CyberWire Daily: "The SMB slip-up."
Date: October 21, 2025
Host: Dave Bittner, N2K Networks
Episode Overview
This episode of CyberWire Daily focuses on a rapidly evolving cybersecurity landscape: critical zero-day vulnerabilities, ransomware threats targeting healthcare and supply chains, new malware campaigns, major law enforcement takedowns, and how security teams can proactively defend against sophisticated adversaries like Scattered Spider. The episode features analysis of current attacks, incident responses, and a deep-dive interview with Josh Kamjoo (CEO, Sublime Security) discussing modern, AI-fueled social engineering and defense strategies.
Key News and Analysis
1. Windows SMB Privilege Escalation Flaw (00:00–03:30)
- Active Exploitation Warning: CISA highlights a high-severity (CVSS 8.8) Windows Server Message Block (SMB) vulnerability that’s currently being exploited.
- Affected Systems: Windows Server, Windows 10, and Windows 11 (up to 24H2).
- Exploit Path: Attackers lure users to connect to malicious SMB servers, compromising the protocol and gaining system-level privileges.
- Mitigation: Microsoft released a fix in June 2025; CISA mandates patching for federal agencies by November 10th.
- Quote (Host, 01:44):
"An attacker could trick users into connecting to a malicious application server such as an SMB server, then compromise the protocol. Attackers could gain system level privileges, raising a risk of serious compromise."
2. Urgent Microsoft WinRE Patch (03:35–04:05)
- Issue: Out-of-band update fixes USB input failures in Windows RE (Recovery Environment).
- Symptoms: USB devices become unresponsive (‘silent’) after login.
- Advice: Apply the update immediately; in the meantime, WinRE can still be navigated with a touchscreen or PS/2 input devices, and enterprises can fall back on PXE deployment.
- Quote (Host, 03:53):
"Recovery is rescue for responders, and Microsoft recommends users install the update immediately."
3. F5 Nation-State Hack + Emergency Directive (04:08–05:50)
- Incident: Nation-state actors maintained long-term access to F5 systems, stealing BIG-IP source code and zero-day data.
- Root Cause: Attackers exploited exposed software after staff ignored guidelines.
- Impact: No known code modification or exploitation, but data theft increases surveillance risk.
- Mandates: CISA issued an emergency directive to federal agencies to update F5 products by October 22; UK NCSC also alerts customers.
4. Oracle E-Business Suite Zero-Day: Ripple Effects (05:55–06:45)
- Victims: Envoy Air confirmed as breached via zero-day; campaign likely responsible for recent Harvard attack and may affect American Airlines.
- Attacker: Clop Ransomware Group used the flaw for credential-less remote takeover.
- Key Risk: Vendor patching lag left systems exposed for three months—revealing critical supply chain vulnerabilities.
5. Haywood Healthcare Attack: Impact on Patient Care (06:50–08:05)
- Incident: Massachusetts nonprofit hospital system took networks offline due to attack—ambulances diverted, diagnostics halted, digital systems crippled.
- Expert Insight: Ransomware is increasingly about operational disruption, not just data theft.
- Recommendations: Experts urge zero trust, better patching, segmenting medical devices, and continuous risk analysis.
- Quote (Host, 07:56):
"The attack reflects the healthcare sector's growing vulnerability to ransomware and extortion schemes, where operational disruption, not just data theft, is the goal."
6. Evolving Russian Malware: Cold River’s Chained Suite (08:08–09:17)
- New Arsenal: Cold River replaced public malware with new, chained ‘robot’ tools; uses CAPTCHA lures, DLL side-loading, staged Python/PowerShell backdoors.
- Target Sectors: NGOs, former intelligence officers, NATO resources.
- Defensive Advice: Phishing-resistant controls and detailed monitoring of DLL/process execution.
7. Glass Worm: Developer-Focused Supply Chain Attack (09:20–10:35)
- Impact: 35,000 infected marketplace installs (OpenVSX, MS Visual Studio) using invisible Unicode for obfuscation.
- Payload: Steals developer credentials, crypto wallet data, propagates further by backdooring extensions, and establishes covert access.
- Tactics: Final payloads fetched via Solana blockchain and Google Calendar links.
- Security Takeaways: Scrutinize extensions, enforce strong developer account security, scan for unusual code artifacts before inclusion.
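The "scan for unusual code artifacts" takeaway above, as an added example that is not from the episode or from any project it names: a small Python scanner that flags invisible, bidi-control and unassigned Unicode code points in source text and renders each hit as a visible escape so a reviewer can see it. The category set it treats as suspect is an editorial assumption, not the Glass Worm campaign's actual character set.

```python
import unicodedata
from dataclasses import dataclass
from typing import List

# Unicode general categories that draw no glyph in an editor:
# Cf (format: zero-width joiners, bidi controls, tag characters),
# Co (private use) and Cn (unassigned). Assumption for this example,
# not a list from the episode or any particular scanner.
SUSPECT_CATEGORIES = {"Cf", "Co", "Cn"}

# Constructed sample: a clean-looking JS snippet with two zero-width
# characters appended to line 2 and a right-to-left override opening line 3.
SAMPLE = "const a = 1;\nconst b = 'ok';\u200b\u200c\n\u202eabc\n"


@dataclass
class Finding:
    line: int        # 1-based line number
    col: int         # 1-based column, counted in code points
    codepoint: str   # e.g. "U+200B"
    name: str        # Unicode character name, if assigned


def scan_invisible(source: str) -> List[Finding]:
    """Return every invisible or unassigned code point found in the text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) < 0x80:
                continue  # plain ASCII is never flagged
            if unicodedata.category(ch) in SUSPECT_CATEGORIES:
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unassigned>")))
    return findings


def reveal(source: str) -> str:
    """Rewrite the text so each flagged code point shows as a visible \\u{XXXX} escape."""
    out = []
    for ch in source:
        if ord(ch) >= 0x80 and unicodedata.category(ch) in SUSPECT_CATEGORIES:
            out.append(f"\\u{{{ord(ch):04X}}}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for f in scan_invisible(SAMPLE):
        print(f"line {f.line} col {f.col}: {f.codepoint} {f.name}")
    print(reveal(SAMPLE))
```

Ordinary non-ASCII letters in comments or string literals (accented characters, CJK text) belong to letter categories and are not flagged, so the scanner only reports code points that have no visible rendering.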
8. European Takedown: Latvian SIM Farm Cartel (10:38–11:55)
- Operation: Europol, Eurojust dismantle SIM cartel, seizing 1,200 devices (40,000 SIM cards), $835,000 in crypto, and multiple domains.
- Criminal Output: 49M fake accounts used for scams across 80 countries; $5.2M in estimated losses.
- Lesson: Telecom misuse is integral to organized cybercrime; cross-border collaboration and stricter SIM regulation needed.
9. KK Park Raid: Southeast Asian Scam Disruption (11:58–13:05)
- Details: Myanmar military raids a syndicate hub (KK Park), detains 2,000+, seizes 30 Starlink terminals providing global scam connectivity.
- Backdrop: Hub for romance/investment fraud; fueled by forced labor and ethnic militia control; region faces increasing pressure from China and Thailand.
- Significance: Growing crackdown on cybercrime-compound model exploiting new connectivity like Starlink.
Featured Interview: How to Get Ahead of Scattered Spider
Guest: Josh Kamjoo, CEO & Co-founder of Sublime Security
Segment Start: 15:33
Who is Scattered Spider? (15:33–15:59)
- Description:
"Team Scattered Spider is a notorious at this point threat actor...most well known for conducting socially engineered attacks against organizations...typically those are financially motivated objectives."
— Josh Kamjoo (15:33)
Keys to Their Success: Non-Traditional Social Engineering (16:04–17:44)
- Multichannel attacks: personal email, calls, voice phishing, help desk targeting.
- Rapid adoption of generative AI—seeing deepfakes, voice impersonations.
- Kamjoo:
"We're even seeing deepfakes, we're seeing voice impersonations, we're seeing all kinds of different types of techniques."
— Kamjoo (17:16)
Defending Against Broad, Adaptive Playbooks (17:44–19:19)
- Defense in depth: Layered controls, least privilege, understand attack surface.
- No single control suffices; must map business risks and crown jewels specifically.
- "There is no like one control that is going to protect you against a sophisticated and determined adversary. It's about layered defense and...knowing where your attack surface is."
— Kamjoo (17:54)
The State of Email Security (19:19–24:31)
- Attacks increasingly tailored (over 90% customized by recipient).
- Generative AI accelerates attack adaptation and realism.
- Traditional vs. New Defenses:
- Centralized models insufficient for targeted attacks.
- Sublime uses “distributed detection” tailored to customer context, enabling rapid adaptation.
- "Our thinking was how do we prepare for that inevitability and be able to adapt very rapidly to the changes in the landscape?...we designed a distributed detection model where each of our customers gets really their own copy..."
— Kamjoo (21:06)
Human vs. Automated Analysis (24:31–26:31)
- Philosophy: Automate only where reliable; “escape hatches” for human review when confidence is low.
- Example: Autonomous Security Analyst agent provides verdicts and escalates ambiguous cases for human intervention.
- Configurable risk response for each client.
"We want to automate everything that can be automated with high confidence...we have an escape hatch for the agent to output an unknown verdict."
— Kamjoo (24:48, 25:13)
Memorable Quotes & Moments
- On adversary adaptation:
"The security landscape is always a moving target. You've got an adversary...actively looking to bypass the defensive solutions."
— Josh Kamjoo (19:49)
- AI overhauls everything:
"Context is really important when conducting defense. But...that's kind of just table stakes. That's the foundation is being able to really understand the tone and intent of a message."
— Kamjoo (20:44)
Cybersecurity & AI Merit Badges: Scouts in Cyberspace (27:51)
- Scouting America (formerly Boy Scouts) introduces AI & cybersecurity merit badges, teaching deepfakes, phishing, and ethics.
- CEO Roger Crone: Adapting the legacy institution for the digital world.
- Early adopters: Brothers Charles and Widell Hendricks—Widell aims for Air Force cyber career.
- Note: Girl Scouts launched cyber badges in 2018.
"[The cybersecurity badge] also teaches ethics, proving that even in the age of algorithms, honor codes still matter."
— Host (28:22)
Episode Takeaways
- Critical Patch Alerts: Rapid, coordinated patching and supply chain diligence are urgently required as vulnerabilities (SMB, F5, Oracle) are actively targeted.
- Evolving Threats: Attackers increasingly use chained malware, Unicode/obfuscation, and generative AI to outpace defenses.
- Defensive Evolution: Security teams must adopt defense-in-depth, distributed, context-aware detection, and rapid adaptation—automation and human review working hand-in-hand.
- Broader Societal Engagement: New programs (e.g., Scouting merit badges) signal the growing role of cyber education at all levels of society.
For full details and links to all stories, visit thecyberwire.com
