Cyber Security Headlines – Week in Review: ShinyHunters-Scattered Spider Merge, DARPA AI Prize, Water Infrastructure Volunteers
Podcast: Cyber Security Headlines
Host: CISO Series
Guest: Steve Zalewski, Co-host of Defense in Depth
Date: August 15, 2025
Episode Overview
This week’s “Cyber Security Headlines – Week in Review” unpacks critical cybersecurity stories, including the ShinyHunters-Scattered Spider merger and its implications for phishing attacks, DARPA’s $4M AI prize at DEFCON for automated code review, and the Franklin Project’s surge of volunteer cyber defenders for water infrastructure. The host and guest Steve Zalewski explore ongoing pain points like social engineering, the evolving use of AI in both offense and defense, and the unique challenges facing smaller organizations and critical infrastructure.
Key Discussion Points & Insights
1. ShinyHunters-Scattered Spider Merge: A Professionalization of Cybercrime
Timestamp: 03:00–08:40
- The Story: The notorious hacker groups ShinyHunters and Scattered Spider have merged, forming a coordinated campaign targeting Salesforce users via phishing, vishing, and malicious app-based attacks. Their approach includes impersonating IT support, standing up fake Okta login pages, and distributing spoofed apps designed to steal credentials and data.
- Techniques:
  - Impersonation and voice phishing
  - Sophisticated fake login pages
  - Spoofed applications mimicking legitimate tools
  - Targeting sectors like luxury retail, aviation, insurance, and financial services
Steve Zalewski’s insights:
- “A brutal truth, which is the human is the weakest link. … We are lazy to a certain extent, we are forgetful, we don’t get enough sleep. And so this opportunity to take advantage of human nature…” ([04:30])
- Deepfakes and realistic impersonations raise the stakes on social engineering.
- On professionalization:
  - “You have two professional organizations … They’ve professionalized it, and now they’re working together to both increase the velocity of attack and increase the sophistication of the success of the attack. That’s what has me nervous.” ([05:52])
  - Comparison to ransomware as an almost business-like criminal activity.
- Host’s take: The merger could introduce inefficiencies like any corporate merger, but the trend toward “cybercrime as a business” with increasing specialization is worrying for defenders.
2. DARPA’s $4 Million AI Prize for Automated Code Review
Timestamp: 08:42–14:01
- The Story: DARPA concluded a two-year challenge at DEFCON, awarding $4M to Team Atlanta (Georgia Tech, Samsung Research, KAIST, Pohang University) for building an AI system that finds and patches software vulnerabilities.
- AI's Role: The contest sought tools that can “ingest 54 million lines of code,” detect faults, and patch them rapidly.
Steve Zalewski’s insights:
- Praises DARPA’s initiative: “I really appreciate DARPA doing this. There are a lot of startups out there that are going after vulnerability management, … which we haven’t been very successful at because the number of assets we have to patch has far surpassed our ability to patch it.” ([10:09])
- “What I’m hoping for … is not just the velocity to ingest … it’s the ability to generate the insights of which lines of code were the problem and then the speed of execution.” ([10:56])
- Sees AI as “a force multiplier to remove a lot of the drudgery that humans have to do with eyes on glass, to be able to let the humans be more effective at figuring out what the right defense in depth compensating controls are for actionability and let the machines go ahead and do a lot of the drudgery.” ([13:06])
- Key point: AI is not about replacing humans but amplifying their capabilities, especially in defense posture.
3. Franklin Project: Volunteer Cyber Defenders for Water Infrastructure
Timestamp: 14:01–17:22
- The Story: The Franklin Project, founded by Jake Braun (former White House, Univ. of Chicago), is mobilizing volunteers to provide free cybersecurity services to critical infrastructure, particularly water systems.
- Challenge: Many utilities believe they’re too small or remote to be targets for sophisticated attackers.
Steve Zalewski’s insights:
- “Cybersecurity is a family… like firefighters, like policemen, are there for each other.” ([14:58])
- Emphasizes “mutual aid, mutual defense, mutual support” for defending the broad attack surface.
- Nation-state context: Small utilities see themselves as unlikely targets, but hostile nation-state actors treat exactly these overlooked systems as entry points for disrupting the country as a whole.
- “They’re very operationally oriented. … For them to appreciate nation states wanting to come in and take them and others out, … This is why we have to rely on our community.” ([16:26])
- Key takeaway: Improving “cyber hygiene” at the grassroots level is essential for national security.
4. Microsoft Windows 365 Reserve: Cloud PC as Incident Response
Timestamp: 19:21–22:41
- The Story: Microsoft is piloting Windows 365 Reserve – allowing temporary cloud PC access during failures or cyberattacks, with up to 10 days annually for affected employees.
- Pre-configured desktops match company security/app policies and can be accessed via browser from any device.
Steve Zalewski’s insights:
- Mixed feelings: “I get warm because I start to sweat thinking about giving Microsoft access to all that material or committing myself to one egg, one basket.” ([19:29])
- For large enterprises, Microsoft is a necessary but challenging partner; for SMBs and SMEs, this is often a practical business continuity planning (BCP) solution.
- “I really appreciate what Microsoft is doing because I can see over time, … put it in a good place so that I can then just drop in an alternative application platform. … You’re going to see a lot of people adopt it … this is good enough.” ([20:57])
- For MSPs, manufacturers, and other organizations that are not prime targets, this provides affordable, practical continuity.
5. Booking.com: Persistent Phishing via Homograph Attacks
Timestamp: 22:41–25:23
- The Story: After an earlier “captcha scam” campaign, Booking.com is now fighting a homograph phishing scam in which a Japanese Hiragana character is inserted into URLs so that links in fake customer-complaint emails read like legitimate Booking.com addresses.
- Problem: Users misread such URLs easily; the substituted character is nearly invisible when skimmed, while the browser resolves the domain the attacker actually registered.
Steve Zalewski’s insights:
- “It’s not a matter of time before it works. This is why it always works.” ([23:52])
- Attackers exploit normal human error and assess when a target is most likely to slip: “are you sleep deprived, likely to miss, just had a child.” ([24:25])
- “For all the folks … concerned about AI and Skynet and it’s taking my jobs away… we have to put AI in because … I need that additional ability for AI to be watching and streaming through this and being able to give me that authorization last mile check… or cauterize the wound.” ([24:40])
- AI is now required as a line of defense against sophisticated, ever-persistent social engineering tricks.
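The URL trick described in this segment, with a detector as an added example (this is not code from the episode, CISO Series, or Booking.com): each link in a message is parsed, its host converted to the xn-- form DNS actually resolves, non-ASCII and mixed-script characters are flagged, and the registrable domain is compared against the one the mail claims to come from. The sample email, the lookalike URL (a Hiragana letter U+3093 placed inside a host label so the address reads like a booking.com path when skimmed) and the two-label registrable-domain rule are assumptions for illustration, not details from the reported campaign.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Coarse script buckets taken from the Unicode character name. This is enough
# to notice a Hiragana or Cyrillic letter sitting inside an otherwise Latin
# hostname; a production filter would add the UTS #39 confusables data.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "HIRAGANA", "KATAKANA",
                   "CJK", "HANGUL", "ARABIC", "HEBREW")


def script_of(ch: str) -> str:
    """Return a coarse script label for one character ('ASCII' for plain ASCII)."""
    if ch.isascii():
        return "ASCII"
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def to_ace(host: str) -> str:
    """ACE (xn--) form of the host, i.e. what DNS resolves; ASCII hosts pass through.
    Uses the stdlib IDNA 2003 codec; the 'idna' package gives IDNA 2008 behaviour."""
    return host.encode("idna").decode("ascii")


def registrable_part(ace_host: str) -> str:
    """Last two labels as a crude eTLD+1 (assumption: no public-suffix list)."""
    return ".".join(ace_host.split(".")[-2:])


def analyze_url(url: str, expected_domain: str) -> dict:
    """Flag homograph tricks in one URL against the domain the mail claims to be from."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Every non-ASCII character in the host, with code point and Unicode name,
    # so an analyst can see exactly what was substituted.
    non_ascii = [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
                 for ch in host if not ch.isascii()]
    if non_ascii:
        findings.append("non-ascii host characters")
    # A host that mixes ASCII letters with any other script is the classic
    # homograph shape (Latin "booking" plus one foreign letter).
    scripts = {script_of(ch) for ch in host if ch.isalpha()}
    if "ASCII" in scripts and len(scripts) > 1:
        findings.append("mixed scripts in host")
    # Compare on the ACE form: that is the name the resolver and certificate see.
    ace = to_ace(host)
    reg = registrable_part(ace)
    if reg != expected_domain:
        findings.append("registrable domain is %s, not %s" % (reg, expected_domain))
    if not parts.path.isascii():
        findings.append("non-ascii path characters")
    return {"host": host, "ace": ace, "non_ascii": non_ascii, "findings": findings}


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def scan_text(text: str, expected_domain: str) -> list:
    """Return (url, findings) for every link in a message body; clean links give []."""
    return [(m.group(0), analyze_url(m.group(0), expected_domain)["findings"])
            for m in URL_RE.finditer(text)]


# Constructed sample "customer complaint" mail, not a real Booking.com message.
# The second link hides a Hiragana letter (U+3093) inside a host label so the
# host reads like a booking.com path when skimmed; the registrable domain is
# the attacker's (www-account-booking.com, a made-up name for this example).
SAMPLE_MAIL = """\
A guest has filed a complaint about reservation 4821.
Review it here: https://admin.booking.com/complaints/4821
Or use the direct link: https://admin.booking.comんcomplaintsんdetail.www-account-booking.com/4821
"""

if __name__ == "__main__":
    for url, findings in scan_text(SAMPLE_MAIL, "booking.com"):
        print(url)
        print("   ", findings or "no findings")
```

The registrable-domain comparison is the check that survives even when the lookalike uses no foreign characters at all (a plain `booking.com.example` subdomain); the script checks are there to explain to the analyst why a link that visually matched was rejected. A deployment would swap the two-label rule for the Public Suffix List and add a confusables mapping so that `bооking.com` with Cyrillic letters is reported as a skeleton match for the brand rather than only as a mixed-script host.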
Notable Quotes & Memorable Moments
- On human error in cyber defense:
- “Treating the business like you treat a child oftentimes goes a long way to understanding what you can do.” (Steve Zalewski, [04:51])
- On deepfakes:
- “With the deep fakes and the ability to take that digital persona of you … and making it almost perfect … it’s much harder for you to know that it’s fake. It’s much harder for my tools to know that it’s fake.” ([04:52])
- On the “cybersecurity family”:
- “No company, no matter how big … can effectively go it alone. … The security industry [is] doing what it does best.” ([15:18])
- On the inevitability of phishing:
- “They know that 1% of the time you’re going to do it. They know that they hit you up with enough times … you’re going to click.” ([24:02])
- On AI’s defense role:
- “AI as a force multiplier to remove a lot of the drudgery that humans have to do … let the humans be more effective at figuring out what the right defense in depth compensating controls are.” ([13:06])
Key Timestamps
- 03:00 – ShinyHunters/Scattered Spider merger and evolution of cyber crime tactics
- 04:30 – The enduring and evolving threat of phishing/social engineering
- 08:42 – DARPA’s AI competition and implications for vulnerability management
- 14:01 – Franklin Project’s volunteer cybersecurity initiative for water infrastructure
- 19:21 – Microsoft Windows 365 Reserve: cloud-based incident continuity
- 22:41 – Booking.com’s ongoing battle with phishing and homograph attacks
- 26:37 – Recap: Social engineering as the prevailing “facepalm” of the week
Closing Thoughts
Steve Zalewski summed up the week’s cybersecurity narrative as largely driven by increasingly sophisticated social engineering attacks and the corresponding obligation to inject AI throughout the defensive stack—not to supplant humans, but to cover ever-growing gaps. The episode closes with an encouragement for listeners to recognize the difference between what they “want” in security and what they “need,” emphasizing that practical, layered solutions are necessary in a threat landscape that targets both humans and tech.
Listenership Note: Steve welcomes messages and contacts via LinkedIn and continues to accept community questions for the “Defense in Depth” podcast.
For full stories and more cybersecurity news, visit CISOseries.com.
