A
You're listening to the Cyberwire Network, powered by N2K. Step into the digital Upside Down with Cyber Things, Armis' new three-part podcast series, which will dive into the unseen world of cybersecurity. From real-life hacks to the digital
B
Shadows of the dark web, we connect pop culture and protection, fear and control.
A
Episode one drops soon, so look out for Cyber Things in partnership with Cyberwire.
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R.com/cyberwire.
Anthropic claims China-linked hackers used Claude AI in an automated espionage campaign. Google reconsiders its upcoming developer verification policy for Android. AT&T customers affected by two data breaches in 2024 can now file claims. Nearly 10,000 Washington Post employees were affected by a data breach. ASUS and Imunify360 patch critical flaws. DoorDash discloses a data breach. Checkout.com donates the ransom to researchers. Kraken ransomware benchmarks systems before encryption. Our guest is Mike Arrowsmith, chief trust officer at NinjaOne, sharing his thoughts on how cyber may be heading for its California fire insurance moment. And AI chatbot toys behave badly.
Friday, November 14, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. Happy Friday. It's great to have you with us.
Chinese state-sponsored hackers used Anthropic's Claude AI tools in a September cyber espionage campaign that the company describes as the first reported case of an AI agent automating most phases of an attack with limited human input. According to Anthropic, the group, assessed with high confidence as China-linked, used Claude Code to handle up to 90% of tasks across reconnaissance, exploitation and data collection, with humans guiding only a handful of key decisions. The operation targeted about 30 technology firms and government agencies, though only a small number of attempts succeeded. Outside researchers questioned the significance, noting that attackers relied on common open source tools and that Claude frequently hallucinated results, limiting effectiveness. They also argued that AI has not yet produced the dramatic offensive gains some vendors suggest. China's Foreign Ministry rejected unproven accusations. Researchers broadly agree that AI can streamline workflows, but fully autonomous high-impact attacks remain elusive.
Google is softening its upcoming developer verification policy after significant backlash from Android users and developers. The policy, announced in August and set to begin in 2026, would require all apps on certified Android devices to come from developers who verified their identities, a move meant to curb malware in sideloaded apps. Critics objected to the required fees and government ID checks, and projects like F-Droid warned the rules threatened the open Android ecosystem. In response, Google will create a lighter-weight account for developers distributing apps to small audiences and a new install flow that lets advanced users sideload unverified apps with added warnings. Early access invitations are rolling out now. Verification becomes mandatory in select countries in late 2026, with worldwide adoption planned for 2027.
AT&T customers affected by two data breaches in 2024 can file claims for part of a $177 million class action settlement. The first breach, disclosed in March, exposed sensitive personal data on the dark web. A second breach in July involved limited data taken from a third-party cloud workspace. Eligible customers may receive up to $5,000 or $2,500 depending on the incident, with some qualifying for both. Claims are due by December 18th and can be submitted at telecomdatasettlement.com.
Nearly 10,000 current and former Washington Post employees and contractors were affected by a data breach tied to attacks on vulnerable Oracle E-Business Suite systems. A threat actor linked to Clop ransomware exploited zero-day flaws across dozens of organizations, stealing more than 120 gigabytes of Post data and later attempting extortion. Compromised information includes names, bank and routing numbers, Social Security numbers and tax IDs. The Post says hackers accessed data between July and August, aligning with reports that exploitation began months before patches were released.
ASUS has issued new firmware to fix a critical authentication bypass flaw affecting multiple models of their routers. The vulnerability lets remote, unauthenticated attackers access unpatched devices exposed online with minimal effort. The latest firmware version resolves the issue, and ASUS urges all users to update. For devices that cannot be patched, ASUS advises disabling Internet-facing services such as remote WAN access, port forwarding, DDNS, VPN servers, DMZ and FTP. Users should also strengthen passwords, avoid credential reuse, and regularly check for updates. While there are no active exploitation reports, router flaws are frequently targeted for botnet activity. ASUS has recently patched other serious vulnerabilities, and past incidents show attackers leveraging router bugs to compromise thousands of devices.
A newly patched flaw in Imunify360, a security suite protecting roughly 56 million Linux-hosted websites, could allow attackers to execute arbitrary code and potentially take over shared hosting environments. Patchstack says the issue is triggered when Imunify360's AI-Bolit malware scanner processes a specially crafted file, allowing code to run with root privileges. CloudLinux confirmed the critical vulnerability and released a fix on October 21, though no CVE was assigned. Technical details and a proof of concept are now public, and providers are urged to check for compromise.
DoorDash has disclosed an October 2025 data breach caused by a successful social engineering scam against an employee. The company says an unauthorized party accessed and took user contact information, including names, physical addresses, phone numbers and email addresses. DoorDash did not specify how many people were affected, but confirmed that consumers, dashers and merchants were among those impacted. Notifications began going out on November 13, with many reaching Canadian users, though a broader advisory suggests the incident may extend beyond Canada. This is DoorDash's third major breach after incidents in 2019 and 2022. Users have criticized the company for taking 19 days to issue notices. DoorDash advises customers to watch for phishing attempts and says it strengthened security and notified law enforcement.
Checkout.com says it was hit by an extortion attempt by the ShinyHunters group, which accessed data stored in a legacy third-party cloud system used before 2020. The company estimates that fewer than 25% of current merchants are affected. The compromised systems held internal documents and onboarding materials, not payment data. Checkout.com says its live processing platform was untouched and no card numbers or merchant funds were accessed.
The company acknowledges the legacy system should have been properly decommissioned and is contacting impacted partners while working with regulators and law enforcement. Refusing to pay the ransom, Checkout.com will instead donate the equivalent amount to cybersecurity research at Carnegie Mellon University and the University of Oxford. The company says transparency and trust remain its priorities.
Kraken ransomware, a successor to the HelloKitty operation, now incorporates a rare benchmarking feature that tests each compromised machine to determine how quickly it can encrypt data without overloading system resources. Cisco Talos says Kraken creates and encrypts temporary files to decide between full or partial encryption. Active since 2024, the group conducts big game hunting attacks with data theft and lists victims across the US, UK, Canada, Panama, Kuwait and Denmark. Kraken intrusions typically begin by exploiting SMB flaws, then using stolen admin credentials, Cloudflared tunnels, and SSHFS to move laterally and exfiltrate data. Windows and Linux/ESXi variants include modules to target databases, network shares, local drives, virtual machines, and more. Kraken also launched a cybercrime forum to support its operations, and ransom demands can reach 1 million dollars.
Coming up after the break, Mike Arrowsmith from NinjaOne shares his thoughts on how cyber may be heading for its California fire insurance moment, and AI chatbot toys behave badly. Stick around.
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A.com/cyber.
Mike Arrowsmith is Chief Trust Officer at NinjaOne. I recently caught up with him for insights on how cyber may be heading for its California fire insurance moment. Longtime listeners of the Cyberwire will know that I love analogies.
And for years I've been using the analogy or wondering if cyber insurance wasn't headed the same way as, let's say, flood insurance. But you've got an even better analogy here. You're talking about fire insurance, like from California. Did I have this right, Mike?
B
Correct. It's a great example and analogy that I think accurately describes where we're heading.
A
Well, let's dig into it here. How does where we stand with cyber insurance compared to the situation folks in California find themselves in?
B
Yeah, great question. So I think, you know, taking a step back, when we think about cyber insurance policies, I think probably the predominant adoption of cyber insurance has probably occurred maybe over the last 10 years, is what I kind of recall being asked about IT purchasing policies. So within the last 10 years there's been an uptick of organizations like NinjaOne, others, other past employers of mine, purchasing these policies that effectively cover themselves in lieu of a breach. So when a breach happens, it provides some kind of financial stability resources for that organization to effectively contain, respond and ultimately remediate any kind of breach that may have happened. Traditionally, we have seen most organizations kind of switch and pivot away from this kind of ideology, I can absolutely prevent a breach, to now everybody accepting it, it will happen. And it's just a matter of timing before that occurs. And so I think it has a really great synergy with the current fire insurance fiascos that are happening in California today. And especially when we start to overlay, what we're already beginning to see is the impacts of how artificial intelligence is actually helping adversaries penetrate, exploit organizations that much faster, that much easier. So we see a lot of these insurance policies being written for flat dollar amounts. I think I need, as an example, $1 million in terms of effective coverage to help us when a specific breach was to occur. And typically insurers are banking on, ideally, you know, we're leveraging that policy at some point in time, in the future, or maybe it doesn't happen. It's all a factor of how you are specifically targeted, what types of services that you provide to your customers, how easy it is, how much time, energy you invest in your own cybersecurity program.
So seeing the advent of what was traditionally a very complex and technically advanced set of skills that were necessary to exploit organizations, AI has significantly lowered that bar of entry for adversaries. It's enabled them to spin up active campaigns to target organizations through spear phishing, to exploit open APIs or web services that you may have available, to the point where we're seeing it quite regularly. Whereas in maybe the past, upwards of five years ago, we would see one or two phishes, maybe a month, maybe a quarter, now we're seeing that multiple times happening every day. And we see this compounding in retrospect to insurance carriers, that we're seeing an increase of breaches, increase of activity from adversaries. And it's just common sense and logical deduction that the insurers are going to end up having this snowfall effect where more organizations are going to find themselves being breached, leveraging these policies, and ultimately these insurers, who rightfully so up until recently haven't had to pay out large significant amounts, or like in California, seeing with fire examples and disasters, those policies quickly escalating and quickly having some monetary impact to the insurers themselves. And ideally, this is what we're describing as this watershed moment for cyber insurers.
A
How do you see the cyber insurers adjusting the policies that they offer and the scrutiny that they have for paying people back after an incident?
B
Yeah, great question. So up until recently, most of the time it was filling out a self-assessment questionnaire, and then based off of how you answered that questionnaire, your policy would be effectively ranked and you would get your premium assigned after that. Now we are seeing insurers begin to do more formal due diligence with insurees to make sure that what they report is factually accurate, is to their best of their abilities, actually factually in place. A great set of tools that we're seeing more and more are these types of risk assessment tools. Again, BitSight is one of them. SecurityScorecard is another one. It's very easy for organizations to kind of leverage these types of holistic tools that look at organizations, your domain, your emails, your employee accounts, and just try to get a valid, or maybe a symbolic sense of what the risk profile is for your specific organization. And we're seeing insurers adopt more and more like technologies, or validate that additional protective measures are in place. Show me screenshots, show me examples of where you're actually using these tools. Where in the past it was more of a traditional just questionnaire, true or false, yes or no types of questions, to where now it's borderline what we would expect in like a compliance audit or some form of due diligence audit by our customers, where we want to make sure that you're actually implementing these various types of controls. You have these tools, you have these teams, you have these technologies in place, because they themselves are seeing the increase in policy payouts and it's just a matter of time. With the advent of AI coming into the picture more and more, we're going to see more and more organizations breached every month, every quarter, every year.
A
What's your advice for the folks who are out there shopping for insurance? What sort of things should they be looking for and what can they put in place to make sure that the insurance companies see them as a good risk?
B
Great, great question. I would think that the first and foremost is to find yourself a really good broker that understands the space in which you operate as an organization. What of customers you typically deal with in and out and have similar like insurees within their portfolio so that you have a really good partnership to be able to provide the right insurance, to be able to provide the right level of comfort and coverage. But also a lot of times with these insurers' policies, they are a gateway for a lot of organizations to get that advanced help. And when the stressful time does occur, like a breach. So that would be step number one. Step number two is to really assess what does a breach impact to your organization really mean? So understanding if we were breached, is there some form of reputational damage that will be underway against our organization? Is there some kind of reporting obligation that has to be done to a government or third-party agency, a customer base? What does all that mean? What does it mean if we lose customer data? What does it mean if data that customers provide to us is actually exfiltrated, meaning removed from my possession by an adversary? I think a lot of times as consumers we're inundated with breach notifications from this credit reporting agency or this web service. So we kind of get into this false sense of narrative that that was okay. It's not okay by any means. And so trying to wrap our heads around that spec issue as an organization and what does it mean for our future goals, for our milestones, that we as an organization are trying to achieve is really imperative. When you think about am I picking the right cyber insurance policy, the right sets of coverages, the policy includes the things that I'm going to need the most, but also the amounts that are going into that policy. Do we believe that will cover us when that breach does occur?
And then lastly is really most important, as I'm referencing here, is to really understand and walk through that as an executive team, as a PR function, what does it mean when we actually have a breach and to have everybody be ready for when that event occurs? All of those will impact that policy. All of that will impact which provider you choose and to make sure that partnership is as effective and seamless as possible.
A
It sounds to me like part of what you're saying is people need to be mindful to not just have their insurance policy be a checkbox in the things that they do in business, that, you know, the person that you're dealing with, your broker, could be a partner in making sure that you're where you need to be.
B
1000%, and also could be a tremendous partner and lifeline. When you do have that breach, it's incredibly stressful. You're going to get inundated with lots of customer calls, executive calls. A lot of financial backers, especially investors, will all of a sudden ask lots of questions when that event does occur. And having that amazing partner a moment's phone call away is really a tremendous value-add that a lot of these brokers, a lot of these insurers, will provide if you've picked the correct one. And I often use the analogy of, you know, in our own personal life, we're often motivated by price. So when we go purchase an auto insurance policy, a life insurance policy, price as a consumer is typically one of the greater impacts to why I chose this specific provider. But from a business perspective, price should be secondary and more focused on what is the risk and overall partnership with that provider when that emergency does happen. So unlike, again, I'm trying to use it in generic terms, but you may never use your auto insurance policy, which is a goal. Many of us don't ever use our home insurance policy. In a cyber insurance policy perspective, you are almost guaranteed at some point in the future to use that policy because you will be breached. It's just a matter of timing when that will occur. And so having the very best partnership, the most effective policy in place that covers all of the aspects that you as an organization deem necessary or vital to continue operations, is really, we cannot stress that enough with more and more people.
A
More like a life insurance policy where, you know, nobody gets out alive. Right. Like we all, we all meet up that day.
B
That's exactly it. That's a great analogy. And so again, it's inevitable.
A
Right?
B
And so thinking through that life insurance is a great analogy. How does it get paid out? Why does it get paid out? What does it mean for my heirs? What does it mean for my family? Those types of similar type conversations we conduct as an organization to make sure we're, we're properly insured. Again, it's always that balance. You know, a lot of times we don't want too much insurance policy. We don't want to be stuck with too little either. So trying to find that balance, I think is also another important aspect.
A
That's Mike Arrowsmith, chief trust officer at NinjaOne.
They know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, researchers have now confirmed what many parents long suspected. Giving a teddy bear the verbal powers of a Silicon Valley chatbot may in fact be a terrible idea. In tests of three AI-powered toys, the US Public Interest Research Group found the gadgets behaved less like cuddly companions and more like unfiltered Internet strangers. Given just a bit of conversation, the toys began offering children tips on locating kitchen knives, lighting matches and, in one memorable case, exploring a wide range of eroticism. The worst offender, FoloToy's Kumma, managed to pivot from safety-first little buddy to full-blown kink tutorials with unsettling enthusiasm. Researchers warn that the holiday rush will put millions of these lightly regulated devices into homes long before anyone understands their developmental impact. As the Public Interest Research Group's R.J. Cross put it, if she were a parent, she would not hand her child a chatbot in a bear suit, no matter how cute and cuddly it may be.
And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the Cyberwire. Be sure to check out this weekend's Research Saturday and my conversation with Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox. We're discussing their research, Deniability by Design: DNS-Driven Insights into a Malicious Ad Network. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Date: November 14, 2025
Host: Dave Bittner, N2K Networks
Guest: Mike Arrowsmith, Chief Trust Officer at NinjaOne
This episode covers several significant cybersecurity news stories, from Claude AI-fueled espionage to industry responses to major data breaches. The centerpiece is an interview exploring how the cyber insurance market is reaching a “California fire insurance” moment, where rapid shifts make coverage more crucial, more scrutinized, and potentially more costly. The episode also calls out the potential dangers of AI-enabled children’s toys.
The episode delivers focused, accessible analysis of evolving risk in cybersecurity—especially where AI both accelerates attacker capabilities and increases the stakes for organizations relying on insurance. The tone is pragmatic, emphasizing preparedness and the inevitability of breaches in the modern landscape.
For listeners:
Don’t just buy insurance—use it strategically, stress-test your defenses with your provider, and be ready for the breach when it happens. And keep AI toys far from unsupervised children.