A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

International law enforcement takes down the BreachForums domains. Researchers link exploitation campaigns targeting Cisco, Palo Alto and Fortinet. Juniper Networks patches over 200 vulnerabilities. Apple and Google update their bug bounties. Evaluating AI use in application security programs. Microsegmentation can contain ransomware much faster and yield better cyber insurance terms. The new RondoDox botnet exploits over 50 vulnerabilities. Researchers tag 13 unpatched Ivanti Endpoint Manager flaws. Our guest is Jason Manar, CISO of Kaseya, sharing his insights into how the private and public sectors can work together for national security. And hackers mistake a decoy for glory.

It's Friday, October 10th, 2024. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. Happy Friday. It's great to have you with us.

The FBI and French police seized BreachForums domains, shutting down ShinyHunters' platform used to leak corporate data. The seizure occurred October 9, with BleepingComputer confirming FBI name servers now control the sites. ShinyHunters acknowledged the loss in a PGP-signed Telegram post, saying backups since 2023, escrow databases and backup servers are now compromised.
They added the forum will not be rebuilt, warning that such platforms have become law enforcement honeypots. Despite the seizure, their dark web leak site remains online, with a Salesforce data dump still scheduled. The takedown exposes historic forum data and signals closer global cooperation. Still, organizations face looming risk as ShinyHunters claims to hold over a billion stolen Salesforce records.

GreyNoise has linked three exploitation campaigns targeting Cisco, Palo Alto Networks and Fortinet devices to IPs on the same subnets, suggesting shared threat actors. The firm first observed scanning of Cisco ASA firewalls weeks before Cisco disclosed two zero-day flaws exploited in China-linked ArcaneDoor espionage attacks. More recently, GreyNoise detected a 500% spike in scanning of Palo Alto GlobalProtect portals, with over 1.3 million login attempts from thousands of unique IPs. These same subnets are now tied to brute-force attacks against Fortinet VPNs. GreyNoise warns that 80% of such spikes precede new firewall or VPN vulnerabilities by about six weeks, advising organizations to harden defenses and block brute-forcing IPs.

Juniper Networks has patched over 200 vulnerabilities in its Junos Space and Security Director platforms, including nine rated critical. Flaws range from cross-site scripting and privilege escalation to remote command execution and backdoor creation. One critical bug allows admin-level command execution. No active exploitation is reported, but Juniper urges immediate patching. The issues pose serious risks to enterprise and telecom networks, especially in Europe, where large Juniper deployments heighten potential impact.

Apple has doubled its top bug bounty payout to $2 million for exploit chains enabling spyware attacks, with total rewards reaching $5 million for findings that also bypass Lockdown Mode or are discovered in beta software.
Announced by Apple security chief Ivan Krstić at Hexacon, the expansion underscores the company's push to incentivize high-impact vulnerability research. Since opening its bounty to the public in 2020, Apple has paid over $35 million to more than 800 researchers. The program now covers one-click WebKit and wireless proximity exploits and adds a Target Flags testing feature. Alongside this, Apple introduced Memory Integrity Enforcement in iPhone 17 devices and pledged 1,000 phones to rights groups supporting at-risk users.

Google has launched a new AI Vulnerability Reward Program offering up to $30,000 for verified bugs in its AI products, including Search, Gemini and Workspace. The program streamlines reporting by consolidating AI-related issues previously handled under the Abuse VRP. Eligible vulnerabilities include data leaks, model theft and phishing enablement involving AI interactions. Since 2018, researchers have earned over $430,000 from AI-related reports. Google says the AI VRP aims to reward high-impact findings while excluding content-based issues like prompt injections.

A new survey from Fastly finds that 90% of security leaders are using or evaluating AI in their application security programs, citing faster vulnerability detection and reduced manual effort. Yet nearly a third act on AI findings without human review, raising concerns over false positives and misplaced trust. Half of the respondents report frequent or occasional inaccuracies, while only 22% rate AI's accuracy as excellent. Key challenges include integration complexity, skills gaps and compliance worries. Despite mixed confidence, 80% plan to expand AI use, emphasizing automation, real-time detection and explainability. Fastly CISO Marshall Erwin cautions that success will depend on reducing false positives and integrating AI effectively to avoid AI shelfware.
A new report from Akamai finds that organizations adopting microsegmentation can contain ransomware much faster and receive better cyber insurance terms. Surveying 1,200 security leaders, Akamai notes that while 90% use some form of segmentation, only 35% employ microsegmentation across their networks. Among enterprises already using microsegmentation, ransomware containment times dropped by about 33%. 75% of organizations say insurers now assess segmentation posture during underwriting, and 60% report receiving lower premiums tied to their segmentation maturity. The report also flags deployment challenges, including network complexity, visibility gaps and organizational resistance, as common barriers to adoption.

Trend Micro has identified a new botnet, RondoDox, that exploits over 50 vulnerabilities across routers, servers, cameras and other devices from more than 30 vendors, active since mid-2025. RondoDox initially targeted a TP-Link router flaw, but has since expanded to include DVRs, CCTV systems and web servers. The botnet leverages both known and unlisted command injection vulnerabilities, 18 without CVEs, several on CISA's Known Exploited Vulnerabilities list. CloudSEK reports a 230% surge in RondoDox activity since mid-2025, with compromised devices used for cryptocurrency mining, DDoS attacks and enterprise intrusions. The malware now spreads via a loader-as-a-service model alongside Mirai and Morte payloads, masking activity by mimicking gaming platforms and VPNs.

Trend Micro's Zero Day Initiative disclosed 13 unpatched Ivanti Endpoint Manager flaws: one local privilege escalation reported in November 2024 and 12 remote code execution issues reported in June of this year. ZDI labels them zero-day upon disclosure, though they're not actively exploited zero-days. No CVEs exist yet; all are high severity, with one scoring 8.8. The local privilege escalation affects AgentPortal via unsafe deserialization to SYSTEM.
The RCEs stem from inadequate input validation across multiple reporting and query classes, mostly leading to authenticated SQL-driven code execution. The highest-severity RCE involves unsafe path use and can be triggered with admin credentials or user interaction. Trend Micro says patches slipped from September and November to March of next year.

Coming up after the break, my conversation with Jason Manar from Kaseya, sharing his insights on public-private cooperation for national security. And hackers mistake a decoy for glory. Stay with us.

They know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's v-a-n-t-a dot com slash cyber.

Jason Manar is CISO at Kaseya.
We recently caught up to discuss his insights on how the private and public sectors can work together for national security.
B
So I would give a generalized statement first, that when I think about cybersecurity and when I think about politics in general, I think about Congress's ability or inability to pass meaningful legislation that keeps up with cybersecurity, if you will, cybersecurity technology and cybersecurity issues and problems. For example, I am a very data analytically driven human being and as such I am still amazed that we don't have certain mandatory reporting requirements or some type of standard that the government has deemed that must be in place, with the exception of FedRAMP for governmental utilization. But you're truly asking about what we see politically, and what we see politically, unlike some of our adversaries, quite frankly, we oftentimes change every four years or potentially eight years. We change, even ever so slightly, our initiatives, and one of the things that has been changed as of late is the mission of CISA. And looking at that there's been some impact, and looking at that there's been some concern. Now I see it from both sides. I see when CISA was started very early on it was very hard for them to find their footing.
A
Right.
B
And then they started coming into their own and they started really filling in some voids within the community. We seem to be pulling away from that and pulling back from that now. It's going to be very interesting to see what governmental or private resources that we have to step in and fill the void.
A
My perspective has been that for many, many years, cybersecurity kind of enjoyed broad bipartisan support. It stayed out of the fray of any particular side's interests. Everyone agreed this was important for our national security, for the security of our citizens. And my sense is that the past couple of years that's kind of drifted away a little bit, or perhaps would it be fair to say we lost a little of our innocence? Is that an acceptable way to frame it?
B
Yeah, I would say we lost a little of our innocence. But being in government, I would say that depending upon which part of government you're in, it's no different than certain businesses. There are different silos, and people understand the problem differently. So those that are closest to it. Right. The line level agents within various organizations that are combating these adversaries and actors every day have a very different understanding of what's going on, quite frankly, than some other parts of the government. And sometimes I think our attention is somewhat diverted. I pause and I hesitate to say because. And this is Jason Manar's take. Right. What I continue to see is in certain ways, Congress and our congressional delegates and representatives having a very difficult time providing legislation, whether it's on cybersecurity or other matters. And I think that affects cybersecurity in a meaningful way. And if you look back to, you know, when the last true legislation was passed, and I'm not talking about, you know, presidential, you know, some type of presidential directive, but actual, you know, congressional cybersecurity legislation, you know, it's truly been some time. And even the laws around cybersecurity, when you look at the laws around cybersecurity, many times they are using financial fraud laws, they're using RICO laws, they're using other laws that aren't necessarily specific. Because all that we have, you know, is one law that was passed back in, I think it was back in the 80s on the books, at least federally for cybersecurity.
A
Yeah. So do you think there's kind of a fundamental velocity mismatch here between the ever accelerating rate at which things happen in the cyber domain and Congress's inability to squeeze anything through?
B
Well, I think it's that, but I also think, and I want to give Congress and I want to give our government the benefit of the doubt somewhat. You know, there are many, many issues to address at any given moment. But I think, truly understanding, right. That where our technology, our data, our intellectual property, and a lot of things that make this a great, great country resides in the digital realm and digital space. And as such, I really believe that we need to give a lot more bandwidth to thinking about how we're protecting, addressing that and how we're doing that, you know, across the board through public and private partnerships. I'm not just speaking to, you know, potential regulatory compliance or congressional mandates, but true public private, you know, collaborations that move the needle in a meaningful way, that protect America's interest while protecting, you know, the interest of our businesses.
A
What do you suppose something like that could look like?
B
Wow, Isn't that the $50,000 question? Or maybe in this realm, 50, you know, $50 trillion question.
A
Yeah.
B
Well, first it's. It has to always start with the dialogue. And I will say CISA, the FBI, and several other entities are trying very hard at getting that dialogue going and keeping that going through several different initiatives. I'm very excited what some agencies are doing to try to bridge that gap. I would obviously like to see that expand. Because truly, the way that I think you get everyone involved is if you get all stakeholders in a room. I know CISA for a while last year, the year before that, they had a committee for RMM security standards, and we were able to push out some security standards for, you know, companies that were selling RMM. And RMM can be a very, very powerful tool, which is why we chose to start there. And there were really legs on continuing that legislation and rolling that into what that looked like with the, you know, SDLC process, CI/CD pipeline, and how we could meaningfully look at technology and businesses that were making products, what that public-private partnership looked like, so that we could have some directions to continue to make things in a safer way for the ultimate end consumer. Right. And I think that's a great place to start. And then I think from that you get some wonderful ideas around things that then grow legs. Because in these meetings, you have not only people from the top sectors within business, but you have representatives that are a part of the legislative team. So you won't necessarily have legislators there, but you'll have part of the legislative team. You'll have people from, you know, cyber warfare from all aspects. You'll have people from all agencies that you can think about, and they're all sharing ideas and trying to come up with that $40 trillion answer, if you will, and how we slowly get there. And I think that's where you kind of have to start, right? 
Because some of the best intended legislation, especially when it starts out, if you don't involve the end technical user, while it may be well intentioned, can lead to adverse consequences. And that's where we don't want to be.
A
Do you suppose that we have what it takes to make these things happen? Is there political will there? Is there good faith partnerships in the making?
B
Yeah. So I will say my time during the FBI, we spent a lot of time building those relationships within Fortune 50 and 100 companies and even some smaller. And so I would say that there are things even from back then, a decade ago, that are still bearing fruit, and there is still some really good traction to be had there with some of the other initiatives. I'll be honest, I'm not sure what the newer initiatives are. And part of that I will take personal blame for, because I am set to go to D.C. and meet with some folks. But unfortunately I think it was just a time of transition last year. So unfortunately that didn't happen. So I'll be going to D.C. I'll be seeing if those things potentially even exist and I'm just unaware. But I know, as I said before, several of the initiatives with CISA and DHS have kind of gone away, and those were some of the ones that I was most engaged with. So while they are reconstructing what that looks like, we're engaging more with other government entities and trying to be of service and trying to make sure that we are a voice for MSPs and small and mid-sized businesses, whom we protect and sell services to.
A
That's Jason Manar from Kaseya.
B
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone.
A
Learn more at WhatsApp.com.

This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's Sponsored Jobs to hire top talent fast, and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.

And finally, in a twist worthy of a digital sitcom, pro-Russian hackers spent September loudly celebrating the takeover of a Dutch water facility, only to discover they'd been splashing around in a honeypot. The group, calling itself TwoNet, had in fact broken into a decoy network built by researchers at Forescout, who quietly watched as the hackers defaced a login page, disabled alarms, and generally made mischief, all in a sandbox. Their victory announcement, complete with the charming signature "Hacked by Barlotti F" (although the F was another word), was met by the cybersecurity equivalent of polite applause. Forescout says the incident illustrates how novice hacktivists are increasingly poking at industrial systems they barely understand. Mistaking honeypots for heroics, TwoNet, like many of its peers, quickly folded, proving that hacktivist groups often have the lifespan of a mayfly, just louder. Still, researchers warn, these bumbling forays mark a worrying shift toward real-world infrastructure as the next big cyber playground. So it turns out the hack of the year was really just a splash in a very well-monitored puddle.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. A quick program note: we will not be publishing this coming Monday in observance of the federal holiday. We'll see you back here on Tuesday. Be sure to check out this weekend's Research Saturday and my conversation with John Fokker, head of threat intelligence at Trellix.
We're discussing their research, Gang Breaking Trust among Cybercriminals. That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 10, 2025
Host: Dave Bittner (A)
Guest: Jason Manar, CISO of Kaseya (B)
This episode delivers a rapid-fire pulse of critical cybersecurity news: from law enforcement's takedown of major data breach forums, to the latest wave of vulnerabilities, and industry trends toward AI and microsegmentation. The episode’s centerpiece is a wide-ranging conversation with Jason Manar (CISO, Kaseya), who shares his nuanced perspective on the lag between policy and technology, the challenge of public-private partnerships, and what true cyber cooperation could look like at the national level. The episode ends with a moment of hacker schadenfreude: pro-Russian hacktivists gleefully celebrating a water facility breach, only to discover they’d been duped by a honeypot.
A dense, expertly paced episode highlighting the rapid flux and perennial lag in cybersecurity: from the international crackdown on leak forums and surging DDoS botnets, to the hard truths facing public-private sector alliances. Jason Manar’s nuanced, candid observations bridge technical realities and legislative inertia, providing a template for listeners eager to understand how national security and business interests can ultimately align—if dialogue and technical input take priority. The show closes with a tongue-in-cheek honeypot tale, reminding listeners of both cyber defense ingenuity and the enduring reality of blundering adversaries.