Transcript
A (0:02)
You're listening to the Cyberwire Network, powered by N2K.
B (0:12)
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

WSUS attacks escalate as an emergency patch fails to fully contain exploited flaws. Schneider Electric and Emerson are listed among victims in the Oracle EBS cyber attack. Google debunks reports of a massive Gmail breach. A new banking Trojan mimics human behavior for stealth. Sweden's power grid operator confirms a cyber attack. Italian spyware targets Russian and Belarusian organizations. The US declines to sign the new UN cyber treaty. Ransomware payments fall to record lows. The US cyber chief calls for a clean American tech stack to counter China's global surveillance push. On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks, Sarit Tagar and Kritivasan Macheri. And AI mistakes Doritos for a deadly weapon.

It's Tuesday, October 28, 2020. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
Researchers warn that a critical Windows Server Update Services, or WSUS, vulnerability is being actively exploited despite Microsoft's recent emergency patch. The flaw enables unauthenticated remote code execution on Windows Server 2012 through 2025, stemming from insecure deserialization of untrusted data. Google's Threat Intelligence Group confirmed multiple intrusions by a threat actor it calls UNC6512, observing reconnaissance and data exfiltration from compromised hosts. Trend Micro reports roughly 100,000 exploitation attempts in a week, with nearly half a million internet-exposed WSUS servers potentially vulnerable. Experts warn that exposed servers could allow attackers to distribute malicious updates downstream, amplifying the threat.

Cybercriminals tied to the Clop ransomware operation have named Schneider Electric and Emerson as victims of an ongoing campaign exploiting Oracle E-Business Suite vulnerabilities. The attackers, believed to be associated with the financially motivated FIN11 group, claim to have stolen large volumes of corporate data, later posted on Clop's leak site. The site lists 2.7 terabytes of data allegedly from Emerson and 116 GB from Schneider Electric, with file structures suggesting origin in Oracle environments. Other organizations, including Harvard University and Envoy Air, have confirmed impact from the same campaign. Researchers say the operation mirrors prior large-scale attacks on MOVEit and Fortra systems, underscoring persistent risks in enterprise software supply chains.

Widespread reports of a massive Gmail data breach grabbed headlines this week, but Google says the claims are false. The confusion began after researcher Troy Hunt added 183 million credentials to his Have I Been Pwned service, sourced from old infostealer malware logs, not a new Gmail hack. Google confirmed there's no evidence of compromise, calling the reports a misunderstanding of recycled data.
The company emphasized that Gmail's defenses remain strong and advised users to enable two-factor authentication.

Researchers at ThreatFabric have identified a new Android banking trojan called Herodotus that uses randomized pauses to evade basic behavioral detection systems. The malware inserts delays of up to three seconds when entering stolen credentials, mimicking human typing speed to appear legitimate. Distributed through smishing links and sideloaded apps, Herodotus abuses Android accessibility services to steal banking credentials, intercept SMS one-time passcodes and display fake login overlays. It shares limited code overlap with the Brokewell trojan discovered earlier this year. Though currently active in Italy and Brazil, Herodotus includes templates for banks and crypto wallets in multiple countries, suggesting broader campaigns ahead. More advanced biometric systems may still detect its automated behavior.

Sweden's state-owned power grid operator Svenska kraftnät confirmed a cyber attack that led to a data breach but did not affect the country's electricity supply. The incident, discovered Saturday, targeted an isolated external file transfer system, according to the organization's chief information security officer. Ransomware group Everest has claimed responsibility, adding Svenska kraftnät to its leak site and alleging theft of roughly 280 GB of data. The company reported the attack to authorities and is investigating the breach's scope. While no critical systems were compromised, the attack underscores the growing threat to critical infrastructure operators from data extortion groups.

Researchers from Kaspersky say Italian spyware from Memento Labs, formerly known as Hacking Team, was used in cyber attacks targeting organizations in Russia and Belarus.
The commercial surveillance tool, called Dante, appeared in incidents linked to a threat group dubbed ForumTroll, which has previously targeted Russian institutions with phishing and Chrome zero-day exploits. Kaspersky could not confirm who commissioned the attacks or whether Memento Labs knew of Dante's deployment. The discovery marks the spyware's first confirmed use since its 2023 debut for law enforcement clients. ForumTroll's campaigns leveraged a custom loader, LeetAgent, to deploy Dante in select cases, showing advanced espionage capabilities. Memento Labs declined to comment on the findings.

More than 70 countries, including the UK, China, Russia and the European Union, signed the new UN Convention against Cybercrime in Hanoi, while the United States notably withheld its signature. The treaty establishes the first global framework for sharing electronic evidence and coordinating cross-border cybercrime investigations. UN Secretary-General António Guterres called the convention a powerful, legally binding instrument against crimes like ransomware, money laundering and online trafficking. But critics warn it could enable mass surveillance and suppress digital freedoms under authoritarian regimes. The State Department said the US is still reviewing the treaty, which will take effect after 40 ratifications.

Ransomware payments have fallen to their lowest level on record, with just 23% of victimized organizations paying attackers in the third quarter of this year, according to Coveware. The firm says the steady six-year decline reflects stronger defenses, improved incident response and growing pressure from authorities not to pay. Average ransom payments dropped to $377,000, with median payments at $140,000. Data theft now dominates ransomware activity, featured in 76% of incidents, and payment rates fall to 19% when only exfiltration is involved.
Groups like Akira and Qilin increasingly target medium-sized firms, while remote access compromise and software vulnerabilities remain top entry points. Coveware says every avoided payment constricts attackers' oxygen, validating collective defensive progress.

National Cyber Director Sean Cairncross warned that China is attempting to export a surveillance state across planet Earth and urged the US to promote a clean American tech stack as a democratic alternative. Speaking at the 2025 Meridian Summit, Cairncross said Washington must engage both current and emerging partners to push back against Beijing's growing digital influence, which he described as destabilizing and aimed at undermining US decision making. He said the upcoming US cybersecurity strategy under President Trump will emphasize posture and action over length or rhetoric. Strengthening the Office of the National Cyber Director remains his top priority, following recommendations from the Cyberspace Solarium Commission. Cairncross also urged Congress to renew the expired Cybersecurity Information Sharing Act, calling its protections essential for industry collaboration on cyber threats.

Coming up after the break, in our Threat Vector segment, David Moulton speaks with his Palo Alto Networks colleagues about urgent challenges of securing modern development in the age of AI and shifting security left. And AI mistakes Doritos for a deadly weapon. Stick around.

And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

What's your 2 a.m. security worry?
Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

On today's Threat Vector segment, David Moulton speaks with a pair of his Palo Alto Networks colleagues, Sarit Tagar and Krithi Macheri. They're diving into some of the urgent challenges of securing modern development in the age of AI. Here's their conversation.
