A
You're listening to the CyberWire network, powered by N2K. AI adoption is exploding and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders. Hosted by data security leader Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend, just bring your perspective and join the conversation. Register now at datasecai2025.com. CyberWire. The Secret Service dismantles an illegal network. Jaguar Land Rover extends the shutdown of production plants. The EU probes tech giants over online scams. Iranian APT Nimbus Manticore expands operations in Europe. North Korean Kimsuky deploys a shortcut-based espionage campaign. GitHub and Ruby Central roll out supply chain security upgrades. LastPass warns of a macOS ClickFix campaign using fake GitHub repos. AT&T's CISO warns that hackers are mimicking Salt Typhoon's unconventional tactics. CISO Perspectives host Kim Jones previews his upcoming season, and an attorney pays 10 grand for AI hallucinations. It's Tuesday, September 23rd, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. The Secret Service announced it dismantled a clandestine communications network in the New York region that was capable of disabling the cellular system. As world leaders gathered for the UN General Assembly, the New York Times reports investigators seized more than 100,000 SIM cards and 300 servers across multiple sites within 35 miles of UN headquarters. Officials said the system could send 30 million texts per minute anonymously, disrupt emergency services and support encrypted communication.
Analysis has already revealed ties to at least one foreign nation and links to known criminals, including cartel members. While there's no evidence it directly threatened the UN conference, experts suggested the scale and sophistication point to state backed espionage. The operation followed threats made to senior US Officials earlier this year. Multiple agencies are now investigating, with officials warning similar networks may exist elsewhere. Special Agent in charge of the New York field office, Matt McCool had this to say.
B
The investigation led us to the New York Tri-State area, where investigators discovered tens of thousands of co-located and networked cellular devices capable of carrying out nefarious telecommunications attacks. These devices allowed anonymous, encrypted communications between potential threat actors and criminal enterprises, enabling criminal organizations to operate undetected. This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City. These devices were concentrated within 35 miles of the global meeting of the United Nations General Assembly now underway in New York City. Given the timing, location and proximity and potential for significant disruptions to the New York telecom system, we moved quickly to disrupt this network. To be clear, these recovered devices no longer pose a threat to the New York Tri-State area. We will continue working towards identifying those responsible and their intent, including whether their plan was to disrupt the UN General Assembly and communications of government and emergency personnel during the official visit of world leaders in and around New York City.
A
That's Special Agent in Charge of the New York field office, Matt McCool. Jaguar Land Rover has extended the shutdown of several of its plants until at least October 1, leaving production idle for a month following a major cyber attack. The company, working with the UK's National Cyber Security Centre and law enforcement, says it's prioritizing a safe restart, but the disruptions could cost an estimated $2.9 billion in revenue and $202 million in profits. Reports suggest JLR may lack adequate cyber insurance, potentially deepening losses. The crisis has triggered layoffs in its supply chain, which employs more than 100,000 workers, raising concerns for local businesses that depend on the plants. Experts warn that without emergency government support, the prolonged disruption could be one of the worst crises in JLR's history. The European Union is pressing Apple, Google, Microsoft and Booking to prove they're doing enough to stop online scams. Regulators issued formal information requests under the Digital Services Act, focusing on fraudulent apps, manipulated search results and fake accommodation listings. The inquiry highlights growing concern about criminal activity online and could open the door to official investigations if found lacking. The companies risk fines of up to 6% of global annual revenue. Check Point Research reports that Iranian threat actor Nimbus Manticore, also tracked as UNC1549 and Smoke Sandstorm, is intensifying attacks on European defense, telecom and aviation sectors. Recent campaigns target Denmark, Sweden and Portugal with spear phishing from fake recruiters directing victims to fraudulent career portals. Each target receives unique credentials, enabling precise victim tracking and strong operational security. The group employs a sophisticated DLL sideloading chain, deploying evolving tools like the MiniJunk backdoor and MiniBrowse stealer.
These payloads leverage valid code signing, obfuscation and multi-stage sideloading to evade analysis. Nimbus Manticore's activity reflects nation-state tradecraft: stealthy delivery, resilient infrastructure and custom implants like MiniBike, which continues to evolve. Analysts warn this campaign signals a mature, well-resourced adversary aligned with Iran's strategic priorities. Researchers at Logpresso report that in July 2025, North Korea-linked threat actor Kimsuky launched a new espionage campaign using malicious shortcut files. The operation spreads through compressed archives disguised as official or sensitive documents, luring victims to execute hidden shortcuts. These trigger an executable which retrieves encrypted payloads from command and control servers, then installs multi-stage scripts and DLLs. The malware harvests browser data, wallet extensions, Telegram sessions, certificate files, documents and keystrokes, transmitting them in encrypted fragments. It also maintains persistence, avoids virtual machines and executes remote commands. Researchers note this attack demonstrates advanced tradecraft with obfuscation, encryption and reflective DLL injection, enabling long-term access and intelligence collection. The campaign highlights Kimsuky's continued focus on covert surveillance and credential theft across multiple sectors. GitHub is introducing stricter defenses after multiple large-scale supply chain attacks, including s1ngularity, GhostAction and Shai-Hulud, which spread from GitHub to npm and compromised thousands of accounts. To reduce risk, GitHub will require two-factor authentication for local publishing, shorten token lifetimes, deprecate older authentication methods, and expand trusted publishing. These changes aim to minimize token misuse and strengthen publishing workflows.
Meanwhile, Ruby Central is tightening governance of the RubyGems ecosystem following recent malicious gem campaigns, temporarily limiting admin access to staff while transitioning toward a more transparent, community-driven model. Together, the moves highlight growing recognition that ecosystem security requires both stronger platform safeguards and active developer participation. Documentation and migration guides will accompany GitHub's rollout to ease adoption. In related news, researchers at Socket Threat Research discovered a malicious npm package named FezBox that used QR codes to deliver cookie-stealing malware. Masquerading as a utility library, the package fetched a JPEG image containing a dense QR code, which unpacked an obfuscated payload. The malware targeted credentials stored in cookies, then exfiltrated usernames and passwords via HTTPS. To evade detection, the code reversed embedded URLs and strings before removal. FezBox was downloaded at least 327 times, highlighting continued supply chain risks in open source ecosystems. LastPass is warning of a campaign targeting macOS users through fake GitHub repositories impersonating more than 100 popular apps, including 1Password, Dropbox, Robinhood and SentinelOne. The sites push Atomic Stealer malware through ClickFix attacks, where users are tricked into pasting malicious commands into Terminal. Atomic Stealer, sold as malware-as-a-service, now includes a backdoor for persistent access. Attackers use search engine optimization and mass-created GitHub repos to evade takedowns and boost visibility. Victims who execute the curl-based command unknowingly install the payload. LastPass advises downloading software only from official vendor sites and warns that automated repository creation makes these attacks difficult to contain. The campaign highlights rising threats to macOS users from well-orchestrated supply chain deception.
AT&T's Chief Information Security Officer warns that hackers are increasingly copying Salt Typhoon, the Chinese group behind last year's telecom breaches. Speaking at Google's Cyber Defense Summit, Rich Baich said attackers now hunt for weak points outside traditional endpoint detection, exploit platforms without logging, and use living-off-the-land tactics with legitimate administrative tools. These methods, combined with careful evasion of forensic probes, make intrusions harder to detect. Former NSA cyber chief Rob Joyce added that stronger defenses in common technologies are forcing adversaries to innovate with chained exploits and stealthy tradecraft. Security leaders stress that defenders must adapt, expanding protections beyond conventional endpoints and anticipating how attackers may turn everyday tools into attack vectors. Coming up after the break, CISO Perspectives podcast host Kim Jones previews his upcoming season, and an attorney pays 10 grand for AI hallucinations. Stick around. At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com. Cyber compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas: compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber. It is always my pleasure to welcome back to the show Kim Jones. He is the host of the CISO Perspectives podcast, part of CyberWire Pro. Kim, welcome back.
C
Always good to be here, Dave. How have you been?
A
I have been fine, thanks. And you know, I was thinking about how quickly time has flown since you took the reins at CISO Perspectives, and you're heading into a new season here. Take us through the thought process of, as you were assembling it, what your goals were for this new season of CISO Perspectives.
C
Yeah, so I still am focused on taking some time to take the half step back that senior cyber leaders often don't have the time to take because we're dealing with the fire of the day, the week, the hour, etc. This time, when I looked at this season, if I were to put a tagline on it, I wanted to look at Brave New World, with apologies to either Huxley or Shakespeare, depending on how far back you want to go for that reference. And I sat back and said, okay, let's think about the pace of change in just the past five years. We all understand that change is the only constant out there, and we've seen massive amounts of changes just in my 35 years doing this, but just in the past five years. You start with a pandemic with COVID, forcing people to actually leave the office and work from home and having to figure out how we create security and compliance in environments that never envisioned having to work remotely or work from home. You have the aftermath of that in terms of the hybrid work environment, et cetera. For those keeping track on the buzzword bingo card, you have the emergence of AI within the environment and generative AI being pushed to agentic AI, and what that can do for data analytics within the environment. You have a resurgence of concern regarding privacy within the environment. As people who are very protective of their identities and the access to the data, we're seeing concerns rise regarding what can be done with that data, exacerbated by the processing power associated with AI. You add to this a change, and I'm not going to categorize this as good or bad, but a change in the perspective of the regulatory entities as well as the federal government regarding that data, what it can be used for, breaking down those silos and potentially creating risk to individuals within the environment. We've seen some ripples of that risk happening around the corner. We've still got quantum coming. Remember when quantum was the big buzzword?
We were talking, and then all of a sudden AI came to the scene. But quantum is still there, and it is still coming down the track, and the implications and other things regarding encryption are things that we need to think about. And then there's always fraud and scams within the environment. We've seen the numbers go up on fraud, and it's not a matter of we're necessarily reporting more, but we're seeing the potential impacts of that happening. Whether that's linked to AI or not or other factors remains to be seen. And then we also have the struggle associated with the concept of identity online. One of the classes I teach for the University of California, Berkeley, we're talking about that in terms of when we talk about things like deepfakes within the environment, when we talk about some of the voice phishing that's going, the vishing that's going on within the environment and the different types of vectors that have happened, we can see the potential for fraud increase. And that's just top of my head, Dave. So how do we step back, look at each of these areas, learn a little bit more about each of these areas and potentially figure out how we strategize to tackle them? Because again, you and I've had this conversation in many cases, strategize with big air quotes means how I deal with operational things around them versus truly be forward looking three or four years out and prepare for that so that we're not reacting but proacting, if you will, as these things come about. So those are some of the topics that I'm actually looking at this season, and I'm bringing in. This is going to be mutual learning. Whereas last season I had some definite opinions as well as bringing in other experts to play point counterpoint with me on that, these are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience and for me to poke at a little bit and say, well, what about this?
And have you thought about this so that we can really begin to get a handle on how we solve these problems. So it's gonna be a fun season.
A
No, it sounds like you've got your work cut out for you there. And I'm curious, you mentioned at the outset of kind of taking that half step back to be able to have the breathing room to ask these questions. Do you see yourself as the proxy for the person out in the audience to be able to have these conversations with the subject matter experts that you're going to invite on?
C
Yes, absolutely. That's why there's going to be less of Kim talking and setting up and more of a hey, this is why this is probably something you ought to look at very briefly. Then I'm sitting there asking the questions that I would presume, if not hope, that my audience members would be asking if they have the privilege of talking to these guests.
A
I was here in the studio earlier this week and my Caveat co-host Ben Yelin was here. He said that he very much enjoyed the time he spent chatting with you. So he's on your guest list this year? Yes.
C
Not only is he on my guest list, he is my first guest of the season. So episode one, which is talking about the shifting relationship of regulation and private sector for cyber under this new world order. What's that look like and what's that mean for us? So he's kicking off the festivities.
A
All right, terrific. Well, Kim Jones is host of the CISO Perspectives podcast that is part of CyberWire Pro. You can learn all about that on our website, cyberwire.com. Kim Jones, thanks so much for joining us.
C
Always a pleasure, Dave, thank you.
A
That's Kim Jones, host of the CISO Perspectives podcast. You can find that right here on the CyberWire podcast network. His first episode of the season will be included in your CyberWire podcast feed. Beyond that, it's part of CyberWire Pro, which you can find out more about on our website. Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus, with on-demand courses and live training, your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions and security teams worldwide. See it in action now at maltego.com.
B
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom's 60th, and never miss a meme or milestone, all protected with end-to-end encryption. It's time for WhatsApp: message privately with everyone. Learn more at WhatsApp.com.
A
And finally, a California attorney has learned the hard way that AI isn't a substitute for reading the fine print, or in this case, the fine cases. Amir Mostafavi submitted an appeal brief in which 21 of 23 citations were either fabricated or misquoted, courtesy of his AI co-authors. Judge Lee Smalley Edmon was unimpressed, sanctioning him with a $10,000 fine and a reminder that lawyers must actually read their sources. Mostafavi, who admitted he hadn't fact-checked the AI's work, argued ignorance, but the court disagreed. While the judge noted there's nothing wrong with using AI in law, delegating due diligence to a chatbot is not a winning defense. The cautionary tale adds to a growing list of legal professionals discovering that hallucinated case law doesn't hold up in court. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tre Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding.
The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Podcast Date: September 23, 2025
Host: Dave Bittner (N2K Networks)
This episode centers on a sweeping array of current cybersecurity news, with a sharp focus on state-sponsored and criminal espionage activities exploiting telecommunications networks (“espionage in the airwaves”), and supply chain attacks impacting both industries and consumers. The episode features expert commentary—including an in-depth interview with Kim Jones, host of the CISO Perspectives podcast—on trends, threats, and strategies being employed in the evolving threat landscape.
[00:40 – 04:50]
“These devices allowed anonymous encrypted communications between potential threat actors and criminal enterprises enabling criminal organizations to operate undetected... This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.”
—Matt McCool (Special Agent in Charge, Secret Service NY Field Office) [03:39]
“Defenders must adapt, expanding protections beyond conventional endpoints and anticipating how attackers may turn everyday tools into attack vectors.”
[15:53 – 22:29]
Mindset Shift:
Kim Jones advocates for cyber leaders to “take a half step back”—away from constant firefighting—to reflect and strategize about the exponentially changing risk landscape.
Season Tagline:
“If I were to put a tagline on it, I wanted to look at Brave New World—with apologies to either Huxley or Shakespeare...”
—Kim Jones [16:16]
Primary Forces Shaping the Landscape:
Learning Focus:
This season, Jones emphasizes less self-opinion and more genuine inquiry—“mutual learning” with deep experts, fostering audience understanding as he learns himself.
“These are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience...”
—Kim Jones [19:44]
Audience Proxy:
“Yes, absolutely. That's why there's going to be less of Kim talking and... more of a hey, this is why this is probably something you ought to look at very briefly. Then I'm sitting there asking the questions that I would presume, if not hope, that my audience members would be asking...”
—Kim Jones [21:17]
First Guest & Episode:
Ben Yelin kicks off the season as the first guest, discussing “the shifting relationship of regulation and private sector for cyber under this new world order.” [21:54]
Espionage Scale:
“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.”
—Matt McCool, Secret Service [03:39]
Leadership Reflection:
“We all understand that change is the only constant out there and we've seen massive amounts of changes just in my 35 years doing this, but just in the past five years...”
—Kim Jones [16:22]
Learning Approach:
“These are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience...”
—Kim Jones [19:44]
This episode underscores the persistently high stakes of modern cyber conflict, including espionage at the infrastructure level, the delicate and dynamic interplay between regulators and technology giants, and the rapidly evolving tactics of advanced threat groups. The preview of CISO Perspectives signals a season focused on learning and preparedness in a period of historic change.