A

You're listening to the Cyberwire network, powered by N2K. AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barak Shalef from Oasis Security on on Wednesday, December 3rd at 1pm Eastern for a live discussion on agentic access management and how to secure non human identities without slowing. Innovation can't make it live. Register now to get on demand access after the event, visit events.thecyberwire.com that's events with an s.thecyberwire.com to save your spot.

B

What's your 2am Security worry? Is it do I have the right controls in place?

A

Maybe?

B

Are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale and it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.

A

Report sheds light on cyber activity targeting space related organizations during the Gaza war Russian Threat actor targets US civil engineering firm FBI says $262 million has been stolen in account takeover scams this year Tricks AI browser assistance London Council's disrupted by cyber attacks Russia's Gamarudan and North Korea's Lazarus Group appear to be sharing infrastructure. Cannon says subsidiary was breached by Oracle EBS Flaw Dave Buettner was joined by Cynthia Kaiser, SVP of the Ransomware Research Institute at Halcyon Sharing Deep dive on Akira Ransomware and Campbell's Soup CISO placed on leave following lawsuit. Today is Wednesday, November 28th and I'm your T minus Space Daily host Maria Varmazes in for Dave Bittner, who is preparing for tomorrow's turkey feast. Thank you for joining us for your Cyber Wire intel briefing. We're starting today with a new report out of ETH Zurich that sheds light on a spike in cyber activity targeting space related organizations during the Gaza war. Researchers at the center for security studies tracked 237 cyber operations aimed at the space sector over the course of the conflict, and here is the striking Only 11 of those incidents happened before October 7, according to the study. Once the war began, hacktivist groups, mostly pro Palestinian groups, either emerged or significantly ramped up activity. And most of what they did was not subtle. The bulk of These operations were DDoS attacks. One of the most frequent targets was the Israel Space Agency, even though it does not operate satellites or maintain deep space infrastructure and has a pretty limited attack surface. But because hacktivist campaigns often recycle huge lists of government related URLs, the agency became a recurring name on those target lists. The authors of the report say that this is part of a broader pattern that we are seeing in modern conflict. Cyber operations against space sector organizations are now a routine element of geopolitical escalation. The Russia aligned threat actor Rom com used Soc Golish to breach a US based civil engineering company that had done work for Ukraine, according to researchers at Arctic Wolf. While Soc Golish is operated by a criminal malware as a service group, Arctic Wolf assesses with a medium to high confidence level that Russia's GRU unit 29155 is utilizing Sokolish to target victims, the researchers note. This sock goal ish activity demonstrates the ongoing exploitation of compromised legitimate websites as a malware delivery framework, turning routine web browsing into a potential vector for ransomware access. The U.S. federal Bureau of Investigation has issued an advisory on account takeover fraud schemes, noting that these attacks have caused $262 million in losses since January 2025. The attackers use well known social engineering techniques to impersonate financial institutions and trick users into granting access to their accounts. The crooks are targeting banks, payrolls and health savings accounts, the FBI notes. In some instances, cybercriminals impersonating financial institutions reported to the account owner that their information was used to make fraudulent purchases, including firearms. The cybercriminal convinces the account owner then to provide information to a second cybercriminal impersonating law enforcement, who then convinces the account owner to provide account information. Cato Networks has published a report on an indirect prompt injection technique affecting several AI browser assistants, including Perplexity's Comet Copilot for Edge and Gemini for Chrome. The technique, which Cato calls Hash Jack, uses the pound symbol or hashtag sign, depending on what generation you're in, to place malicious prompts after legitimate URLs, the researchers explain. When an AI browser loads a page and the user interacts with the AI assistant, these hidden prompts are fed directly into large language models in agentic AI browsers like Comet, the attack can escalate further with the AI assistant automatically sending user data to threat actor controlled endpoints. Perplexity and Microsoft have since implemented mitigations against this technique, while Google acknowledged the issue and gave Cato permission permission to publicly disclose the flaw. The issue is still unresolved in the Chrome browser. The BBC reports that at least three London councils were hit by disruptive cyber attacks over the last few days. The Royal Borough of Kensington and Chelsea or RBKC and the Westminster City Council sustained an attack that affected shared IT systems and took down phone services, while Hammersmith and Fulham Council said it was working to recover from a serious cybersecurity incident. The Hammersmith and Fulham attack appears to be connected to the incident affecting RBKC and Westminster City. A memo from the Hammersmith and Fulham council instructed staff not to click on any Outlook or Teams links from RBKC and Westminster City colleagues until further notice. The BBC says the Met Police is investigating the incidents. Researchers from genthreat Labs have seen evidence that Russia's Gamarudon and North Korea's Lazarus Group are sharing infrastructure, indicating that the two state sponsored actors may be coordinating at an operational level. The researchers Observed a Gamaridon C2 server hosting invisible Ferret, which is a strain of malware attributed to the Lazarus Group. The malware was then delivered through an identical server structure used in Lazarus's contagious interview campaign. Jen notes while the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups activity and the shared hosting pattern is indicate probable infrastructure reuse with moderate confidence of operational collaboration. Canon has confirmed that one of its subsidiaries was breached by an attack campaign targeting Oracle E business suite instances, the company told Security Week, quote, we have confirmed that the incident only affected the web server and we have already taken security measures and resumed service. In addition, we are continuing to investigate further to ensure that there is no other impact. The Klopp extortion gang listed Cannon as one of its victims, but has not leaked any data from the company. Stick around after the break as we have Cynthia Kaiser, SVP of the Ransomware Research center at Halcyon, sharing a deep dive on Akira ransomware and Campbell's Soup CISO placed on leave following lawsuit.

B

From phishing to ransomware Cyber threats are constant, but with Nordlayer your defense can be too. Nord layer brings together secure access and advanced threat protection in a single seamless platform. It helps your team spot suspicious activity before it becomes a problem. By blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to Deploy easy to scale and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28 that's nordlayer.com CyberWire Daily Code CYBERWIRE28 that's valid through December 10, 2025. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With Ringf Fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. Threat Locker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.

A

Foreigner recently sat down with Cynthia Kaiser, SVP of the Ransomware Research center at Halcyon, as they took on a deep dive on Akira ransomware. Here's their conversation.

C

It's really one of the most aggressive ransomware actors that we're tracking, and that's saying something right among all these people who are really the lowest of the low. But I think one of the most important things to know about Akira is it's all about speed with them. So we're seeing ransomware attacks getting faster and faster, but Akira's really at the front edge of getting all of these attacks happening in a really quick way.

B

Well, let's dig into that together. What are some of the tactics, techniques and procedures that they use to make that happen?

C

So we don't actually see them encrypting the full file. They're encrypting a small percentage of files as they go through in an effort to encrypt as much as they can as quick as they can, which I think, you know, makes sense when you think about it, but also isn't something that we'd ne I necessarily had at the front of my mind as we were starting to look at that, the actor, and see some of the incidents that we're responding to. They, of course, are doing what has become really typical of ransomware actors, which is looking to kind of Blind or tamper with endpoint detection, because they want to try to figure out ways to be able to be stealthy, to not let somebody know they're there. And that helps them enumerate the whole network, have everything in place so that when they're staged, when they're going for patient zero, it's only going to take minutes for them to encrypt over a hundred or more across the systems. And they're starting with those portions of your network that'll give them a lot of access at once, the hypervisors. So as you increase your virtualization in your network, they're going after those components so that they can reach more of your network more quickly.

B

Help me understand the infection vectors here. How do they typically get on someone's system?

C

We're seeing them use the sonic wall vulnerabilities that have been widely published over, I think, since the summer. You normally can get some type of Compromise credentials for SonicWall and then be able to utilize that for the known vulnerability that's on them to get onto a system. And then once they're on a system, they create admin credentials for themselves so that it's no longer really detectable what they do. So unless you're kind of detecting them at that sonic wall, that early initial access, it becomes harder and harder to find them until they're ready to encrypt.

B

Hmm. Are they using living off the land techniques here to keep themselves hidden?

C

Absolutely. We see that among a lot of ransomware actors, where they're using the tools that you already have in your system to be able to conduct their activities. So what was interesting here and some of the tactics you see among some of the actors, is they will basically try to trick trusted apps on your system into running a malicious tool. DLL sideloading. We saw them in one incident because we were responding, and we actually were able to block encryption through almost the whole network. And they didn't know what was going on. And so they started trying all these different tricks. And some of it was they were going around, they were like, trying to figure out a different way in a different way to do the encryption. And one of those was I doing that DLL sideloading, tricking trusted apps on systems. They use anydesk. They use several different tools that are on a system, but all of that's really fueled by creating those credentials for themselves. So they just look like a typical user.

B

And who do they seem to be targeting here? Are there any particular sectors that have their attention?

C

It feels like manufacturing, business services, and Construction take the brunt of the hits. But there's absolutely affects across all industries. Think like retail, it, education, finance. If you look at where they've claimed to have done attacks, so, you know, whether they're, you know, posting data on their leak site, et cetera, it's about 60 attacks just in November alone. That's a crazy amount. And so really, you have to think about everybody is being targeted because they're trying to maximize the vulnerabilities they have now to be able to get onto systems.

B

And they're running an affiliate model here. That's part of how they have such breadth, widespread attack capabilities, I suppose.

C

Yeah, they're a ransomware as a service, which group, which really means somebody develops the malware, and then there are affiliates who borrow the malware from the developers, go out and conduct the attacks against various targets, and then give a share of the profits back to the developers themselves. I mean, in this way, it really shields the developers from a lot of the risk of actually conducting the attacks, but it allows the larger group itself to just have a lot more reach across, to be able to conduct simultaneous attacks at once. There's some downsides to that model, I think. We've seen exit schemes from certain groups. We've seen various ways in which those groups are more easily infiltrated by law enforcement, which, I mean, negative for them, positive for us. Right. But overall, they do this to try to see if they can make the most money that they can as quickly as they can.

B

I feel funny asking this question, but are they an honorable group as far as ransomware groups go? If you pay them, are you going to get your stuff back?

C

That's always a hard question. Right? Because a lot of the. In most cases you receive a decryptor, whether it works on all your files is a different story for Akira itself. Overall, I think we. Our experience has seen, yes, for the most part, the decryptor would work, but there's a lot of other groups that you get the decryptor and like, it turns out, like malware developers don't spend a lot. They spend a lot of time breaking things and they don't spend a lot of time figuring out how to fix them. Again, you know, there are a lot of, a lot of careless decryptors out there. But more so this is a group that also steals data. And there are, in. Most ransomware groups will come out and say, oh, if you pay us this ransom, we won't leak your data. Some claim, oh, we won't. We'll Delete your data. I mean, there has not been a group that I've seen who says they were going to delete the data. Where, when I was over at the Bureau or now, so I was at the FBI right before and now I'm at Halcyon. I've not seen any instance where once we were able to look under the hood of what was going on and those ransomware groups and their infrastructure that they actually deleted customer data. Right, Right.

A

Yeah.

B

Why would they?

C

Right. I mean, part of it's like, why would they just spend the time doing it? They don't need to.

B

Right, right. So what are your recommendations then? I mean, for folks to best protect themselves here. What, what should they be doing?

C

The first thing I advise is going to the updated cybersecurity advisory that was put out by FBI, CISA and a host of other agencies last week where they recommend prioritizing, remediating, known exploited vulnerabilities. So like the sonicwall vulnerability that I was talking about earlier, enabling and enforcing phishing resistant multi factor authentication. So not necessarily just text based, you get a code, but using authenticator apps or some other type of phishing resistant multi factor. And the kind of normal ransomware advice we give, which is maintaining regular backups of data, ensuring backups are stored offline, and regularly testing the restoration process. In addition to what that cybersecurity advisory noted, I'd also note ensuring that you have some type of a defense in depth that ensures if your endpoint detection is turned off or blinded in some way, you still are able to identify the actors or that at least something funny is going on across your network. Having lots of different points of security is just essential nowadays to all of these advancing ransomware actors.

B

How do you rate the sophistication of Akira?

C

Akira is very sophisticated. It's incredibly difficult to identify them when they're on a system. Even in the after, when you're doing an incident response, it can be hard to determine how information might have been taken from your network, what information was taken from your network, or really what happened between them getting onto the network and then getting to that final encryption event. So it's aggressive, but it's also sophisticated, which is a terrible combination for all of us.

A

That was Cynthia Kaiser, SVP of the Ransomware Research center at Halcyon, sharing a deep dive on Akira ransomware. Learn more on Halcyon's threat actor profile of Akira and how they fit into their latest malicious quartile report. There's a link for you in the show Notes. At Thales, they secure what matters most. The most trusted companies and organizations utilize Thales cybersecurity products to protect critical applications, sensitive data and identities anywhere at scale. Through their innovative services and integrated platforms, Thales provides customers a greater visibility of risks, the ability to defend against cyber threats, close compliance gaps, and deliver trusted digital experiences for billions of consumers every day. That's Thales T H A L E S learn more@cpl.talasgroup.com. Give Big Save big with RACC Friday deals at Nordstrom Rack For a limited time, take an extra 40% off red tag clearance for a total Savings up to 75% off. Save on gifts for everyone on your list from brands like Vince Cole, Hahn, Sam Edelman and more. All sales final and restrictions apply. The best stuff goes fast, so bring your gift list and your wish list to your nearest Nordstrom Rack today. And finally today, Campbell Soup Chief Information Security Officer, is in hot water after a lawsuit claimed that he made disparaging remarks about the company's soup as well as racist comments about his Indian co workers. The executive, Martin Valley, has been placed on leave pending an investigation. The lawsuit was filed by a former employee of the company, remote security analyst Robert Garza. Garza recorded Bali's comments during a lunch meeting and claims that he was fired after bringing the recording to a superior. Bally allegedly said that Campbell's makes unhealthy soup for, quote, poor people using 3D printed chicken and bioengineered meats. For its part, Campbell said in a statement, and I quote, the comments on the recording are not only inaccurate, they are patently absurd. Keep in mind the alleged comments are made by an IT person who has nothing to do with how we make our food. End quote. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com a quick programming note everybody. We will not be publishing tomorrow through Sunday in observance of the Thanksgiving holiday here in the United States States. We do have some great content planned for you though to check out in our Cyberwire Daily Podcast feed and we will see you back here on Monday. Enjoy your turkey everyone, and Happy Thanksgiving. And that's the Cyberwire Daily brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliot Piltzman and Trey Hester with original music by Elliot Piltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Maria Varmazis in for host Dave Bittner. Thank you for listening. Have a wonderful Thanksgiving. Hey, Ryan Reynolds here wishing you a very happy half off holiday because right now Mint Mobile is offering you the gift of 50% off unlimited. To be clear, that's half price, not half the service. Mint is still premium unlimited wireless for a great price. So that means a half day.

C

Yeah.

A

Give it a try@mintmobile.com Switch upfront payment.

C

Of $45 for three month plan equivalent to $15 per month required new customer offer for first three months only. Speed slow hacker 35 gigabytes of networks busy taxes and fees extra. See mint mobile.com.