
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, October 9, 2025. I'm Sarah Lane.
Google's DeepMind AI agent fixes and finds vulnerabilities
Google DeepMind unveiled CodeMender, an AI agent that autonomously finds and fixes software vulnerabilities. Using Gemini Deep Think models, CodeMender can rewrite code to eliminate entire classes of security bugs, validate changes via static and dynamic analysis, fuzzing and multi-agent systems, and prevent regressions. Over the past six months, it has delivered 72 security fixes to large open source projects. Though all patches are reviewed before submission, the tool addresses the growing challenge of keeping pace with AI-generated vulnerabilities.
California law lets consumers universally opt out of data sharing
California's governor signed a new law requiring web browsers to include an easy-to-find universal opt-out option for data sharing, letting Californians block third-party data sales with one click. The law expands on the 2018 California Consumer Privacy Act, which granted the right to send opt-out signals but did not require browsers to make them simple to use. Governor Newsom also approved related bills strengthening the state's data broker disclosure rules and requiring social media platforms to fully delete user data upon account cancellation.
China-nexus actors weaponize Nezha open source tool
A China-linked threat actor is exploiting the open source server management tool Nezha to compromise organizations, primarily in Southeast Asia. Attackers gained initial access through unsecured phpMyAdmin instances, performed log poisoning to deploy a web shell, and then used Nezha to manage systems, disable Windows Defender, and install Gh0st RAT malware. Since August, more than 100 organizations across six continents, including large media and academic targets, have been affected.
Researchers highlight the growing trend of repurposing legitimate tools for attacks due to low detection risk and minimal research cost.
DraftKings thwarts attack, urges password reset and MFA
DraftKings detected a credential stuffing attack on September 2 using stolen logins from non-DraftKings sources. While no evidence shows its systems were breached or sensitive data was stolen, some user accounts may have been accessed at least temporarily. Impacted users were notified and advised to reset passwords and enable MFA. DraftKings added technical safeguards to prevent future attacks. This does follow previous incidents, including one in 2022 affecting 68,000 accounts.
Huge thanks to our sponsor, ThreatLocker. Cybercriminals don't knock. They sneak in through the cracks other tools miss. That's why organizations are turning to ThreatLocker as a zero trust endpoint protection platform. ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here with ThreatLocker.
A quick reminder for fans of the CISO Series and NYC-based security professionals. You're all welcome to join us for what should be a very fun networking event in New York City on October 21st at 5:30pm. It is free, so head on over to the events page at cisoseries.com to register.
Russian hackers turn to AI as old tactics fail
Ukrainian researchers report that Russian hackers are increasingly using AI and new tactics as Kyiv's defenses improve. Attacks now include AI-generated malware, automated phishing and zero-click exploits, while hackers adopt a steal-and-go model, taking data quickly and then disappearing. CERT-UA noted that Russian cyber operations are also coordinated with missile and drone strikes, but Ukraine's defenses have largely kept pace, neutralizing most intrusions.
Vampire Bot malware targets job hunters
Researchers at Aryaka Threat Research Labs say a Vietnam-based group called BatShadow is targeting job seekers and digital marketing professionals with phishing emails that install Vampire Bot malware. Written in Go, the malware takes continuous screenshots, hides in system folders and sends stolen data to remote servers. The campaign uses fake job-related PDFs in zip files to lure in victims, blending surveillance and data theft into what looks like a normal professional activity.
LockBit, Qilin and DragonForce join ransomware forces
Ransomware groups LockBit, Qilin and DragonForce have formed an alliance to share tools, infrastructure and techniques, potentially increasing attacks on critical infrastructure and expanding into lower-risk sectors. LockBit 5.0, capable of targeting Windows, Linux and ESXi, marks its return after a 2024 law enforcement takedown. Qilin, which is highly active in North America climate, claimed over 200 victims in Q3 of this year. Overall, ransomware incidents remain high as groups increasingly target new regions like Egypt, Thailand and Colombia.
Red Hat hackers team up with Scattered Lapsus$ Hunters
Dark Reading reports that the group behind the Red Hat consulting breach, known as Crimson Collective, has joined forces with Scattered Lapsus$ Hunters, the alliance linked to major breaches at Salesforce and other companies. Crimson Collective claims it stole 28,000 Red Hat repositories containing client data and has added Red Hat to Scattered Lapsus$ Hunters' dark web leak site. Security firm Rapid7 says that Crimson Collective has also targeted AWS environments using leaked credentials and extortion tactics.
Every vendor is quick to throw out that word visibility, but like AI, that term is loaded and has a wide variance. What is meant by visibility and does it sync with what is desired by visibility? That is what we're trying to figure out on the latest episode of Defense in Depth.
Look for the episode "What Is the Visibility That Security Teams Need?" wherever you get your podcasts. If you have thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I am Sarah Lane, reporting for the CISO Series. Enjoy your favorite bagel today or wherever you get your snacks.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Podcast: Cyber Security Headlines by CISO Series
Episode Theme: The AI-powered evolution of cybersecurity: New technologies, escalating attacks, and legislative progress shaping the threat landscape and data rights.
This episode covers the latest advancements, threats, and legal changes influencing cybersecurity. Major stories include Google DeepMind’s autonomous vulnerability-fixing AI, California’s new universal opt-out law, Chinese threat actor tactics, high-profile ransomware alliances, and shifts in Russian cyber warfare. The host, Sarah Lane, explores how defenders and attackers alike are increasingly leveraging AI and collaboration, while legal frameworks attempt to keep pace.
[00:10–01:10]
Notable quote:
“CodeMender can rewrite code to eliminate entire classes of security bugs, validate changes... and prevent regressions.” – Sarah Lane, [00:13]
[01:11–02:14]
Notable quote:
“Californians [can now] block third party data sales with one click.” – Sarah Lane, [01:20]
[02:15–03:08]
Notable quote:
“Researchers highlight the growing trend of repurposing legitimate tools for attacks due to low detection risk and minimal research cost.” – Sarah Lane, [03:04]
[03:09–03:54]
Notable quote:
“DraftKings added technical safeguards to prevent future attacks.” – Sarah Lane, [03:50]
[04:48–05:26]
Notable quote:
“Russian cyber operations are also coordinated with missile and drone strikes, but Ukraine’s defenses have largely kept pace.” – Sarah Lane, [05:20]
[05:27–06:06]
Notable quote:
“Campaign uses fake job related PDFs in zip files to lure in victims, blending surveillance and data theft…” – Sarah Lane, [06:01]
[06:07–06:54]
Notable quote:
“Ransomware groups…have formed an alliance to share tools, infrastructure and techniques, potentially increasing attacks on critical infrastructure…” – Sarah Lane, [06:10]
[06:55–07:21]
Notable quote:
“Crimson Collective claims it stole 28,000 Red Hat repositories containing client data…” – Sarah Lane, [07:10]
For full stories and further discussion, visit cisoseries.com.