CyberWire Daily: "The November that never ended" (September 29, 2025)
Episode Overview
This episode of CyberWire Daily, hosted by Dave Bittner and produced by N2K Networks, delivers incisive coverage of the latest in global cybersecurity news. Key topics include a major Chinese state-sponsored espionage campaign, the UK’s financial backing of Jaguar Land Rover after a cyberattack, active exploitation of a critical file transfer vulnerability, the volatility of the AI tech boom, high-profile ransomware tactics, youth espionage for Russia, a Harrods data breach, Interpol’s strike against African cybercrime rings, a roundup of major business moves in cyber, and a look at "cyber privateering" legislation. Featured guest Brandon Karpf discusses the risks and realities of granting private companies authority to "hack back."
Key News Highlights & Industry Analysis
1. Red November’s Espionage Campaign
[00:02–02:30]
- Actors: China-backed “Red November” group.
- Scope: US defense contractors, more than 30 Panamanian government agencies, and European, Asian and South American organizations, among them aerospace companies and law firms.
- Techniques: exploited VPN and firewall flaws faster than victims applied patches, then relied on off-the-shelf tooling (the Pantegana backdoor, Cobalt Strike, Spark RAT) rather than bespoke malware.
- Objective: persistent access for intelligence collection, in some cases maintained for months.
- Insight:
- “The campaign highlights how quickly adversaries can weaponize newly disclosed vulnerabilities, underscoring the need for rapid patching and tighter monitoring of network infrastructure.” — Dave Bittner [00:54]
2. Jaguar Land Rover’s £1.5 Billion UK Loan Post-Cyberattack
[02:31–03:10]
- Details: the cyberattack halted production at plants in four countries.
- Impacts: supply chains disrupted, suppliers left unpaid, staff sent home.
- Action: the UK government, through UK Export Finance, is guaranteeing a five-year loan of £1.5 billion to stabilize the supplier base; further support has not been ruled out.
3. Fortra GoAnywhere MFT Flaw Under Active Exploitation
[03:11–04:15]
- Flaw: maximum-severity (CVSS 10.0) deserialization bug in the GoAnywhere MFT License Servlet (CVE-2025-10035) that lets an unauthenticated remote attacker achieve command injection.
- Timeline: exploitation was observed before the public advisory, so a current patch level does not prove a system was never compromised.
- Risks: creation of backdoor accounts, privilege escalation, lateral movement.
- Advice: patch immediately, keep the admin console off the Internet, and review logs for the indicator Fortra published (errors containing “SignedObject.getObject”) as well as for unexpected admin account creation.
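The log review above, carried out as an added example (not Fortra's code and not something the episode provides). The log layout is constructed for illustration and would need mapping onto the product's real audit events; the indicator string and the disclosure date are taken from Fortra's advisory for the bug, not from the episode. The point it demonstrates is that, because attacks preceded disclosure, the hunt must look earlier than the advisory date and should tie admin-account creation to preceding exploitation errors:

```python
"""Added example (not Fortra's code): triage of GoAnywhere MFT logs for the
License Servlet deserialization bug. The log layout below is constructed for
illustration; the indicator string and the disclosure date are taken from
Fortra's advisory for the bug, not from the episode."""
import re
from datetime import datetime, timedelta

# Fortra's advisory went public on 2025-09-18; exploitation was seen earlier,
# so a hunt scoped to "since the advisory" misses the first intrusions.
DISCLOSURE = datetime(2025, 9, 18)
# Error string the advisory names as an indicator of attempts against the bug.
IOC_STRING = "SignedObject.getObject"

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")
# Constructed event shape; map this to the product's real audit event for admin-user creation.
ADMIN_CREATE_RE = re.compile(r"Web User '([^']+)' created by '([^']+)' \(role: Administrator\)")

# Constructed sample log (illustrative format, not GoAnywhere's real layout).
SAMPLE_LOG = """\
2025-09-10 15:33:02 ERROR License Servlet: java.lang.ClassCastException in java.security.SignedObject.getObject(SignedObject.java)
2025-09-10 15:35:47 INFO  Web User 'admin-go' created by 'admin' (role: Administrator)
2025-09-12 09:01:15 INFO  Web User 'jdoe' created by 'admin' (role: Web User)
2025-09-19 11:20:30 INFO  Scheduled job 'nightly-export' completed
2025-09-20 08:14:55 ERROR License Servlet: java.lang.ClassCastException in java.security.SignedObject.getObject(SignedObject.java)
"""


def parse_log(text):
    """Return (timestamp, level, message) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries


def find_deserialization_errors(entries):
    """Every entry carrying the advisory's indicator string."""
    return [(ts, msg) for ts, _level, msg in entries if IOC_STRING in msg]


def find_admin_creations(entries):
    """(timestamp, new_user, created_by) for each Administrator-role account creation."""
    found = []
    for ts, _level, msg in entries:
        m = ADMIN_CREATE_RE.search(msg)
        if m:
            found.append((ts, m.group(1), m.group(2)))
    return found


def triage(text, disclosure=DISCLOSURE, correlate_hours=24):
    """Flag IoC hits (marking those before public disclosure) and admin accounts
    created within `correlate_hours` after an IoC hit, the backdoor-account pattern."""
    entries = parse_log(text)
    deser = find_deserialization_errors(entries)
    window = timedelta(hours=correlate_hours)
    findings = []
    for ts, _msg in deser:
        findings.append({"type": "deserialization_error", "time": ts,
                         "pre_disclosure": ts < disclosure})
    for ts, user, actor in find_admin_creations(entries):
        follows = any(timedelta(0) <= ts - dts <= window for dts, _ in deser)
        findings.append({"type": "admin_account_created", "time": ts, "user": user,
                         "created_by": actor, "follows_exploit_error": follows})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the two findings worth escalating are an indicator hit dated before the advisory (the system was exposed while the bug was still unknown) and an Administrator account created minutes after such a hit; a later indicator hit on a patched host is still worth checking but is usually a failed attempt.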
4. AI Boom Sustainability Questioned
[04:16–05:11]
- Concerns: Deutsche Bank warns that AI capital spending is what is keeping the US out of recession; Bain projects an $800B shortfall by 2030 between the revenue AI must generate and the cost of the hardware build-out.
- Market Effects: tech stock gains dominate the S&P 500; analysts warn of concentration risk in the “Magnificent Seven.”
- Contrasting View:
- “Goldman Sachs offered a more optimistic view, predicting significant long term productivity gains once AI adoption matures.” — Dave Bittner [05:08]
5. Akira Ransomware Bypasses MFA in SonicWall Devices
[05:12–06:07]
- Vector: exploits access-control flaws in SonicWall SSL VPN appliances and uses stolen OTP seeds to generate valid one-time codes.
- Impact: attackers log in over the VPN even where MFA is enabled, then go after backup servers and disable endpoint protection via a “bring your own vulnerable driver” (BYOVD) technique.
- Warning: “Even fully patched systems remain at risk if credentials were compromised.” — Dave Bittner [06:01]
- Advice: reset VPN credentials, re-enroll MFA so that stolen OTP seeds are invalidated, and upgrade firmware.
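Why a stolen OTP seed defeats MFA, and why a password reset alone does not fix it, shown as an added example (not code from the episode or from SonicWall). It implements RFC 6238 TOTP with the standard library; the seeds, username and fixed timestamp are constructed, and the episode does not say how the seeds were taken, so the example simply assumes the attacker holds a copy:

```python
"""Added example (not from the episode or from SonicWall): RFC 6238 TOTP,
and why a copied OTP seed lets an attacker pass MFA until the seed is
rotated. Seeds, username and the timestamp below are constructed."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, unix_time: int, code: str, step: int = 30, window: int = 1) -> bool:
    """Server-side check; also accepts the neighbouring windows to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + delta * step, step), code)
        for delta in range(-window, window + 1)
    )


def stolen_seed_accepted(victim_seed_b32: str, stolen_seed_b32: str, unix_time: int) -> bool:
    """An attacker holding a copy of the seed computes the current code and presents it.
    The server only has the seed to compare against, so the code verifies whenever the
    stolen seed still matches the enrolled one; nothing about the password is involved."""
    attacker_code = totp(base64.b32decode(stolen_seed_b32), unix_time)
    return verify_totp(base64.b32decode(victim_seed_b32), unix_time, attacker_code)


if __name__ == "__main__":
    # Constructed seeds (base32, as authenticator apps and exports carry them).
    enrolled = "JBSWY3DPEHPK3PXP"      # seed in the user's VPN profile at the time of theft
    stolen = "JBSWY3DPEHPK3PXP"        # attacker's copy of the same seed
    fresh = "GEZDGNBVGY3TQOJQ"         # seed issued when the user re-enrolls MFA
    t = 1_759_190_400                  # fixed timestamp so the demo is deterministic

    # Password reset alone leaves `enrolled` unchanged: the attacker's code still verifies.
    print("after password reset only, stolen seed accepted:", stolen_seed_accepted(enrolled, stolen, t))
    # Re-enrollment replaces the seed: the attacker's code no longer verifies.
    print("after MFA re-enrollment, stolen seed accepted:", stolen_seed_accepted(fresh, stolen, t))
```

The remediation consequence is the one the advice line states: credential reset must include re-enrolling every affected user's MFA so the old seed is discarded on the server, and the appliance should no longer hold a copy of the old seed anywhere a future export could reveal it.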
6. Teen Spies for Russia in The Hague
[06:08–07:08]
- Incident: Two Dutch teens arrested, recruited via Telegram to sniff Wi-Fi near Europol and other sensitive sites.
- Authorities: Europol confirmed its systems were not compromised; the teenagers' parents were reportedly unaware.
- Context:
- “The case highlights a troubling escalation in Russian recruitment of European youths for low-level espionage and sabotage activities.” — Dave Bittner [07:03]
7. Harrods Confirms Customer Data Breach
[07:09–07:52]
- Lost Data: names, contact details and loyalty-card data (no payment or order information).
- Position: Harrods is refusing to engage with the attackers and is focusing on supporting affected customers.
8. Interpol Busts African Cybercrime Rings
[07:53–09:00]
- Results: 260 arrests across Africa, tied to about $2.8M in losses, mostly from romance scams, sextortion and celebrity impersonation.
- Notable: more than 1,200 devices seized.
- Warning: Interpol points to a rise in digitally enabled crime that carries a heavy psychological and financial toll on victims.
Business & Industry Updates
9. Cybersecurity M&A and Funding Roundup
[09:01–10:30]
- Acquisitions:
- Cyberbit acquires RangeForce (cyber training)
- Halon acquires 11th Cybersecurity (threat intel)
- Spreedly acquires Dodgeball (fraud prevention)
- Spectratel acquires Mosaic Networks (networking)
- Echostor acquires Cyber North (MSSP)
- Unico acquires OwnID (passwordless)
- DigiCert acquires Valimail (Zero Trust email)
- Blue Mantis acquires Coreo (MSP)
- Funding News:
- Terra Security ($30M, AI red teaming)
- Kertos ($16.5M, GDPR compliance)
- Silent Push ($10M, global expansion)
- Unit 221B ($5M, threat intel)
- Mycroft ($3.5M, compliance automation)
- Eve Security ($3M, AI observability platform)
- Resource: “If business news is your thing, be sure to check out our weekly Cyber Business Brief part of Cyberwire Pro.” — Dave Bittner [10:21]
Featured Interview: "Letters of Marque" in Cybersecurity
[15:22–21:43]
Guest: Brandon Karpf, Leader of International Public-Private Partnerships, NTT
Segment Summary:
A thought-provoking discussion about the proposed U.S. “Scam Farms Marque and Reprisal Authorization Act,” which would revive “letters of marque” for cyberspace, essentially deputizing private companies to conduct offensive cyber operations on behalf of the government.
Key Discussion Points & Quotes
History & Origin
- Brandon:
- “They created these things called letters of marque that allowed them to basically deputize a private captain who owned his own ship...to do legal piracy against the enemies of that nation...” [16:11–16:56]
Diplomatic and Legal Risks
- Brandon:
- “This was...an antiquated practice. The purpose was to disrupt civilian infrastructure, what we today would call critical infrastructure...Today, that's frowned upon...there's laws of armed conflict that we have to adhere to.” [17:30–18:00]
- “Using this idea of the letters of marque, which is deputizing private citizens...in the cyber realm, it would be really private companies to go after independently, maybe cybercrime infrastructure, etc. It raises...major concerns around legality, but of course, as you said, geopolitics and international relations.” [18:12–18:38]
Risks of Abuse and Oversight
- Brandon:
- “You would end up seeing exactly what happened during the Age of Sail, which is these private pirates...taking advantage of these letters of marque for their own personal gain.” [18:40–19:20]
- “When you give a letter of marque to a private citizen or a private company, they have no obligations to protect...civil liberties.” [19:24–20:10]
Feasibility and Politics
- Brandon:
- “Usually closely...mentioned with hack back, which is authorizing companies to offensively hack against foreign nations...both broadly seen in the cybersecurity community and the policy world as bad ideas for a number of reasons...” [20:19–20:59]
- “There’s a world in which this could very well get through Congress.” [21:21]
Humor and Tone
- Brandon, tongue in cheek:
- “The only reason I went to the Naval Academy is I wanted to be a pirate.” [15:41]
- “Big balls as the new hacker, which is a perfect nom de plume...” [21:28]
Summary:
While the “letters of marque” concept is rooted in history, Karpf and Bittner agree it raises serious modern concerns—oversight, abuse, and international blowback—in an era where state-sponsored retaliation and rule of law are paramount.
Notable Incident: BBC Journalist Receives “Retirement” Offer from Ransomware Group
[25:05–26:00]
- Victim: Joe Tidy, BBC cyber correspondent
- Attack Vector: a hacker calling himself “Syndicate” and claiming to act for the Medusa ransomware group messaged him directly, offering a cut of a multimillion-dollar ransom (starting at 15%, rising to 25%) in exchange for his BBC credentials.
- Tactics: when the “charm offensive” failed it turned to harassment, including MFA push bombing (repeated login prompts pushed to his phone in the hope he would approve one).
- Outcome: no payout; Tidy's account was locked and reset, and the attackers went quiet.
- Takeaway:
- “Insider recruitment isn’t theoretical. It’s happening and it can come knocking in your DMs.” — Dave Bittner [25:56]
Memorable Quotes
- “The campaign highlights how quickly adversaries can weaponize newly disclosed vulnerabilities, underscoring the need for rapid patching and tighter monitoring of network infrastructure.” — Dave Bittner [00:54]
- “When you give a letter of marque to a private citizen or a private company, they have no obligations to protect...civil liberties.” — Brandon Karpf [19:24]
- “There’s a world in which this could very well get through Congress.” — Brandon Karpf [21:21]
- “Insider recruitment isn’t theoretical. It’s happening and it can come knocking in your DMs.” — Dave Bittner [25:56]
Timestamps: Key Segments
- [00:02] Major news briefing—Red November, Jaguar Land Rover, ongoing exploits, AI, ransomware, Harrods, Interpol
- [09:01] Cybersecurity business & funding news
- [15:22] Interview: Brandon Karpf on letters of marque and cyber privateering
- [25:05] BBC journalist targeted by ransomware gang for insider credentials
This episode covers a full spectrum—from nation-state espionage and risky legislative ideas to the very real risks of insider compromise—combining technical depth, industry analysis, and wry commentary, essential for anyone keeping up with global cyber threats and policy.
