A
You're listening to the CyberWire Network, powered by N2K. Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SEC AI Plus. It's their first ever AI certification, focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SEC AI practice exam is coming out this year to help you prepare for the certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net.
B
And.
A
Thanks.
B
At Thales they know cybersecurity can be tough and you can't protect everything. But with Thales you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T H A L E S. Learn more at thalesgroup.com. CISA warns a Windows SMB privilege escalation flaw is under active exploitation. Microsoft issues an out of band fix for a WinRE USB input failure. Nation state hackers had long term access to F5. Envoy Air confirms it was hit by the zero day in Oracle's E-Business Suite. A non profit hospital system in Massachusetts suffers a cyber attack. Russia's Cold River group rapidly retools its malware arsenal. GlassWorm malware hides malicious logic with invisible Unicode carriers. European authorities dismantle a large scale Latvian SIM farm operation. Myanmar's military raids a notorious cybercrime hub. Our guest is Josh Kamjoo from Sublime Security discussing how teams should get ahead of Scattered Spider's next move. And Eagle Scouts are soaring into cyberspace. It's Tuesday, October 21, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. CISA warns attackers are exploiting a Windows Server Message Block flaw to gain system privileges on unpatched Windows systems. With a CVSS score of 8.8, the vulnerability affects Windows Server, Windows 10 and Windows 11 through 24H2. Microsoft addressed it in the June 2025 Patch Tuesday. An attacker could trick users into connecting to a malicious application server such as an SMB server, then compromise the protocol. Attackers could gain system level privileges, raising a risk of serious compromise.
CISA requires federal civilian executive branch agencies to secure affected systems by November 10th, and organizations should apply Microsoft's June 2025 security updates. Microsoft shipped an out of band update that revives Windows RE on systems where USB input went silent. The company acknowledged the bug on Friday. It blocked navigation inside the Windows Recovery Environment while mice and keyboards still worked after login. Microsoft began rolling out the update today. Obviously, recovery is rescue for responders, and Microsoft recommends users install the update immediately. If you cannot boot, use a touch keyboard, a PS/2 device or a USB recovery drive. Enterprises can deploy via PXE or use the Windows ADK and WinPE. F5 says nation state hackers maintained long term access, stealing BIG-IP code and vulnerability data, prompting urgent government warnings, according to Bloomberg. Access began in late 2023 and was discovered Aug. 9, per F5's filing. People briefed say attackers exploited exposed F5 software after staff ignored company guidelines. Intruders downloaded BIG-IP files, including source code and data on undisclosed flaws. F5 reports no code modification or known active exploitation. Stolen code and vulnerability details raise the risk of silent surveillance, manipulation or disruption of BIG-IP traffic. CISA issued an emergency directive requiring federal agencies to identify and update F5 products by October 22nd. The UK National Cyber Security Centre also warned customers. Envoy Air has confirmed it was hit in a coordinated wave of attacks exploiting a zero day in Oracle's E-Business Suite, a system critical to global enterprise operations. The Clop ransomware group, long associated with large scale extortion, leveraged the flaw for remote takeover without credentials. The same campaign hit Harvard earlier this month and may extend to American Airlines.
The vulnerability remained unpatched for nearly three months, underscoring the danger of lagging vendor response times in supply chain software dependencies. Heywood Healthcare, a nonprofit system in north central Massachusetts, has taken its IT network offline after a cyber attack disrupted operations at its two hospitals. The outage has forced ambulance diversions, halted CT imaging and affected radiology, lab, phone and email systems, while inpatient and outpatient care continues. Digital systems are severely limited. Experts warn the attack reflects the healthcare sector's growing vulnerability to ransomware and extortion schemes, where operational disruption, not just data theft, is the goal. Analysts from Lumify, Rapid7 and Clearwater note that weak vendor security, delayed patching and poor segmentation remain systemic risks. They urge hospitals to prioritize Zero Trust architectures, faster patch management, segmentation of medical devices and continuous risk analysis to build resilience against the accelerating wave of financially motivated, AI assisted attacks targeting patient care infrastructure. Russia-linked Cold River has rapidly retooled its malware arsenal, replacing the publicly exposed LOSTKEYS with a chained suite GTIG calls NOROBOT, YESROBOT and MAYBEROBOT, and has used it more aggressively than in prior campaigns. The attack begins with a ClickFix CAPTCHA lure that tricks victims into running a malicious DLL via rundll32, which then fetches staged components, initially a Python based backdoor and later a lighter, more flexible PowerShell backdoor, Google's Threat Intelligence Group notes. Cold River alternated noisy and stealthy delivery chains, rotated infrastructure and tweaked components to frustrate analysis, signaling a higher development and operations tempo aimed at credential theft and espionage against NGOs, former intel officers and NATO aligned targets.
Defenders should prioritize phishing resistant controls, robust detonation and DLL executable monitoring, and rapid capture of multi component chains. A developer focused supply chain campaign named GlassWorm has infected roughly 35,000 marketplace installs across Open VSX and Microsoft Visual Studio by hiding malicious logic with invisible Unicode characters. Once deployed, it steals GitHub, npm and Open VSX credentials and crypto wallet data, self propagates using compromised accounts to backdoor more extensions, and installs a SOCKS proxy plus HVNC for covert remote access. Its final payload, ZOMBI, which is massively obfuscated JavaScript that turns workstations into criminal nodes, is fetched via links embedded in Solana blockchain transactions, with Google Calendar and a fallback IP as backups, making takedown and attribution difficult. Key defensive actions include treating extensions as supply chain risks, enforcing MFA and least privilege for developer accounts, scanning repos for invisible or unusual characters, monitoring outbound traffic for proxies or HVNC, and validating third party code before inclusion. European authorities dismantled a large scale SIM farm operation in Latvia known as SIMCARTEL, which provided millions of fake mobile numbers used in phishing, smishing and fraud across 80 countries. Coordinated by Europol and Eurojust, the raid resulted in seven arrests, the seizure of 1,200 SIM boxes operating 40,000 SIMs, cryptocurrency worth $835,000 and the takedown of several domains. The group's infrastructure enabled the creation of 49 million fraudulent online accounts supporting scams that impersonated police, ran fake marketplaces and stole financial credentials. Victim losses exceeded $5.2 million.
Investigators say the service's bulk SIM access masked identities, fueled transnational cybercrime and exposed the blurred boundary between telecom misuse and organized fraud, highlighting the need for stricter SIM registration and cross border digital forensics collaboration. Myanmar's military has raided KK Park, a notorious cybercrime hub near the Thai border, detaining over 2,000 people and seizing 30 Starlink terminals used to power global online scam operations. The crackdown, launched in September, targeted networks behind romance and investment fraud schemes that trafficked foreign workers and forced them into criminal labor. KK Park, near Myawaddy in Kayin State, lies in a contested region partly controlled by ethnic militias. The junta accuses the Karen National Union of complicity, which that group denies. The raid follows international sanctions against similar scam syndicates in Cambodia and reflects mounting regional pressure, especially from China and Thailand, to dismantle Southeast Asia's human trafficking linked cybercrime compounds, which exploit unlicensed Starlink connectivity to evade surveillance and fuel transnational fraud. Coming up after the break, Josh Kamjoo from Sublime Security discusses how teams can get ahead of Scattered Spider's next move, and Eagle Scouts are soaring into cyberspace. Stick around. What's your 2am security worry? Is it, do I have the right controls in place?
C
Maybe?
B
Are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V A N T A dot com slash cyber. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi. Josh Kamjoo is CEO and co-founder of Sublime Security. He joins us to discuss how teams can get ahead of Scattered Spider's next move.
C
Yeah, so team Scattered Spider is a notorious at this point threat actor that is most well known for conducting socially engineered attacks against organizations of various sizes and various industries in order to achieve various objectives. And typically those are financially motivated objectives.
B
And what sets them apart. What's been the secret to their success?
C
Well, I think we've seen a huge adoption or explosion in different kinds of social engineering tactics and techniques. And one of the things that Scattered Spider has been doing is using kind of non traditional types of, well, historically been more non traditional forms of social engineering. So things like delivering attacks via various different mediums and you know, that could be some of their target's personal email address. It could be a different, you know, it could be some other form of electronic medium. It could also be voice phishing, it could be, you know, calling up the help desk and getting them to install something or follow certain instructions. So there's, there's a lot of different techniques that we're seeing a big adoption of. And especially as of late, you've seen our adversaries start to adopt more and more generative AI tooling to conduct their attacks. We're an email security company, so we see that primarily in the email domain with more sophisticated types of email attacks like BEC fraud, even credential theft or malware, ransomware delivery. But at the threat landscape writ large, we're seeing all kinds of attacks. I mean, we're even seeing deepfakes, we're seeing voice impersonations, we're seeing all kinds of different types of techniques.
B
So if you're a defender, how do you establish a baseline against a group like this that has such a broad playbook?
C
I think as a practitioner, prior to Sublime, I spent my career as a security practitioner and the age old saying is defense in depth, right? And so there is no like one control that is going to protect you against a sophisticated and determined adversary. It's about layered defense and it's around knowing where your attack surface is. So whether you do have a help desk, whether you are the type of business that only does business online or over email or whatever that might be. So it's around knowing what your attack surface is, knowing where your crown jewels are and just where, where the risks are in the business and building multiple layers of defense against those. And obviously that only, it's a very kind of high level description. But you know, there's many different techniques around, like, you know, principles of least privilege. If you do have people on the front lines, you're only giving them access to what they need and you've got just multiple layers of, of defense in depth to, to prevent these types of attacks.
B
Help me understand where we stand when it comes to email security these days. I mean, can you take me through the spectrum of from someone setting up a free Gmail account and counting on Google to be their line of defense all the way through people who have very specific needs and they know that they are being targeted. What's the state of the art these days?
C
Yeah, I mean. You mean from an email defense perspective? Yeah, yeah, yeah. Well, we are seeing there's been. Email is always, I would say the security landscape is always a moving target. Right. You've got an adversary on the other side that's trying to, that's motivated to achieve some objective and they want that. They are actively looking to bypass the defensive solutions. And you know, we've seen new types of techniques over the course of, since email security has been a thing. But we're starting to see more rapid adaptation of threats, I think in large part due to generative AI. And what that means from a defensive standpoint is a few things. One is that as attacks become more and more targeted to their recipient, we put out a threat report a couple months ago around some of the insights that we're seeing across our customers. Over 90% of attacks that we see are customized to the recipient in some way. And they're getting more tailored, they're getting more contextual, they're leveraging more real information because you can automate it all. You can have an agent go and do recon on your target and that can be used to make a more convincing phishing email. And so context is really important when conducting defense. But I would say that that's kind of just table stakes. That's the foundation is being able to really understand the tone and intent of a message. There's natural language understanding techniques, there's all kinds of machine learning techniques that I would say are pretty table stakes. These, what I think is needed, and this is really kind of segues into what Sublime does and how we do things a little bit differently, is that the way that traditional email security has been done over the past 20 years or so is that you've got this centralized detection model where you train a model and you train it to understand what bad looks like and you deploy that to all your customers.
And one of the challenges with that, as attacks become more targeted and as adversaries figure out ways to deliver their attacks and bypass security solutions, it's inevitable that an attack will get through or that any security solution is going to eventually misclassify something. So our thinking was how do we prepare for that inevitability and be able to adapt very rapidly to the changes in the landscape? So at Sublime, we designed a distributed detection model where each of our customers gets really their own copy, in essence, that's tailored to them of our detection engine and that ends up being much more contextually aware. And you know, every, every environment is so different. Like you've got, you know, if I were to just pick a couple of our customers, you've got like Netflix is on one end where their environment and kind of the behavior that you see is very distinct to Netflix, whereas you've got ASOS, you know, like a retail company is going to be also just very different. So the distributed model kind of makes detection more tailored, but it also allows defenses to be adapted much more rapidly when we get something wrong. And so that's been one of the keys to how we've been able to keep up with the advances in, and how quickly the landscape is moving. So we've built a couple agents within Sublime that will actually autonomously investigate, triage, detect, respond and even adapt defenses on a per customer basis. And that allows us to much more rapidly, within hours instead of like weeks or months, deploy new detections. So I think that this is kind of, this approach to just being much more rapidly adaptable, I think is going to be the key, one of the big keys to this more autonomous offense that we are seeing more and more where you've got a machine on one side and you've got a machine on the other side.
B
How do you strike the balance between human analysis and automated response when we've got these threat actors embracing AI and, I think it's fair to say, increasing their own velocity?
C
Yeah, I mean, our kind of mindset is that we want to automate everything that can be automated with high confidence. We don't want to just make assumptions.
B
And.
C
Without knowing or learning what the organization's preference is and the risk tolerance is. So, for example, to give you a very concrete example, one of our agents is called the Autonomous Security Analyst. So it basically acts as a tier 1, tier 2 SOC analyst to triage alerts, phishing alerts. And our directive to this agent is essentially not to make decisions unless it is high, highly confident. The output of the agent is a verdict. It's whether it's malicious, it's whether it's graymail, spam. But really, really importantly, I would say just as importantly, is that we have an escape hatch for the agent to output an unknown verdict. And so that is the point at which we can escalate to a human to actually review. And based off a customer's preference, we can actually still take some action in those cases, but maybe it's not as severe of an action. So if we know it's malicious, for example, we're going to probably quarantine it if that's what the configuration is set to. But for unknown, maybe the tolerance is let's insert a warning banner so that the user, when they pull up the message, they see an informative banner that, because we're not sure, maybe that'll actually reduce, that ends up reducing risk.
B
That's Josh Kamjoo from Sublime Security.
A
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com. Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.
B
And finally, Scouting America, formerly the Boy Scouts, is boldly venturing into the digital wilderness with new AI and cybersecurity merit badges. Once the domain of knots, compasses and campfires, the Scouts are now learning about deepfakes, phishing and machine learning models. CEO Roger Krone says the goal is to stay relevant in an increasingly digital world. The AI badge asks Scouts to explore ethical impacts and build tech savvy projects, while the cybersecurity badge arms them with tools to stay safe online. No neckerchief required. Early adopters like brothers Charles and Widell Hendricks already earned theirs. Widell plans a cyber career in the Air Force, noting the badge also teaches ethics, proving that even in the age of algorithms, honor codes still matter. Not for nothing, the Girl Scouts introduced their first cybersecurity badges back in 2018. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding.
The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 21, 2025
Host: Dave Bittner, N2K Networks
This episode of CyberWire Daily focuses on a rapidly evolving cybersecurity landscape: critical zero-day vulnerabilities, ransomware threats targeting healthcare and supply chains, new malware campaigns, major law enforcement takedowns, and how security teams can proactively defend against sophisticated adversaries like Scattered Spider. The episode features analysis of current attacks, incident responses, and a deep-dive interview with Josh Kamjoo (CEO, Sublime Security) discussing modern, AI-fueled social engineering and defense strategies.
"An attacker could trick users into connecting to a malicious application server such as an SMB server, then compromise the protocol. Attackers could gain system level privileges, raising a risk of serious compromise."
"Recovery is rescue for responders, and Microsoft recommends users install the update immediately."
"The attack reflects the healthcare sector's growing vulnerability to ransomware and extortion schemes, where operational disruption, not just data theft, is the goal."
Guest: Josh Kamjoo, CEO & Co-founder of Sublime Security
Segment Start: 15:33
"Team Scattered Spider is a notorious at this point threat actor...most well known for conducting socially engineered attacks against organizations...typically those are financially motivated objectives."
— Josh Kamjoo (15:33)
"We're even seeing deepfakes, we're seeing voice impersonations, we're seeing all kinds of different types of techniques."
— Kamjoo (17:16)
"There is no like one control that is going to protect you against a sophisticated and determined adversary. It's about layered defense and...knowing where your attack surface is."
— Kamjoo (17:54)
"Our thinking was how do we prepare for that inevitability and be able to adapt very rapidly to the changes in the landscape?...we designed a distributed detection model where each of our customers gets really their own copy..."
— Kamjoo (21:06)
Philosophy: Automate only where reliable; “escape hatches” for human review when confidence is low.
Example: Autonomous Security Analyst agent provides verdicts and escalates ambiguous cases for human intervention.
Configurable risk response for each client.
"We want to automate everything that can be automated with high confidence...we have an escape hatch for the agent to output an unknown verdict."
— Kamjoo (24:48, 25:13)
On adversary adaptation:
"The security landscape is always a moving target. You've got an adversary...actively looking to bypass the defensive solutions."
— Josh Kamjoo (19:49)
AI overhauls everything:
"Context is really important when conducting defense. But...that's kind of just table stakes. That's the foundation is being able to really understand the tone and intent of a message."
— Kamjoo (20:44)
Scouting America (formerly Boy Scouts) introduces AI & cybersecurity merit badges, teaching deepfakes, phishing, and ethics.
CEO Roger Krone: Adapting the legacy institution for the digital world.
Early adopters: Brothers Charles and Widell Hendricks—Widell aims for Air Force cyber career.
Note: Girl Scouts launched cyber badges in 2018.
"[The cybersecurity badge] also teaches ethics, proving that even in the age of algorithms, honor codes still matter."
— Host (28:22)
For full details and links to all stories, visit thecyberwire.com