CyberWire Daily Podcast Summary

Episode: Windows servers under siege
Date: October 28, 2025
Host: Dave Bittner, N2K Networks
Featured Segment: Threat Vector with David Moulton, Sarit Tagar, Krithi Macheri (Palo Alto Networks)

Overview

This episode provides a comprehensive briefing on current and emerging cybersecurity threats, focusing on the ongoing exploitation of a critical Windows Server Update Services (WSUS) flaw, high-profile supply chain attacks, the realities behind alleged major data breaches, novel malware targeting, cybercrime trends, and the evolving challenges of securing AI-driven software development. The episode concludes with a memorable story of AI mistaken identity involving a bag of Doritos.

Key Discussion Points & Insights

1. Critical Windows WSUS Vulnerability Actively Exploited

[00:59 – 02:25]

Researchers warned about an unpatched WSUS flaw allowing remote code execution on Windows Server 2012-2025.
Trend Micro observed 100,000+ exploitation attempts within a week, estimating nearly half a million exposed servers.
Attackers could hijack update processes to deliver malicious code downstream.
Microsoft’s emergency patch has not fully stopped exploitation.
Notable Quote:
“Researchers warn that a critical Windows Server Update Services, or wsus vulnerability is being actively exploited despite Microsoft's recent emergency patch.” – Dave Bittner [01:21]

2. Enterprise Supply Chain Attack Update

[02:26 – 03:37]

CLOP ransomware group listed Schneider Electric and Emerson as victims—implicating Oracle E-Business Suite vulnerabilities.
Claims of stealing and leaking large volumes of corporate data (e.g., 2.7TB from Emerson).
Other organizations like Harvard and Envoy Air affected.
This campaign is reminiscent of previous MOVEit and Fortra attacks, highlighting persistent enterprise software risks.

3. Gmail Data Breach Reports Debunked

[03:38 – 04:15]

Google refuted claims of a recent Gmail breach—they were based on recycled data from malware logs, not a new incident.
Researcher Troy Hunt clarified that 183 million credentials added to “Have I Been Pwned” stem from old infostealer logs.
Google recommends two-factor authentication as a best practice.

4. Advanced Banking Trojan: Herodotus

[04:16 – 05:18]

ThreatFabric discovered “Herodotus,” an Android banking trojan that mimics human behavior by inserting short, randomized typing delays, evading simple detection.
Distributed via smishing and sideloaded apps; targets banking and crypto wallet users in multiple countries.
Abuses Android Accessibility Services and can bypass some biometric detection.

5. Critical Infrastructure Targeted: Swedish Power Grid

[05:19 – 06:19]

Svenska Kraftnät, Sweden’s state-owned grid operator, confirmed a cyberattack resulting in a data breach (claimed by Everest ransomware group).
The breach affected an isolated external file sharing system, not primary grid operations.
Draws attention to rising risks for critical infrastructure from extortion groups.

6. Italian Spyware Targets Russian and Belarusian Orgs

[06:20 – 07:18]

Italian vendor Memento Labs’ spyware “DANTE” deployed against organizations in Russia and Belarus, marking its first confirmed use since 2023.
Deployed by “Forum Troll,” a group known for advanced espionage.
Raises concerns about proliferation and oversight of commercial spyware.

7. UN Cybercrime Treaty – US Declines to Sign

[07:19 – 08:08]

Over 70 countries signed a new global cybercrime convention; the US has withheld its signature pending review.
Treaty aims at facilitating global cybercrime law enforcement, but privacy advocates warn of expanded surveillance powers.
The US hesitates over potential impact on digital freedoms.

8. Collapse in Ransomware Payments

[08:09 – 09:09]

Coveware reports historic lows in ransomware payment rates (23% of victims paid in Q3).
Attributed to improved defense, coordinated law enforcement response, and less incentive to pay.
Average payments: $377,000; median: $140,000.

9. US Policy Updates – China and “Clean Tech Stack”

[09:10 – 10:10]

National Cyber Director Shawn Cairncross urged building a “clean American tech stack” to counter China’s global surveillance ambitions.
Emphasized the importance of a robust cybersecurity strategy and renewing expired information-sharing laws for industry-government collaboration.

10. Memorable Anecdote: AI Mistakes Doritos for a Gun

[21:13 – 21:56]

Baltimore County police, responding to an AI gun detection system alert, found only a football player eating Doritos. The system falsely flagged the snack bag as a weapon.
Raises questions about the reliability—and societal consequences—of automated surveillance and AI-powered public safety technologies.
Notable Quote:
“The culprit? Not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his packet of chips as a firearm, prompting what one might call a highly seasoned police response.” – Dave Bittner [21:24]

Feature Segment: Threat Vector – Securing Modern Development in the Age of AI

[14:07 – 20:46]

Main Theme

David Moulton explores urgent challenges in securing modern software development pipelines, especially as AI rewrites the rules and accelerates code generation and delivery.

Key Points & Quotes

AI Introducing New Development Risks
Sarit Tagar (VP Product Management, Palo Alto Networks):
- AI-driven code generation shifts responsibility between developers and agents—sometimes diminishing code understanding and accountability.
  [15:21]
  “Before, the developer was the one that's responsible for the vulnerabilities… Now we have some kind of an agent that is writing the code and the responsibility is kind of being shifted between the developer and the agent.”
- Security scanning must shift from a post-coding phase to a prerequisite, integrated into the code generation process itself.
- AI-centric tools risk introducing new supply chain threats—unauthorized or insecure components, code injection, etc. [17:15]
  “…an agent, they have the LLMs that they are working on. Not all of them are secure…You may find yourself with a lot of servers that are not approved by your application security practitioners and they're not part of your organization's approval whitelist…”
Need for Specialized AI Security Training
David Moulton emphasizes the importance of specialized training in AI usage, not just classic phishing or cyber hygiene, but new risks from AI acceleration and business-driven adoption. [18:38]
“…there’s got to be AI training. And I think what you're talking about is beyond just the regular security training…The amount of risk and the ease at which the risk is taken is… everywhere right now.”
Critical Vulnerabilities in AI-Generated Code
Krithi Macheri (Sr. Director, Product Security): [19:34]
“…with the amount of choices developers have…These are all built on functional correctness, lacks sometimes security context…We have seen input validation missing, weak access control, hard coded credential…”
- AI models can hallucinate, recommending non-existent or vulnerable packages, enabling supply chain attacks.
- Emphasizes the challenge of automated, large-scale detection and remediation as code velocity increases.
Practical Approach: Security as a Business Accelerator
The discussion champions context-aware tools (ASPM, secure base images, automated PRs) that empower teams to prevent issues without disrupting code velocity.
- Notable Quote:
  “Tools that turn prevention into speed and help developers move fast, fix early and still sleep at night.” – David Moulton [14:50]

Timestamps for Key Segments

WSUS Vulnerability & Patch Fails: [01:21]
Supply Chain Oracle EBS Attack: [02:26]
Gmail Breach Myths Debunked: [03:38]
Herodotus Trojan Tactics: [04:16]
Sweden Power Grid Hack: [05:19]
Italian Spyware in Russia/Belarus: [06:20]
UN Treaty & US Position: [07:19]
Ransomware Payments Drop: [08:09]
China, US Tech Policy: [09:10]
AI & Doritos Incident: [21:13]
Threat Vector – Securing AI Development: [14:07 – 20:46]

Tone & Style

The episode balances industry urgency with moments of dry wit – especially in the AI-Doritos anecdote (“highly seasoned police response”), while the expert interview proceeds in a candid, practical, and informed tone. The host and guests communicate clearly, offering actionable insights for technical and non-technical listeners.

Conclusion

This episode of CyberWire offers a thorough roundup of top global cyber threats and policies, alongside a high-value expert discussion about the new frontiers (and landmines) introduced by AI in software development. It underscores that security must evolve, becoming both a business enabler and a deeply integrated part of modern build pipelines.

For an in-depth deep-dive into AI-driven software security, listen to the full "Shifting Security Left" episode on the Threat Vector podcast feed.

CyberWire Daily Podcast Summary

Overview

Key Discussion Points & Insights

1. Critical Windows WSUS Vulnerability Actively Exploited

[00:59 – 02:25]

Researchers warned about an unpatched WSUS flaw allowing remote code execution on Windows Server 2012-2025.
Trend Micro observed 100,000+ exploitation attempts within a week, estimating nearly half a million exposed servers.
Attackers could hijack update processes to deliver malicious code downstream.
Microsoft’s emergency patch has not fully stopped exploitation.
Notable Quote:
“Researchers warn that a critical Windows Server Update Services, or wsus vulnerability is being actively exploited despite Microsoft's recent emergency patch.” – Dave Bittner [01:21]

2. Enterprise Supply Chain Attack Update

[02:26 – 03:37]

CLOP ransomware group listed Schneider Electric and Emerson as victims—implicating Oracle E-Business Suite vulnerabilities.
Claims of stealing and leaking large volumes of corporate data (e.g., 2.7TB from Emerson).
Other organizations like Harvard and Envoy Air affected.
This campaign is reminiscent of previous MOVEit and Fortra attacks, highlighting persistent enterprise software risks.

3. Gmail Data Breach Reports Debunked

[03:38 – 04:15]

Google refuted claims of a recent Gmail breach—they were based on recycled data from malware logs, not a new incident.
Researcher Troy Hunt clarified that 183 million credentials added to “Have I Been Pwned” stem from old infostealer logs.
Google recommends two-factor authentication as a best practice.

4. Advanced Banking Trojan: Herodotus

[04:16 – 05:18]

ThreatFabric discovered “Herodotus,” an Android banking trojan that mimics human behavior by inserting short, randomized typing delays, evading simple detection.
Distributed via smishing and sideloaded apps; targets banking and crypto wallet users in multiple countries.
Abuses Android Accessibility Services and can bypass some biometric detection.

5. Critical Infrastructure Targeted: Swedish Power Grid

[05:19 – 06:19]

Svenska Kraftnät, Sweden’s state-owned grid operator, confirmed a cyberattack resulting in a data breach (claimed by Everest ransomware group).
The breach affected an isolated external file sharing system, not primary grid operations.
Draws attention to rising risks for critical infrastructure from extortion groups.

6. Italian Spyware Targets Russian and Belarusian Orgs

[06:20 – 07:18]

Italian vendor Memento Labs’ spyware “DANTE” deployed against organizations in Russia and Belarus, marking its first confirmed use since 2023.
Deployed by “Forum Troll,” a group known for advanced espionage.
Raises concerns about proliferation and oversight of commercial spyware.

7. UN Cybercrime Treaty – US Declines to Sign

[07:19 – 08:08]

Over 70 countries signed a new global cybercrime convention; the US has withheld its signature pending review.
Treaty aims at facilitating global cybercrime law enforcement, but privacy advocates warn of expanded surveillance powers.
The US hesitates over potential impact on digital freedoms.

8. Collapse in Ransomware Payments

[08:09 – 09:09]

Coveware reports historic lows in ransomware payment rates (23% of victims paid in Q3).
Attributed to improved defense, coordinated law enforcement response, and less incentive to pay.
Average payments: $377,000; median: $140,000.

9. US Policy Updates – China and “Clean Tech Stack”

[09:10 – 10:10]

National Cyber Director Shawn Cairncross urged building a “clean American tech stack” to counter China’s global surveillance ambitions.
Emphasized the importance of a robust cybersecurity strategy and renewing expired information-sharing laws for industry-government collaboration.

10. Memorable Anecdote: AI Mistakes Doritos for a Gun

[21:13 – 21:56]

Baltimore County police, responding to an AI gun detection system alert, found only a football player eating Doritos. The system falsely flagged the snack bag as a weapon.
Raises questions about the reliability—and societal consequences—of automated surveillance and AI-powered public safety technologies.
Notable Quote:
“The culprit? Not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his packet of chips as a firearm, prompting what one might call a highly seasoned police response.” – Dave Bittner [21:24]

Feature Segment: Threat Vector – Securing Modern Development in the Age of AI

[14:07 – 20:46]

Main Theme

David Moulton explores urgent challenges in securing modern software development pipelines, especially as AI rewrites the rules and accelerates code generation and delivery.

Key Points & Quotes

AI Introducing New Development Risks
Sarit Tagar (VP Product Management, Palo Alto Networks):
- AI-driven code generation shifts responsibility between developers and agents—sometimes diminishing code understanding and accountability.
  [15:21]
  “Before, the developer was the one that's responsible for the vulnerabilities… Now we have some kind of an agent that is writing the code and the responsibility is kind of being shifted between the developer and the agent.”
- Security scanning must shift from a post-coding phase to a prerequisite, integrated into the code generation process itself.
- AI-centric tools risk introducing new supply chain threats—unauthorized or insecure components, code injection, etc. [17:15]
  “…an agent, they have the LLMs that they are working on. Not all of them are secure…You may find yourself with a lot of servers that are not approved by your application security practitioners and they're not part of your organization's approval whitelist…”
Need for Specialized AI Security Training
David Moulton emphasizes the importance of specialized training in AI usage, not just classic phishing or cyber hygiene, but new risks from AI acceleration and business-driven adoption. [18:38]
“…there’s got to be AI training. And I think what you're talking about is beyond just the regular security training…The amount of risk and the ease at which the risk is taken is… everywhere right now.”
Critical Vulnerabilities in AI-Generated Code
Krithi Macheri (Sr. Director, Product Security): [19:34]
“…with the amount of choices developers have…These are all built on functional correctness, lacks sometimes security context…We have seen input validation missing, weak access control, hard coded credential…”
- AI models can hallucinate, recommending non-existent or vulnerable packages, enabling supply chain attacks.
- Emphasizes the challenge of automated, large-scale detection and remediation as code velocity increases.
Practical Approach: Security as a Business Accelerator
The discussion champions context-aware tools (ASPM, secure base images, automated PRs) that empower teams to prevent issues without disrupting code velocity.
- Notable Quote:
  “Tools that turn prevention into speed and help developers move fast, fix early and still sleep at night.” – David Moulton [14:50]

Timestamps for Key Segments

WSUS Vulnerability & Patch Fails: [01:21]
Supply Chain Oracle EBS Attack: [02:26]
Gmail Breach Myths Debunked: [03:38]
Herodotus Trojan Tactics: [04:16]
Sweden Power Grid Hack: [05:19]
Italian Spyware in Russia/Belarus: [06:20]
UN Treaty & US Position: [07:19]
Ransomware Payments Drop: [08:09]
China, US Tech Policy: [09:10]
AI & Doritos Incident: [21:13]
Threat Vector – Securing AI Development: [14:07 – 20:46]

Tone & Style

Conclusion

For an in-depth deep-dive into AI-driven software security, listen to the full "Shifting Security Left" episode on the Threat Vector podcast feed.

Windows servers under siege

Powered by Wave AI

Summary

CyberWire Daily Podcast Summary

Overview

Key Discussion Points & Insights

1. Critical Windows WSUS Vulnerability Actively Exploited

2. Enterprise Supply Chain Attack Update

3. Gmail Data Breach Reports Debunked

4. Advanced Banking Trojan: Herodotus

5. Critical Infrastructure Targeted: Swedish Power Grid

6. Italian Spyware Targets Russian and Belarusian Orgs

7. UN Cybercrime Treaty – US Declines to Sign

8. Collapse in Ransomware Payments

9. US Policy Updates – China and “Clean Tech Stack”

10. Memorable Anecdote: AI Mistakes Doritos for a Gun

Feature Segment: Threat Vector – Securing Modern Development in the Age of AI

Main Theme

Key Points & Quotes

Timestamps for Key Segments

Tone & Style

Conclusion

Summary

CyberWire Daily Podcast Summary

Overview

Key Discussion Points & Insights

1. Critical Windows WSUS Vulnerability Actively Exploited

2. Enterprise Supply Chain Attack Update

3. Gmail Data Breach Reports Debunked

4. Advanced Banking Trojan: Herodotus

5. Critical Infrastructure Targeted: Swedish Power Grid

6. Italian Spyware Targets Russian and Belarusian Orgs

7. UN Cybercrime Treaty – US Declines to Sign

8. Collapse in Ransomware Payments

9. US Policy Updates – China and “Clean Tech Stack”

10. Memorable Anecdote: AI Mistakes Doritos for a Gun

Feature Segment: Threat Vector – Securing Modern Development in the Age of AI

Main Theme

Key Points & Quotes

Timestamps for Key Segments

Tone & Style

Conclusion