Dave Bittner
You're listening to the Cyberwire Network, powered by N2K.
Podcast Announcer
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance.
Dave Bittner
Visit www.hyperproof.io to see how leading teams are transforming their GRC program.

Explosions rock a shuttered Myanmar cybercrime hub. The Aisuru botnet shifts from DDoS to residential proxies. Dentsu confirms data theft at Merkle. Boston bans biometrics. Proton restores journalists' email accounts after backlash. Memento Labs admits Dante spyware is theirs. Australia accuses Microsoft of improperly forcing users into AI upgrades. CISA warns of active exploitation targeting manufacturing management software. A covert cyberattack during Trump's first term disabled Venezuela's intelligence network. Our guest is Ben Seri, co-founder and CTO of Zafran, discussing the trend of AI-native attacks. And new glasses deliver fashionable paranoia.

It's Wednesday, October 29th, 2025. I'm Dave Bittner, and this is your Cyberwire Intel Brief. Thanks for joining us here today. Great to have you with us, as always.

Thailand's military says the flow of people fleeing Myanmar after a major cybercrime hub was shut down has nearly stopped, following a week in which more than 1,500 crossed the border. Myanmar's army raided the KK Park complex near Myawaddy in mid-October, part of an ongoing campaign against online scams and illegal gambling networks. Explosions reportedly leveled parts of the site, damaging homes on the Thai side. Most who fled are believed to have been foreign workers forced into scam operations, with Thai authorities sheltering and screening people from 28 countries to determine if they were trafficking victims. KK Park had been a key node in Myanmar's expanding cyberscam industry, where criminal groups lure workers with fake job offers before coercing them into online fraud. Despite the raid, independent reports suggest similar operations remain active in Myawaddy, underscoring Myanmar's ongoing struggle to dismantle cross-border cybercrime networks.

The Aisuru botnet, once known for record-breaking DDoS attacks, has shifted toward a more profitable model: renting infected IoT devices as residential proxies. Krebs on Security estimates Aisuru controls about 700,000 compromised routers and cameras. These devices now help anonymize cybercriminal traffic and power large-scale data scraping for AI training. Experts say the flood of cheap proxy access is driving explosive growth across proxy services, some tied to Chinese conglomerates like IPDA's HK network. Many of these networks rely on SDKs secretly installed on user devices, selling their bandwidth to proxy resellers. While legitimate firms such as Oxylabs and Bright Data deny exaggerated growth claims, analysts warn that botnet-driven proxy ecosystems blur the lines between lawful data collection and cybercrime infrastructure.

Japanese advertising giant Dentsu has confirmed a cybersecurity incident affecting its U.S. subsidiary Merkle, exposing employee and client data. The company detected abnormal network activity, shut down certain systems and notified authorities in affected countries. Internal reports suggest the breach involves staff, financial and personal data, including payroll and bank details. Dentsu later confirmed that attackers stole files containing information on clients, suppliers and current and former employees, while its Japan-based systems were unaffected. The company anticipates some financial impact. Merkle, which employs 16,000 people and serves major global brands, continues to investigate with third-party forensics experts. No ransomware group has claimed responsibility, and the full scope of the breach remains under review.

The Boston City Council has unanimously voted to ban the use of facial recognition technology by all city departments, including the police, making Boston the largest East Coast city to do so. The ordinance prohibits officials from acquiring or using facial recognition systems or contracting third parties to do so, though police may still follow up on leads generated by other agencies. Citing racial bias and accuracy issues, the law aims to protect residents' privacy and prevent discrimination against communities of color. Supported by the ACLU of Massachusetts and local advocacy groups, the measure aligns Boston with cities like San Francisco and Oakland that have enacted similar bans. The ordinance was sponsored by councilors Michelle Wu and Ricardo Arroyo.

The company behind Proton Mail suspended the accounts of two journalists investigating South Korean government hacks, prompting backlash over its commitment to privacy and press freedom. The reporters, publishing under pseudonyms in Phrack magazine, had responsibly disclosed their findings, linked to North Korea's Kimsuky threat group, to South Korean authorities using Proton Mail accounts. After the print issue appeared, Proton disabled their accounts, citing policy violations following a complaint from an unspecified cybersecurity agency. Despite appeals, Proton offered little explanation until public criticism forced reinstatement weeks later. Press advocates warned the move undermines trust among journalists who rely on Proton for secure communications. Proton later said it was acting on a CERT alert but admitted its automated anti-abuse process may have mistakenly affected legitimate users.

Yesterday, we reported cybersecurity firm Kaspersky has identified a new Windows spyware strain called Dante, which it links to Memento Labs, the rebranded successor to the notorious spyware maker Hacking Team. In a key confirmation, Memento CEO Paolo Lezzi told TechCrunch that the spyware detected by Kaspersky does indeed belong to his company, blaming a government client for using an outdated version. This discovery follows earlier reporting on Memento's continued development of surveillance tools despite Hacking Team's collapse after major scandals and leaks. Kaspersky says the ForumTroll group used Dante in targeted attacks on Russian and Belarusian organizations, including media and government entities. Memento has since urged customers to discontinue use of its Windows spyware as it shifts focus to mobile surveillance tools.

Australia's competition regulator, the Australian Competition and Consumer Commission, or ACCC, has filed suit against Microsoft, alleging the company misled Office 365 customers by forcing an upgrade to its Copilot AI service and charging higher subscription fees without proper consent. The ACCC claims Microsoft falsely represented that users had to accept the AI integration and pay more to retain access, violating multiple provisions of Australian consumer law. The regulator seeks penalties, refunds and injunctions. Microsoft, which told customers they risked losing access if they didn't upgrade, says it's reviewing the claim and will cooperate with regulators. The ACCC, known for strong consumer enforcement, says affected users can revert to their original plans and should contact Microsoft for refunds if charged improperly.

CISA has warned that attackers are actively exploiting two critical flaws in Dassault Systèmes' DELMIA Apriso manufacturing management software. The bugs, which allow remote privilege escalation, enabling arbitrary code execution with existing elevated access, affect multiple versions. Dassault patched both vulnerabilities in August of this year, and CISA urges organizations to apply updates immediately and isolate affected systems from untrusted networks to prevent compromise.

In the final year of Donald Trump's first term, the CIA launched a covert cyberattack that disabled Venezuela's intelligence network. The operation, described by sources as perfectly successful, was intended to appease Trump's push for aggressive action against Nicolás Maduro without escalating into open conflict. Officials characterized the move as part of broader covert maneuvers to pressure Caracas, though Maduro remained in power. The revelation emerges as Trump's current administration ramps up military activity near Venezuela, including the deployment of 10,000 US troops and an aircraft carrier, raising fears of a potential regime change effort. Former officials say Trump's renewed maximum pressure campaign reflects lessons from his first term, when military and intelligence leaders resisted riskier operations. Analysts warn that today's military buildup, framed as a counternarcotics mission, may mask preparation for direct strikes.

Coming up after the break, my conversation with Ben Seri from Zafran, discussing the trend of AI-native attacks. And new glasses deliver fashionable paranoia. Stay with us.

They know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
Podcast Announcer
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Dave Bittner
Ben Seri is co-founder and CTO of Zafran. I recently sat down with him for information on the trend of AI-native attacks.
Ben Seri
I think there is a great interest in this field and how it can actually be a force multiplier for practitioners in their day to day. I think there is still a question about how much the human should still be in the loop and be the one controlling the AI, or how much agency essentially should be given to the AI. But I think there is the basic of it. There is much, much curiosity and wonder about what the opportunities of this market are. And this is a great thing for innovation. This is a great opportunity for companies like ourselves and others to offer new solutions and see how the market reacts.
Dave Bittner
Well, and I suppose it's fair to say, to a certain degree, it's a necessity because the adversaries are adopting this rather quickly.
Ben Seri
That is completely true. Attackers have been observed to be using AI to exploit vulnerabilities, to develop malware, to scan the Internet and find prey. And unfortunately they've been very successful at it. And so defenders need to up their game and to see how they can also adopt new tech to better defend themselves.
Dave Bittner
So what are some of the opportunities that you see here in terms of using this technology to better protect people?
Ben Seri
So being a bit technical, I think from a technical perspective, LLMs and agentic AI, the potential of it is to be a great tool to analyze text. That is the basics of it, right? That's how it began. And many of our problems, also in cybersecurity, include unformatted, non-structured text. And there is expertise in understanding this text. And this is why vendors are required to train, or to at least guide, the AI towards sensible outcomes. But at the principle of it, at the basis of it, it's a tool that is awesome, that is really incredible at analyzing text and reacting to it. And from there it can create plans. And from plans it can also do actions.
Dave Bittner
What are some of the specific things where you see there being a future here?
Ben Seri
So in our field of exposure management, or continuous threat exposure management, there is just a huge pile of vulnerabilities that practitioners need to deal with on a daily basis. Many of these are actually false positives that are not exploitable vulnerabilities in their environment. But it's very difficult for practitioners to know what is false and what is true. Some automation in existing tools in CTEM, like Zafran, already provides great context to be able to better prioritize and understand this data. And then agent technology can come on top of that and actually also make sense of that last mile. I understand that I have an impact. Is this impact actually relevant for me? And then how can I remediate it? So connecting the dots between potential impact to actual impact to remediation plans, concrete remediation plans, is something that we are seeing that agentic technology can be a great opportunity in.
Dave Bittner
How do you recommend that organizations balance the need for putting guardrails on this technology, but at the same time taking advantage of the speed with which it can do things?
Ben Seri
I think at the beginning of it, the human in the loop is essential. And so it's twofold. I would say, let me go back. It's twofold. One is you have to understand how the solutions that you are buying in this field work. So you can't just connect them and trust them out of the box. Each solution that takes on an agentic topology needs to implement on its end guardrails: what data does the tool have access to, what tools can it then interact with, and at which points will the human be in charge of approving actions. So it's essential to understand the guardrails that are provided by vendors. And then it's essential to ask what the human would be validating in this process. It's not only that I would approve what is presented to me. I also need to be a feedback loop, to be cognizant of the fact that AI needs to be validated at our current stage. We have all experienced the fact that it can hallucinate, it can come up with wrong evidence or distorted realities. And the human needs to be also a guardrail in that sense. But I do believe that, not far from now, humans will try this tool on, in our field, not in other fields. They'll find the 90% or 98% or 95% of cases where it is accurate, where it is offering them good advice. And then there's an opportunity to automate further and say, okay, for these actions, for these insights that you're providing, you don't need me in the loop. You can provide that as a report. I can get that offline, right? So starting with a human in the loop, that's required. But as trust is gained, there is opportunity to do more.
Dave Bittner
What sort of results are you and your colleagues seeing here? What does success look like?
Ben Seri
So what we have published is research and a blueprint of how agentic tech can also be the remediator of vulnerabilities in production environments. So there are various types of vulnerabilities and various types of environments. And what we found is that you are giving an instruction to the agent: here is an asset. It has a certain exposure, a certain vulnerability. Now investigate that in depth. Understand the potential impact of patching this. What will it do to my system if I actually remediate it? Because that is a primary risk, not only the cyber risk, but the operational risk of remediation. So understanding dependencies, understanding interaction between different parts of your system, is one thing that we found that it can do very well. And then the second half is, it can then simulate the path or offer actual scripts, create code that will do the remediation. And that makes sense, because these models by Anthropic, for example, have been trained on code, so they know how to produce code. That is one of the use cases that they are doing very well. And doing patching and doing remediation involves creating these upgrade packages. So that piece came quite naturally to these tools to do, because they have been trained on doing code. So to summarize, they can actually be a remediator of vulnerabilities. They can be one that interacts with your endpoints and/or your servers and offers concrete plans for how to do the patch. And that is a huge gap in how practitioners are trying to do that today. And we are seeing that as a huge opportunity.
Dave Bittner
For folks who are curious about this, or think perhaps it's a good fit, what sort of questions should they be asking, what sort of things should they be considering, to discover if it really is a good match for them?
Ben Seri
I think a very basic question to ask, it's about AI, but it's not only about AI, is: do you believe in your current state that you are able to actually remediate everything that you're impacted by, or to actually prioritize well, to have enough context to know that you are patching, you're remediating against the threats that are going to pose the most risk to you? That is a basic question that needs to be asked continuously. And now, as attackers are using AI, that question needs to be asked twice as much, because the speed at which attackers are able to exploit vulnerabilities is not matching the speed at which defenders are able to remediate against emerging threats. So the combination of the two means that there is opportunity for attackers to be much, much faster. And they don't need to find zero-day vulnerabilities; they can just exploit vulnerabilities that were known for some time. So from the corporation's point of view, it needs to ask itself: is there a tool that I can take on, agentic or otherwise, that can allow me to actually be much quicker than I am today, and maybe to also shorten the gap not only between attackers and defenders, but also between security and IT? Security used to have one job, which is to say, this is critical, go ahead and patch it, and then IT takes it on and does the remediation side. One of the questions I think that practitioners need to ask themselves is, can I shorten this gap? Are there cases where security can be active on the remediation side? Can I provide more context and more practical tips to IT on how to patch, as well as to the DevOps and to the engineers? So I think that is the main question. Can we be faster with this tool? Much, much faster.
Dave Bittner
All right, terrific. Well, I think I have everything I need for our story here. Is there anything I missed? Anything I didn't ask you that you think is important to share?
Ben Seri
Yes, I think one of the elements that we're seeing becoming a growing concern is the fact that not only are attackers using AI; more and more vendors, more and more customers are now part of enterprises that are developing AI in house. And there is also risk in the applications that these enterprises develop. And it's a very new field. It's unknown in many regards what will be the greatest risk of developing applications that use AI for customers, for enterprises. I think that is one of the things where we are also looking to be a partner for enterprises, to find vulnerabilities and to find exposures in their AI applications. That is a field that will become significant, because as more AI becomes inherent in coding, the more vulnerabilities and new types of risks it will include.
Dave Bittner
That's Ben Seri from Zafran.

And finally, Zenni, the online glasses retailer best known for affordable frames and bold colors, now sells eyewear that claims to block facial recognition, because apparently that's where we are as a society. The company's new ID Guard coating gives lenses a subtle pink shimmer that reflects infrared light, blinding the cameras used in some surveillance systems. Tests by 404 Media confirmed the glasses can foil Apple's Face ID and turn wearers' eyes into mysterious voids under infrared cameras. Unfortunately, they're less effective against the more mundane threat of someone photographing your face in daylight and uploading it to a search engine. Still, there's something comforting about the idea. When the world is one big panopticon, at least Zenni will sell you reasonably priced rebellion in a flattering shade of rock.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening.
Podcast Announcer
We'll see you back here tomorrow. Cyber Innovation Day is the premier event.
Dave Bittner
For cyber startups, researchers and top VC
Podcast Announcer
firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights
Dave Bittner
and panels on securing tomorrow's technology.
Podcast Announcer
In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders,
Dave Bittner
investors and researchers around breakthroughs in cybersecurity.
Podcast Announcer
It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 29, 2025
Host: Dave Bittner
This episode of CyberWire Daily delivers a round-up of top cybersecurity news with a global focus, including the dramatic shutdown of a crime hub in Myanmar, evolving tactics of major botnets, high-profile data breaches, and key regulatory moves. A special feature interview with Ben Seri (CTO of Zafran) explores the rise of AI-native attacks and the defense opportunities and risks posed by increasingly autonomous cybersecurity tools. The episode wraps with a look at new "anti-facial recognition" eyewear—a tongue-in-cheek nod to contemporary privacy concerns.
[00:34]
“KK Park had been a key node in Myanmar’s expanding cyberscam industry, where criminal groups lure workers with fake job offers before coercing them into online fraud.”
[02:04]
“Analysts warn that botnet-driven proxy ecosystems blur the lines between lawful data collection and cybercrime infrastructure.”
[03:15]
“Attackers stole files containing information on clients, suppliers and current and former employees while its Japan based systems were unaffected.”
[04:26]
“The law aims to protect residents’ privacy and prevent discrimination against communities of color.”
“Memento has since urged customers to discontinue use of its Windows spyware as it shifts focus to mobile surveillance tools.”
[07:04]
“Affected users can revert to their original plans and should contact Microsoft for refunds if charged improperly.”
“Analysts warn that today’s military buildup, framed as a counternarcotics mission, may mask preparation for direct strikes.”
[13:41–24:46]
AI-Native Attacks and Defensive Opportunities (“Agentic” Security AI)
“I think there is a great interest in this field and how it can actually be a force multiplier for practitioners in their day to day.” [13:52]
“Attackers have been observed to be using AI to exploit vulnerabilities, to develop malware, to scan the Internet and find prey. And unfortunately they've been very successful at it.” [14:42]
“It's fair to say to a certain degree it's a necessity because the adversaries are adopting this rather quickly.” [14:32]
“At the basis of it, it's a tool that is awesome...at analyzing text and reacting to it...from there it can create plans. And from plans it can also do actions.” [15:17]
“Each solution that takes on an agentic topology needs to implement on its end...guard rules: what data does the tool have access to, what tools it can then interact with, and at which points will the human be in charge in approving actions.” [17:28]
“AI needs to be validated at our current stage...the human needs to be also a guardrail in that sense.” [18:16]
“Agentic tech can also be the remediator of vulnerabilities in production environments.” [19:30]
“They can be one that interacts with your endpoints or your servers and offer concrete plans to how to do the patch. And that is a huge gap on how practitioners are trying to do that today.” [20:38]
“Do you believe in your current state that you are able to actually remediate everything that you're impacted by or...prioritize well?” [21:33]
“There is also risk in the applications that these enterprises develop...it’s unknown in many regards what will be the greatest risk of developing applications that use AI for customers or enterprises.” [23:43]
“When the world is one big panopticon, at least Zenni will sell you reasonably priced rebellion in a flattering shade of rock.” [24:46]
This episode blends breaking cyber news, from intrusion and crime disruptions in Southeast Asia to regulatory and privacy fights around the globe, all against a backdrop of accelerating attacker innovation through AI. Ben Seri's interview underscores the urgent need and potential for security teams to harness AI—wisely and cautiously—to keep up with emerging threats, but also foreshadows new risks as organizations build and deploy their own AI-powered applications. The closing story on anti-facial-recognition eyewear is both clever and reflective of society's evolving relationship with technology and surveillance.
For more details, check out the cyberwire.com daily briefing or listen to the full episode for deeper commentary.