A
You're listening to the CyberWire network, powered by N2K.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

Operation Endgame expands global takedowns. The US is creating a Scam Center Strike Force. Microsoft rolls out its delayed Prevent Screen Capture feature for Teams. Proton Pass patches a clickjacking flaw. Researchers uncover previously undisclosed zero day flaws in both Citrix and Cisco Identity Services Engine. Android based digital picture frames contain multiple critical vulnerabilities. Lumma Stealer rebounds after last month's doxxing campaign. Our guest is Garrett Hoffman, Senior Manager of Cloud Security Engineering from Adobe, talking about achieving cloud security at scale. And X marks the spot where your passkey stops working.

It's Thursday, November 13th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.

Authorities dismantled three major cybercrime platforms and arrested a key suspect during the latest phase of Operation Endgame, coordinated from Europol's headquarters in The Hague.
Starting earlier this week, officials targeted the Rhadamanthys infostealer, the VenomRAT remote access trojan and the Elysium botnet. According to the provided report, the operation removed more than 1,000 servers, seized 20 domains, and included searches across Germany, Greece and the Netherlands. Hundreds of thousands of computers were infected and millions of stolen credentials were stored in the dismantled infrastructure. Authorities say the VenomRAT suspect was arrested earlier, on 3 November, in Greece. The takedown disrupts major tools used in global cybercrime and highlights the scale of compromised systems worldwide. Victims may still be unaware of infections, and the report urges them to check their devices.

The US is creating a Scam Center Strike Force to confront cyber scam compounds across Southeast Asia that have stolen billions from Americans in recent years. Treasury says the team will include Justice Department, Secret Service, State Department and FBI personnel who will investigate, disrupt and prosecute major scam operations in Burma, Cambodia and Laos. Officials plan to use sanctions, asset seizures and criminal cases while helping victims with restitution and scam avoidance education. The government estimates Americans lost at least $10 billion in 2024 to romance scams, fake investment platforms and fraudulent cryptocurrency sites. New sanctions target Myanmar's Democratic Karen Benevolent Army, several of its leaders, and Thai companies accused of supporting scam compounds that rely on human trafficking and fund armed groups in Myanmar's civil war.

Microsoft has begun rolling out its delayed Prevent Screen Capture feature for Teams Premium, designed to block screenshots and recordings during meetings. Originally planned for July of this year, the rollout shifted to early November. The feature restricts visual content capture on Windows and Android by forcing screenshots to display a black box or show a warning message.
Unsupported platforms join meetings in audio only mode. It's off by default and must be enabled per meeting by organizers. While Microsoft 365 admins manage device enrollment and licensing through Entra ID, Microsoft notes the feature does not stop someone from photographing a screen. The update follows similar privacy protections from WhatsApp and broader Microsoft efforts to strengthen security in Teams chats.

Proton Pass has released an updated version of its browser extension to fix a DOM based clickjacking flaw demonstrated at DEF CON 33. Researcher Tóth showed that attackers could invisibly trigger password manager UI elements, tricking users into approving autofill or exposing sensitive data with a single misleading click. The vulnerability affected most major managers, though only some vendors have patched it. The update hardens Proton Pass's injected UI against manipulation. Users are urged to update immediately and consider disabling autofill on untrusted sites.

Amazon's threat intelligence team has uncovered a highly sophisticated actor exploiting previously undisclosed zero day flaws in both Citrix and Cisco Identity Services Engine. Amazon's MadPot honeypots detected CitrixBleed 2 exploitation before public disclosure, leading investigators to a second zero day in Cisco ISE that enabled pre authentication remote code execution. The actor weaponized both vulnerabilities before patches were available, a sign of advanced capability. After gaining access, the attacker deployed a custom in memory web shell tailored for Cisco ISE, using reflection, encrypted communication and Tomcat listener registration to evade detection. Amazon notes the campaign reflects a growing focus on identity and network access infrastructure. Security teams are urged to enforce strict access controls and strengthen behavioral detection.

Elsewhere, CISA is urging federal agencies to fully patch two actively exploited Cisco ASA and Firepower vulnerabilities.
The flaws allow unauthenticated access to restricted URLs and remote code execution, and when chained, can give attackers complete control of unpatched devices. Cisco confirmed both were zero day exploits tied to the ArcaneDoor campaign. CISA's emergency directive mandates agencies secure all Cisco firewalls within 24 hours, noting some mistakenly applied incomplete updates. Shadowserver still tracks over 30,000 vulnerable devices online.

Researchers at Quokka found that Uhale Android based digital picture frames contain multiple critical vulnerabilities, including behavior that downloads and executes malware at boot. Many frames fetch an app update from China based servers that installs a payload linked to the Vo1d and Mzmess malware families, which then runs at every startup. Devices ship with SELinux disabled, are rooted by default, and use insecure configurations that enable remote code execution, command injection and unauthorized file access. ZEASN, the vendor behind the platform, has not responded to repeated disclosures.

Trend Micro's latest research shows Lumma Stealer has rebounded after last month's doxxing campaign, with activity rising again starting October 20th. The malware now uses browser fingerprinting alongside its traditional command and control methods, collecting extensive system, network, hardware and browser details through JavaScript payloads and stealthy HTTP traffic. These additions help operators evaluate victim environments, guide follow on actions, and evade detection. Trend also observed process injection into Chrome and new fingerprinting endpoints on the C&C infrastructure. Despite reduced underground visibility and signs of operational strain, Lumma Stealer remains active, continues targeting endpoints, and deploys secondary payloads like GhostSocks.
Coming up after the break, Garrett Hoffman, senior manager of cloud security engineering at Adobe, talks about achieving cloud security at scale. And X marks the spot where your passkeys stop working. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

What's your 2am security worry? Is it "do I have the right controls in place?" Maybe "are my vendors secure?" Or the one that really keeps you up at night: "how do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires.
Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Garrett Hoffman is Senior Manager of Cloud Security Engineering from Adobe. In today's sponsored Industry Voices conversation, I speak with him about achieving cloud security at scale. Let's start off by getting to know you a little bit, Garrett. Can you tell us where you got your start and what led you to where you are today?
A
Yeah, definitely. So I've been at Adobe for almost eight years. Prior to this I was at Microsoft. So I've been in a variety of security roles at Adobe, both as an individual contributor and as a technical leader. So I'm currently on the cloud infrastructure security team in the cloud security space. I've also done software development, and some of this was focused on cloud security around building platform services that increase product developer productivity and enforce security best practices. So right now my team focuses on infrastructure security, which is pretty much everything except the software that's running on the endpoints. And since that's such a large space, we definitely work with our partner teams to ensure that we have comprehensive security coverage.
B
You know, there's folks in this industry, when I speak with them, where I say that is a big job, and senior manager of cloud security at Adobe falls into that category.
A
Yeah, you know, what helps me the most though is I have such a great team that's very proactive, very competent. You know, they're experts on the cloud security space, they're experts on what's going on in the industry, and so they really help us to lead a successful cloud security program here.
B
Well, today we're focusing on this notion of cloud security at scale. How do you define that? What does that term mean to you?
A
Yeah, so to me, cloud security at scale means three different things. So the first is cloud security is a very large space and encompasses many different areas. So you really need to define what your foundation for that is. So what is your cloud security strategy or what is your standard? This is something that needs to be done as a joint effort across what's probably going to be multiple teams, so you can define a comprehensive strategy and not have different blind spots. There are some pre established frameworks that you can use as a foundation. Each cloud service provider has their own recommendations as well around best practices for using their services. But at the end of the day, each company needs to define what this means for them. So that'll be based on your risk tolerance, your compliance certifications, the data you protect, and just overall the experience that you want to give to your customers. So once you define your baseline standard, the next step is really understanding how your company compares to that. So each major functional area that you've defined in your cloud security strategy or standard will have their own way of doing this. So one of the common things I see across the industry today as I talk to others in my network is using a cloud native application protection platform, or a CNAPP solution. So a CNAPP solution helps security teams pull together visibility across multiple areas of cloud security. So that's all the way, if you think left, all the way from code to detections. There's really no one size fits all approach to this. Depending on your company size, a CNAPP solution might be best. Or maybe you do everything in house, or what Adobe does, and most companies do, is they use a combination of both purchased tools and in house built tools so they can have a true, comprehensive view of how they compare to their cloud security standard. So there's really no one solution here.
The outcome that you want to look for is defining comprehensive visibility into where you're deficient compared to what your cloud security standard is, so that you know where your focus needs to be. And then the third aspect of cloud security at scale is moving your entire cloud environment closer to that standard, based on your discoveries. So there are two main areas of this. The first is secure by default, and that's ensuring that all new cloud resources are deployed in a secure state. So this is looking at the full development life cycle from code to production. So I look at secure by default as building security into the product from the beginning, not bolting it on afterwards. And so this requires developing relationships with the product teams, building their trust, getting it into their work stream so that you can be there from the very beginning of their ideation phase, their design phase, through the entire process, so that you can ensure that what they're implementing follows best practices. And then the second is preventing security drift. This is around after cloud resources are deployed. Over time, you know, new vulnerabilities are discovered, things go EOL. And so ensuring that you have practices in place to constantly refresh your infrastructure and have a plan to be able to both detect those end of life or vulnerabilities and then fix them.
B
So when we're talking about scaling cloud infrastructures, are there any common misconceptions that you've come across, things where people have a different idea from what may be reality out there?
A
You know, there are a few that come to mind. So the first would be focusing so much on remediation that you don't address risk prevention. So depending on your situation, you know, focusing only on discovering risks and remediation can keep you very, very busy, but it won't really move your security program forward. You know, I kind of see that as maintaining the status quo. So the best practice in that situation would actually be to assess the risk that you're discovering and then determine how to prevent new ones from being created in the first place. And of course, along with that, you know, it's thinking about, you know, risk areas you might not have as many findings in as you would expect and then investigating why that is. You know, are you truly secure in that area? Are you just not seeing things that you probably should be seeing? You know, so this is something that'll look different for every company, you know, depending on your specific situation. So for example, you know, if you're remediating vulnerabilities and, you know, you want to prevent new ones, you know, you might think about, you know, what are your hardening guardrails, like, you know, prior to deployment, you know, and how often are you refreshing your VMs? And then a second misconception around cloud security is that effective cloud security belongs to the security team and that it's the security team's responsibility to make that happen. And that's absolutely not correct. Security is everyone's responsibility. So part of a mature security program is bringing security awareness to non security teams, so the entire company works together to keep customer data safe. So the misconception is that you don't have to foster a culture of shared responsibility around cloud security. You really do need to in order to be successful.
B
What's the best method that you've found for getting that sort of buy in, for getting, you know, everyone across the organization to agree and invest in this idea that it is everyone's responsibility?
A
Yeah, that's a great question, because in large companies you have such a diverse set of roles and responsibilities and functions, you know, across the entire space. And so it really comes down to a couple of things. So one is awareness, you know, making sure that everyone is aware that the actions they take can impact our cloud security. They have to understand what's okay to do, what's not okay to do, especially around things like social engineering. They have to be able to understand what best practices are and have that be top of mind for them. And I think the second thing would be around trust. So I mentioned before that it's important for the security team to be able to work with product teams from the beginning so that they can ensure that the products are built, you know, secure by default, you know, in ways that implement best practices. And so we have to ensure that the product teams trust the security team and that they believe that as they work with us and as we work with them, they'll have better outcomes over time.
B
Hmm. Well, I would love to dig into some of the nitty gritty here and some of the actual architectural decisions that you all contend with when you are building cloud security at scale. What are some of the things you've experienced?
A
One of the biggest things I could think of would be a lack of shared standards. So not building security in from the beginning or taking a secure by default approach. So product teams are customer first, you know, as they support and grow their product offerings to meet customer needs. So if they don't implement security best practices from the beginning, and by this I mean designing security into their product offering as it's in the design phase and then implementation phase, they'll have to go back and fix the infrastructure after it's deployed. And that can be a major slowdown to the business, because it takes their attention and focus away from improving the product, and it can also lead to unnecessary risks before they're remediated. There's security drift that can happen over time, but ideally you'll be managing platforms, or you'll be using managed platforms, that will automatically enforce best practices, and that can help reduce the risk.
B
Are there any specific lessons that you've learned while you're there at Adobe that have really informed how you approach scaling cloud security across an enterprise?
A
Yeah, definitely. So Adobe is a large company and we've been able to successfully implement standard practices. These have brought comprehensive security and efficiency to each of our product teams. You know, if you work for a small company, you know, now is the best time to implement standardized practices so that as your company continues to grow, that will be in there from the beginning. You know, we've seen a lot of benefits from that. You know, one of them is of course on the security side, that product teams don't have to worry about going back and remediating after the fact, and our customer data is secure. And the other thing is, you know, as product teams utilize standardized practices, it helps them be more efficient as well.
B
Where do you suppose we're headed when you look toward the horizon, the future of cloud security? And of course AI and machine language are top of mind for a lot of folks. What do you suppose the future holds here?
A
Yeah, this is a really good question too, and one of the areas I really like to look at and think about. It's one of the things that makes cloud security fun. You know, it's not doing the same thing every day. It's constantly changing, it's constantly evolving. The major cloud service providers are constantly releasing new features and functionality. Just about, it seems like, every week or so there are new features and things, and developers are constantly staying on top of that and they're constantly using these new features. As cloud security professionals, we need to expect that and we need to ensure that our programs cover these new areas and that we're prepared for the new risks and attack vectors that are introduced. You know, one of the other areas that I think about when I hear that question is AI, artificial intelligence. You know, it seems to be the hot topic in the industry right now. And so AI systems can present cloud security professionals with both a new risk and an opportunity. So some of these AI systems, like chatbots or automated tools, are increasingly being tested for weaknesses. So this means that we as security leaders need to be focused on understanding how these systems can be manipulated to better ensure that the right safeguards are in place. Kind of shifting from just AI in general to more generative AI, you know, it's really transforming cybersecurity by enabling faster threat detection, automated responses, predictive analytics. Adobe sees AI as a powerful tool to enhance security, but not necessarily to replace human oversight. You know, so while these technologies offer new efficiencies, they can also introduce, you know, new and novel risks that have to be managed with transparency, governance and accountability. So at Adobe, our fundamental approach to AI is grounded in our AI ethics principles of accountability, responsibility and transparency.
B
You know, I'm curious just from a personal point of view, whenever I have the opportunity to talk to someone in a position like yours, how do you deal with the scale of the challenges that are before you? Again, as we said, an organization the size of Adobe, how do you break it down into manageable bite sized pieces for you and your team to be able to tackle?
A
Yeah, that's definitely something that we think about often and that we have to strategize around. And I think this goes back to what I was saying before, around how security is really a shared responsibility across the whole company. So that includes, you know, every employee at Adobe, or, you know, whatever company you're at, doing their part to reduce risk and prevent risks, you know, prevent attackers. But the other aspect of that is making sure that you have great relationships with your partner teams so that you can work together and put together a holistic strategy where one team isn't trying to tackle all of security by themselves, but instead, you know, you have the different pillars where each team is working together, doing their specific thing, to put together the larger picture.
B
That's Garrett Hoffman, senior manager of cloud security engineering at Adobe.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales. T-H-A-L-E-S. Learn more at Thales Group.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.

And finally, yesterday reports were bubbling up across social media that users of Elon Musk's X are now trapped in an endless two factor authentication obstacle course. The trouble started when X told anyone using passkeys or hardware keys to re enroll on the shiny X.com domain, a necessary side effect of retiring the creaky old twitter.com address. Unfortunately, those keys still think Twitter exists, and they refuse to make the jump. After the November 10 deadline, many users found themselves locked out entirely, stuck between error messages and looping setup screens. It's the latest in a long string of headaches since Musk bought the platform for $44 billion, though his own account seems blissfully unaffected. X has yet to comment, perhaps still circling the login page with the rest of us.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: November 13, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Garrett Hoffman, Senior Manager of Cloud Security Engineering, Adobe
This episode of CyberWire Daily covers major developments in global cybercrime crackdowns, new government initiatives against cyber scams, fresh vulnerability disclosures, and trends in cloud security. The show features an in-depth interview with Garrett Hoffman from Adobe, who shares actionable insights on achieving cloud security at scale, fostering a shared-security culture, and navigating emerging challenges like AI.
This episode provides a comprehensive briefing on leading security headlines and insights on building cloud security at scale, emphasizing collaboration, proactive prevention, and adapting to technological change.