A dark web titan falls.

Dave Buettner

You're listening to the Cyberwire network.

Maria Vermazes

Powered by N2K CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1 and without securing them, trust, uptime, outages and compliance are at risk. Cyberark is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyber ARC helps modern enterprises secure their machine future. Visit cyberark.com machines to see how Global law enforcement's had a busy week. DHS is said to be among the agencies hit by the Microsoft SharePoint Zero day. The fire and Cyber Espionage Group targets global enterprise infrastructure Mitel Networks issues security patches for MyVoice, MX1 communications platforms CISA nominee Sean Planke faces tough questions at his Senate confirmation hearing. A malicious prompt was hiding in Amazon's Q developer extension for VS Code. Our guest is Brandon Karp, friend of the show, cybersecurity expert and founder of T Minus Space Daily, joining host Maria Vermazes to explore how space based telecom architectures could play a critical role in securing agentic AI systems and Android users. Scroll with caution while Apple fans roll the dice. It's Friday, 7-24-25. I'm Dave Buettner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. The Black Suit ransomware gang's darknet sites were seized in a global law enforcement operation involving over nine countries and led by US Homeland Security investigation. Seizure notices now appear on the group's Tor sites displaying logos from 17 agencies and cybersecurity firm BitDefender. Black Suit, active since spring of 2023, was a private ransomware group believed to be a rebrand of Royal Ransomware, which itself was linked to the infamous Conti gang. The FBI and CISA said Black suit demanded over $500 million in ransom payments from high profile victims like Kadokawa, Tampa Bay and blood plasma firm octafarmer. After the takedown, Cisco Talos found links between former Black Suit members and the chaos ransomware operation, suggesting the gang's remnants are still active. Ukrainian authorities, with help from France and Europol, have arrested a person suspected of running XSS is a major Russian speaking cybercrime forum on the Dark Web. The arrest occurred in early July after a multi year investigation that included surveillance of an encrypted Jabber messaging server used by cybercriminals. XSS is active since 2013, facilitated the trade of malware, stolen data and ransomware services. Authorities say the suspect wasn't just a technical operator but also supported criminal deals, helped resolve disputes and even took part in cyberattacks and extortion schemes. Prosecutors estimate at least $8.2 million in illegal profits were linked to the forum. With over 50,000 users, XSS is among the oldest dark web forums. This follows recent crackdowns on cybercrime marketplaces, including the June arrest of individuals tied to breach forums. Ukrainian officials have not commented and it's unclear if extradition will occur. The U.S. treasury's Office of Foreign Assets Control has sanctioned three North Koreans and Korea Sobaksu Trading Co. For running fake IT worker schemes that funnel money to North Korea's nuclear and missile programs. These workers, placed in U.S. companies using false identities, send earnings back to the DPRK. Sanctioned individuals include key figures in recruitment, crypto operations and sanctions evasion. This follows earlier crackdowns, including indictments and the disruption of laptop farms. Rewards of up to $7 million are offered for tips leading to arrests. In our continuing coverage of the Microsoft SharePoint breach, the Department of Homeland Security is said to be among the federal agencies affected by the ongoing cyber intrusion. CISA has alerted at least five agencies, possibly more, and is coordinating a national response. While Microsoft linked the attacks to China aligned hackers, it's unclear if DHS was directly targeted by such actors. So far there's no evidence of data theft at dhs. The exploited vulnerability, a zero day flaw, has triggered global concerns. A Chinese linked cyber espionage group, dubbed Fire Ant by cybersecurity firm Signia, is targeting global enterprise infrastructure through Stealthy attacks on VMware ESXi hypervisors. These hypervisors manage virtual machines, making them valuable for spying on large networks. Fire Ant, resembling the known UNC3886 group, uses custom tools that evade standard security systems like edr, allowing long term undetected access. Signia reports the group has been deeply entrenched in several environments, requiring complex real time operations to evict them. The attackers quickly adapted, using new tools and alternate entry points to stay ahead of defenders. While Singapore's National Security Minister has called out these kinds of attacks as threats to critical infrastructure, the Chinese government denies involvement. Fire Ant's tactics and targets, including defense, telecom and tech firms, suggest a state sponsored operation focused on strategic intelligence. Signia's report warns that hypervisor level intrusions pose a serious global cybersecurity threat. Mitel Networks has issued security patches for a critical authentication bypass flaw in its MyVoice MX1 communications platform. The bug, caused by improper access controls in the provisioning manager component allows unauthenticated attackers to gain admin access without user interaction. The flaw affects multiple versions and has been fixed in recent updates. Mitel urges customers to avoid exposing MX1 services to the public Internet and to request patches via authorized service partners for affected systems. At his Senate confirmation hearing, Sean Plenky, President Trump's nominee to lead cisa, faced tough questions on election security and looming cyber policy expirations. Planky, currently a DHS advisor, said he hadn't reviewed the 2020 election cybersecurity, which frustrated Senator Richard Blumenthal, who accused him of dodging responsibility. Planky emphasized CISA's focus would be on securing election tech, not policing misinformation. He acknowledged the agency's staffing and budget cuts, pledging to empower remaining personnel and restructure if needed. Planki also supported renewing the Expiring Cybersecurity Information Sharing act and state cyber grants. Responding to GOP concerns about CISA's past work with tech firms, Planky vowed to keep the agency within its legal limits. He promised CISA would not engage in content moderation, focusing solely on protecting infrastructure. His nomination awaits committee and full Senate votes. A malicious prompt was discovered in version 1.84 of Amazon's Q developer extension for VS code, instructing the AI assistant to wipe a user's system and AWS cloud resources. The destructive code, introduced via a GitHub pull request on July 13, directed Q to delete home directories, user settings and cloud instances using AWS CLI commands. Though the extension wasn't functional, AWS quickly removed it and replaced it with the current version. The company says no customer systems were impacted and updated its contribution guidelines to prevent future incidents. The prompt's discovery highlights the risks of open source code manipulation, especially when paired with AI assistance. This comes on the heels of another alarming AI mishap, where Replit's assistant deleted an entire company database, offering a cautionary tale about the pitfalls of Vibe coding with autonomous tools. Coming up after the break, Brandon Karp speaks with Maria Vermazes about space based telecom architectures and how they could play a critical role in securing agentic AI systems and Android users. Scroll with caution While Apple fans roll the dice, Stick around Bad actors don't break in. They log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing your data. Varonis AI powered data security platform secures your data at scale across LAS SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment@veronis.com Krogle is AI built for the enterprise SOC, fully private schema, free and capable of running in sensitive air gapped environments. Krogle autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context aware auditable decisions aligned to your workflows. Krogel empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more@krogle.com that's C-R-O GL.com Brandon Karp is a friend of the show and cybersecurity expert. He recently caught up with Maria Varmazes on the T Minus Space Daily podcast to talk about how space based telecom architecture could play a critical role in in securing agentic AI systems.

Dave Buettner

Last month when you were on the show we were talking about agentic AI and you introduced this really fascinating premise about the metadata that AI models can generate. I'm trying to summarize this perhaps poorly. The metadata that gets generated is a lot more revealing than people perhaps, perhaps realize. And then I think this month is the now what do space companies need to do about that side of the equation? So what do they need to do about it?

Brandon Karp

Yeah, well both what do they need to do and the opportunity for some space companies to offer solutions and think about kind of where the market will probably go and the direction that the market's going to head in that's going to create opportunities for space companies. And specifically I think the opportunities in telecommunications and you know, we're seeing a lot of movement in like direct to cell or space based Internet and services and the mega constellations that are coming online. A lot of movement in that front. And I think that architecture does offer some nascent but critical security elements that actually mitigate the risk of metadata released into the Internet environment and specifically metadata from agentic systems.

Dave Buettner

Okay, so can you expand on that a little bit? Keep going.

Brandon Karp

Well, so one of the problems with all that metadata that we talked about last time is it creates opportunity for pattern analysis and for network analysis. And by doing network analysis and looking at what endpoints are communicating to what other endpoints, whether through APIs or other agentic connectors, it it can reveal a lot about your network architecture, can reveal a lot about your intent and what your organization is doing. And when you think about agentic systems, they're doing that at machine speeds. So you're creating a tremendous amount of metadata over a very short amount of time that can be analyzed and reveal a lot of secret information and reveal vulnerabilities of your network. Now, when we think about how today we move data, people use VPNs, people use proxies. But the problem with those things is those things are static, they're actually mappable. We can actually figure out pretty easily a VPN endpoint, a proxy endpoint. But when we add the space architecture, if you are proxying data in your Internet connection through the space architecture, it kind of flips the paradigm on its head. Think about it like a cellular network where the device in a terrestrial cellular network is mobile. And that creates some security because your device is moving. The adversary doesn't know where your device is physically in the world. But the cellular world, the mobile world, has created these identifiers that actually have basically taken away all of the security of being a mobile network. Now, when you look at the space architecture, it's not the user, it's not the endpoint that's mobile, it's the router, it's the intermediary node that is mobile. You don't know what node your device is going to connect to directly. And that creates a layer of potential security. And so by routing our network, by routing our traffic, and essentially proxying first through a space architecture, it creates this obfuscation layer where someone measuring your Internet traffic or looking for your specific company's traffic or something like that is not going to actually know where to look. And, and it's going to be, you know, potentially unpredictable, where your traffic is going to get routed. And that takes away a whole threat vector or attack vector, something called packet shaping, where an adversary can actually manipulate the traffic flows of Internet data to actually capture data. And again, even if they're capturing data that's encrypted, they're still going to get the metadata. It opens up a whole world of opportunity for security companies and telecommunication companies to add a layer of obfuscation and add a layer of security by routing through a space architecture.

Dave Buettner

So my mind is going, that is a fantastic opportunity. And the complexity of that, as I'm trying to just sort of, not that I understand networking on a good day, to be completely honest with you, it's not easy to understand, but just the complexity of that, especially as we have more satellites in LEO and many of them, these enmeshed networks, I'm going, holy cow. That sounds also incredibly difficult to implement. Not impossible, surely, but that sounds like a challenge to me in my layman's understanding of this.

Brandon Karp

It is a challenge and it's a challenge for a couple reasons. First, there's not that many providers right now in space based telecom that you can use. Those providers that do exist, they really only have the bandwidth for edge routing, not necessarily backbone routing. When we talk about backbone, we're talking, talking about the massive fiber lines owned by the world's largest telecoms that are moving unbelievable amounts of data every second through undersea cables and things like that. You know, the space architecture doesn't yet have the bandwidth and the throughput needs to be used as backbone. But what we are using those architectures for is the edge routing, like that last router before you get to the edge device, whether it's an IoT device or a mobile device or what have you, it's that last public router before you actually get to a device that's trying to access the Internet or a service on the Internet. So there are opportunities today to start routing some of your core traffic through a space architecture. Of course, Starlink is the one that comes to mind because they have the most proliferated architecture. But others, I mean, the FCC just authorized a merger between SES and Intelsat. And so like that, that is obviously intended to be a new competitor. Of course, most of their customers are like cable or satellite tv. Satellite TV is in structural decline. No one's really using that anymore. It's the same bandwidth, you know.

Dave Buettner

Just kidding.

Brandon Karp

Well, it is though, right? It's all, it's all Internet, right? It's all Internet tv. It's all streaming services.

Dave Buettner

That's not a controversial statement.

Brandon Karp

I'm sorry, they're all gonna. Yeah, they're all gonna invest in the exact same bandwidth. I think most of them are C band satellites, which is the same band that Starlink is using for a lot of their work. So you know, they'll just turn it into IP traffic and so that'll be a potential competitor. And then, you know, you look at the Space Force, right? The Space Force is investing in milnet, which is their proliferated, you know, Leo Constellation.

Dave Buettner

Yep.

Brandon Karp

It's like the follow on to their tranche three, I think, the transport architecture. And so we're starting to see these organizations investing in this. And I think part of it is connectivity. Right. There's the benefit of being able to connect anywhere, even in rural areas or in maritime considerations. But you can't neglect the security implications, which is there are great security implications of doing this. And so how can we invest as companies? How can we actually take advantage of this? Especially the high risk company. I'm thinking like financial services, maybe healthcare, things that are high risk right now.

Dave Buettner

Yeah, I was just gonna ask about application.

Maria Vermazes

Yeah.

Dave Buettner

Because to me I'm like the military. Use of this makes total sense in the business world, financial transactions. I could see that being useful. You mentioned healthcare. Anything else where he's like the use case makes a lot of sense here.

Brandon Karp

I think the opportunity is probably with the telecoms to start offering these services of getting companies access to direct to satellite connectivity that before it actually touches the backbone of the Internet or before it actually touches the high speed fiber of a telecom. Just routing data through a space architecture for your most critical applications, your most critical APIs. Things that we're talking about industrial secrets. So any manufacturing company that is potentially at threat from competitors from industrial espionage, I'm thinking those kinds of manufacturers. Anyone who worked with the defense industry and has industrial secrets or is trying to access APIs on like the AWS GovCloud, this is a service that AWS could offer and say, hey, if you're going to try to reach an API or now in an agentic world, an MCP server, right. That's hosted in the cloud somewhere, we're going to automatically route your traffic first through a space architecture or as the last hop before you get to the actual MCP server, we're going to route it through there and just provide that proxy offset, that obfuscation layer as a value add. Yeah, the value add, exactly. So to me this is a product opportunity for a telecom or a cloud provider or a data like a content.

Dave Buettner

Distribution network, even cloudflare Akamai kind of thing. Yes. Yep.

Brandon Karp

Right. And even some, maybe some smaller MSPs, right. Managed Service providers who are maybe targeting the space industry and saying hey, we're going to offer you guys some value added services. But that's kind of the initial opportunity that I see. But there is a security benefit to this that's interesting.

Dave Buettner

I'm just really curious, does that make a difference if we have greater edge computing in space with this model that you're talking about? Or is it just basically it's another computer in the network that we're talking about, so it doesn't matter necessarily where it's located?

Brandon Karp

I think it does. And where the opportunity lies is what we talked about earlier with the, the constraints on throughput and actually pushing data through a Space architecture, right. It's going to introduce a little bit of latency. The processing power up there right now isn't large enough to necessarily put a lot of data. So you can't use it for a backbone. It's not like a microwave link, a terrestrial microwave link where you can send a ton of data very quickly over relatively long point to point distances. As we increase the processing power in satellites and more routers, right? Cell towers is. Cell towers in space is something we hear about, but really what that is is it's a router attached to an antenna is we increase the routing power and the processing power in the space architecture. And we can do this today on pretty small satellites with the technology that exists. It'll allow us to push more data and more intelligently through space and be more efficient. Why? Because the data we push up, it can get processed, it can get analyzed, it can get, you know, instead of moving the entire data, the entire packet, the entire session from satellite to satellite, satellite to ground station, you just process it on site, in situ, and you just send the processed information. And so I do think that's coming. One of the challenges, right? Physics challenge, right? Heating and cooling, much more difficult in space than terrestrially. Now there's opportunities for cooling in a shade, but if you're in sunlight, right, you need, you need to have heat transfer.

Dave Buettner

Nasty physics thing.

Brandon Karp

Yeah, nasty physics thing, right. Like the 400 degree swing between sunlight, first shade in space. It's a physics challenge, right? But those technologies exist. I think that makes it a little more expensive. Where I would look for the initial growth in that sector of processing in space is actually in Indian space companies. And the reason being is as we add more processing power, as you add, therefore more heat management systems, you're getting heavier, more weight, more expensive to get up into orbit. Pound for pound, India is more cost effective than any other nation in the world in getting stuff into space. So I think that these things are going to get a little more expensive by adding more processing power, as we discussed. So to make it efficient, to make it marketable, to make the capital expenditures make sense, I would look at India in those companies and see what they're doing, because that's probably going to be a leading indicator of where the technology is moving.

Dave Buettner

Like, let's pick that up next month.

Maria Vermazes

And be sure to check out the T minus space daily wherever you get your favorite podcasts. Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes. You're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's V A N T a dot com CYBER hey everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. Delete Me keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K and finally, in the never ending smartphone wars, Android may have quietly won a surprising battle. Not tech specs, but online street smarts. According to malwarebytes, Android users are more cautious shoppers, more likely to use security tools, and slightly better at creating unique passwords. Meanwhile, iPhone users, perhaps lulled into a false sense of Apple invincibility, are more likely to DM strangers for coupons and shop on shady sites often with weak or reused passwords. The result is they fall for scams more often. This isn't about device superiority. Both platforms can be equally secure or vulnerable. But it seems Android users are simply a bit more suspicious online, while iPhone users trust their device like a toddler trusts a juice box. As malwarebytes Mark Baer wisely points out, the real threat isn't your phone, it's where you take it online. So maybe skip that discount link, update your security tools and for goodness sake, use a decent password. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please take a moment and check it out. Be sure to check out this weekend's Research Saturday. We've got a special episode discussing Muddled Libra. This is from our friends who do the Threat Vector Podcast from Palo Alto Networks, unit 42. That's Research Saturday. Check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. AllowListing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.