CyberWire Daily — "Whistle-blown and wide open."
Date: August 27, 2025
Episode Overview
This episode delivers a packed briefing on the latest cybersecurity news, from whistleblower complaints about a massive Social Security data exposure to global responses to North Korean IT scams and new phishing campaigns targeting U.S. manufacturers. The show features an interview with Harry Thomas, founder and CTO at Franos, who discusses the value of curated, regularly updated data in training AI for cybersecurity. The episode wraps with a look into the epidemic of “phantom” job listings haunting job hunters.
Key Discussion Points & Insights
1. Massive Social Security Data Exposure Allegation
[02:37–04:30]
- Incident: A whistleblower claims DOGE (a group tied to Elon Musk's government technology initiative) uploaded the entire Social Security Administration Numident database (548 million records) to a vulnerable cloud server in June.
- The database contains sensitive details: full names, addresses, birth dates, and Social Security numbers.
- Risks Identified: Catastrophic impacts include mass identity theft and costly reissuance of SSNs.
- Process Failures:
  - DOGE allegedly bypassed security oversight, excluded chief data officer Charles Borges from discussions, and ignored risk assessments.
- Potential Fallout: The complaint claims federal law violations and calls into question tech industry data handling.
Memorable Quote:
"Borges alleges DOGE bypassed standard security oversight, excluded him from discussions and ignored risk assessments, labeling the project high risk."
—Dave Bittner, [03:38]
2. International Efforts Against North Korean IT Worker Scams
[04:30–05:38]
- Background: U.S., Japan, and South Korea convened 130+ stakeholders (payments, crypto, AI, freelance platforms) in Tokyo to strategize against North Korea’s covert IT workforces.
- North Koreans using stolen identities land remote IT jobs in Western firms to fund state weapon programs.
- Scale: Hundreds of jobs at Fortune 500s, millions earned, significant insider risk and potential for future hacks.
- Response: Tighter sanctions and government cooperation ramping up.
Quote:
“For years, North Korean citizens posing as foreign contractors have landed IT jobs at Western firms using stolen IDs earning millions to fund Pyongyang's weapons programs.”
—Dave Bittner, [04:51]
3. Advanced Phishing Campaigns Targeting U.S. Manufacturing & Critical Infrastructure
[05:39–07:23]
- ZipLine Campaign (per Check Point research):
  - Begins through companies’ public contact forms to establish legitimacy.
  - Prolonged, professional email exchanges precede delivery of a malicious ZIP file carrying the MixShell implant.
  - Tactics: DNS tunneling, aged, legitimate-looking domains, and a payload that performs command execution and establishes persistence.
- Significance: Demonstrates a shift towards “patient,” trust-based social engineering that bypasses controls.
Quote:
“The campaign demonstrates how patient, trust-based social engineering combined with advanced malware can bypass traditional defenses...”
—Dave Bittner, [07:02]
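The ZipLine summary lists DNS tunneling among the campaign's tactics. As an added illustration (not code from the episode, from Check Point, or from any project the show mentions), the following script runs a simple DNS-tunneling heuristic over constructed DNS query log lines: it groups queries by zone and flags zones whose leftmost labels are long, high-entropy, and queried repeatedly. The log format, the thresholds, and the rule that the registered domain is the last two labels are all assumptions made for the example; a real deployment would use a public suffix list and tune thresholds against baseline traffic, since CDNs and some security products also generate high-entropy labels legitimately.

```python
"""
Added example: heuristic detection of DNS-tunneling-style query patterns.
Log format, thresholds and the zone rule are assumptions for this illustration;
all log lines below are constructed sample data, not captured traffic.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname>"
# The first three lines are ordinary browsing; the last five mimic a host
# beaconing encoded data through long hex subdomain labels of one zone.
SAMPLE_LOG = """\
2025-08-27T10:00:01Z 10.0.0.5 A www.example.com
2025-08-27T10:00:02Z 10.0.0.5 A mail.example.com
2025-08-27T10:00:03Z 10.0.0.5 A cdn.example.com
2025-08-27T10:00:04Z 10.0.0.7 TXT 3a9f1c7e4b2d8e0f19a4c6d2e8b7f3a1.updates-cdn.example
2025-08-27T10:00:05Z 10.0.0.7 TXT 7c2e9b1d4f8a3c6e0b5d2a9f7e1c4b8d.updates-cdn.example
2025-08-27T10:00:06Z 10.0.0.7 TXT b81e4a2f9c6d0e3b7a5f1d8c2e9b4a6f.updates-cdn.example
2025-08-27T10:00:07Z 10.0.0.7 TXT e4d7a1c9f2b6e8d0a3c5b9f7e1d4a2c8.updates-cdn.example
2025-08-27T10:00:08Z 10.0.0.7 TXT 9f2c6e1b4d8a0e7c3b5f9d1a6e2c8b4f.updates-cdn.example
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Return (client_ip, qtype, qname) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def find_suspicious(log_text: str, min_queries: int = 5,
                    min_label_len: int = 24, min_entropy: float = 3.0) -> dict:
    """
    Group queries by zone and flag zones whose leftmost labels look like
    encoded data: many queries, long labels, high mean entropy.
    Returns {zone: {"queries", "mean_label_len", "mean_entropy", "clients"}}.
    """
    per_zone = defaultdict(lambda: {"labels": [], "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, _qtype, qname = rec
        labels = qname.split(".")
        if len(labels) < 3:          # no subdomain label to inspect
            continue
        # ASSUMPTION: registered domain is the last two labels (use a
        # public suffix list in practice).
        zone = ".".join(labels[-2:])
        per_zone[zone]["labels"].append(labels[0])
        per_zone[zone]["clients"].add(client)

    flagged = {}
    for zone, info in per_zone.items():
        labels = info["labels"]
        n = len(labels)
        mean_len = sum(len(l) for l in labels) / n
        mean_ent = sum(shannon_entropy(l) for l in labels) / n
        if n >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[zone] = {
                "queries": n,
                "mean_label_len": round(mean_len, 2),
                "mean_entropy": round(mean_ent, 2),
                "clients": sorted(info["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in find_suspicious(SAMPLE_LOG).items():
        print(f"suspicious zone {zone}: {stats}")
```

Run against the sample, only `updates-cdn.example` is reported, with its single querying client listed; `example.com` is not, because its labels are short and few. Raising `min_queries` or lowering `min_entropy` trades false negatives against false positives, which is the tuning decision a SOC has to make per environment.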
4. Global UpCrypter Malware Loader Campaign
[07:23–08:24]
- UpCrypter Loader (per FortiGuard Labs):
  - Spread via personalized emails and spoofed web pages tailored to the victim.
  - Acts as a loader for remote access trojans (PureHVNC, DCRat, Babylon RAT).
  - Advanced evasion and persistence techniques allow attackers to retain access far longer than a typical phishing compromise.
5. Residential Proxy Network "DSLroot" Identified
[08:25–09:31]
- Discovery: Infrawatch and KrebsOnSecurity identified “DSLroot” operating in 20 U.S. states.
- Installs dedicated hardware in residential homes, giving persistent access to residential IP addresses without authentication.
- Managed by a Belarusian national, who sells access to U.S. IPs for $190/month via underground forums.
- Risks: U.S. infrastructure potentially exposed to foreign control; the network is exploited for stealthy access.
6. License Plate Reader (LPR) Data Sharing Scandal
[09:32–10:55]
- Disclosure: U.S. Customs and Border Protection had access to 80,000+ Flock Safety LPRs nationwide—often without local knowledge.
- Repercussions: Following a state audit in Illinois revealing illegal data sharing, Evanston terminated its system.
- Flock Safety paused federal pilot programs, now limiting direct federal access.
7. DDoS Attacks Reach Record Highs
[10:56–12:14]
- Headline: Netscout reports over 8 million DDoS attacks worldwide in H1 2025.
- Attacks increasingly timed with major political events.
- AI, cheap DDoS services, and IoT botnets drive unprecedented scale; traditional defenses proving obsolete.
- Most impacted: Europe, Middle East, and Africa.
8. Failures in AI Language Model Guardrails
[12:15–13:46]
- Research (Palo Alto Networks):
  - By using run-on sentences and poor grammar, attackers can “jailbreak” LLM guardrails with up to 100% effectiveness.
  - Term: “Refusal-affirmation logit gap”: alignment reduces but does not eliminate harmful outputs.
  - Proposed defenses: input sanitization, external AI firewalls, layered filtering.
  - The jailbreak technique has not been seen in the wild, but researchers anticipate a continued “cat and mouse” dynamic.
Quote:
"Alignment is a patch on top of models that still contain unsafe knowledge, meaning jailbreak risks will persist."
—Billy Hewlett (Unit 42), [13:25]
9. South American APT "Blind Eagle" (TAG-144) Expands Operations
[13:46–14:50]
- Activity: Five clusters using cracked RATs, dynamic DNS, and legitimate services for staging, targeting the Colombian government.
- Spear phishing sent from compromised government email accounts.
- Recommendations: Enhanced blocking, updated detection rules (YARA, Sigma, Snort), and stricter monitoring for exfiltration.
10. Interview: Harry Thomas, Founder and CTO at Franos — The Value of Curated AI Training Data
[15:52–23:09]
a. Using Curated Data to Benchmark and Enhance AI for Cybersecurity
- Partnership: Franos is integrating N2K’s curated cybersecurity knowledge base to train and benchmark its language model ("Cyra").
- Why Curation Matters:
  - Web-scraped data is often out-of-date or irrelevant; curated data reflects current standards and best practices.
  - Curated datasets accelerate fine-tuning and improve reliability in professional, real-world contexts.
Quote:
“The benefit of the N2K curated data is that it kind of mimics how professionals now operate rather than historically type of training or historical type of data.”
—Harry Thomas, [17:44]
b. Keeping Pace with Change
- Living Dataset: Continuous updates mirror evolving technologies and certifications.
- Enables Franos’ AI to act as a “consultant in a box” aligned with latest threats and standards.
Quote:
"...with all this extra information that we're able to get from this N2K partnership, we're able to be on the cutting edge, bleeding edge of cybersecurity and ensuring that our customers are able to reap the benefits..."
—Harry Thomas, [18:55]
c. Trust and Verification for OT Security
- Vision: The tool becomes a trusted partner for operators in critical infrastructure—advising on threats and best actions, but with the Cybersecurity 101 principle of “trust but verify” always in mind.
Quote:
“I mean, obviously, trust but verify, that's Cybersecurity 101. But certainly work with our language model or our AI reasoning agent, we've named her Cyra...”
—Harry Thomas, [19:57]
d. Distinction From Other Data Sets
- N2K's Edge: Human experts maintain and verify the knowledge base, which is a significant improvement over open-source or web-scraped alternatives.
e. Rollout
- Current Status: Franos already benchmarks internal models with N2K data; performance rivals large LLMs like ChatGPT and Claude on task-specific cybersecurity questions.
- Expansion: More N2K data will be integrated through the rest of 2025.
11. The Epidemic of Phantom Job Listings
[24:53–end]
- After losing his job, Eric Thompson discovered many “ghost jobs” — positions posted online but never intended to be filled.
- New Advocacy: Founded the Truth in Job Advertising and Accountability Act working group (proposed requirements for transparency and penalties).
- Scope: 17% of jobs on Greenhouse in Q2 2025 were ghosts.
- Thompson now lobbies Congress for legislative action.
Notable Quotes & Timestamps
- On the SSA Data Exposure:
  “Borges alleges DOGE bypassed standard security oversight, excluded him from discussions and ignored risk assessments, labeling the project high risk.”
  —Dave Bittner, [03:38]
- On North Korean IT Worker Risks:
  “For years, North Korean citizens posing as foreign contractors have landed IT jobs at Western firms using stolen IDs earning millions to fund Pyongyang's weapons programs.”
  —Dave Bittner, [04:51]
- On Evolving DDoS Defenses:
  “Experts warn traditional defenses are increasingly obsolete.”
  —Dave Bittner, [11:37]
- On AI Guardrails and Ongoing Risks:
  "Alignment is a patch on top of models that still contain unsafe knowledge, meaning jailbreak risks will persist."
  —Billy Hewlett (Unit 42), [13:25]
- On the Value of Curated AI Data:
  “The benefit of the N2K curated data is that it kind of mimics how professionals now operate rather than historically type of training or historical type of data.”
  —Harry Thomas, [17:44]
- On Trust in AI for Cybersecurity:
  “...work with our language model...to understand and gain a grasp of kind of your environment, how your environment might operate against threat actors.”
  —Harry Thomas, [19:57]
Important Timestamps
- [02:37–04:30]: SSA data exposure whistleblower complaint.
- [04:30–05:38]: North Korea IT scam forum.
- [05:39–07:23]: ZipLine phishing campaign.
- [07:24–08:24]: UpCrypter malware loader campaign.
- [08:25–09:31]: DSLroot proxy network exposé.
- [09:32–10:55]: Flock LPR and Evanston city response.
- [10:56–12:14]: DDoS attack record.
- [12:15–13:46]: AI guardrail jailbreak research.
- [13:46–14:50]: Blind Eagle/TAG-144 APT update.
- [15:52–23:09]: Interview with Harry Thomas (Franos).
- [24:53–end]: Ghost job advocacy movement.
Conclusion
This episode offers a sweeping and insightful look at top cybersecurity headlines, blending breaking news with in-depth expert analysis. The standout interview with Harry Thomas underscores why curated, up-to-date training data will be foundational for defending critical infrastructure using AI. For the industry and job seekers alike, the episode stresses vigilance—whether against advanced threats or the everyday specter of phantom jobs.
