CyberWire Daily – "Eviction Notice for Media Land"
Date: November 20, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Cliff Crossland, CEO & Co-founder, Scanner.dev
Episode Overview
This episode delivers a comprehensive briefing on the latest cybersecurity developments, global enforcement efforts, and critical vulnerabilities. The spotlight interview explores why security data lakes are vital for integrating AI into security operations centers (SOCs), blending deep technical expertise with practical guidance. The show closes with an unusual case of insider crypto mining at a wind energy firm—highlighting the ever-evolving nature of insider threats.
Key News & Analysis
1. US and Allies Sanction Russian Bulletproof Hosting Providers
Segment: [02:35 – 04:35]
- Sanctions Announced: The US, UK, and Australia imposed new sanctions on Russian bulletproof hosting providers (notably Media Land and affiliates) accused of enabling ransomware gangs and cybercrime, including support for the LockBit, BlackSuit, Play, Evil Corp, and Black Basta groups.
- Nature of Services: These providers lease infrastructure to threat actors, ignore takedown requests, and facilitate phishing, malware delivery, command and control (C2), illicit content hosting, and DDoS attacks.
- Impact: Sanctions freeze assets and may trigger secondary penalties for intermediaries.
- Noteworthy Quote: “Bulletproof hosting providers lease infrastructure to threat actors and ignore takedown requests, enabling phishing campaigns, malware delivery, command and control operations, illicit content hosting and distributed denial of service attacks.” — Dave Bittner, [02:40]
- Guidance Issued: Five Eyes agencies urge defenders to strengthen threat intelligence, boundary filtering, and customer verification.
2. White House Moves to Preempt State AI Regulations
Segment: [04:36 – 05:33]
- Draft Executive Order: Trump administration is preparing a directive allowing the DOJ to sue states over AI regulatory laws, arguing such rules interfere with interstate commerce.
- Push for Uniformity: Seeks to establish a single national AI standard, with measures to review state laws and withhold broadband funds for non-compliance.
- Reactions: Legal experts question federal authority; some Republican lawmakers oppose federal preemption.
3. Secretive U.S. Border Patrol Surveillance
Segment: [05:34 – 06:32]
- Surveillance Details: Massive license plate reader network tracks millions of drivers, flags travel patterns, and triggers law enforcement stops without revealing Border Patrol involvement.
- Civil Liberties Concerns: Expansion well beyond the border zone; Fourth Amendment and movement freedom are at risk.
4. Legislation to Strengthen SEC Cybersecurity
Segment: [06:33 – 07:11]
- Bi-Partisan Bill: SEC Data Protection Act of 2025 would modernize data protocols, align with federal and NIST standards, and improve handling of sensitive market info.
- Incident Motivation: Recent government breaches highlighted need for improved agency safeguards.
5. Advanced Android Banking Trojans Make Headlines
Segment: [07:12 – 09:10]
- Sternus Trojan: Targets European banks, steals credentials, and even reads decrypted content from secure messaging apps (Signal, WhatsApp, Telegram) once it is displayed on screen.
- Eternidad Stealer: Brazil-focused, spreads via WhatsApp, hijacks accounts, and is used for credential and crypto theft.
- Tech Details: Uses Python worms and Delphi stealers; resilient C2 achieved via hardcoded email credentials.
- Infrastructure Scale: Over 450 connection attempts observed from 38 countries.
6. Comet AI Browser’s Hidden Security Risk
Segment: [09:11 – 10:20]
- Security Concerns: Undocumented MCP API in Comet’s analytics extension can be exploited to run arbitrary commands and launch applications—bypassing browser protections.
- Demonstration: Squarex showed a spoofed extension running WannaCry ransomware via this API.
- Analyst Warning: Reinforces need for transparency and independent audits in AI-driven browser tools.
7. Fortinet FortiWeb Zero-Day Exploited
Segment: [10:21 – 11:13]
- Vulnerability: Authenticated attackers could execute unauthorized OS commands via crafted HTTP requests or CLI input (CVSS 6.7).
- Exploitation: The flaw was found and patched but had already been actively exploited; it follows another recent critical FortiWeb flaw.
8. Philippine Human Trafficking Conviction Linked to Cybercrime
Segment: [11:14 – 12:33]
- Conviction: Ex-mayor Alice Guo sentenced to life for running a scam center with trafficked labor, reflecting crackdown on Chinese-linked Philippine cybercrime.
- Case Impact: Prompts renewed scrutiny of POGOs (Philippine offshore gaming operators) and transnational organized crime.
Industry Voices: Why Security Data Lakes Are Ideal for AI in the SOC
Guest: Cliff Crossland, CEO & Co-founder, Scanner.dev
Segment: [14:37 – 30:25]
What are Security Data Lakes?
- Definition: “Most common way that people construct data lakes is to store significant amounts of messy-ish data in object storage buckets… can scale forever.” — Cliff Crossland, [14:50]
- Popular Tools: AWS S3, Azure Blob, Google Cloud Storage, often queried via SQL engines like Presto or Athena.
Intersection of Data Lakes and AI for SecOps
- Value for the SOC: “More than half of our customers are building agentic AI workflows on top of their data lakes… finding a tremendous amount of value in speeding up things like investigations.” — Crossland, [15:34]
- Agentic Workflows: Alerts (e.g., from GuardDuty) automatically trigger AI agents that investigate via the data lake, enrich tickets, ping supporting tools, and even open GitHub pull requests for human review.
- Quote: “No one is fully removing people from workflows, but they are finding a tremendous amount of value in speeding up things like investigations.” — [15:38]
The Critical Role of Query Speed
- Bottleneck: “Sometimes the query will run for hours and then the agentic workflow just doesn't work ... So what you really want ... is your data lake to be really fast to go and query.” — Crossland, [18:25]
- Outlook: Tools are improving, and query speed issues will diminish thanks to columnar formats like Parquet and new search techniques.
Human + AI: The Best of Both Worlds
- Parallels with Chess & Medicine: “…human plus AI together does far better … In cybersecurity, the false negative rate, that's the scary thing … That was very common with AI running entirely by itself. But what we found to be really effective was AI and humans working together.” — Crossland, [20:30]
- Process: AI drafts an investigation; humans review it, spot missed issues, and direct further exploration.
Oversight and Workflow Evolution
- Human in the Loop: “What is really effective is to keep humans in the loop, but then to do things like let the AI give you a batch understanding ... and then surface the highest priority things for you to go review.” — [23:45]
- Reduced Grunt Work: “…so much more fun than going and manually triaging dozens or hundreds of alerts per day. You can just use your high level judgment, your creative ideas...” — [26:01]
- Customization: SOC teams increasingly fine-tune their own detections instead of relying on vendor defaults, because AI makes tuning at scale feasible.
Embracing Messy Data
- Flexibility Over Rigid Schemas: “Instead of like every single one of your 50 log sources, you have to get to conform to a schema ... tools are going to be very good at handling messiness.” — [28:02]
- Innovation at Scanner.dev: Focus on rapid inverted index search across unstructured logs at scale, making data lakes more useful for all log source types.
Noteworthy Quotes
- On Bulletproof Hosting: “These are providers that lease infrastructure to threat actors and ignore takedown requests…” — Dave Bittner, [02:40]
- On Data Lake Speed: “If you want an agent to do a good job at doing an investigation quickly on an alert, you want your data lake to be really fast to go and query.” — Cliff Crossland, [18:25]
- On Human & AI Partnership: “AI and humans working together...the false positive rate got a lot better when humans were involved but also the false negative rate was a lot better.” — Crossland, [22:55]
- On the Future of SOC Roles: “The SOC analyst ... is going to evolve and it will become more about detection engineering together with an AI.” — Crossland, [26:01]
Memorable Moment
- Insider Crypto Incident at Wind Farm
Segment: [31:52 – 33:45]
- A Nordex technical manager, mid-recovery from a ransomware attack, concealed crypto-mining rigs inside a substation and wind turbines—quietly diverting power to a personal side hustle. He was sentenced to community service and ordered to pay damages.
- Moral: Insider threats persist in unexpected ways, even leveraging green technology infrastructure.
Timestamps of Important Segments
- [02:35] – Russian bulletproof hosting sanctions
- [04:36] – White House vs state AI laws
- [05:34] – Border Patrol mass surveillance
- [06:33] – SEC cybersecurity bill
- [07:12] – Android Banking trojans
- [09:11] – Comet AI browser API security risk
- [10:21] – Fortinet FortiWeb zero-day exploit
- [11:14] – Philippine trafficking/cybercrime conviction
- [14:37 – 30:25] – Cliff Crossland interview: Security Data Lakes & AI in SOC
- [31:52] – Nordex wind turbine insider crypto mining
Episode Tone
Professional, informative, and pragmatic—balancing hard news with clear explanations and practical advice for practitioners. Cliff Crossland’s interview brings a collaborative, optimistic approach to the future of SOC operations, while the closing segment wryly illustrates the threat posed by insider creativity.
For Further Reference
For links to all stories mentioned, visit thecyberwire.com.
This summary has omitted advertisements and non-content sections, focusing solely on the episode’s news, analysis, and expert commentary.
