A
You're listening to the CyberWire Network, powered by N2K.
B
Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 4-7, day.
SonicWall confirms a breach in its cloud backup platform. Google patches a high-severity zero-day in Chrome. Updates on the Shai-Hulud worm. Chinese phishing emails impersonate the chair of the House China Committee. The UK's NCA takes the reins of the Five Eyes law enforcement group. RevengeHotels uses AI to deliver Venom RAT to Windows systems. A major VC shares details of a recent ransomware attack. A lawsuit targets automated license plate readers. Our guest is Brock Lupton, product strategist at Maltego, discussing the human side of intelligence work. And from mic check to malware, a crypto phishing story. It's Thursday, September 18th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great to have you with us. SonicWall has confirmed a breach in its MySonicWall cloud backup platform. Attackers launched brute-force attacks against its API service, gaining access to firewall configuration files. Those files may include network maps, VPN credentials, API keys, encrypted passwords and firewall rules. While SonicWall says fewer than 5% of firewalls are affected, it hasn't shared exact numbers. If you use SonicWall with cloud backup, check your MySonicWall account. If your devices are flagged, you need to reset all passwords, keys and shared secrets, not just on your firewall, but also with ISPs, dynamic DNS providers, VPN peers and LDAP or RADIUS servers. SonicWall has shut down the attack vector and is working with law enforcement.
Google has issued emergency patches for a high-severity zero-day in Chrome's V8 JavaScript engine. It's the sixth exploited zero-day fixed in Chrome this year. Google confirmed the flaw has a public exploit, a strong sign of active abuse, often linked to state-backed spyware campaigns targeting high-risk individuals. The issue was reported by Google's Threat Analysis Group and patched within a day. Users are urged to update Chrome immediately.
Yesterday we shared news of a new self-replicating worm dubbed Shai-Hulud that has compromised over 180 packages, including the popular @ctrl/tinycolor library. The malware spreads automatically by stealing developer credentials, publishing malicious code to npm and creating GitHub repos that expose stolen secrets. Harvested data includes API keys, cloud credentials, GitHub tokens and SSH keys, potentially enabling ransomware, crypto mining and cloud data theft. Analysis from Palo Alto Networks Unit 42 indicates a large language model likely helped generate the malicious bash script, based on unusual comments and emojis in the code. The worm currently targets Linux and macOS systems.
Developers are urged to rotate all credentials, audit dependencies, review GitHub accounts and enforce MFA immediately. This incident highlights the escalating risk of AI-assisted malware and the growing speed of CI/CD-driven supply chain compromises across open source ecosystems.
Proofpoint has uncovered a new Chinese state-aligned cyber campaign targeting US government agencies, think tanks, law firms and academics focused on trade policy. The activity is attributed to TA415, also known as APT41, Wicked Panda and Brass Typhoon. Attackers used phishing emails themed around US-China economic relationships, sometimes impersonating Representative John Moolenaar, Chair of the House China Committee. The emails invited recipients to closed-door briefings with malicious attachments, delivering a Python loader called Whirlcoil. Instead of noisy malware, the group leaned on Visual Studio Code Remote Tunnels and legitimate cloud services like Google Sheets and Zoho WorkDrive for persistence and command and control. The campaigns ran during summer trade negotiations, suggesting a clear intelligence-gathering motive. The findings echo a recent congressional advisory about ongoing Chinese phishing operations. Together they highlight Beijing's continued push for insights into U.S.-China economic strategy and its willingness to use stealthy, creative methods.
The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group for the first time since 2015, pledging to use the alliance to disrupt cybercrime, money laundering and online child sexual abuse. The Five Eyes Law Enforcement Group, or FELEG, unites major policing bodies including the FBI, DEA, AFP, RCMP and New Zealand Police. A key target is the Com, the loosely connected network of online groups spreading violent extremist and child abuse material, often run by young men on gaming platforms and messaging apps.
These groups are also tied to major cybercrime outfits like Scattered Spider, ShinyHunters and Lapsus$, linked to high-profile data thefts and extortion campaigns against global retailers and fashion brands. NCA Director Graeme Biggar stressed that international cooperation is vital as criminals exploit new technologies, highlighting successes such as the LockBit ransomware takedown as proof of what joint action can achieve.
RevengeHotels, also known as TA558, is using AI-generated loader scripts plus JavaScript and PowerShell downloaders to deliver Venom RAT to Windows systems. Targets include hotel reservation and HR inboxes, lured with overdue-invoice or job-application links that redirect to fake document portals. Visiting the site auto-downloads an AI-crafted WScript JS file that drops a PowerShell loader, leading to Venom RAT execution. The RAT hardens itself, kills debuggers and forensic tools, drops a VBS for persistence, elevates its privileges, spreads via removable media, and erases Windows event logs.
Insight Partners, a major venture capital firm, disclosed more details of a 2024 ransomware attack affecting over 12,000 individuals. The breach began in October 2024 but was only detected in January of this year, when attackers exfiltrated data and encrypted servers after a social engineering attack. Stolen information may include banking, tax, employee and limited partner data. Victims face risks of identity theft and are offered free protection services. Experts warn VC firms are prime targets due to their sensitive financial and portfolio data.
A lawsuit in Norfolk, Virginia has revealed the extent of surveillance by Flock Safety's license plate readers. Between February and July of this year, 176 cameras tracked retired veteran Lee Schmidt 526 times, about four times per day, and co-plaintiff Crystal Arrington 849 times, averaging six logs a day.
Norfolk struck a $2.2 million deal with Flock, whose ALPR network spans 5,000 police agencies, 1,000 businesses and homeowners associations nationwide. The plaintiffs, backed by the Institute for Justice, argue warrantless tracking violates the Fourth Amendment and are seeking to disable Norfolk's system. Flock, however, cites case law supporting ALPR use as public point-in-time photography. Civil liberties advocates warn the technology amounts to mass surveillance, with potential risks if data is shared across jurisdictions or accessed by federal agencies such as ICE.
Coming up after the break, my conversation with Brock Lupton, product strategist at Maltego. We're discussing the human side of intelligence work. And from mic check to malware, a crypto phishing story. Stick around.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Brock Lupton is product strategist at Maltego, and in today's sponsored Industry Voices segment, we discuss the human side of intelligence work.
A
Increasingly, there's this emphasis on automation and tools and, you know, we're being inundated with large language models and machine learning and artificial intelligence. And AGI is going to appear at any moment and take away all our jobs. But I think that's a lot of noise. You know, at the end of the day, like, when we're talking about intelligence, we're talking about open source intelligence or online investigations. It's a human thing. Like, it always comes back to that. Typically you're looking at some kind of criminal activity or something that a human has done, and it takes another human to look at that situation and have the, you know, maybe the insight and the intuition to, to ask why things happened the way they did, or to, to, to tease apart the different aspects of the case that they see. You know, like, the machines can't solve those problems yet. Like, we still need someone who's critically thinking about what's going on and asking why did these things happen and what does this mean?
B
I think it's a really interesting point and, and the, this whole notion that you know, we have sometimes just a gut feeling and for people to have the freedom to pursue that, to chase that down, as you say, it seems to me, is something that can get lost in automation.
A
What you see online as well, there's a lot of this. It's a common, I think, message that's coming out of the open source intelligence community right now as we speak. And I think it's really good to see that happening. And there are a lot of voices, I think, saying the same thing, because we're in this space now where it's, it's, there's a lot of clout chasing, you know, like there are a lot of these self-proclaimed OSINT experts on the Internet, on Twitter, X, whatever, trying to jump on the story right away. You know, something happened, I'm going to get this "analysis," in quotes, out to the world right away. It's all this clout chasing and it's just like, it's just making noise. Like, it's not. There's no critical thought, there's no analysis, there's no actual, as some people would say, there's no tradecraft that's been applied to that. There's no deep thought, sitting there quietly thinking about why these things are happening, what do they mean? It's an interesting time to be in.
B
Right now, and what's the potential peril of that? Of people, can I say, putting out their hot takes. How does that hurt us as an OSINT community?
A
Those things get amplified, you know, like people jump on that and it just creates noise in the environment we see. It can spread to politics where you have people in positions of power that are suddenly amplifying and promulgating false narratives that have come out of, you know, like weird interpretations of events happening. I mean it even, you know, there's this dead Internet theory that the Internet is all completely filled with automatons and bots and it feeds into that, you know, it creates this noise environment where it's hard to find out what the truth actually is. And I mean that goes back to saying that this is a human endeavor, right? Like it just increases the importance and the need for critical thought.
B
What role does curiosity and healthy skepticism play in good OSINT work?
A
I think that curiosity is, you know, like one of the number one attributes that, that you should bring into that kind of work. Like asking why, constantly asking why, and being skeptical about what you see because, you know, like the information that can be presented or the information that you find can be overwhelming, you know, and you, you don't know what the provenance of it may be. You don't know where it's come from. And having that kind of innate, I mean, I would call that investigative mindset, you know, like the, the ability to maybe harness innate curiosity and skepticism and kind of relentlessly pursue leads to find out where that kernel of actual truth is. You know, like going down every lead, following every, every rabbit hole and figuring out, you know, how do these things connect? Do they actually connect? Is important. That's kind of critical. Like without that, you know, you're just, you're just another robot. I guess at the end of the day you might just be like making assumptions and jumping to conclusions without actually actively questioning them. And it doesn't result in intelligence, it's just data and information being regurgitated.
B
Well, for you personally, how do you train or sharpen those investigative instincts?
A
For me personally or for teams that I've worked with, you know, we spent a lot of time talking about these very subjects, you know, having these conversations about as boring as it might sound like, talking about critical thinking and talking about our biases, spending a lot of time reading, you know, a variety of different types of literature, having conversations with other practitioners. I've been really lucky in that I have almost a mentor, I guess, but a good friend who's, you know, a long time investigator here in Canada, 50 years of experience, who has spent a lot of time doing online investigations. And having somebody like that that you can talk to, who has, you know, finely honed investigative instincts is super helpful. And you know, they call you out. Having a person like that around can, can help you because that person will call you out, they'll question why you're coming to conclusions, you know, and that's a good habit to pick up and a good thing to pass on to other people. And it's good to kind of cultivate friends like that that will question your assumptions and, you know, question your conclusions.
B
Yeah, I'm curious. You know, I can imagine folks saying, you know, Brock, this is all great, and curiosity and skepticism and the personal touch for OSINT is absolutely appropriate, but it's also really hard to scale. And we've got so much information coming at us that we need to rely on automation. What's your response to that line of thinking?
A
I agree. And it's not just because I work for a tool company, but there's only so much you can do. And investigations online are completely reliant on tools. A browser is a tool, a search engine is a tool, but there's also huge amounts of data that you need to process and acquire and do analysis on. And there's only so much, as you rightfully pointed out, there's only so much a human can do in that environment. And so I think from my perspective, not relying on tools to do everything for you, but finding those places where the tools can augment the things you need to do. So if there's repetitive grinding work that has to be done that, you know, you could do it manually, but you can make it happen almost instantaneously by using automation. That's a good application of automation. You know, it's like amplifying what the person can do to maybe highlight the things that they need to look at. There's a risk with that as well because obviously automation that is producing massive amounts of data can also be completely overwhelming. And then you have to figure out how to process and analyze that. I think we're starting now to see that artificial intelligence or machine learning or whatever you want to call it is starting to maybe have some ability to clean up some of that data. And it's very interesting to cautiously find uses for those types of tools to help with that data overload. I guess that's how I look at things. It's that realistic. Not depending on the tooling, but definitely using it intelligently to augment your process and augment your workflow in a way that makes sense and helps to amplify your abilities.
B
Is there an aspect of this, of allowing for the reality that not every avenue is going to pay off, that sometimes someone's going to have a hunch and they're going to chase something down. And in the end it really just doesn't lead anywhere. But that's okay.
A
I guess I would, I would say like encouraging people to, to make mistakes is what I would call that, you know, because that happens all the time. Like you go down, you go down rabbit holes, you find a piece of information that seems like it might make sense and you chase it down. And you might spend hours or days chasing down leads that go nowhere. That's challenging to overcome, the feeling that that creates, that you've wasted time. But at the same time, that's what we want. Investigations take time. It's not this fast-paced thing. It can be, there are times where it can be, but inevitably that leads to mistakes. And we don't want to put the wrong information into the hands of the people who are consuming the intelligence reports that we're producing. It's okay to go down those paths. You also, you need to be able to cut your losses too and recognize that this is going nowhere, and I need to take a different tack. Working in a team, that, that helps, you know, to have somebody looking at what you're doing and saying, does this really make sense? And questioning, you know, those, questioning the, the assumption or questioning the path that you're on.
B
Yeah. What does success look like to you? A well-running team who's balancing the human side of things, but also taking advantage of some automation. Can you describe what the ideal is?
A
That's a really good question. Having worked on a really well running team with automation, I think that, you know, everybody's happy. You have to tell them to stop working. You know, that's a good indicator. You have to tell them to stop. Like you cannot continue investigating these subjects when you're supposed to be off because you have to recover, you have to relax, you have to get some downtime, you have to spend time with your family, you know, being able to take on tasks to work with, you know, whoever's giving you the intelligence requirements or the RFIs, whatever it might be, being able to work with them to develop and understand their requirements and then to be able to translate those, you know, into a plan, into a collection process, gathering information, using tools maybe to help automate that information. Whether, you know, it might involve scanning huge chunks of the Internet to find certain pieces of infrastructure and then being able to process that information and glean the intelligence out of it that you need to find and then conducting that analysis on it and providing it to the consumer at the end of the day and having them say to you, you know, like, this is exactly what we're looking for. When all of that's working and running as a well oiled machine, that's success. The team knows what they need to do. There might not be that many dead ends. They're working together like a well oiled machine. They're using the tools to augment the work that they need to do. And it's a beautiful thing to see when it happens.
B
Yeah, it feels good too. It's fun.
A
What's that dopamine hit of success, right? Like, I actually achieved something here. Like, it's great.
B
That's Brock Lupton, product strategist at Maltego.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
C
I'm Christian McCaffrey, pro running back, and Abercrombie is an official fashion partner of the NFL. I'm not kidding when I say NFL by Abercrombie broke the Internet last year, and I think this season's lineup is even cooler. And so does my wife, who keeps stealing all my hoodies. Stay fit for the season in Abercrombie's newest arrivals. Shop NFL by Abercrombie in the app, online and in store.
B
And finally, in a story that hits uncomfortably close to home, it seems cybercriminals have decided that if you can't get on a podcast, you might as well pretend to host one. A new phishing campaign is making the rounds in the crypto world, with attackers impersonating the popular Empire podcast to lure developers and influencers into exclusive interviews. The pitch arrives via DMs, complete with fake flattery and calendar invites. But instead of market insights, the victims are nudged towards convincing lookalikes of platforms like StreamYard or Huddle, where they're told to download a desktop client. It's not a client, it's AMOS Stealer, neatly wrapped in a DMG file. Once installed, the malware dutifully rifles through credentials, cookies, and crypto wallets, handing them over to cybercriminals for resale. This scheme follows hot on the heels of August's fake CoinMarketCap journalist stunt, proving scammers are nothing if not creative. Perhaps the moral is that not every podcast invitation is worth accepting, especially if it comes with a download link. Present company excepted, of course.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Attention, security startups: there's less than a week left to apply for the 2025 DataTribe Challenge.
This unique program accelerates early-stage cyber companies. Refine your messaging with startup veterans, then pitch to top venture firms shaping the future of cyber. The live pitch competition takes center stage at Cyber Innovation Day, November 4th in Washington, DC. Applying is easy. Go to challenge.datatribe.com, share your company info and upload your pitch. Submissions close September 19th. Submit your entries today.
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Date: September 18, 2025
Host: Dave Bittner | N2K Networks
In this episode of CyberWire Daily, Dave Bittner delivers the industry’s essential cybersecurity news, focusing on a brute force breach against SonicWall’s cloud backup platform and a host of critical security issues, including Chrome's latest zero-day vulnerability, a self-replicating malware worm, Chinese state-sponsored phishing, international law enforcement efforts, and attacks leveraging AI. The featured interview explores the irreplaceable human element in intelligence work, even as AI and automation proliferate. The show closes with a phishing campaign targeting the crypto industry by impersonating a podcast host.
[02:38] SonicWall Breach
“If your devices are flagged, you need to reset all passwords, keys, and shared secrets not just on your firewall, but also with ISPs, dynamic DNS providers, VPN peers, and LDAP or RADIUS servers.” — Dave Bittner [03:08]
[04:18] Chrome Zero-Day Patch
“Google confirmed the flaw has a public exploit, a strong sign of active abuse, often linked to state-backed spyware campaigns targeting high-risk individuals.” — Dave Bittner [04:33]
[05:06] Shai-Hulud Worm Supply Chain Attack
“This incident highlights the escalating risk of AI-assisted malware and the growing speed of CI/CD-driven supply chain compromises.” — Dave Bittner [06:37]
[07:10] Chinese State-Backed Phishing
“The emails invited recipients to closed-door briefings with malicious attachments, delivering a Python loader called Whirlcoil.” — Dave Bittner [07:44]
[09:26] Five Eyes Law Enforcement Group Update
“International cooperation is vital as criminals exploit new technologies, highlighting successes such as the LockBit ransomware takedown.” — Dave Bittner [10:08]
[10:32] RevengeHotels: Venom RAT Attacks
[11:13] Insight Partners VC Breach
[11:54] ALPR Surveillance Lawsuit
[14:00] Interview: Brock Lupton on Human Intelligence
“At the end of the day ... when we're talking about intelligence ... it’s a human thing. ... It takes another human to look at that situation and have the ... intuition to ask why things happened the way they did.” — Brock Lupton [14:14]
[27:22] Crypto Phishing: Podcast Bait Attack
“Perhaps the moral is that not every podcast invitation is worth accepting, especially if it comes with a download link. Present company excepted, of course.” — Dave Bittner [28:14]
| Segment | Timestamp |
|---|---|
| SonicWall Breach | 02:38 |
| Chrome Zero-Day Patch | 04:18 |
| Shai-Hulud Worm Supply Chain Attack | 05:06 |
| Chinese State-Backed Phishing | 07:10 |
| Five Eyes Law Enforcement Group Update | 09:26 |
| RevengeHotels: Venom RAT Attacks | 10:32 |
| Insight Partners VC Breach | 11:13 |
| ALPR Surveillance Lawsuit | 11:54 |
| Interview: Brock Lupton on Human Intelligence | 14:00–25:45 |
| Crypto Phishing: Podcast Bait Attack | 27:22 |
For further details and links, see the full daily briefing at thecyberwire.com.