Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K. Step into the digital upside down with Cyber Things, Armis' new three-part podcast series, which will dive into the unseen world of cybersecurity. From real-life hacks to the digital shadows of the dark web, we connect pop culture and protection, fear and control. Episode one drops soon, so look out for Cyber Things, in partnership with CyberWire.
B (0:39)
From phishing to ransomware, cyber threats are constant. But with NordLayer, your defense can be too. NordLayer brings together secure access and advanced threat protection in a single seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles, so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28. That's nordlayer.com cyberwire daily, code CYBERWIRE28, valid through December 10, 2025.

The Pentagon spends millions on AI hacking. The New York Times investigates illicit crypto funds. Researchers uncover widespread remote code execution flaws in AI inference engines. Police in India arrest CCTV hackers. Payroll Pirates use Google Ads to steal credentials and redirect salaries. A large-scale brand impersonation campaign delivers Ghost RAT to Chinese-speaking users. A Bitcoin mining company CEO gets scammed. We've got our Monday Business Brief. On our Industry Voices segment, our knowledge partner SpecterOps' Chief Technology Officer Jared Atkinson is discussing attack path management. And Bitcoin bigwigs learn to bite through plastic.

November 17, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

Federal records show the U.S. is investing in AI-driven offensive cyber capabilities, awarding up to $12.6 million to a stealth Arlington startup called Twenty, which also secured Navy funding and backing from In-Q-Tel and major VCs. Twenty, staffed by former Cyber Command and intelligence veterans, focuses on automating operations that can strike hundreds of targets at once.
Job listings indicate work on AI-powered attack tools, autonomous agent frameworks and social engineering personas. The company's emergence reflects a broader shift toward automated cyberwarfare, as other nations, including China, also use AI agents for hacking. While firms like Two Six Technologies have developed AI to assist human operators, Twenty appears positioned to push far more autonomous offensive capabilities.

The crypto industry has gained mainstream momentum, bolstered by President Trump's new crypto business and his pledge to make the United States a global leader. But an international investigation by the New York Times, the International Consortium of Investigative Journalists, and dozens of partner outlets found that more than $28 billion in illicit funds has flowed into major crypto exchanges over the past two years. Hackers, scammers and criminal networks, including North Korean groups and global fraud rings, routinely moved money through top platforms such as Binance and OKEx. Binance, which settled U.S. money laundering charges in 2023, continued receiving hundreds of millions tied to sanctioned entities and hacked funds. Exchanges have pledged to improve compliance, but investigators say law enforcement cannot keep up with the scale of abuse. Victims of scams, from individual investors to bank executives, rarely recover lost funds. Meanwhile, lightly regulated crypto-to-cash storefronts worldwide offer criminals an easy path to convert digital assets into untraceable money.

Researchers at Oligo Security report a widespread set of remote code execution flaws impacting major AI inference engines from Meta, NVIDIA, Microsoft Azure, and open source projects such as vLLM and SGLang. The vulnerabilities, called ShadowMQ, stem from unsafe use of the ZeroMQ messaging library and Python's pickle deserialization.
Multiple AI systems replicated the same insecure pattern through code reuse, exposing sensitive prompts, model weights and customer data across Internet-reachable servers. Additional vulnerabilities were found in vLLM, NVIDIA TensorRT-LLM, Modular MAX Server, Microsoft's Sarathi-Serve and SGLang, with several projects still incompletely patched. Oligo says the issue shows how unsafe components propagate quickly through the AI ecosystem, and urges immediate patching and strict limits on ZeroMQ exposure and pickle use.

Police in India say hacked CCTV footage from a maternity hospital was sold on Telegram, exposing severe privacy and security gaps as cameras become widespread nationwide. Investigators uncovered a large cybercrime network that had breached at least 50,000 CCTV systems in hospitals, schools, offices and private homes. Hackers exploited weak or default passwords using brute force tools to access and sell sensitive videos for small payments, with some channels even offering live feeds. Eight people have been arrested, and videos were removed after police contacted YouTube and Telegram. Experts warn that poorly secured CCTV systems, often managed by untrained staff, leave Indians vulnerable to voyeurism, extortion and data theft. Advocates urge stronger manufacturer safeguards, mandatory password changes and better protections, especially in sensitive spaces.

A financially motivated group known as the Payroll Pirates has been hijacking payroll systems, credit unions, retailers and trading platforms across the U.S. since mid-2023 using malvertising, first identified by Check Point. The operation uses Google Ads to impersonate payroll portals, steal credentials and redirect salaries. After going quiet in late 2023, the group resurfaced in mid-2024 with upgraded kits capable of bypassing two-factor authentication through real-time Telegram interactions.
Investigations by Malwarebytes, Silent Push and Check Point showed the activity was part of a unified network, not shared tools, with at least four admins and indications of operators based in Ukraine. Two main clusters run the operation: Google Ads with cloaking redirects, and Bing Ads using aged domains. The campaign remains active, highly adaptive and difficult to disrupt.

Palo Alto Networks' Unit 42 reports two interconnected 2025 malware campaigns using large-scale brand impersonation to deliver Ghost RAT variants to Chinese-speaking users. The first campaign, Trio, ran February through March of this year, mimicked three popular apps such as i4Tools and UDAO, and used over 2,000 domains to distribute Trojanized installers from centralized infrastructure. The second campaign, Chorus, began in May of this year, expanded to more than 40 impersonated applications and adopted a far more evasive multi-stage infection chain, including cloud-hosted payload delivery, VBScript droppers and DLL sideloading through a signed executable. Both campaigns rely on mass automated domain generation, focus on software favored by Chinese-speaking users and ultimately deploy Ghost RAT for full system control. Palo Alto provides indicators of compromise in their research.

The CEO of Bitcoin mining company Sazmining, Kent Halliburton, was conned out of $220,000 in Bitcoin by fraudsters posing as representatives of a wealthy Monaco family office, Wired reports. The supposed investors courted him over lavish in-person meetings in Amsterdam, dangling a $4 million mining hardware deal tied to a side purchase of Bitcoin. They persuaded him to create a new Atomic Wallet on his phone and move funds into it to prove capacity for the transaction. Once the Bitcoin arrived, it was instantly drained and laundered through exchangers, mixers and cross-chain bridges, making it difficult to trace or recover. Researchers believe the scammers captured his seed phrase, likely via discreet visual surveillance.
The theft created a serious cash crunch for Sazmining, but the company ultimately remained solvent.

Elsewhere, British prosecutors obtained a civil recovery order to seize £4.1 billion in crypto from Twitter hacker Joseph James O'Connor, reclaiming profits from the 2020 breach that hijacked celebrity accounts to push a Bitcoin scam. O'Connor, already serving five years in the U.S. for computer intrusions, fraud and money laundering, helped run a SIM swapping scheme that netted over $100,000. The order targets Bitcoin, Ethereum and stablecoins, and shows UK authorities can recover illicit assets even when convictions occur abroad.

Turning to our Monday Biz Brief, cybersecurity funding and acquisitions surged last week, led by Israel's Tenzai emerging from stealth with a $75 million seed round to build an AI agent-driven penetration testing platform. Sweet Security also raised $75 million to expand its runtime CNAPP and AI security offerings. Truffle Security secured $25 million to grow its secrets exposure detection tools, while identity-focused Olyria raised $19 million and application security startup CISO raised $7 million. Threat detection firm Rylovera added $3 million in seed funding. The M&A front was equally active: Coalition acquired MDR provider Wirespeed, Arctic Wolf bought ransomware prevention firm Upsight, MorganFranklin Cyber acquired Lynx Technology Partners, Hexaware purchased IAM provider Cybersolve, Axiom GRC acquired IS Partners, Archon bought cloud security firm ScaleSec, and Pantera acquired offensive security firm EVA Information Security to expand adversarial testing for AI-integrated environments.

Be sure to check out our CyberWire Business Briefing, part of CyberWire Pro. You can find that on our website. And a programming note: join us for Cyber Things, Armis' special edition podcast series that pulls back the curtain on the eerie parallels between our real cyber landscape and a certain Hawkins-shaped sci-fi universe.
Episode one, The Unseen World, premieres today, revealing the hidden dangers lurking just beneath our digital surface. On your favorite podcast app, look for Cyber Things. Tune into the trailer and episode one, and subscribe now before the shadows start moving. We'll have a link in our show notes as well.

Coming up after the break, Chief Technology Officer from SpecterOps, Jared Atkinson, discusses attack path management, and Bitcoin bigwigs learn to bite through plastic. Stay with us.

At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com cyber.

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive.
Learn more and book your demo at meter.com cyberwire. That's M-E-T-E-R dot com cyberwire.

Jared Atkinson is Chief Technology Officer at our new N2K knowledge partner, SpecterOps. On today's sponsored Industry Voices segment, we discuss attack path management: identities in transit.
