Whistle-blown and wide open.

A

You're listening to the Cyberwire network. Powered by N2K.

B

The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real time risk workflows and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of Smarter compliance. Visit www.hyperproofio to see how leading teams are transforming their GRC programs. A whistleblower claims Doge uploaded a sensitive Social Security database to a vulnerable cloud server Allies push back against North Korean IT scams Zipline is a sophisticated phishing campaign targeting US Based manufacturing. Researchers uncover a residential proxy network operating across at least 20 US states. Flock safety license license plate readers face increased scrutiny. A new report chronicles DDOs through the first half of the year. LLM guardrails fail to defend against run on sentences A South American apt targets the Colombian government. Our guest is Harry Thomas, founder and CTO at Frenos, on the benefits of curated and vetted AI training data and one man's fight against phantom jobs. Posts.

C

Foreign.

B

August 27, 2025 I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. A whistleblower complaint has revealed that the Department of Government Efficiency doge, a group tied to Elon Musk's Government Tech initiative, uploaded a copy of The Social Security Administration's Numident database containing records of over 548 million Social Security numbers to a vulnerable cloud server back in June, the New York Times reports the database includes full names, addresses and birth dates, making it one of the most sensitive US Repositories of personal information. The complaint, filed by Social Security's chief data Officer Charles Borges, warns of catastrophic impact if the data were exposed, including mass identity theft and the costly reissuance of Social Security numbers. Borges alleges Doge bypassed standard security oversight, excluded him from discussions and ignored risk assessments, labeling the project high risk. While no breach has been confirmed, documents show Doge pushed forward despite repeated warnings. The complaint, supported by whistleblower lawyers, claims Doge's actions may have violated federal laws protecting government data. Governments and tech firms met in Tokyo this week to share strategies against North Korea's covert IT workers scheme. Organized by the U.S. japan and South Korea, the forum gathered over 130 participants from payment providers, crypto exchanges, AI companies and freelance platforms. For years, North Korean citizens posing as foreign contractors have landed IT jobs at Western firms using stolen IDs earning millions to fund Pyongyang's weapons programs. Hundreds have secured roles, sometimes holding multiple jobs at Fortune 500 companies. While their work often appears competent, U.S. officials warn of risks including data theft, reputational harm and insider access for future hacks. North Korea linked groups like Lazarus have stolen over $600 million from crypto firms, prompting tighter cooperation and recent sanctions. Researchers at Check Point have uncovered Zipline, a sophisticated phishing campaign targeting U S based manufacturing and supply chain critical indust. Unlike traditional phishing, attackers begin contact through a victim's public contact US form, prompting companies to respond and creating an appearance of legitimacy. They then sustain weeks of credible email exchanges, often under the guise of business partnerships or AI transformation initiatives. Before delivering a malicious zip file. The payload contains Mix Shell, a custom in memory implant. Using DNS tunneling and HT fallback for command and control. Mix Shell enables file operations, proxying, command execution and persistence. Attackers leverage aged U.S. registered domains with cloned websites to boost credibility. Dozens of organizations, including large manufacturers and smaller firms were targeted. The campaign demonstrates how patient trust based social engineering combined with advanced malware can bypass traditional defenses, highlighting the need to scrutinize even routine inbound business interactions. Elsewhere, Fortiguard Labs has uncovered a global phishing campaign using personalized emails and spoofed websites to spread Upcryptor, a malware loader that deploys multiple remote access tools including Pure hvnc, DC rat and Babylon rat. Attackers use convincing lures such as missed voicemail messages or purchase orders with malicious HTML attachments. These scripts redirect victims to phishing pages tailored with their email domains and logos, making the sites appear legitimate. Once on the page, victims are prompted to download a zip file containing an obfuscated JavaScript dropper. This triggers powershell commands, bypasses security checks and executes payloads directly in memory. Upcryptor ensures persistence, evades analysis and and retrieves additional malware from attacker controlled servers. The campaign has already spread rapidly across multiple industries, highlighting how attackers now use advanced loaders to maintain long term control inside networks far beyond simple phishing attempts, Infrawatch and Krebson Security have identified DSLroot, a residential proxy network operating across at least 20 US states. Unlike typical proxy providers that rely on mobile SDKs, DSLroot installs dedicated hardware in American homes, creating persistent access to residential IPs. The service is managed by Andrei Hollas, a Belarusian national with residences in Minsk and Moscow. Researchers estimate roughly 300 active devices, primarily using CenturyLink and Frontier IP space. Technical analysis shows DSLroot's custom software can remotely manage consumer routers and even Android devices, enabling IP rotation and anonymous traffic routing. The network operates without authentication, exposing US infrastructure to foreign control. DSLroot markets its proxies on underground forums alongside related services like virtual credit cards and company formation, offering global clients Stealth access to U S based IPs for $190 per month. Customs and Border Protection quietly gained access to more than 80,000 flock safety license plate reader cameras nationwide, giving federal agents sweeping visibility into vehicle movements across the US according to reporting from 404 Media. This access extended far beyond what local jurisdictions had been told, with many city officials unaware their camera data was being shared. In response to the revelations, Flock announced it would pause all federal pilot programs and limit direct federal access. The fallout is already unfolding at the local level. Yesterday, Evanston, Illinois voted to shut down its license plate reader system and terminate its contract with flock safety by September 26th. The decision followed a state audit revealing that Flock had illegally shared Illinois plate data with federal agencies, including CBP, in violation of a 2024 state law. Evanston officials cited both the privacy risks and the company's non compliance as reasons for ending the program. A new report from Netscout recorded over 8 million global DDoS attacks in the first half of 2025, the highest ever. Hacktivists and nation states now time their assaults with major political events, crippling communications, energy and transport. Europe, the Middle east and Africa bore 3.2 million attacks, including a 3.12 terabit per second strike. In the Netherlands, groups like Noname O5 716 dominate, launching hundreds monthly, while newcomers like Dinet and Kimas quickly spread with AI driven automation, cheap DDoS for hire services and vast IoT botnets. Experts warn traditional defenses are increasingly obsolete. Researchers at Palo Alto Networks unit 42 have found a simple but powerful way to jailbreak large language models run on sentences with bad grammar. By packaging all instructions into one continuous clause without punctuation, attackers can bypass safety guardrails before they activate. Tests showed an 80 to 100% success rate against major models like Llama, Gemma and Quen. The team introduced the concept of the refusal affirmation logit gap, highlighting that alignment training only reduces but not erase the chance of harmful outputs. Their proposed defenses include a sort sum stop method and layered protections such as input sanitization, external AI firewalls and post generation filtering. Senior Director Billy Hewlett stressed that alignment is a patch on top of models that still contain unsafe knowledge, meaning jailbreak risks will persist. While the technique hasn't been observed in the wild yet, researchers warn this cat and mouse game will likely continue recorded futures Insict group has linked five activity clusters to tag 144, also known as blind Eagle, a South American APT that conducts cybercrime alongside espionage. The clusters share tactics such as using cracked rats, dynamic DNS services and legitimate Internet services for staging, but differ in infrastructure and malware deployment. Most victims are within the Colombian government at multiple levels. Tag 144 also shows ties to Red Akadon and has leveraged compromise government email accounts for spear phishing. Recommended defenses include IP and domain blocking, enhanced email filtering data, exfiltration monitoring, and updated Yara, Sigma and SNORT rules. Coming up after the break, my conversation with Harry Thomas, founder and CTO at frenos. We're discussing the benefits of curated and vetted AI training data and one man's fight against phantom job posts. Stick around Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for A free demo that's V A N T a dot com Cyber.

A

Running a business comes with a lot of what ifs, but luckily there's a simple answer to them. Shopify. It's the commerce platform behind millions of businesses including Thrive Cosmetics and Momofuku. And it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into sign up for your $1 per month trial@shopify.com specialoffer.

B

Now, I'll admit right up front this next segment is a bit self promotional, but do stick with me because I think you'll see why it matters. Here at N2K, we've been curating and refining our certify knowledge base for more than 25 years. We think it's the gold standard for cybersecurity certification practice exams. And now we're opening it up to help power the next wave of AI driven innovation. So yes, I'm bragging a little bit, but I promise there's real value here, especially as we talk about our new partnership with Franos, an OT security innovator working to protect critical infrastructure. And joining me now is Harry Thomas, founder and CTO at Franos. Harry, thanks so much for taking the time for us today.

D

Hey, nice to be here. Thanks, Dave.

B

So I want to start from the very beginning here. Can you describe for our audience what this partnership between N2K and Franos is all about?

D

Yeah, certainly. So the partnership, what it really comes down to is large language models. AI models right now are generally benchmarks on how well they do at general education or general math being done. And it's really hard to understand how these language models perform with task specific results. Our partnership with N2K is really utilizing your training data, your exams to benchmark and understand how our language model at Franos it will perform. Right? I mean, language models need some form of intelligence and utilizing the data from N2K allows us to bake in the intelligence of professionals within our field to assist with cybersecurity.

B

So unlike data that's scraped from the open web, our knowledge base is highly curated. Can you explain why that matters in an AI context?

D

So even like scraping general web data, it needs to go through some sort of fine tuning, process, some formatting so that language models understand and can utilize it. You can't just scrape the web and utilize it that way. The same thing is with this highly curated N2K data. What it does is it gives us like up to date information on how current technologists should operate within a professional setting. Because the problem with just scraping data off the Internet is that it's historic data, right? Sometimes since the Internet's been around and it's really hard to tell a language model to put less emphasis on that type of data when you're training it. So the benefit of the M2K curated data is that it kind of mimics how professionals now operate rather than historically type of training or historical type of data.

B

There's been references in the information about this effort that the data set is living and continuously updated to reflect evolving certification standards and vendor technologies. What part does that play in all of this?

D

I mean, it plays a big part in all of this, right? I mean, technology is evolving day after day. There's new innovations, new, you know, we're talking about cybersecurity, new cybersecurity principles that we need to worry about. And the fact that, you know, N2K data is living and it gets updated quite frequently really helps us out here at Franos, because then we can utilize that data, train a language model, or utilize some of the data within retrieval, augmented generation so that, you know, the language model doesn't necessarily need to be trained. It already has this base foundational knowledge. But with all this extra information that we're able to get from this N2K partnership, we're able to be on the cutting edge, bleeding edge of cybersecurity and ensuring that our customers are able to reap the benefits of having kind of this kind of consultant in a box. You know what I mean?

B

Yeah, let's talk about that. I mean, your focus is innovation in OT security. What do you hope comes out of this for your customers?

D

That is a really good question. Well, what I'm really expecting for our customers to understand and utilize this language model that's been trained on this data for is really understand that it's kind of like a trusted partner, right? I mean, obviously trust by verify, that's Cybersecurity 101. But certainly work with our language model or our AI reasoning agent, we've named her Saira. Work with her to understand and gain a grasp of kind of your environment, how your environment might operate against threat actors. But also look to Cyra to help you figure out what you need to work on next. And like I said, in a kind of trusted advisorship, what do you think.

B

Distinguishes this resource from some of the other data sets that are out there?

D

I mean, the first and foremost, you have a Whole company behind this data set putting in hours and hours of work to ensure that it is up to snuff to train human cybersecurity professionals in the field and make them successful. What you really lack from the other data sets that are out there is they're, you know, open source. Open source isn't a bad thing, but you don't have somebody, you know, getting paid to pour in all of those working hours to make sure that this data set is really like up to snuff and can benefit a lot of other individuals or a lot of other AI models. You know what I mean?

B

Yeah. What sort of timeline are we on here? When do we expect this to be available to folks out there who want to take advantage of it?

D

Well, the language model is built inside the Fronos platform and we're already utilizing some of the N2K data. Right now we internally benchmark our language models on N2K data. I probably should put out a blog post about that, showing how Cyra operates with the N2K data and the benchmarks that we're getting from it. Quite frankly, just our internal testing and results. Our language model Cyra is doing close to on par with these larger language models like ChatGPT and Claude. Right. You know, they might get a 80, 90%, but our language models are coming very close to those task specific results, which is pretty cool. But yeah, to answer your question, as we continue releasing the Franos platform through our release cycle for the rest of the year, more and more of the N2K data is coming into and influencing Cyra.

B

All right, well, there you have it. We took a minute to brag about our own work and our collaboration with Franos and we hope our audience will forgive us because we think it really does matter. The N2K certify knowledge base isn't just about practice exams anymore. It's becoming part of the foundation for AI solutions that can help keep our critical infrastructure safe. And that is what Franos is working on. Harry Thomas is the founder and CTO at Franos. Harry, thanks so much for joining us.

D

Yeah, thank you. Pleasure being here.

B

Foreign, you hear from us here at the Cyberwire daily every single day now. We'd love to hear from you. Your voice can help shape the future of N2K networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks.

C

Hey guys, it's CD Lam wide receiver for the Dallas Cowboys. I'm partnering with Abercrombie this season to tell you all about their viral denim. All you need to know is denim should fit like this. My jeans need to check a lot of boxes fit first, trend second. They need to go with whatever I'm feeling, and Abercrombie Denim has it down whether I'm throwing on a tee or putting a whole fit together. Shop Abercrombie Denim in the app, online and in store.

E

This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

B

And finally, when Eric Thompson lost his job in late 2024, he expected the usual frustration of job hunting. Awkward interviews, long silences, maybe even a rejection or two. What he didn't expect was to spend months chasing ghost jobs, positions posted online that employers never actually planned to fill. Annoyed enough to turn ghostbusting into a side hustle, Thompson founded the Truth in Job Advertising and Accountability act working group. The group's draft proposal would require employers with over 50 staff to list details like start dates, whether a role is new or just recycling, and even how many times it's been posted. Violators could face fines of at least $2,500. About 17% of jobs on Greenhouse in the second quarter of 2025 fell into the ghost category, making it a common headache. Thompson now spends 20 to 30 hours a week pitching the idea to Congress. Whether lawmakers will prioritize ghostbusting remains hauntingly unclear. And that's the Cyberwire. For links to the all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August, so there's just a few days left. There's a link in the show Notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.