A (12:57)

Close your eyes, exhale, feel your body relax and let go of whatever you're carrying today. Well, I'm letting go of the worry that I wouldn't get my new contacts in time for this class. I got them delivered free from 1-800-contacts. Oh my gosh, they're so fast. And breathe. Oh, sorry. I almost couldn't breathe when I saw the discount they gave me on my first order. Oh, sorry. Namaste. Visit 1-800contacts.com today to save on your first order.

B (13:24)

1-800-Contacts. Christiane Beek is senior director for threat Intelligence and Analytics at Rapid seven. And in today's sponsored Industry Voices conversation, we discuss how attackers are accelerating exploitation, refining ransomware and expanding nation state operations.

C (13:49)

I think in Q3, look, we always track ransomware, right? And we always hope that at some point the numbers will go down. And I was hoping that for two years ago. Then last year came in and I thought like, oh wow, this is really worse. And it really felt like this quarter like ramping up so much groups and initiatives that it's like, hey, I think people need some Christmas money for buying Christmas gifts or something. But my God, like 80 groups almost daily active trying to do ransomware operations. And it goes up and down, right? Like you see groups disappear and then new, new ones are surfacing. And I would say that those are the smaller ones, but yes, one of those steady operations that goes on and on and on and it's like unbelievable the volume of attacks we observe there, right? And I think that was one of the key findings there in the report. But also if you talk about vulnerabilities, well, hey, we're in the middle of this react server stuff going on this week. Yeah, it proved the point we made, actually. Like, hey, if a vulnerability is actually made public, then it's no longer a zero day, but an end day is being exported in the wild immediately. And, well, that's exactly what we saw happening this week when it was announced. I think we hit at some point like 30 attacks an hour on our honeypots with regards to this particular vulnerability. And also it's not only like, hey, let's try if I can use this exploit by some people. But no, it was also like really ranging from cybercriminals to nation states incorporating this new vulnerability immediately in their attack plan and starting to exploit it. So it was fascinating to see, like, hey, the observation we mentioned in the report now actually seeing proven alive as well now out in the wild there.

B (15:33)

Yeah. I mean, one of the things that struck me when I was reading the report is how this is a story about Velocity also that these exploitations are happening within hours of disclosure. How do you suppose defenders need to respond to that uptick in Velocity?

C (15:50)

I think it's a challenge to be fair. Right. With all respect, not every vulnerability and actually the platform impact that lends itself for like, hey, let's patch this tonight. Right? So let's say on Friday afternoon we get this notification indication that we have this vulnerability. It's not standard that we actually patch this in the evening. Right. Or it really depends on what type of software we're talking about. So it's really becoming a really a challenge for defenders to actually actively. Or how you say that. Yeah. Adequately respond in fast enough on these kind of threats. And that's a challenge for sure.

B (16:30)

Yeah. What about the ransomware that you're tracking here? How have you seen these operations evolve? And are there any particular groups that seem to have the biggest impact?

C (16:41)

Well, traditionally, ransomware was really like, hey, let's go into a company, we go after the endpoints. You actually launch the ransomware. You find this ransom note on your desktop with this nasty message that you have been a victim that is gone, kind of. That's really disappeared. What we really observe is that first when they come in, they're not so much interested anymore in the endpoint itself. It's more like, hey, where do you stash your data? And let's go after that. So that's already going on for a while, I think. We see now more trends. This is of the last couple of weeks where some of those major groups are really going after the virtualization environments. That's not new on itself, but that's becoming a focus and really going after the data. Yeah, that's definitely a trend we're observing.

B (17:31)

Are there any particular sectors that they seem to be targeting?

C (17:34)

Surprisingly, we saw a new sector rising in Q3 which was the construction sector. And with all due respect, in all those years we're tracking rent somewhere, this was like a new one for me. It's like, wow, I haven't that one scene coming, but that was interesting. Healthcare unfortunately still very popular. But yeah, those are some of the significant sectors we observe for sure in Q3.

B (17:59)

Yeah, we've seen some alliances among these ransomware groups. That's reflected in the report as well.

C (18:07)

Well, at some point there was this kind of, we call it in Dutch here like a fitty. It's like a fight going on. It's like a gang language, the word fitty, but it means like, yeah, you're fighting each other, you're doxing each other. And they were making fun of some of those groups that were being hit by law enforcement. And there are messages on those forums where it's like, hey, these guys can't do their job. So let's come over to us, work with us. We give you, we host the infrastructure for you, we help you even with negotiations. So we would talk about Dragon Force here and at some point we even saw alliances with Scattered Spider. Right. That initial group of teenagers trying to attack some high value targets. But definitely that some of those alliances were definitely observed. Yeah, I think if they want to survive at some point, yeah, this will probably observe this more happening.

B (19:02)

One of the things that the report highlights is how nation state actors seem to be focusing on stealth and persistence. What insights can you share about that?

C (19:12)

If you look at nation states on itself, right. Of course they are not into the game for like hey, let's, let's attack a target and let's be detected very soon. They are in for the long term. Right. That's why the persistence comes from as well, I would say. But also most of the operations for nation states is really like long term information, classic intelligence gathering. So they really try novel ways to bypass some of these security technologies. We of course courses, vendors develop at the same time, stay below the radar. And yeah, we've observed some innovation happening over the past couple of months. We have seen some really stealthy backdoors that are really hard to detect. You Know, you have to know exactly, like they're sleeping on the system. And until they get like a specific command or like what we call a network packet sent to them, that's when they become alive. And then it's still very limited what they are doing. So it's really, really hard to spot. And yeah, that's some of the observation we have seen.

B (20:14)

Yeah. Interesting. Being 2025, I would be remiss to not ask you about AI and the influence that you're seeing that on things today.

C (20:25)

Yeah, well, I was expecting and anticipating on this question, right. Like, there's hardly in any interview when this buzzword is passing by. Right, right, right. Well, AI, I think, honestly I still would call it machine learning. What they are doing, it's mostly are doing.

B (20:43)

Right.

C (20:44)

Like for example, you write a piece of code and you say, like, hey, can you check my code? Is there anything I can do better? For sure, that. That's all the stuff we're seeing, I think the professionalism of creating a phishing campaign using AI technology. Yeah, that's, that's obvious, right? Some of those campaigns are so real hard to detect, like if it's fake, yes or no. So that's why we see the embracing. And I've heard also, of course, like, this whole DPRK IT workers think that they are heavily using AI to mimic people. They create fake profiles on LinkedIn where they leverage AI to create the images. All those kind of, hey, these are the allocations you need to put in a profile to make it really convincing that you're dealing with a professional in engineering. So, yeah, it's really like widespread being used.

B (21:32)

Well, based on the information you've gathered here, what are your recommendations for defenders in terms of prioritizing their efforts?

C (21:41)

I would really say, like, if you look at the ransomware actors themselves, right, they're really doing like in what they call like a shift left. So they go really for the security devices at the edge of the networks, like the firewalls, the VPNs and all that stuff. And I think what we really need to ask ourselves, like back to your prior point, why you asked, like, hey, if you have this vulnerability and we can't patch quick enough, what can you do? And I think that's where we need to do our homework, where we say, like, hey, if they bypass some of this, I would say edge protecting technology. Where in my technology stack, in my people, in my processes, where is the next step where properly we can actually spot them? And actually, is this something where I might have a gap in my visibility AKA what is my attack surface. Right. And do I exactly have the visibility I need to respond? And it sounds really like do we need to go back to the foundations? Yes. Big, yes. I would say like sometimes we are doing a lot with technology. You mentioned AI with cloud. We have all those beautiful technologies, but sometimes it makes it so complex that we hardly understand anymore. Like hey, what are some of those attack factors and where do we need to look for this?

B (22:58)

Well, given these realities, what's your outlook for the fourth quarter and into 2026?

C (23:05)

I think the fourth quarter would be a lot different than the third quarter. I think the numbers even go up if you look for different perspectives. And then 2026. Well, I think this year, I think at the second half of 2025 we had with quite some of those supply chain attacks. Salesforce for example, and Oracle E Business, those had a major, major impact on what's happening and how we had to respond. And I think we should take some lessons learned from those supply chain attacks and really apply them into the next year or anticipate on those because that will only grow bigger, in my humble opinion.

B (23:46)

That's Christian Bieck from Rapid7. We have a link to their research in our show Notes.

A (24:04)

So good, so good, so good Score. Holiday gifts Everyone wants for way less at your Nordstrom Rack store. Save on Ugg, Nike, Rag and Bone, Vince Frame, Kurt Geiger, London and more.

C (24:17)

Cause there's always something new.

A (24:18)

I'm giving all the gifts this year with that extra 5% off when I use my Nordstrom credit card Santa who join the Nordy Club at Nordstrom Custom Rack to unlock our best deals. It's easy. Big gifts, big perks. That's why You Rack Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles Terms apply does not replace safe driving. See Ford.com BlueCruise for more details.

B (25:09)

And finally, pornhub says data linked to its premium members was exposed. The incident traces back not to pornhub itself, but to a breach at analytics firm mixpanel, a vendor Pornhub says it stopped using in 2021. Attackers linked to the Shiny Hunters extortion group allegedly accessed Mixpanel via an SMS phishing attack and stole roughly 94 gigabytes of historical analytics data. That data reportedly includes email addresses, viewing activity, search terms, video titles, locations and timestamps. Shiny Hunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire n2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.