A
You're listening to the CyberWire Network, powered by N2K. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

A Chinese state-sponsored group exploited enterprise devices in a global espionage effort. The UK government guarantees £1.5 billion in financing to help Jaguar Land Rover's recovery efforts. A maximum-severity flaw in Fortra's GoAnywhere managed file transfer product is under active exploitation. The AI boom faces sustainability questions. Akira ransomware bypasses MFA on SonicWall devices. Dutch teens are arrested for allegedly spying for Russia. Luxury retailer Harrods confirms a data breach. An Interpol crackdown targets African cybercrime rings. We've got our Monday business briefing. Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan. And cyber crooks offer a BBC journalist an early retirement package.

It's Monday, September 29, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Monday. It's great to have you with us.

A Chinese state-sponsored group known as RedNovember has carried out a sweeping espionage campaign from June 2024 through July of this year. The hackers targeted defense contractors, government agencies and corporations worldwide, exploiting flaws in VPN appliances and firewalls faster than organizations could patch them. Researchers at Recorded Future documented breaches of at least two U.S. defense contractors, more than 30 Panamanian government agencies and firms across Europe, Asia and South America.
Victims included aerospace manufacturers and law firms. RedNovember relied on publicly available tools like the Pantegana backdoor, Cobalt Strike and SparkRAT to maintain persistent access, sometimes for months at a time. The campaign highlights how quickly adversaries can weaponize newly disclosed vulnerabilities, underscoring the need for rapid patching and tighter monitoring of network infrastructure.

The UK government will guarantee a £1.5 billion loan for Jaguar Land Rover after a cyberattack forced the automaker to halt production at plants in the UK, Slovakia, Brazil and India. The attack disrupted supply chains, leaving some vendors unpaid and staff sent home. The five-year loan, arranged through a commercial bank and backed by UK Export Finance, is intended to stabilize suppliers. Officials signaled that further government assistance for JLR and its network of 120,000 UK-linked jobs remains possible.

Hackers are actively exploiting a maximum-severity flaw in Fortra's GoAnywhere managed file transfer product. The deserialization vulnerability, located in the License Servlet, allows attackers to inject commands remotely without authentication. Security firm watchTowr Labs reports credible evidence of exploitation as early as September 10, eight days before Fortra publicly disclosed the flaw. Attackers leverage the bug to achieve remote command execution, create backdoor accounts and deploy secondary payloads, including a repurposed SimpleHelp binary for persistence. Researchers also observed privilege-checking commands and attempts to enable lateral movement. Admins are urged to patch immediately, restrict Internet exposure of the admin console and review logs for suspicious entries.

The current artificial intelligence boom may be unsustainable, according to new research from Deutsche Bank and Bain & Company. Deutsche warned that AI-related capital expenditure has become so large it is effectively keeping the US out of recession.
Without tech spending, the bank said, the economy would be near contraction. Bain, meanwhile, projected an $800 billion shortfall in revenues needed to sustain AI's demand for computing by 2030, even factoring in efficiency gains. This wave of spending has distorted financial markets, with half of the S&P 500's gains this year tied to tech stocks. Analysts noted that growth is being driven not by AI's output, but by building the infrastructure to power it. Some warn the market is dangerously concentrated in the Magnificent Seven tech giants. Still, Goldman Sachs offered a more optimistic view, predicting significant long-term productivity gains once AI adoption matures.

Akira ransomware operators are continuing to exploit SonicWall SSL VPN devices, successfully logging into accounts even when one-time password multi-factor authentication is enabled. Researchers at Arctic Wolf say the activity links back to an improper access control flaw patched in August 2024. However, attackers appear to be reusing credentials and possibly one-time password seeds stolen before devices were updated. Google Threat Intelligence Group has observed similar behavior, assessing with high confidence that stolen OTP seeds are enabling renewed access to patched devices. Once inside, Akira affiliates move quickly, scanning networks, enumerating Active Directory and targeting Veeam servers to extract backup credentials. They also deploy bring-your-own-vulnerable-driver techniques to disable endpoint protection before encryption. Researchers stress that even fully patched systems remain at risk if credentials were compromised. SonicWall urges administrators to reset all VPN credentials and ensure devices are running the latest firmware.

Dutch police have arrested two 17-year-old boys accused of spying for Russia using Wi-Fi sniffer devices near sensitive locations in The Hague, including Europol, Eurojust and the Canadian embassy, according to De Telegraaf.
The teens were recruited via Telegram and caught following a tip from the Dutch intelligence service AIVD. Europol confirmed awareness of the case but said its systems remain uncompromised, citing robust security safeguards. Authorities believe the teens intercepted wireless traffic for reconnaissance, though the full extent of their activity is under investigation. One was reportedly arrested at home while doing homework, with parents unaware of his espionage involvement. The suspects remain in custody for at least two weeks as charges proceed. The case highlights a troubling escalation in Russian recruitment of European youths for low-level espionage and sabotage activities.

Luxury retailer Harrods has confirmed that hackers contacted the company after stealing data tied to 430,000 customer records in a breach involving a third-party provider. The stolen information includes names, contact details and loyalty card data, but no passwords, payment details or order histories. Harrods said it will not engage with the attackers and is focused on supporting affected customers while cooperating with authorities. The company emphasized that most shoppers are in-store, limiting the breach's overall impact.

Interpol announced that 260 people were arrested across several African countries in a coordinated crackdown on online fraud networks. Authorities identified more than 1,400 victims who collectively lost $2.8 million through romance scams, sextortion and related schemes. Police dismantled scam infrastructure and seized over 1,200 devices, including SIM cards and USB drives. Ghana reported the most arrests, detaining 68 suspects and recovering $70,000 of $450,000 in losses. Senegalese police arrested 22 for impersonating celebrities to defraud victims, while Côte d'Ivoire identified nearly 810 sextortion victims tied to 24 suspects. Angola detained eight linked to cross-border fraud cases.
Interpol warned of a sharp rise in digitally enabled crimes across Africa, stressing that online platforms have expanded opportunities for exploitation, with both financial and psychological harm to victims.

It's Monday, which means it's time for our weekly business briefing. The cybersecurity market saw a wave of acquisitions this past week. Cyberbit acquired RangeForce to expand its live-fire training catalog, while Halon bought Germany's eleven cyber security to strengthen its email threat intelligence offerings. Spreedly added fraud prevention firm Dodgeball. Spectrotel picked up Mosaic NetworX to boost secure networking, and Echostor acquired Cyber North to extend MSSP services. Other deals included Unico buying OwnID for passwordless authentication, DigiCert acquiring Valimail for zero-trust email and Blue Mantis acquiring Canadian MSP Coreio. On the funding side, Terra Security raised $30 million to advance AI-driven red teaming, and GDPR compliance startup Kertos closed a $16.5 million round. Silent Push secured $10 million for global expansion. Unit 221B raised $5 million to enhance threat intelligence collaboration, and Mycroft emerged from stealth with $3.5 million to accelerate compliance automation. Finally, Austin-based Eve Security raised $3.2 million to develop its AI-powered observability platform. If business news is your thing, be sure to check out our weekly Cyber Business Brief, part of CyberWire Pro. All the details on that are on our website, TheCyberWire.com.

Coming up after the break, Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan. And cyber crooks offer a BBC journalist an early retirement package. Stay with us.

Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust tasks, so you're not buried under spreadsheets and endless manual work. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash cyber.

AI adoption is exploding, and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI Conference, the premier event for cybersecurity, data and AI leaders, hosted by data security leader Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire.

And joining me once again is Brandon Karpf. He's the leader of international public-private partnerships at NTT. Brandon, welcome back.
B
Thanks, Dave. Good to be back as always.
A
So, interesting article that came by. I wanted to check in with you on this as a former sailor, Naval Academy...
B
...grad and wannabe pirate, I will say.
A
And wannabe pirate, Absolutely. I mean, what Naval Academy grad doesn't have that aspiration?
B
You know, it's the only reason I went to the Naval Academy is I wanted to be a pirate.
A
I understand. Your parents must be proud. Interesting article that came by. This is from Erik. Arizona Republican David Schweikert, who has introduced a bill called the Scam Farms Marque and Reprisal Authorization Act into the House of Representatives. Letters of marque, my understanding, go back to pirate days. Can you give us a little of the background here?
B
Certainly, certainly. So when you think about kind of the age of sail and how expensive it was for nations to maintain ships when they went into war, they didn't always have a standing navy, or at least they had a standing navy, but they wanted more to have a larger effect overseas, especially against the shipping of their adversary. And so they created these things called letters of marque that allowed them to basically deputize a private captain who owned his own ship, and I'll say his because almost all of them were men. There actually were a few instances of female captains here, but essentially allowed them to do legal piracy against the enemies of that nation and usually against actually the civilian traffic, like the trade traffic that that nation was using ships to transport. And it was a way for a nation to kind of expand its capabilities in terms of naval operations.
A
So how did this affect diplomacy? If I'm out there deputizing these folks to go attack other nations' private ships, this is not going to generate a good response.
B
No. And I will say that when you think about it, right, this was and is an antiquated practice. Right. Really, the purpose was to disrupt civilian infrastructure, what we today would call critical infrastructure, and really attack the population, the civilian populations of your adversary, by affecting their trade and their finances. You know, it was broadly accepted as just a part of warfare during this age. Today, that's frowned upon. Going after civilian infrastructure and civilian critical infrastructure, especially in a time of war, there's laws of armed conflict that we have to adhere to. And thinking about using this idea of the letters of marque, which is deputizing private citizens, and more specifically in the cyber realm it would be really private companies, to go after independently, maybe, cybercrime infrastructure, etc., it raises some, I would say, major concerns around legality, but of course, as you said, geopolitics and international relations.
A
Well, go on.
B
Well, first, you know, without a controlling, you know, infrastructure here in place, you would end up seeing exactly what happened during the Age of Sail, which is these private pirates, which they really were private pirates, just taking advantage of these letters of marque for their own personal gain. Some of these private pirates who were legally authorized to do what they were doing became fabulously wealthy because they were using it as an opportunity to basically steal and do piracy under the guise of support from the nation. This potentially opens up the door to those types of nefarious activities, even for authorized people.
A
Reverse ransomware.
B
Right. Especially when you consider the fact that any cyber operation, especially offensive operations, are so carefully constructed and so carefully authorized under legal frameworks, starting at the President all the way down to the unit that is conducting these operations in the US at Cyber Command or the National Security Agency. There's so much consideration given to what the actual legal authorities are, what the equities are. If we're looking at information purely from a foreign perspective, if any US person's information happens to get accidentally scooped up, that goes through a whole legal review and audit process. All these things are meant to help protect our civil liberties. Now, when you give a letter of marque to a private citizen or a private company, they have no obligations to protect any of that stuff.
A
Hmm. So the reporting I've seen on this seems pretty skeptical that this could actually make its way through. What's your take?
B
I in general would say, yeah, this has been talked about for at least a decade. We've seen articles talking about letters of marque for cyber operations, usually closely or within the same breath mentioned with hack back, which is authorizing companies to offensively hack against foreign nations and adversaries, both broadly seen in the cybersecurity community and the policy world as bad ideas for a number of reasons that I've mentioned. There are others, of course. That being said, in this day and age, who knows? I mean, this bill, if you read the text of the bill, it's actually directly authorizing the President, the US President, giving the President direct authority to create these letters of marque and give authorization for reprisals, basically privately armed and equipped persons in the cyber domain. I don't know, seeing what's happening with immigration enforcement in the country, seeing what's happening and what the National Guard is being used as, there's a world in which this could very well get through Congress.
A
Yeah. The new assignment for the DOGE team, right?
B
And our favorite DOGE-er, Big Balls, as the new hacker, which is a perfect nom de plume for a hacker, I guess.
A
I guess it is. All right, well, time will tell.
B
Time will tell.
A
All right, well, Brandon Karpf is leader of international public-private partnerships at NTT. Brandon, thanks so much for taking the time. Thank you, Dave.

Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com slash the numbers 4-7-D-A-Y.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, BBC cyber correspondent Joe Tidy got a firsthand lesson in insider threat recruitment when a hacker calling himself Syndicate slid into his Signal inbox with a tempting offer: hand over BBC credentials, get a cut of a multi-million-dollar ransom. The offer started at 15%, then sweetened to 25%, with promises of early retirement. The hackers, tied to ransomware group Medusa, even offered a trust payment in Bitcoin, because nothing says reliable business partner like cybercriminals promising not to scam you. When Tidy stalled, the charm offensive shifted to harassment, with a barrage of MFA pop-ups flooding his phone.
Ultimately, Tidy walked away with no beachside villa, but a hard reset from BBC security. The crooks vanished, account deleted, as if ghosting was part of their benefits package. His takeaway: insider recruitment isn't theoretical. It's happening, and it can come knocking in your DMs.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
This episode of CyberWire Daily, hosted by Dave Bittner and produced by N2K Networks, delivers incisive coverage of the latest in global cybersecurity news. Key topics include a major Chinese state-sponsored espionage campaign, the UK’s financial backing of Jaguar Land Rover after a cyberattack, active exploitation of a critical file transfer vulnerability, the volatility of the AI tech boom, high-profile ransomware tactics, youth espionage for Russia, a Harrods data breach, Interpol’s strike against African cybercrime rings, a roundup of major business moves in cyber, and a look at "cyber privateering" legislation. Featured guest Brandon Karpf discusses the risks and realities of granting private companies authority to "hack back."
Guest: Brandon Karpf, Leader of International Public-Private Partnerships, NTT
Segment Summary:
A thought-provoking discussion about the proposed U.S. “Scam Farms Marque and Reprisal Authorization Act,” which would revive “letters of marque” for cyber, essentially deputizing private companies to conduct offensive operations on behalf of the government.
While the “letters of marque” concept is rooted in history, Karpf and Bittner agree it raises serious modern concerns—oversight, abuse, and international blowback—in an era where state-sponsored retaliation and rule of law are paramount.
This episode covers a full spectrum—from nation-state espionage and risky legislative ideas to the very real risks of insider compromise—combining technical depth, industry analysis, and wry commentary, essential for anyone keeping up with global cyber threats and policy.