A
You're listening to the Cyberwire Network, powered by N2K.
B
From phishing to ransomware, cyber threats are constant. But with NordLayer, your defense can be too. NordLayer brings together secure access and advanced threat protection in a single, seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com/cyberwiredaily with code CYBERWIRE28. That's nordlayer.com/cyberwiredaily, code CYBERWIRE28, valid through December 10, 2025.

The US and allies sanction Russian bulletproof hosting providers. The White House looks to sue states over AI regulations. The U.S. Border Patrol flags citizens' suspicious travel patterns. Lawmakers seek to strengthen the SEC's cybersecurity posture. A new Android banking trojan captures content from end-to-end encrypted apps. A hidden browser API raises security concerns. Fortinet patches a zero day. A former Philippine mayor gets life in prison for scam center human trafficking. Our guest is Cliff Crossland, CEO and co-founder at Scanner.dev, discussing why security data lakes are ideal for AI in the SOC. And green energy gets hijacked for a blockchain side hustle. It's Thursday, November 20th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief.
B
Thanks for joining us here today. It's great as always to have you with us. The United States, United Kingdom and Australia announced new sanctions against Russian bulletproof hosting providers that support ransomware gangs and broader cybercrime operations. Bulletproof hosting providers lease infrastructure to threat actors and ignore takedown requests, enabling phishing campaigns, malware delivery, command and control operations, illicit content hosting and distributed denial of service attacks. The U.S. Treasury's Office of Foreign Assets Control designated Media Land and three affiliated companies, noting the group's links to ransomware operations including LockBit, BlackSuit and Play. Three Media Land executives were also sanctioned, with UK officials stating that one, Alexander Volosevic, has worked with groups such as EvilCorp and Black Basta. OFAC additionally sanctioned Aeza Group LLC, previously targeted in July, as well as Hypercor Limited and related support entities. Five Eyes cybersecurity agencies issued accompanying guidance urging defenders to use threat intelligence, traffic analysis, boundary filtering and stronger customer verification. The sanctions freeze assets and expose intermediaries to secondary penalties.

The Trump administration is preparing an executive order that would direct the Justice Department to sue states that pass laws regulating artificial intelligence, according to a draft reviewed by the Washington Post. The move follows a failed Republican Senate effort to block state AI rules amid concerns about risks to jobs, children and energy consumption. The order argues that state regulations interfere with interstate commerce, though legal experts say this likely exceeds presidential authority. It would also create a federal task force to review state AI laws and allow the Commerce Department to withhold broadband funding from states deemed out of line.
Trump continues to push for a single national AI standard, though several Republican governors and lawmakers object to federal preemption.

The Associated Press reports that the U.S. Border Patrol is running a secretive surveillance program that tracks millions of American drivers and flags suspicious travel patterns. The system uses a vast network of license plate readers and algorithms to analyze where vehicles come from, where they go and what routes they take. Alerts lead to "whisper" or "wall" stops, where local police pull drivers over for minor infractions, then question and search them without revealing Border Patrol's role. Cameras are often hidden in traffic equipment and extend far beyond the traditional 100-mile border zone, reaching deep into major metro areas. Civil liberties experts say this mass data collection and pattern analysis raises serious Fourth Amendment and free movement concerns.

A bipartisan pair of Georgia lawmakers, Democrat David Scott and Republican Barry Loudermilk, have reintroduced the SEC Data Protection Act of 2025 to strengthen the Securities and Exchange Commission's cybersecurity posture. The bill would require the SEC to adopt modern data protection protocols aligned with federal and National Institute of Standards and Technology best practices, create uniform policies for handling sensitive market information and improve internal accountability, the lawmakers say. Rising cyber attacks and recent government breaches underscore the need for updated safeguards, they warn, since outdated frameworks risk undermining trust in the US financial system. The measure, which would take effect one year after enactment, previously stalled in 2020. The SEC declined to comment.

A newly identified Android banking trojan named Sturnus can capture content from end-to-end encrypted apps like Signal, WhatsApp and Telegram by reading messages directly from the device screen after decryption.
Researchers at ThreatFabric say the malware, still in development but already fully functional, targets European financial accounts using region-specific HTML overlays to steal credentials. Sturnus supports full device takeover through Android accessibility abuse and real-time remote control via an AES-encrypted WebSocket VNC channel. It spreads through malicious APKs disguised as Chrome or Premix Box apps, though its distribution method remains unclear. After installation, it establishes encrypted connections with its command and control server, gains device administrator privileges, blocks removal attempts, and can silently conduct actions such as transfers by hiding activity behind fake system update screens.

Elsewhere, researchers at Trustwave SpiderLabs have identified a new Brazil-focused banking trojan called Eternidade Stealer that marks an escalation in the region's cybercrime activity. The malware spreads through WhatsApp using a Python-based worm to hijack accounts, steal contact lists and send personalized malicious messages. An accompanying installer deploys a Delphi-built stealer that activates only on systems using Brazilian Portuguese and targets banking, fintech and cryptocurrency apps with credential-harvesting overlays. Eternidade also uses hard-coded email credentials to retrieve fresh command and control details via IMAP, improving resilience. Additional scripts perform reconnaissance and evade antivirus tools. Researchers trace the infrastructure to interconnected domains, observing more than 450 connection attempts from 38 countries, mainly from desktop systems. Despite the malware's Brazil-centric design, researchers at SquareX have uncovered an undocumented system-level API inside the Comet AI browser that allows its hidden embedded extensions to run arbitrary commands and launch applications, bypassing protections enforced by mainstream browsers for more than a decade.
The custom MCP API, found in Comet's analytics extension, can be invoked directly from Perplexity AI and could be exploited through common techniques such as compromised extensions, cross-site scripting or phishing. SquareX demonstrated how a spoofed extension used the API to execute WannaCry on a device. Because Comet conceals its embedded extensions, users cannot disable them, and SquareX warns that other extensions may also gain access to the API. Analysts say the finding reinforces enterprise reluctance toward AI browsers and highlights the need for transparency, independent audits and user control.

A newly patched FortiWeb zero day is being actively exploited despite its medium CVSS 6.7 rating. The flaw allows authenticated attackers to execute unauthorized OS commands via crafted HTTP requests or CLI input, stemming from improper command neutralization. Trend Micro's Jason McFadyen discovered the issue, which affects multiple FortiWeb versions; fixes are now available. It follows last week's silent patch of a separate critical FortiWeb path traversal flaw, which allowed unauthenticated command execution and has also seen reported exploitation.

A Philippine trial court has sentenced former Bamban mayor Alice Guo to life imprisonment for human trafficking following a police raid that uncovered a scam center employing hundreds of trafficked foreign and local workers. Authorities later identified Guo, who had run for office as a Filipino citizen, as Chinese national Guo Hua Ping. The Presidential Anti-Organized Crime Commission called the ruling both a legal and moral victory. Seven others were also convicted, and the facility was ordered forfeited to the state. Guo, removed from office in 2024 and captured in Indonesia after fleeing Senate hearings, faces additional charges including graft and money laundering. Her case has intensified national scrutiny of Chinese-linked criminal activity and the now-banned Philippine Offshore Gaming Operators sector.
Coming up after the break, Cliff Crossland from Scanner.dev discusses why security data lakes are ideal for AI in the SOC, and green energy gets hijacked for a blockchain side hustle. Stick around.
C
They know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
C
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
B
Cliff Crossland is CEO and co-founder at Scanner.dev, and in today's sponsored Industry Voices conversation we discuss why security data lakes are ideal for AI in the SOC.
A
The most common way that people construct data lakes is to store significant amounts of messy-ish data in object storage buckets. So this might be AWS S3 or Azure Blob Storage or Google Cloud Storage buckets. It's basically storage locations that can scale forever, and they tend to interact with this data with various kinds of SQL-based engines; that's the most common way to query this data. But yes, the most common way that people build their data lakes is to build them on top of object storage.
B
And so when we're talking about AI and its ability to improve the lives of people in the SOC, how do these two things cross paths?
A
Yes, it's super interesting. So we found that more than half of our customers are building agentic AI workflows on top of their data lakes and on top of many other tools for all of their SecOps responsibilities, just to speed things along. No one is fully removing people from the workflows, but they are finding a tremendous amount of value in speeding up things like investigations. When an alert is triggered, by having a data lake that's easy to access with a huge amount of data (it's just way easier to get lots of data into a data lake than into a traditional SIEM), the agents can go and pull in rich context from many different sources. So AI together with data lakes, we think, is really the future of doing SecOps investigations and diving into log data. There's just a lot of power in having access to more and more log sources and more and more historical data too, going back not just a few weeks, but months or years, to do a deep-dive threat hunt. It's super cool.
B
Well, can we dig into some of the details here? I mean when somebody has this sort of thing up and running, how does it work?
A
Yes. So what folks tend to do for their first cut at building a data lake is to use a SQL-based tool, maybe Apache Presto or Amazon Athena; that is very common in our world, as we're very AWS focused. But what they will do is then use different kinds of SDKs that interact with MCP servers, so Model Context Protocol, which is very cool. And then they will use that to go and interact with their data lake and with different security tools that they have. So a very concrete example might be something like an alert lands from Amazon GuardDuty, and then the agent will go and pick up the ticket that got created in Jira and do an investigation in the data lake. It might ping some other tools, it might write up a little summary in Slack and write some comments in the Jira ticket. And then it might also do something cool like open a pull request in the team's GitHub repository to tweak some code or maybe a detection rule that they have in there. And then humans can review everything that it just did: code review the change that it's making against the code, and review the comments that are being added to the ticket. So it can be very cool. If your data lake is working well for you and you've done the work to make it fast, it can be a very cool source of additional rich context for agents to use when they're doing investigations.
B
Now, my understanding is that query speed in particular is really critical for enabling these AI agents. Can you unpack that for us? Why does that matter?
A
Yes, it is really interesting. So this is a common theme that we run into, and why people come and talk to us, is when they are trying to use Amazon Athena or Presto to go and query a data lake, sometimes the query will run for hours and then the agentic workflow just doesn't work. It's just sitting there constantly pinging over and over again waiting for a query to return. And so what you really want, if you want an agent to do a good job at doing an investigation quickly on an alert that comes in, is for your data lake to be really fast to go and query. We really are obsessed with what the future of data lakes looks like. We think data lakes are just going to get faster and faster, and this common complaint about data lakes being slow is going to go away over time. It's getting easier to do data engineering on traditional data lakes to make them faster to query with Apache Iceberg and Parquet formats and so on. But there are also other cool things going on, like being able to support full-text search even on the messiest of log data and getting results back rapidly. That's something that we are super excited about. As data lakes get faster, it'll just be easier and easier for agents to rapidly investigate incidents, do detection engineering on your behalf and speed up everyone's job in the SOC.
B
Years ago, when AI was just starting to become the hot thing along with machine learning, of course, I remember reading an article and it was about the state of a computer's ability to play chess against humans. And they were talking to a chess grandmaster and they were saying that, you know, humans can play against the machine, the machine can play against another machine, but really the human combined with the AI was the best chess player in the world and that combination was hard to beat. Is my understanding correct that human, you all have done some testing on this internally and you're finding similar sorts of results?
A
Yes, we definitely think that. I mean, we could be wrong as artificial general intelligence or artificial superintelligence lands on the scene in a decade, if we're lucky. I don't know if that's really going to happen, but maybe at that point the AI can just take over the job. But it was really interesting. There was some research done at Stanford that showed that, for doctors using AI, the AI does better on its own than doctor plus AI at doing diagnosis for a certain kind of symptom evaluation testing that they were doing, which was surprising. And so in our minds, we thought, wouldn't it be really cool to see if AI can do the job of a SOC analyst better than humans can by themselves, or even humans plus AI? The interesting thing that we found there is that human plus AI together does far better. There are a couple of different interesting findings. One is that it just seems to be that there is a lot more medical data out there for foundation models to train on, like millions of research papers, and so it makes sense that they're good at diagnosing medical problems. But in cybersecurity, the false negative rate, that's the scary thing. If a true positive alert, if a real threat is present in your log data and you're under attack and the agent doesn't find it and thinks everything is peachy, that is scary. And that was very common with AI running entirely by itself. But what we found to be really effective was AI and humans working together, where a human can use their judgment to nudge the AI along and iterate together on an investigation report, an artifact that they can continue to develop together. So the AI will do a first stab at an investigation. A human can say, you totally missed something over here. You mentioned it, but you didn't really deep dive. Go dive deeply into this weird data exfiltration. What is happening there? Why are there so many downloads from an S3 bucket in the logs?
And then the AI will often say, wow, you're right, this is actually really bad. Let me go dive more deeply into this. But the cool thing is, instead of a human taking hours to write queries to dig through logs, you can really just start to use your intuition, your judgment as a person and as a security practitioner, to come up with great ideas for the AI to go and explore. And then there's this really fast translation between the messy data, the deep, hard-to-understand, obscure data sources, and insights from it. So we think together, humans and AI are awesome. And in our own testing, the false positive rate got a lot better when humans were involved, but also the false negative rate was a lot better. Humans are better at being maybe a little paranoid and nudging the AI along in the right direction.
B
How do you go about dialing in the degree to which the humans are having oversight over the AI?
A
Yes, this is really tricky. I think what you want is an AI agent and a bunch of agentic workflows to make your life easier. You don't want to have to micromanage them. And so it could be a challenge if you have hundreds or maybe even thousands of alerts being triggered per day; you don't want to have to go and do a deep-dive review on every single response that your agent is making to these alerts. But what is really effective is to keep humans in the loop, but then to do things like let the AI give you a batch understanding, a global understanding of the patterns of those hundreds of alerts, and then surface the highest priority things for you to go review. We don't think it's time to let agents make a final call on really important investigations and do things like immediately change your code and change your detections. We think instead, if it can open up a pull request for humans to review, if it can add comments for humans to review, and then humans can just click accept or approve, or dive deeply into the details if they want to, it can really speed people along. So, yes, it is a challenge. I think if you can get your detections tuned to reduce your alerts to something that is reviewable, maybe dozens of alerts a day, that can be wonderful. And we actually find that AI agents are really helpful in helping you tune your detections to remove the noise and giving you ideas for how to reduce the false positive rate. So, yeah, I think you need to get your alerts under control, and then only have a volume at which humans can afford to go and review what the agents are doing and what their investigation conclusions are.
B
Yeah, it strikes me that approaching it this way, maybe it's an opportunity for your humans in the loop to stay sharper, because they don't have that grunt work of, as you said, going through so much data manually; they're able to apply their intuition where it really matters.
A
Yes. There was a fun interview with Allie Mellen, who talked about how in the future the SOC analyst role, the low-level SOC analyst role, is going to evolve and become more about detection engineering together with an AI. And we definitely see that; it's really fun to watch with our users. They will build workflows where, if an alert is really noisy, an AI will make an initial attempt at writing code to change the detection rule to make it less noisy and reduce the false positive rate. Humans can review, and it's just so much more fun than manually triaging dozens or hundreds of alerts per day. You can use your high-level judgment, your creative ideas, instead of getting into the weeds and into the details on every single alert that happens. You can guide and shape, almost like managing agents, to write code for you and get a lot of great work done: clean up your detections, tune them better. Yeah, we see a lot of people, instead of just trusting the out-of-the-box detections from their SIEM or their security data lake tool, customize and tune hundreds of detections from their vendor to be more appropriate to their business context. And they can only do that because AI is helping them speed that along. They're not doing it all by hand; they're just doing code reviews and maybe giving the agent feedback and maybe tuning the code a little bit more. But yeah, I completely agree that it helps people be sharper, and focus on better, more high-leverage projects. It's exciting.
B
What are some of the things that you and your colleagues have learned along the way in terms of having your own unique approach to this? The things that you believe differentiate you from other folks who are out there doing this?
A
Yes, I think what's going to happen is that all of the effort a lot of organizations are going to, to try to do data engineering to get all of their data in their data lake to conform to a common schema, is not going to be important anymore in the future. Instead of every single one of your 50 log sources having to conform to a schema like OCSF, tools are going to be very good at handling messiness, and that's something that our tool at Scanner really cares about. Logs can be very messy. And because the way that we're approaching running queries and analyzing data in data lakes is about embracing the messy, text-based nature, the deeply nested JSON, schema-less nature of logs in security, it just makes it much easier to gather many different log sources together. You don't need to do as much engineering work to get them to conform to a common schema, but it's really critical that that data be fast to search through so that the agent can actually make progress. So yeah, we're excited about adopting many of the same ideas that you see in tools like Lucene or Elasticsearch, building an inverted index, but making that inverted index extremely friendly to data lakes, data lake scale and object storage, which allows you to execute very, very fast searches over massive data sets without doing a significant amount of data engineering to get your data to conform to a particular schema. Just let the logs come in as they may and be messy, and then what the future looks like is gathering more and more log sources cheaply in data lakes and in object storage, and then letting agents do the really cool fuzzy sorts of correlations and searching across them to do deep dives and powerful investigations. So yeah, we're excited about that.

We think that the direction things will go in with object storage and data lakes in the future is more and more friendliness to unstructured and semi-structured data, and faster and faster search across that data.
B
That's Cliff Crossland, CEO and co-founder at Scanner.dev.
C
What's your 2am security worry? Is it "do I have the right controls in place?" Maybe "are my vendors secure?" Or the one that really keeps you up at night: "how do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
B
And finally, Nordex's wind turbines were built to power communities, though one technical manager apparently believed they should also bankroll his crypto ambitions. While the company was still recovering from a Conti ransomware attack, he slipped three mining rigs into a substation and hid two Helium nodes inside the turbines themselves, treating critical infrastructure like a very large, very noisy piggy bank. From August through November 2022, his setup quietly siphoned energy until Nordex discovered that its clean power was moonlighting as a blockchain side hustle. A court later noted he showed no concern about interfering with equipment that keeps thousands of homes running. The judge rewarded this creative misuse of renewable energy with 120 hours of community service and more than €8,000 in damages. It is, if nothing else, a gentle reminder that insider threats are alive and well, and that even in the age of green tech, not every watt is yours to monetize.

And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: November 20, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Cliff Crossland, CEO & Co-founder, Scanner.dev
This episode delivers a comprehensive briefing on the latest cybersecurity developments, global enforcement efforts, and critical vulnerabilities. The spotlight interview explores why security data lakes are vital for integrating AI into security operations centers (SOCs), blending deep technical expertise with practical guidance. The show closes with an unusual case of insider crypto mining at a wind energy firm—highlighting the ever-evolving nature of insider threats.
Segment: [02:35 – 04:35]
Sanctions Announced: The US, UK, and Australia imposed new sanctions on Russian bulletproof hosting providers (notably Media Land and affiliates) accused of enabling ransomware gangs and cybercrime, including support for Lockbit, Blacksuit, Play, EvilCorp, and Black Basta groups.
Nature of Services: These providers lease infrastructure to threat actors, ignore takedown requests, and facilitate phishing, malware, command and control (C2), illicit content, and DDoS attacks.
Impact: Sanctions freeze assets and may trigger secondary penalties for intermediaries.
Noteworthy Quote:
“Bulletproof hosting providers lease infrastructure to threat actors and ignore takedown requests, enabling phishing campaigns, malware delivery, command and control operations, illicit content hosting and distributed denial of service attacks.” — Dave Bittner, [02:40]
Guidance Issued: Five Eyes agencies urge defenders to boost threat intelligence, boundary filtering, and customer verification.
Guest: Cliff Crossland, CEO & Co-founder, Scanner.dev
Segment: [14:37 – 30:25]
Definition:
“Most common way that people construct data lakes is to store significant amounts of messy-ish data in object storage buckets… can scale forever.” — Cliff Crossland, [14:50]
Popular Tools: AWS S3, Azure Blob, Google Cloud Storage, often queried via SQL engines like Presto or Athena.
Value for the SOC:
“More than half of our customers are building agentic AI workflows on top of their data lakes… finding a tremendous amount of value in speeding up things like investigations.” — Crossland, [15:34]
Agentic Workflows: Alerts (e.g., from GuardDuty) automatically trigger AI agents to investigate via data lake, enrich tickets, ping supporting tools, and even open GitHub pull requests for review.
Quote:
“No one is fully removing people from workflows, but they are finding a tremendous amount of value in speeding up things like investigations.” — [15:38]
Bottleneck:
“Sometimes the query will run for hours and then the agentic workflow just doesn't work ... So what you really want ... is your data lake to be really fast to go and query.” — Crossland, [18:25]
Outlook: Tools are improving and query speed issues (via formats like Parquet, new search techniques) will diminish.
Parallels with Chess & Medicine:
“…human plus AI together does far better … In cybersecurity, the false negative rate, that's the scary thing … That was very common with AI running entirely by itself. But what we found to be really effective was AI and humans working together.” — Crossland, [20:30]
Process: AI drafts an investigation; humans review, spot missed issues, and direct further exploration.
Human in the Loop:
“What is really effective is to keep humans in the loop, but then to do things like let the AI give you a batch understanding ... and then surface the highest priority things for you to go review.” — [23:45]
Reduced Grunt Work:
“…so much more fun than going and manually triaging dozens or hundreds of alerts per day. You can just use your high level judgment, your creative ideas...” — [26:01]
Customization: SOC teams increasingly fine-tune detections (instead of relying on vendor defaults), enabled by AI making mass tuning feasible.
Flexibility Over Rigid Schemas:
“Instead of like every single one of your 50 log sources, you have to get to conform to a schema ... tools are going to be very good at handling messiness.” — [28:02]
Innovation at Scanner.dev:
Focus on rapid inverted index search across unstructured logs at scale, making data lakes more useful for all log source types.
On Bulletproof Hosting:
“These are providers that lease infrastructure to threat actors and ignore takedown requests…” — Dave Bittner, [02:40]
On Data Lake Speed:
“If you want an agent to do a good job at doing an investigation quickly on an alert, you want your data lake to be really fast to go and query.” — Cliff Crossland, [18:25]
On Human & AI Partnership:
“AI and humans working together...the false positive rate got a lot better when humans were involved but also the false negative rate was a lot better.” — Crossland, [22:55]
On the Future of SOC Roles:
“The SOC analyst ... is going to evolve and it will become more about detection engineering together with an AI.” — Crossland, [26:01]
Professional, informative, and pragmatic—balancing hard news with clear explanations and practical advice for practitioners. Cliff Crossland’s interview brings a collaborative, optimistic approach to the future of SOC operations, while the closing segment wryly illustrates the threat posed by insider creativity.
For links to all stories mentioned, visit thecyberwire.com.
This summary has omitted advertisements and non-content sections, focusing solely on the episode’s news, analysis, and expert commentary.