Summary6 min read

CyberWire Daily Podcast Summary

Episode: Windows servers under siege
Date: October 28, 2025
Host: Dave Bittner, N2K Networks
Featured Segment: Threat Vector with David Moulton, Sarit Tagar, Krithi Macheri (Palo Alto Networks)

Overview

This episode provides a comprehensive briefing on current and emerging cybersecurity threats, focusing on the ongoing exploitation of a critical Windows Server Update Services (WSUS) flaw, high-profile supply chain attacks, the realities behind alleged major data breaches, novel malware targeting, cybercrime trends, and the evolving challenges of securing AI-driven software development. The episode concludes with a memorable story of AI mistaken identity involving a bag of Doritos.

Key Discussion Points & Insights

1. Critical Windows WSUS Vulnerability Actively Exploited

[00:59 – 02:25]

Researchers warned about an unpatched WSUS flaw allowing remote code execution on Windows Server 2012-2025.
Trend Micro observed 100,000+ exploitation attempts within a week, estimating nearly half a million exposed servers.
Attackers could hijack update processes to deliver malicious code downstream.
Microsoft’s emergency patch has not fully stopped exploitation.
Notable Quote:
“Researchers warn that a critical Windows Server Update Services, or wsus vulnerability is being actively exploited despite Microsoft's recent emergency patch.” – Dave Bittner [01:21]

2. Enterprise Supply Chain Attack Update

[02:26 – 03:37]

CLOP ransomware group listed Schneider Electric and Emerson as victims—implicating Oracle E-Business Suite vulnerabilities.
Claims of stealing and leaking large volumes of corporate data (e.g., 2.7TB from Emerson).
Other organizations like Harvard and Envoy Air affected.
This campaign is reminiscent of previous MOVEit and Fortra attacks, highlighting persistent enterprise software risks.

3. Gmail Data Breach Reports Debunked

[03:38 – 04:15]

Google refuted claims of a recent Gmail breach—they were based on recycled data from malware logs, not a new incident.
Researcher Troy Hunt clarified that 183 million credentials added to “Have I Been Pwned” stem from old infostealer logs.
Google recommends two-factor authentication as a best practice.

4. Advanced Banking Trojan: Herodotus

[04:16 – 05:18]

ThreatFabric discovered “Herodotus,” an Android banking trojan that mimics human behavior by inserting short, randomized typing delays, evading simple detection.
Distributed via smishing and sideloaded apps; targets banking and crypto wallet users in multiple countries.
Abuses Android Accessibility Services and can bypass some biometric detection.

5. Critical Infrastructure Targeted: Swedish Power Grid

[05:19 – 06:19]

Svenska Kraftnät, Sweden’s state-owned grid operator, confirmed a cyberattack resulting in a data breach (claimed by Everest ransomware group).
The breach affected an isolated external file sharing system, not primary grid operations.
Draws attention to rising risks for critical infrastructure from extortion groups.

6. Italian Spyware Targets Russian and Belarusian Orgs

[06:20 – 07:18]

Italian vendor Memento Labs’ spyware “DANTE” deployed against organizations in Russia and Belarus, marking its first confirmed use since 2023.
Deployed by “Forum Troll,” a group known for advanced espionage.
Raises concerns about proliferation and oversight of commercial spyware.

7. UN Cybercrime Treaty – US Declines to Sign

[07:19 – 08:08]

Over 70 countries signed a new global cybercrime convention; the US has withheld its signature pending review.
Treaty aims at facilitating global cybercrime law enforcement, but privacy advocates warn of expanded surveillance powers.
The US hesitates over potential impact on digital freedoms.

8. Collapse in Ransomware Payments

[08:09 – 09:09]

Coveware reports historic lows in ransomware payment rates (23% of victims paid in Q3).
Attributed to improved defense, coordinated law enforcement response, and less incentive to pay.
Average payments: $377,000; median: $140,000.

9. US Policy Updates – China and “Clean Tech Stack”

[09:10 – 10:10]

National Cyber Director Shawn Cairncross urged building a “clean American tech stack” to counter China’s global surveillance ambitions.
Emphasized the importance of a robust cybersecurity strategy and renewing expired information-sharing laws for industry-government collaboration.

10. Memorable Anecdote: AI Mistakes Doritos for a Gun

[21:13 – 21:56]

Baltimore County police, responding to an AI gun detection system alert, found only a football player eating Doritos. The system falsely flagged the snack bag as a weapon.
Raises questions about the reliability—and societal consequences—of automated surveillance and AI-powered public safety technologies.
Notable Quote:
“The culprit? Not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his packet of chips as a firearm, prompting what one might call a highly seasoned police response.” – Dave Bittner [21:24]

Feature Segment: Threat Vector – Securing Modern Development in the Age of AI

[14:07 – 20:46]

Main Theme

David Moulton explores urgent challenges in securing modern software development pipelines, especially as AI rewrites the rules and accelerates code generation and delivery.

Key Points & Quotes

AI Introducing New Development Risks
Sarit Tagar (VP Product Management, Palo Alto Networks):
- AI-driven code generation shifts responsibility between developers and agents—sometimes diminishing code understanding and accountability.
  [15:21]
  “Before, the developer was the one that's responsible for the vulnerabilities… Now we have some kind of an agent that is writing the code and the responsibility is kind of being shifted between the developer and the agent.”
- Security scanning must shift from a post-coding phase to a prerequisite, integrated into the code generation process itself.
- AI-centric tools risk introducing new supply chain threats—unauthorized or insecure components, code injection, etc. [17:15]
  “…an agent, they have the LLMs that they are working on. Not all of them are secure…You may find yourself with a lot of servers that are not approved by your application security practitioners and they're not part of your organization's approval whitelist…”
Need for Specialized AI Security Training
David Moulton emphasizes the importance of specialized training in AI usage, not just classic phishing or cyber hygiene, but new risks from AI acceleration and business-driven adoption. [18:38]
“…there’s got to be AI training. And I think what you're talking about is beyond just the regular security training…The amount of risk and the ease at which the risk is taken is… everywhere right now.”
Critical Vulnerabilities in AI-Generated Code
Krithi Macheri (Sr. Director, Product Security): [19:34]
“…with the amount of choices developers have…These are all built on functional correctness, lacks sometimes security context…We have seen input validation missing, weak access control, hard coded credential…”
- AI models can hallucinate, recommending non-existent or vulnerable packages, enabling supply chain attacks.
- Emphasizes the challenge of automated, large-scale detection and remediation as code velocity increases.
Practical Approach: Security as a Business Accelerator
The discussion champions context-aware tools (ASPM, secure base images, automated PRs) that empower teams to prevent issues without disrupting code velocity.
- Notable Quote:
  “Tools that turn prevention into speed and help developers move fast, fix early and still sleep at night.” – David Moulton [14:50]

Timestamps for Key Segments

WSUS Vulnerability & Patch Fails: [01:21]
Supply Chain Oracle EBS Attack: [02:26]
Gmail Breach Myths Debunked: [03:38]
Herodotus Trojan Tactics: [04:16]
Sweden Power Grid Hack: [05:19]
Italian Spyware in Russia/Belarus: [06:20]
UN Treaty & US Position: [07:19]
Ransomware Payments Drop: [08:09]
China, US Tech Policy: [09:10]
AI & Doritos Incident: [21:13]
Threat Vector – Securing AI Development: [14:07 – 20:46]

Tone & Style

The episode balances industry urgency with moments of dry wit – especially in the AI-Doritos anecdote (“highly seasoned police response”), while the expert interview proceeds in a candid, practical, and informed tone. The host and guests communicate clearly, offering actionable insights for technical and non-technical listeners.

Conclusion

This episode of CyberWire offers a thorough roundup of top global cyber threats and policies, alongside a high-value expert discussion about the new frontiers (and landmines) introduced by AI in software development. It underscores that security must evolve, becoming both a business enabler and a deeply integrated part of modern build pipelines.

For an in-depth deep-dive into AI-driven software security, listen to the full "Shifting Security Left" episode on the Threat Vector podcast feed.

Loading summary

Transcript11 lines

[00:02]
A
You're listening to the Cyberwire Network, powered by N2K.
[00:13]
B
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, hyperproof gives you the business advantage of Smarter compliance. Visit www.hyperproof.IO to see how leading teams are transforming their GRC programs. At Talas, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Talas T H A L E S learn more@talasgroup.com cyber WSUS attacks Escalade as an emergency patch fails to fully contain exploited flaws Schneider Electric and Emerson are listed among victims in the Oracle EBS cyber attack. Google debunks reports of a massive Gmail breach. A new banking Trojan mimics human behavior for stealth. Sweden's power grid operator confirms a cyber attack. Italian spyware targets Russian and Belarusian organizations. The US Declines to sign the new UN Cyber Treaty. Ransomware payments fall to record lows. The US Cyber chief calls for a clean American tech stack to counter China's global surveillance push. On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks, Sarit Tagar and kritivasan macheri and AI mistakes doritos for a deadly weapon it's Tuesday, October 28, 2020. Dave I'm Dave Buettner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. Researchers warn that a critical Windows Server Update Services, or wsus vulnerability is being actively exploited despite Microsoft's recent emergency patch. The flaw enables unauthenticated remote code execution on Windows Server 2012 through 2025 stemming from insecure deserialization of untrusted data. Google's Threat Intelligence Group confirmed multiple intrusions by a threat actor it calls UNC6512 observing reconnaissance and data exfiltration from compromised hosts. Trend Micro reports roughly 100,000 exploitation attempts in a week, with nearly half a million Internet exposed WSUS servers potentially vulnerable. Experts warn that exposed servers could allow attackers to distribute malicious updates downstream. Amplifying the threat Cybercriminals tied to the CLOP ransomware operation have named Schneider Electric and Emerson as victims of an ongoing campaign exploiting Oracle E business suite vulnerabilities. The attackers, believed to be associated with the financially motivated Fin11 group, claim to have stolen large volumes of corporate data later posted on Klopp's leak site. The site lists 2.7 terabytes of data allegedly from Emerson and 116 GB from Schneider Electric, with file structures suggesting origin in Oracle environments. Other organizations, including Harvard University and Envoy Air, have confirmed impact from the same campaign. Researchers say the operation mirrors prior large scale attacks on MoveIt and Fortra systems, underscoring persistent risks in enterprise software supply chains. Widespread reports of a massive Gmail data breach grabbed headlines this week, but Google says the claims are false. The confusion began after researcher Troy Hunt added 183 million credentials to his have I been Pwned Service sourced from old infostealer malware logs, not a new Gmail hack. Google confirmed there's no evidence of compromise, calling the reports a misunderstanding of recycled data. The company emphasized that Gmail's defenses remain strong and advised users to enable two factor authentication. Researchers at ThreatFabric have identified a new Android banking trojan called Herodotus that uses randomized pauses to evade basic behavioral detection systems. The malware inserts delays of up to three seconds when entering stolen credentials, mimicking human typing speed to appear legitimate. Distributed through smishing links and sideloaded apps, Herodotus abuses Android accessibility services to steal banking credentials, intercept SMS1 time passcodes and display fake login overlays. It shares limited code overlap with the Brokewell Trojan discovered earlier this year. Though currently active in Italy and Brazil, Herodotus includes templates for banks and crypto wallets in multiple countries, suggesting broader campaigns ahead. More advanced biometric systems may still detect its automated behavior. Sweden's state owned power grid operator Svenska Krafnot confirmed a cyber attack that led to a data breach but did not affect the country's electricity supply. The incident, discovered Saturday, targeted an isolated external file transfer system, according to the organization's chief information security officer. Ransomware Group Everest has claimed responsibility, adding Svensa Krafnot to its leak site and alleging theft of roughly 280GB of data. The company reported the attack to authorities and is investigating the breach's scope. While no critical systems were compromised, the attack underscores the growing threat to critical infrastructure operators from data extortion groups, researchers from Kaspersky say. Italian spyware from Memento Labs, formerly known as Hacking Team, was used in cyber attacks targeting organizations in Russia and Belarus. The commercial surveillance tool called Dante appeared in incidents linked to a threat group dubbed Forum Troll, which has previously targeted Russian institutions with phishing and Chrome Zero day exploits. Kaspersky could not confirm who commissioned the attacks or whether Memento Labs knew of Dante's deployment. The discovery marks the spyware's first confirmed use since its 2023 debut for law enforcement clients. Forum Trolls campaigns leveraged a custom loader leet agent to deploy DANTE in select cases showing advanced espionage capabilities. Memento Labs declined to comment on the findings. More than 70 countries, including the UK, China, Russia and the European Union signed the new UN Convention against Cybercrime in Hanoi, while the United States notably withheld its signature. The treaty establishes the first global framework for sharing electronic evidence and coordinating cross border cybercrime investigations. UN Secretary General Antonio Guterres called the convention a powerful, legally binding instrument against crimes like ransomware, money laundering and online trafficking. But critics warn it could enable mass surveillance and suppress digital freedoms under authoritarian regimes. The State Department said the US is still reviewing the treaty, which will take effect after 40 ratifications. Ransomware payments have fallen to their lowest level on record, with just 23% of victimized organizations paying attackers in the third quarter of this year, according to Coveware. The firm says the steady six year decline reflects stronger defenses, improved incident response and growing pressure from authorities not to pay. Average ransom payments dropped to $377,000, with median payments at 140 grand. Data theft now dominates ransomware activity featured in 76% of incidents and payment rates fall to 19% when only exfiltration is involved. Groups like Akira and Keelin increasingly target medium sized firms, while remote access, compromise and software vulnerabilities remain top entry points. Coveware says every avoided payment constricts attackers of oxygen, validating collective defensive progress. National Cyber Director Shawn Cairncross warned that China is attempting to export a surveillance state across planet Earth and urged the US to promote a clean American tech stack as a democratic alternative. Speaking at the 2025 Meridian Summit, Cairncross said Washington must engage both current and emerging partners to push back against Beijing's growing digital influence, which he described as destabilizing and aimed at undermining US decision making. He said the upcoming US cybersecurity strategy under President Trump will emphasize posture and action over length or rhetoric. Strengthening the office of the National Cyber Director remains his top priority, following recommendations from the Cyberspace Solarium Commission. Cairn Cross also urged Congress to renew the expired Cybersecurity Information Sharing act, calling its protections essential for industry collaboration on cyber threats. Coming up after the break in our Threat Vector segment, David Moulton speaks with his Palo Alto Network colleagues about urgent challenges of securing modern development in the age of AI and shifting security left and AI mistakes Doritos for a deadly weapon. Stick around. And now a word from our sponsor, Threat Locker, the powerful zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat locker. What's your 2am Security worry? Is it do I have the right controls in place? Maybe? Are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber on today's threat Vector segment, David Moulton speaks with a pair of his Palo Alto Networks colleagues, Sarit Tagar and Krithi Macheri. They're diving into some of the urgent challenges of securing modern development in the age of AI. Here's their conversation.
[14:08]
C
Hi, I'm David Moulton, host of the Threat Vector podcast where we break down cybersecurity, threats, resilience and the industry trends that matter most. Today I'm joined by Sarithi Tajer, Vice President of Product Management, and Kurithi Vastan, Senior Director of Product Security, both from Palo Alto Networks. We dig into how to truly shift security left, build prevention first programs, and how to keep code velocity high without creating chaos. Context aware ASPM keeps teams focused on what actually matters in production. Think golden templates, secure base images, automated pull requests, tools that turn prevention into speed and help developers move fast, fix early and still sleep at night. Saret Krithi welcome to Threat Vector. I'm really excited to have both of you here today.
[15:02]
D
Thank you, David. Great to be here.
[15:04]
A
Hey David, great to be here.
[15:07]
C
You know, I know that AI is rewriting the rules of development. It's accelerating code delivery by at least 10x. What security risk do you see this creating?
[15:21]
A
So this is a great question. Actually it's not one, but it's few problems. So one will be that I would say the shift in responsibility. If you think about it, before developer was the one that's responsible for the vulnerabilities or the problems that were getting into the code. Now we have some kind of an agent that is writing the code and the responsibility is kind of being shifted between the developer and the agent. Sometimes the developer accept or reject approval, reject things from the agent. But this will be the first one. It's not just a shift in responsibility, it's also a shift in knowledge. I was a developer a few years ago, then I knew my code, I understand exactly what I did and hence I could have remediated it. Now that an agent did it, this is kind of a surprising one. The second one will be if you think about agents and the way they. Even if they kind of have like MCPS and you add your scanners and you say yes, let's do scanning. It has to be done as a prerequisite and not a post one. A post scanning like we do today. Today we first write the code and then do the scanning. In AI coding vibe coding has to change. That has to be part of the way you generate the code. And then comes some questions. For example, will the agent adhere to the requirement by the scanners? It's not necessarily happening. So this is something that we need to kind of take care of. And another one is the entire new attack surface that are being created by this wipe coding. Think about how Cursor or Windsurf are working. Just an example. Of course they have an agent, they have the LLMs that they are working on. They have the MCPs, not all of them are secure. You may find yourself and Preeti can say that with a lot of MCPS servers that are not approved by your application security practitioners and they are not part of your organization approval whitelist or something like that. And then you may find yourself in a way that things the agent will do things in the computer that you are not protected from. So first will be the problems of the post scanning. The fact it's not longer only the developer that is responsible for. The second will be the new attack surface. Like there are MCPs new supply chain attacks, so there are a Lot of different areas in which wipe coding is bringing value by generating code velocity. Very important. But it also has a risk in which you have to protect your environment in a better way and make sure that you know exactly what is going to be applied to your code. How do you protect the users? So a lot of interesting stuff ahead.
[18:18]
C
Yeah, you know, I was just on a interview with a research firm asking about AI and its usage inside of marketing organizations. That was specifically what she was looking at. And I think that alongside our, like different corporate trainings for security policy or for, you know, how to be inclusive, how to make sure that we're upholding our ethics and our values as an organization, there's got to be AI training. And I think what you're talking about is beyond just the regular security training of don't click on the phishing link and you know, stay away from some of those things that we see as patterns. But what are the types of things that are gonna happen when you are using AI tools to accelerate your ability to succeed in a corporate environment? And what are the types of things that you open the business up to? And maybe that's not necessarily the path that both of you are, you know, thinking about, but I think if we don't see that in the training within the next six months, that there's been a massive miss because the amount of risk and the ease at which the risk is taken is. It's just, it's everywhere right now. It's actually quite wild to me. Kriti, I want to switch it over to you. From your vantage point in AI security, what vulnerabilities do your teams see that are often overlooked in that AI generated code?
[19:34]
D
That's my favorite question actually out of in the podcast. So here's my take. Okay, so with the amount of choices developers have of using different models, different code generation tools, right. These are all built on functional correctness, lacks sometimes security context, but so leading to many code related vulnerabilities. Most of the times we have seen input validation, missing, weak access control, hard coded credential. So it becomes super important one, to understand how these tools work fundamentally. Second, also we have seen because of hallucinations, models and tools recommending packages which don't even exist, which leads to typosquirting, recommending packages, older versions of vulnerable packages. So it kind of opens up an interesting perspective because you have to now detect everything at scale. And that is what I say it is as a challenge and an exciting problem to go solve from a practitioner's point of view.
[20:47]
C
If your teams are drowning in alerts, this conversation shows how to turn security into a business accelerator. Listen to the full episode now in your Threat Vector Podcast feed. It's called Shifting Security Left and it's live now. Thanks for listening. Stay secure. Goodbye for now.
[21:14]
B
Be sure to check out the full Threat Vector podcast wherever you get your favorite podcasts. We'll also have a link in our show notes and finally, 16 year old Taki Allen was finishing football practice and a bag of Doritos when Baltimore County Police, eight cars deep, arrived with guns drawn. The culprit? Not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his packet of chips as a firearm, prompting what one might call a highly seasoned police response. The school's principal quickly realized it was a false alarm, but not before the teen was handcuffed and thoroughly confused. Police insist they responded proportionally, though one wonders what a disproportionate response would look like. An airstrike, perhaps? The AI vendor Omni Alert said its system operated as designed, which may concern anyone who snacks in public. Takei said he now avoids eating chips outdoors, citing safety concerns because in 2025America, even Doritos can trigger an incident report. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual Data Tribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more@cid.datatribe.com.