A
You're listening to the CyberWire network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at
The EU fines Google $3.5 billion over ad tech abuses. Cloudflare blocks record-breaking DDoS attacks. The Salesforce Salesloft breach began months earlier with GitHub access. Researchers say a new cybercriminal group, TAG-150, has been active since March. Hackers used stolen secrets to leak more than 6,700 Nx private repositories. Subsea cable outages disrupt Internet connectivity across India, Pakistan and parts of the UAE. We've got our Monday business breakdown. On our Industry Voices segment, Todd Moore, global vice president for data security at Thales, unpacks the perils of insider risk. And hackers claim Burger King's security flaws are a real whopper.
September 8, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Hello and happy Monday. It is great to have you with us here today. The European Commission has fined Google $3.5 billion for abusing its dominance in the digital advertising technology market. Citing self-preferencing and anti-competitive practices, regulators ordered Google to stop these behaviors and prevent future conflicts of interest in adtech. Google disputes the ruling, calling it wrong and vowing to appeal. The company argues the fine is unjustified and will harm European businesses, claiming its services face strong competition. This marks the fourth major EU antitrust fine against Google, following penalties in 2017, 2018 and 2019 for abuses involving Android, search and online ads. Separately, France's CNIL fined Google $378 million for displaying ads between Gmail users' emails without consent and violating cookie rules. Cloudflare says it blocked record-breaking DDoS attacks, including one peaking at 11.5 terabits per second and 5.1 billion packets per second. The massive attack, largely sourced from IoT devices and Google Cloud, lasted 35 seconds and resembled a UDP flood. It surpassed Cloudflare's previous 7.3 terabit-per-second record. The company says its architecture easily handled the surge, dropping malicious traffic at the edge. Following up on the Salesforce Salesloft data theft campaign, new details confirm the breach began months earlier. Salesloft revealed attackers accessed its GitHub account between March and June of this year, laying groundwork for the August incident where compromised Drift OAuth tokens were used to siphon data from Salesforce environments. Attributed to UNC6395, the attack impacted hundreds of organizations, with stolen data including AWS keys, passwords and Snowflake tokens. Initially believed limited to the Salesforce Salesloft integration, the breach also extended to Google Workspace customers.
Salesforce disabled the integration, while Drift was taken offline and restored September 7th. Mandiant's investigation confirmed hackers exploited GitHub access, not flaws in Drift. Roughly 700 companies, including major security vendors, were affected, with stolen data often tied to customer support records. Recorded Future's Insikt Group has identified a new cybercriminal group, TAG-150. Active since March of this year, the actor is notable for its rapid development, technical sophistication and ability to quickly adapt after public reporting. TAG-150 operates a large multi-tiered infrastructure, with victim-facing servers running as C2 nodes for various malware families and deeper layers supporting operations. The group has released several self-developed tools including CastleLoader, CastleBot and now CastleRAT, a newly documented remote access trojan available in Python and C. CastleRAT enables data collection, payload delivery and command execution through CMD and PowerShell. TAG-150 also uses third-party services such as file sharing platforms and the anti-detection tool cleanscan. Hackers behind the recent Nx supply chain attack, dubbed s1ngularity, used stolen secrets to leak more than 6,700 private repositories. According to Wiz, the attack began when threat actors used a compromised npm token to publish eight malicious versions of Nx. These versions executed a telemetry.js script that searched infected machines for sensitive data, API keys, GitHub and npm tokens, SSH keys and crypto wallets, then exfiltrated files to public GitHub repositories. Wiz found over 20,000 stolen files from at least 225 users, with over 2,300 secrets leaked, impacting 1,700 accounts. The malware also modified shell startup files to crash terminals and misused AI CLIs like Claude and Gemini for reconnaissance and data theft.
In phase two, attackers leveraged compromised credentials to access over 480 accounts, exposing thousands of secrets from organizations, including one with 700 repositories. Wiz urges victims to rotate secrets, hunt for IOCs and review GitHub logs, warning that some npm tokens remain valid. Subsea cable outages in the Red Sea have disrupted Internet connectivity across India, Pakistan and parts of the UAE, according to NetBlocks. Failures were traced to cable systems near Jeddah, Saudi Arabia, though the cause remains unclear. Microsoft said Azure users may see higher latency after multiple fiber cuts, as traffic through the Middle East was rerouted to alternative paths. While no outages occurred, Microsoft warned of slower connections for some services. Other regions not routed through the Middle East remain unaffected. It's Monday, which means it's time for our weekly business breakdown. Last week saw just over $65 million raised across three investments and six acquisitions. On the investment front, the majority of the fundraising came from Cato Networks, which raised an additional $50 million after expanding its Series G round from July, bringing the round's total funding to $409 million. The additional fundraising came alongside Cato acquiring Aim Security, an AI security firm. This is Cato Networks' first-ever acquisition. Okta, a US IAM platform, also acquired Israeli privileged access management firm Axiom Security for $100 million. With this acquisition, Okta aims to integrate Axiom's technology into its Identity Security Fabric. Image Source, a US enterprise content management company, acquired US cybersecurity company Zorse Cyber. This acquisition included Zorse's threat detection and prevention platform, Bouncer, which adds advanced email, web and file-based security technologies to the company's platform portfolio. Also making headlines, eight US and Indian VCs and PEs are teaming up to provide additional support for India's growing tech startups.
And that wraps this week's business breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates. Coming up after the break, Todd Moore from Thales unpacks the perils of insider risk, and hackers claim Burger King's security flaws are a real whopper. Stick around. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.
C
Now a message from McAfee.
A
I'm not a real kid and I'm.
B
Not a real grandpa. We are deep fakes and we're making it harder to tell what's real online. The good news? McAfee can help. McAfee's Scam Detector automatically identifies text and.
A
Email scams and even deepfakes.
B
So if you whippersnappers meet one of us, you'll know if they're faking it.
C
They're not making it past us.
B
Get award-winning scam detection today. McAfee.com/KeepItReal.
A
Todd Moore is global Vice President of Data Security at Thales. On today's sponsored Industry Voices segment, he explains why the biggest threat to your data has a badge, a password, and years of goodwill.
B
An insider threat is something that comes from within an organization. It's a privileged user or a machine; it doesn't necessarily have to be human. Someone that has the right credentials to have access to information, data that's critical maybe to the organization. And those individuals or machines may accidentally do something inappropriate with that data, or they may try to extract that data, or they may try to take it outside the organization. So from an insider threat perspective, it's really someone that you trust inside your organization that either accidentally, because good things do happen to people, they make mistakes, they put data in places they shouldn't, like in a public repository, like in a public cloud. Or it's a person or machine that is maliciously trying to extract data from an organization, but they do have access to it.
A
Yeah, it's an interesting, I think, nuance there because I think for a lot of folks, particularly if they're not in this sort of stuff, every day they hear the term insider threat and they automatically think that it's someone or something that's malicious. But as you point out, that's not necessarily the case. It could just be someone making an innocent or ignorant mistake.
B
Absolutely. And it happens all the time. And it's happening more and more. Right. As we continue to use different SaaS applications, software-as-a-service applications and storage and public cloud, we typically just want to get our jobs done as employees within organizations. And sometimes, you know, when we're in a hurry or we have a deadline and we're in that panic type mode, we'll move data around an organization, we'll send it through an email or copy it to a, you know, a shared drive, and that information is lost once it goes into the wild. And so again, it's not that someone was trying to do something necessarily bad or evil, they're just trying to get their job done. And unfortunately, it puts organization data at risk and it creates a breach opportunity for an organization and puts our crown jewels out there for the world to see.
A
Sometimes when I think of insider threats, I go back to that old horror movie chestnut about how the call is coming from inside the house.
B
Right. Scary, isn't it? Yeah.
A
Right. Well, I think it is because we think about a moat or a fence or defending from the bad guys who are coming at us from outside of our organization. But this is a different thing when the potential trouble is someone who has certain privileges within the company.
B
Absolutely. And what we're hearing a lot about now, it's a huge buzz in the industry is this thing called agentic AI. I don't know if we'll go into that too much today, but at a very, very high level, agentic AI is an agent that has all of those credentials and all those accesses that you have. So it's really a mirror of you as a person or again as a machine. And this agent is going to go off and do tasks on your behalf, and they have all the credentials and all the access to go off and do those tasks. And they can make mistakes as well, too, by moving data. It looks like it's a valid request for data or a valid movement of data, but they could put it in a place they weren't supposed to. So it's an interesting time right now in this world about how agentic AI is allowing access to data that when you're talking, would have access to machines and persons would have access to. And it's getting moved in places it should be moved to.
A
Well, let's talk about some of the basics here. I mean, an organization faced with a reality that this is a possibility, what are the basic things that they can do to minimize their exposure when it comes to insider threats?
B
Sure. So, you know, for many years now, organizations would put a lot of their most secure, most sensitive data into databases. And we call that structured data because the data is put in columns and rows within a database. And we would watch those databases very carefully. We would make sure that the persons who had access to the database didn't have access to everything in that database. We would monitor them and we would look for behaviors that didn't make sense: someone was accessing the database at off hours, or they were extracting a lot of information. And so there's even compliance regulations around databases. But it gave us a single point of, kind of, failure in our organizations that we could watch and monitor. In this new world where we're using, again, the social media apps and we're using public cloud and all these different tools at our disposal, there's this huge explosion of unstructured data, a billion files, videos, chat, emails, and there's a lot of sensitive data out there as well too. But we don't really have the same rigor in most organizations at watching and monitoring that data to see that things aren't happening the way they should be happening. I think to answer your question, David, it's really about having visibility. And we're seeing that the fundamental thing that organizations need is to have visibility across all their data, whether it's in a database, which is very controlled in one location, or also in unstructured data, which are all these files that can be anywhere. They can be on-prem and on file servers, they can be in cloud, they can be in SaaS applications, just everywhere, and having that visibility. And then when I say watching, it's really monitoring on an ongoing basis, continuous monitoring, to make sure that appropriate behaviors, that the data is being accessed and used appropriately, you know, where that data is coming from, who should have access to it, why are they accessing it?
And it's really asking those basic questions while you're looking and monitoring who and how people are using the data in your organization.
A
It's a really interesting point, and it strikes me that certainly for my own use, I feel as though as on-device search has gotten more sophisticated and more accurate, that has enabled me to have more unstructured data.
B
Right.
A
Like I can just leave anything anywhere. I hardly ever delete an email anymore.
B
Right.
A
And so, but if I need something, my first thing to do is to go just searching for it and chances are it's going to pop up. So it's sort of a combination of convenience, but also a bit of a pack rat mentality.
And I suspect that's fairly common these days.
B
Yeah, absolutely. And we're seeing that 80% of all data that's out there is unstructured data. Things like you just said, emails, files, pictures. And with the advent of artificial intelligence and us using all these chatbots, AI is creating 90% of all new unstructured data. It's just an amazing amount of data that's being created by using these new techniques and tools available to us. And again, that data is going everywhere. In many cases, it's data that's important to us as persons, but even more important to our companies. And so from an insider perspective, you've got to have visibility where employees and machines are putting that data. You want to watch and make sure it's being used and accessed appropriately and you want to put controls around that. So in many aspects and what you're talking about, and this is in many organizations around data retention, that especially in the finance and government type worlds, there's rules around how long you can keep data. And even in personal privacy laws, there's rules around how long we as individuals want our data to be kept within an organization. And so, you know, we need tools to be able to find the data, understand what that data is, you know, put controls around it. Whether we want it to be protected for a long period of time, we might encrypt it or tokenize it. Those are different types of controls to, to really protect the information. Or in some cases, if it's been out there for a long time and it doesn't belong there, you can delete it. So there is, you know, a data retention piece to this whole hygiene when it comes to unstructured data and reducing the number of insider threats, the number of breaches that can occur through this sprawl of unstructured data.
A
Yeah. What about the stigma of making a mistake? You know, I can imagine somebody who accidentally clicks on something or puts a file in the wrong place. And depending on the culture of the security team, they may be hesitant to reach out and say, hey, I think I messed up here.
B
That's a great question. We have a video, a little snippet of a video, that shows a typical use case of a person that's trying to do the right thing and they accidentally take a very critical piece of information, it's a spreadsheet, and they put it out into a public cloud repository. And tools that Thales has, and other vendors, you know, we would detect the criticality of that file being put into a public cloud repository and we would essentially alert the SOC, the operation center, that this has occurred. We would have processes in place to immediately protect that file by encrypting it. So we would basically revoke access as well as encrypt that information. And then there would be, you know, a little bit of learning that came from that so that that person would never make that mistake again. I think that there is a little bit of a stigma about that. The funny thing I was getting to, Dave, is when I show that video to folks, after I get done showing the video, a lot of people raise their hands and ask, did the person lose their job? And my answer is, I don't think so. I don't think the person should lose their job. I think in this case it was a woman, she made a mistake, she moved the file to the wrong place. We had the right controls in place as an organization to protect her and her organization. And I think there is a little bit of training that comes following that to remind her not to do that again. Now, if this is something that happens over, you know, multiple times and in different ways, then perhaps there's other problems that we have there. But I think that, you know, people making mistakes happens every day, we have to admit that. And how we handle those mistakes and respond to them, I think, is important. And the tools, the cyber tools, are available today to help with that.
A
What about for the security professional within the organization when, when these sorts of things are implemented, what are the changes that they will see in their day to day?
B
I think most large organizations already have risk management or they have security operations centers. They're already looking at, you know, audit data, they're already looking at databases that we talked about, because they need to from a compliance perspective. This is really just adding to that. It's really, from a risk intelligence or a risk analysis perspective, getting that insight across your networks, across all of your different applications, storage infrastructure, and then being able to detect where there might be a potential issue, putting remediation plans in place and executing on those remediation plans. So I think you asked about a significant security professional. I think this is what they've been doing in the security world for a very long period of time. Unfortunately, it's been very focused on, you know, again, databases, structured data and other parts, other risks. And with this explosion of unstructured data and the advent of artificial intelligence creating more and more unstructured data, it's been a blind spot for many organizations. And I think now folks really have to take account that there's critical data out there in those files and those images, video and emails, and really start monitoring it like they were monitoring other data in their organization in the past. So it's an extension of what they're already doing today.
A
What are your recommendations then for folks who want to go down this path and explore the possibilities for themselves? What's the best way to get started?
B
Well, I think that I always use three or four words to describe a basic getting-started process. You know, it's discover, protect, control and monitor. And so the first step is really that visibility step, discovering what you have in your organization, who has access, what are they accessing? And that is something that does take a little bit of time. You have to really kind of do a discovery throughout your systems, understanding where things are going and how things are moving from a data lineage perspective. But you can put the right sort of analysis in place to get that initial visibility. So once you have the discovery done, then you understand where there's potential gaps or places that are higher risk within your organization. You put the appropriate protections in place. In some cases, it's like we already said, it's encrypting data that's very critical. It might be encrypting drives and, like, file systems, web applications, it may be tokenizing data, it might be masking, or it may be deleting data if it doesn't belong in the places it is. From a control perspective, it's really managing the access and the control of who has and what has access to that data and making sure you have all the appropriate things in place. And last but not least, it's that monitoring piece of continuously monitoring. But to get started, and there was a lot of words there, Dave, but to get started, companies like Thales, we have tools today, we have a data security platform that supports all four of those elements. And you know, we really, really encourage people not to ignore the fact that there's a lot of sensitive data in their organization as well as outside their organization that they need to protect. And making that first step through discovery is really that first step to get an idea of what and where your problems are.
A
That's Todd Moore, Global Vice president of Data Security at.
D
Abercrombie is an official fashion partner of the NFL. And I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.
C
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com.
A
And finally, two self-styled white hats, Bob the Hacker and Bob the Shoplifter, say they uncovered security so flimsy at Restaurant Brands International that even a soggy napkin might have put up more resistance. RBI, the parent company of Burger King, Tim Hortons and Popeyes, runs systems across over 30,000 restaurants worldwide. And according to the Bobs, every one of those systems could be exploited with laughable ease. Among the goodies they claim to have found: passwords hard-coded into HTML, a sign-up-for-anyone API, and drive-thru tablets that politely accepted "admin" as the password. Once inside, they could edit employee accounts, order equipment, and even eavesdrop on raw drive-thru audio, including the occasional personal detail slipped in between orders of fries and nuggets. The Bobs insist they followed responsible disclosure, keeping customer data safe. RBI, however, apparently didn't acknowledge their report. The final jab from the Bobs, a simple verdict in their blog's closing line: Wendy's is better. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Host: Dave Bittner (N2K Networks)
Featured Guest: Todd Moore (Global Vice President, Data Security, Thales)
In this episode, CyberWire covers a busy day in cybersecurity news, headlined by the European Commission's $3.5 billion antitrust fine against Google for adtech abuses. Additional coverage includes record-breaking DDoS attacks blocked by Cloudflare, new details on the Salesforce Salesloft Drift breach, the newly identified TAG-150 cybercriminal group, the multi-stage s1ngularity supply-chain attack on Nx, internet disruptions due to Red Sea subsea cable outages, the weekly business breakdown, and a comical report on Burger King's security lapses. The Industry Voices segment features Todd Moore from Thales, who provides insight into the realities and rising risks of insider threats, including the impact of agentic AI, the shift from structured to unstructured data, and best practices for mitigation and detection.
Featuring: Todd Moore, Thales [13:22 – 26:58]
This episode distills a week's worth of global cybersecurity developments, from colossal tech fines and cutting-edge threats to the human and technological evolution of insider risk. Todd Moore's interview provides actionable steps for tackling insider threats in the age of AI-generated, unstructured data, while the host never loses sight of the importance of humor, and humility, in the security world.