Maria Varmazes
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Maria Varmazes
A record-breaking Bitcoin seizure. Patch Tuesday notes. Capita fined for unlawful access to personal data. Unity site skimmed by malicious script. Vietnam Airlines breached, potentially exposing 20 million passengers. An automotive giant experiences a third-party breach. Tim Starks from CyberScoop is discussing how Senator Peters tries another approach to extend expired cyber threat information sharing. In our latest Threat Vector, David Moulton sits down with Harish Singh about hybrid work. And inside North Korea's blueprints for deception. Today is October 15, 2025. I'm Maria Varmazes, host of N2K's T-Minus Space Daily, taking the mic for Dave Bittner, and this is your CyberWire Intel Brief. Thank you for joining me on this Wednesday. Let's dive in. US and UK law enforcement have seized approximately 127,271 bitcoins valued at around US$15 billion linked to the so-called Prince Group scam empire. This marks the largest cryptocurrency seizure in U.S. history. Authorities alleged that the group, run by Cambodia-based operator Chen Zhi, operated large-scale pig butchering scams, also known as romance or investment frauds, and forced labor camps across Southeast Asia. The crackdown also includes sanctions on 146 entities tied to the criminal network and the freezing of luxury properties in London, while Chen Zhi remains at large. Officials say that the move targets the financial backbone sustaining one of the most expansive cyber fraud operations ever identified. Yesterday, Microsoft issued patches for 172 vulnerabilities, including six zero-day flaws, according to a report from Bleeping Computer. Three of the zero-days are actively being exploited, while the others were publicly disclosed before a patch was available. Krebs on Security notes that this is the last month that Windows 10 will receive security patches unless customers enroll in the Extended Security Updates program. 
The operating system has officially reached end of life. The Register reports that Adobe has fixed 36 vulnerabilities in its products, including several critical remote code execution flaws. SAP has issued 13 new security notes and updated four previous security notes. Three of the flaws are deemed critical. Security Week notes that Fortinet and Ivanti have also fixed high-severity flaws. Capita, which is a major UK outsourcing and IT services firm, has been fined 14 million pounds by the UK Information Commissioner's Office for a 2023 data breach affecting over 6.6 million individuals. The breach involved unlawful access to personal data, including names, addresses, phone numbers and sensitive identifiers, all stemming from inadequate security measures at a third-party provider. The Information Commissioner's Office, or ICO, ruled that Capita failed to take appropriate technical and organizational measures to protect the data, particularly during transfers to and from its subcontracted systems. The penalty reflects both the scale of harm and the company's level of responsibility as data processor and controller. Capita has committed to improving its security posture and embedding stricter oversight over subcontractors. A malicious script was discovered on Unity's website that skimmed sensitive information from hundreds of users during checkout for asset packages. The information included names, email addresses, phone numbers and credit card details. Security Week reports that the injection persisted for at least five days in August and the script targeted Unity's store and Asset Store services. Unity confirmed the incident and stated that it had removed the code and launched an investigation, though it did not publicly disclose the full extent of the data exposure. The company advised affected customers to monitor financial accounts and consider changing their credentials. 
The personal data of potentially 20 million Vietnam Airlines passengers were exposed due to a security breach. The threat actor may have accessed certain customer data, but the airline says the breach did not affect payment information, passwords, travel itineraries, Lotusmiles balances or passport details. The airline attributed the exposure to unauthorized access within third-party systems that interface with its operations. While the company insists that it is investigating, it has not fully disclosed the breach's scope or whether those affected have been notified. The incident reportedly involves the airline's Salesforce instance, and the Scattered LAPSUS$ Hunters group has claimed responsibility for the attack. Stellantis, which is the automotive giant behind brands like Jeep and Chrysler, confirmed a data breach via a third-party service provider supporting its North American customer service operations. The exposed data was limited to basic contact details like names, email addresses and phone numbers, and did not include financial or deeply sensitive personal information. That said, while the company has initiated its incident response, notified affected customers and engaged authorities, it did not specify how many individuals were impacted. The breach arises amid a broader uptick in cyber attacks that are targeting automakers and their third-party connectors. Coming up after the break, Dave Bittner is joined by CyberScoop's Tim Starks to unpack Senator Peters' latest push to revive a key cyber threat information sharing law. Then in our Threat Vector segment, Wipro's Harish Singh joins David Moulton to explore how hybrid work, SaaS, and AI are reshaping the cybersecurity game. And North Korea's blueprints for deception. Stick around.
Dave Bittner
What's your 2am security worry? Is it do I have the right controls in place?
Harish Singh
Maybe?
Dave Bittner
Are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale, and it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A.com/cyber. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Maria Varmazes
Today, Dave Bittner is joined by CyberScoop's Tim Starks to unpack Senator Peters' latest push to revive a key cyber threat information sharing law. And here is their conversation.
Dave Bittner
And it's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Tim Starks
Hi, Dave.
Dave Bittner
So as you and I are recording this, we are still in the midst of a government shutdown, and that has led to the Cybersecurity and Information Sharing Act of 2015 expiring. There's been a, a senator who's trying to address that issue. And you've reported on it. What's the latest, Tim?
Tim Starks
Yeah, the latest is that Senator Gary Peters, who's the top Democrat on the Homeland Security and Governmental Affairs Committee, has introduced a new bill to try and plug this gap. He did two very important things with it that were, that were simply beyond just trying to extend it for 10 years, which is the base bill that he, he introduced at an earlier point this year. One of the first initiatives to try to actually address this, this expiring law. First, it makes its provisions retroactive to October 1, which is when the law expired. And maybe the most important part for me, just as a reporter renaming the thing.
Dave Bittner
Let's dig into that, because it sounds silly, but it is actually important.
Tim Starks
Yeah, I'm obviously being a little comedic about it, but this is actually something that might be affecting things. So the Cybersecurity Information Sharing Act shares an acronym with the Cybersecurity and Infrastructure Security Agency. And this has been causing confusion for anybody who talks about either of these things. But according to Senator Peters, who talked with some reporters about this, it's actually probably complicating the chances of it passing, that there's been some confusion, he said, with some Republicans who have animosity with CISA, the agency, not the law, over their belief, much denied by people who worked at CISA at the time, that they were engaging in anything like social media censorship. So because there's been some confusion and there have been times where I've been hearing, when I've heard Senator Rand Paul talk about this, and he's, of course, a very important person. He is the chairman of the Homeland Security and Government Affairs Committee who has been causing some hiccups on getting this going. He has talked about CISA like he's talking about CISA 2015 and vice versa.
Dave Bittner
He's talked about CISA like he's talking about CISA.
Tim Starks
Yes.
Dave Bittner
When he's actually talking about CISA.
Harish Singh
Yeah.
Tim Starks
You could see how complicated this gets, right, to reflect on, talk about for anybody. You know, he, he, he clearly has some problems with CISA, the agency. He has not said hardly anything about what he thinks about CISA, the law, outside of his original objections to it in 2015. He doesn't seem to any longer have major issues with it, although he is, you know, we can get into some of the details of this. He has proposed his own version of this that, that leaves out some of the protections that the law provided. Nonetheless, I have spoken to him directly and asked him, when you talk about reauthorizing CISA, are you talking about CISA 2015 or, or the agency CISA? And he said directly, CISA 2015. So maybe, maybe Senator Peters misunderstands, maybe Senator Paul has understood it sometimes and not other times, but the naming is important. So the new name would be the Protecting America from Cyber Threats Act, a PACT Act. There is a House bill, I forget what the name, what the acronym stands for, but it would be the WIMWIG Act. I think PACT is a little catchier. Yeah, WIMWIG doesn't seem to have any significance in terms of its meaning. PACT seems pretty obvious, right? We're talking about an agreement. So that is what this bill does.
Dave Bittner
Can we touch on the free speech element of this? Because there's talk that any version that's going to pass may have to include this or at least acknowledge it.
Tim Starks
Yeah, it's, you know, Senator Paul has always been, he talks and he talks a great deal about free speech as one of his big, big issues. He's a libertarian who, his politics can get a little murky at times. But, but what it, what it seems like he's saying, at least for this bill, is that he wants, he wants assurances that CISA will not, CISA, the agency, will not conduct any censorship as a condition for passing a CISA 2015 reauthorization. So he put forward a bill at the end of September that would basically do that, combine those two things. It got a little, it ran into some difficulties because the provisions on free speech weren't that popular with everyone. Not that anybody was saying we don't like free speech, but they were thinking this was sort of an unnecessary, unrelated. Some people don't even think, you know, especially on the Democrat side, that it even was a problem for CISA the agency. But also the agent, the industry groups and cyber pros who took a look at it said actually this, this might actually lead to less sharing because there were fewer legal protections. So it kind of, it basically what my understanding from my reporting extensively was that the industry groups and Republicans were, were going to make it difficult for Senator Paul to pass his version of the bill. So they pulled the markup. Senator Paul's office says that's not the case. They say Democrats wanted to delay. I talked, you know, when I asked Senator Peters about this just a couple days ago, you know, did you guys ask for delay? He said absolutely not. We're the ones who want to get this going.
Dave Bittner
Have you heard any indications that the expiration of CISA 2025 has led to folks dialing back their information sharing?
Tim Starks
Yeah, so I, I've talked to a few people. You know, the people who I've talked to, it's either not on their radar. You know, I'm talking about cybersecurity companies that you would think it would be on their radar. So that, that would be one hint that it's actually not that big a deal. Politico had a story where they talked to some cybersecurity companies, most of whom kind of ducked the question. I talked to Michael Daniel, who's the head of the Cybersecurity Threat Alliance, and that organization is a little different because they say if you're going to be a member, and the members are cybersecurity companies, you need to commit to sharing cyber threat data. So they have contractual implications. But despite Michael Daniel having warned to me and other venues that he's concerned that CISA 2015 expiring would lead to some potentially very devastating consequences, he did talk about them in a more of a theoretical standpoint. And what he's saying now is we're only kind of in the first few hours of this, really in the lifespan of a 10-year law, that it has gone away. We're probably not going to see major changes in people's behavior until people start to get worried that this is not going to be, this is basically not going to be revived in any way, shape or form. We'll see. You know, Senator Peters said that he's talking to people who are really nervous about it, but that's a big kind of a far cry from nervous to actually stopping sharing. So right now the evidence of stopping sharing isn't there. It doesn't mean it's not happening. It's just as of this time, it doesn't, we don't have evidence that people have stopped sharing.
Dave Bittner
So when the government eventually opens up again, where does something like this sit on the timeline of priorities, of all the things that need to happen when the government opens up again?
Tim Starks
Yeah, I think it kind of depends honestly on the degree to which any deal for reopening the government includes any kind of short-term reauthorization. You know, as a, as a longtime follower of Congress, they are a little bit like me in college, we're waiting till the very last minute to write the term paper. So what might happen is, you know, the continuing resolution that, that had gone through the House, that didn't make it through that, it didn't make it through the Senate, but that had had some provisions to extend CISA for a couple months, CISA 2015 for a couple months. And if that had been the case, I think we would have seen lawmakers really put their nose to the grindstone and try to get something before that expiration. Because appropriators don't tend to want to keep extending things for people over and over again for months, for a few months at a time. They kind of are like, we'll give you a little help, but we don't want to keep doing this for forever. You need to go fix this. So I think there will be some urgency if there is a deadline given in any kind of short-term reauthorization, assuming we get one, which I do at this point, assume we'll get one. You can never predict Congress, but that's my assumption. If the CR is long ways away or if the CR doesn't include this authorization, throw those predictions out the window. It gets difficult for anything standalone to make it through the Senate unless its constituents are yelling and screaming, everybody's on a 5-alarm fire, because any one person can stop it. And that's what's been happening. So since it's 2015, there have been attempts on the floor to make it so that, hey, let's pass this by voice vote. Well, Senator Paul has been objecting, so it gets difficult unless you can hit your right on something, unless you get everybody on board. So that's where things get a little complicated. 
I wouldn't be surprised if we said short term authorization at some point, but when we get a long term reauthorization that's a little bit difficult to anticipate.
Dave Bittner
All right, well, as we love to say, time will tell.
Tim Starks
You love it, you love.
Dave Bittner
Tim Starks is senior reporter at CyberScoop. We will have a link to his coverage in our show notes. Tim, thanks so much for taking the time for us.
Tim Starks
Thank you, Dave.
Maria Varmazes
That was Dave Bittner joined by CyberScoop's Tim Starks to unpack Senator Peters' latest push to revive a key cyber threat information sharing law. On our Threat Vector segment now, Wipro's Harish Singh joins David Moulton to explore how hybrid work, SaaS, and AI are reshaping the cybersecurity game.
David Moulton
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter the most. What you're about to hear is a snapshot of my conversation with Spencer Thielman, Principal Product Manager at Palo Alto Networks, where he leads AI runtime security. Spencer's team tracks AI applications across the enterprise landscape. What his team discovered reveals the scope of this challenge. Last December, they cataloged 800 AI applications. By May, that number hit 2,800. That's 250% growth in just five months. Meanwhile, over half of enterprise employees now use generative AI apps daily. And up to 30% of what they send contains sensitive data. If you're still thinking AI security is a future problem, you're already behind. Spencer, welcome to Threat Vector. I've been excited to have you here. I've been dying to have this conversation with you for weeks.
Harish Singh
So happy to be here. Looking forward to it.
David Moulton
How should enterprises think about their AI security strategy? And maybe what are the most impactful mental models that you use?
Harish Singh
Certainly. So before we get into this, I think it's always important to start with why we do what we do. And in the context of AI, like, our why is that we believe that the benefits of AI are profound, but so are the risks. And we therefore have a kind of like moral obligation to help our customers capture the power of AI, but do so safely and securely. Right. So that's where we're always coming from when we have these kind of conversations. And the way that we think about this is you can break enterprise AI security down into basically two pillars. The first is I need to think about how to secure my employee use of generative AI SaaS apps like ChatGPT, Perplexity, and Grammarly. That's the first part. And the second piece is how do I go about securing the AI apps, models and agents that I'm running in my own cloud environment? That could be AWS, Google Cloud, Azure, on-prem, or some other variation of those. So those are the two things that matter. What are my employees doing? How can I control that and have deep visibility into it? The other piece is how do I secure the AI apps, models and agents that I run in my own cloud environment? That's how we kind of split up the problem, so to speak.
David Moulton
All right, let's shift gears a little bit and talk about holistic AI security. How do you break down the pillars of AI security? I know we've got model scanning, AI red teaming, posture management, LLM security, agent security. Am I missing another big area that we should talk about today?
Harish Singh
So we break AI security down into five pillars. And again, I want to kind of recenter this to the mental model that's guiding the whole conversation. Whenever we speak about securing AI, it's about thinking about how employees are using generative AI SaaS apps. We just covered that in the last 10 minutes or so. And then the second piece is how do I go about securing the AI apps, the models and the agents that I'm running in my own environment or that I've built? Right. And for that second problem, to secure, like, enterprise AI apps, models and agents, we've constructed kind of five pillars that define this. The first is model scanning. So I want to scan my model files to make sure that my models don't do things like contain malware or are vulnerable to deserialization attacks. And I want to do it as part of my ops process so that bad models don't ever even end up in production. We scan them before they go to prod. That's the first piece. And the second part is looking at AI apps, models and agents at the posture level. Great example of this with agents is like looking at their permissions. Are they excessive? If yes, let's scope those down. That's the second piece. The third part is red teaming. Here we want to attack AI apps, models and agents to see which threats go through and which don't, which then informs the runtime security part of AI security. So once you've made sure that the model file is free of threats, that it's secure at the posture level, you've red teamed it to understand which threats go through, then it's time to secure, like, let's say that AI app at runtime by looking at inputs and outputs to it, prompts and model responses, for example, and checking for threats like prompt injections, sensitive data, malicious URLs and the like. And then the final piece of all this is AI agent security, which kind of spans across the preceding four columns. But agent security is primarily broken down into runtime security and posture. 
And a great way to think about agent security is that it's kind of a superset of large language model security. Every threat that applies to large language models applies to agents. But because of what agents are, and we can talk about that, there's kind of a broader threat surface here.
David Moulton
Well, let's just hop right into it. When you're talking about an AI agent, how do you define that? You know, what are the bounds? What's not an agent, maybe?
Harish Singh
Certainly. So last year was all about chatbots, right? And if you think about what is a chatbot, it's an inherently passive interface, right? I ask a question, the chatbot runs inference, something comes back to me, and then the interaction is over until I ask another question. But agents differ in the way that they take action on behalf of users and organizations. A good working definition for an agent is that it's an application that's autonomous, has the ability to reason and to take action in pursuit of a goal. I'll give you an example from my personal life to maybe make this a little bit more real. So a few weeks ago, I went to Las Vegas to see one of my favorite bands at the Sphere, Dead & Company. And as an experiment, I had a chatbot determine the entire trip, where I stayed, which restaurants I saw, et cetera, because I wanted to experience the city that I'd been to many times, kind of through a new lens. So the chatbot told me what to do, where to stay, where to go, but I couldn't book any of that. I then had to spend about an hour on Expedia, Uber, OpenTable, et cetera, to kind of construct that trip from beginning to end. An agent could do that for me, right? I could tell my agent, hey, here's my budget, here's what I like, here's what I don't like. Go construct this for me. And the agent would interact with APIs again for Expedia, Uber, OpenTable, et cetera, to just kind of put that together for me. And it's that autonomy that makes agents profoundly powerful, right? I work with some enterprise customers, for example, that kind of leapfrog chatbots. Chatbots weren't really interesting to them, but agents are because of the productivity and efficiency gains that they can leverage. Because now you have, again, almost like a synthetic virtual employee that's interacting on your behalf. That's a really big moment for the notion of work. 
But it carries these risks because in order to do what an agent does, it needs to be autonomous, it needs to have memory, and it needs to interact with your tools. And all three of those carry some novel risks that we actually outlined in a paper called the OWASP AI Agent Threat Report. Things like tool misuse, memory manipulation, and cascading hallucinations. I'll give you just one example, right? So let's say that one of your employees has gone and built an agent in Microsoft Copilot Studio, and it's designed to kind of ingest leads and send them to Salesforce, right? That's a pretty common workflow. But what if its permissions are excessive? What it could, what if it could delete records in Salesforce, right? It probably shouldn't be able to do that. An agent shouldn't be able to go drop tables in Salesforce, right? Because the impact of that could be destructive. What we need to do is look at here's all the things that an agent could do and then restrict its freedoms down to just the things it needs to do to accomplish its goal.
David Moulton
Spencer calls this the biggest challenge in cybersecurity today. When half your workforce is using tools that leak sensitive data by design, the window for getting ahead of this threat is closing fast. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Inside AI Runtime Defense and it's live now. This one's a reality check you can't afford to miss.
Maria Varmazes
That was David Moulton with Wipro's Harish Singh, and if you enjoyed that conversation, be sure to check out more episodes of Threat Vector, available every Thursday wherever you get your podcasts.
Dave Bittner
They know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
Maria Varmazes
And finally, in a surprising twist to North Korea's cyber playbook, researchers say that operatives from the DPRK have taken up a new trade: architecture. Yeah. Cybersecurity firm KELA uncovered evidence showing North Korean workers posing as US-based architects and structural engineers using fake resumes, forged Social Security numbers, and even counterfeit professional seals to land freelance design jobs online. Investigators found detailed floor plans, 3D renderings, and construction documents for projects ranging from decks and farmhouses to tree houses and swimming pools, all traced back to accounts linked to the regime's IT operations. It is the latest evolution in North Korea's digital money-making machine. The United Nations estimates that thousands of DPRK tech workers generate up to $600 million a year for the regime, often funneling their earnings back home to fund nuclear programs and evade sanctions. Experts say that the scheme raises new concerns about safety, integrity, and just how deeply these operators have blended into legitimate industries. So while North Korea's builders might be branching out, it is a good reminder that not every blueprint has an honest foundation. And that's the CyberWire Daily, brought to you by N2K CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd always love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review on your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazes, in this week for Dave Bittner. Thank you for listening. 
We'll see you tomorrow.
Dave Bittner
Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 15, 2025
Host: Maria Varmazes (in for Dave Bittner)
Podcast Network: N2K Networks
Episode Summary by CyberWire Podcast Summarizer
This episode delves into pivotal cybersecurity news including a record-breaking Bitcoin seizure linked to a notorious global scam empire, regulatory penalties from recent breaches, and evolving threats facing enterprises. Key in-depth interviews spotlight US legislative efforts to revive cyber threat information sharing laws and explore how hybrid work, SaaS, and AI are transforming the security landscape. Updates on North Korean cyber operations and industry vulnerabilities round out a comprehensive snapshot of current cyber risks.
Guest: Tim Starks, Senior Reporter, CyberScoop
Host: Dave Bittner
[10:16–19:41]
New Bill by Senator Peters:
Why Naming Matters:
Free Speech Concerns:
Current State of Threat Information Sharing:
Legislative Outlook:
Guest: Harish Singh, Wipro
Host: David Moulton
[20:15–27:42]
AI in the Enterprise:
Harish Singh’s Security "Why":
Pillars of AI Security:
5 Pillars Approach:
What are AI Agents?
Actionable Guidance:
On the urgency of threat sharing: "We're probably not going to see major changes in people's behavior until they start to get worried that this...is not going to be revived." — Tim Starks [15:54]
On AI security risks: "The agent would interact with APIs for Expedia, Uber, OpenTable...It's that autonomy that makes agents profoundly powerful..." — Harish Singh [25:04]
This episode spotlights the scale and stakes of today's cyber threats, from billion-dollar fraud takedowns to complex legislative hurdles and the transformation of threat surfaces via hybrid work and AI. Not only do regulatory and technical measures matter — so do semantic details, such as legislative naming and evolving definitions of cyber risk. The episode provides both practical guidance and strategic context for companies and policymakers striving to keep pace.