview with a research firm asking about AI
and its usage inside of marketing organizations.
That was specifically what she was looking at.
And I think that alongside our like different corporate trainings,
for security policy or for, you know, how to be inclusive, how to make sure that we're upholding
our ethics and our values as an organization, there's got to be AI training. And I think what
you're talking about is beyond just the regular security training of don't click on the fishing
link and, you know, stay away from some of those things that we see as patterns. But what are
the types of things that are going to happen when you are using AI tools to accelerate your
ability to succeed in a corporate environment? And what are the types of things that you're opening
a business up to? And maybe that's not necessarily the path that both of you are,
you know, thinking about. But I think if we don't see that in the training within the next six
months, that there's been a massive miss, because the amount of risk and the ease at which
the risk is taken is, it's just, it's everywhere right now. It's actually quite wild to me.
Krithi, I want to switch it over to you from your vantage point in AI security. What
vulnerabilities do your teams see that are often overlooked in that AI generated code?
That's my favorite question, actually, out of the podcast. So here's my take, okay?
So with the amount of choices developers have of using different models, different code generation
tools, right? These are all built on functional correctness, lacks sometimes security context.
So, leading to many code-related vulnerabilities, most of the time we have seen input validation missing, you know, weak access control, you know, hard-coded credentials.
So it becomes super important, one, to understand how these tools work fundamentally.
Second, also we have seen, because of hallucinations, models and tools recommending packages which don't even exist, which leads to typosquatting,
recommending packages, older versions of vulnerable packages.
So it kind of opens up an interesting perspective
because you have to now detect everything at scale.
And that is what I say.
It is as a challenge and an exciting problem to go solve
from a practitioner's point of view.
If your teams are drowning in alerts,
this conversation shows how to turn security
into a business accelerator.
Listen to the full episode now
in your Threat Vector podcast feed.
It's called Shifting Security Left,
and it's live now.
Thanks for listening.
Stay secure.
Goodbye for now.
Be sure to check out the full Threat Vector podcast
wherever you get your favorite podcasts.
We'll also have a link in our show notes.
Now streaming on Paramount Plus is the epic return of mayor of Kingstown.
Warden? You know who I am.
Starring Academy Award nominee Jeremy Renner.
I swear in these walls.
Emmy Award winner Edie Falco.
You're an ex-con who ran this place for years.
And now, now you can't do that.
and BAFTA award winner Lenny James.
You're about to have a plague of outsiders descend on your town.
Let me tell you this.
It's going to be consequences.
Mayor of Kingstown, new season now streaming on Paramount Plus.
You know what's better than the one big thing?
Two big things.
Exactly.
The new iPhone 17 Pro on TELUS's five-year rate plan price lock.
Yep, it's the most powerful iPhone ever, plus more peace of mind with your bill over five years.
This is big.
Get the new iPhone 17 Pro at telus.com slash iPhone 17 Pro on select plans. Conditions and exclusions apply.
And finally, 16-year-old Taki Allen was finishing football practice and a bag of Doritos when Baltimore County Police, eight cars deep, arrived with guns drawn.
The culprit: not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his packet of chips as a firearm, prompting what one might call a highly seasoned police response. The school's principal quickly realized it was a false alarm, but not before the teen was handcuffed and thoroughly confused. Police insist they responded proportionally, though one wonders
what a disproportionate response would look like,
an airstrike, perhaps.
The AI vendor Omnilert
said its system operated as designed,
which may concern anyone who snacks in public.
Taki said he now avoids eating chips outdoors,
citing safety concerns.
Because in 2025 America,
even Doritos can trigger an incident report.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what do you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share.
a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the 8th annual Data Tribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.