
Big tech, bigger fines.
The EU fines Google $3.5 billion over adtech abuses. Cloudflare blocks record-breaking Distributed Denial of Service (DDoS) attacks. The Salesforce-Salesloft breach began months earlier with GitHub access. Researchers say the new TAG-150 cybercriminal group has been active since March. Hackers use stolen secrets to leak more than 6,700 Nx private repositories. Subsea cable outages disrupt internet connectivity across India, Pakistan, and parts of the UAE. Monday Business Breakdown. On our Industry Voices segment Todd Moore, Global Vice President, Data Security at Thales, unpacks the perils of insider risk. Hackers claim Burger King’s security flaws are a real whopper.
Today is Monday, September 8th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The EU fines Google $3.5 billion over adtech abuses.
The European Commission has fined Google €2.95 billion ($3.5 billion) for abusing its dominance in the digital advertising technology market, citing “self-preferencing” and anti-competitive practices. Regulators ordered Google to stop these behaviors and prevent future conflicts of interest in adtech. Google disputes the ruling, calling it “wrong” and vowing to appeal. The company argues the fine is unjustified and will harm European businesses, claiming its services face strong competition. This marks the fourth major EU antitrust fine against Google, following penalties in 2017, 2018, and 2019 for abuses involving Android, search, and online ads. Separately, France’s CNIL fined Google €325 million ($378 million) for displaying ads between Gmail users’ emails without consent and violating cookie rules.
Cloudflare blocks record-breaking Distributed Denial of Service (DDoS) attacks.
Cloudflare says it blocked record-breaking Distributed Denial of Service (DDoS) attacks, including one peaking at 11.5 terabits per second (Tbps) and 51 billion packets per second. The massive attack, largely sourced from IoT devices and Google Cloud, lasted 35 seconds and resembled a UDP flood. It surpassed Cloudflare’s previous 7.3 Tbps record. The company says its architecture easily handled the surge, dropping malicious traffic at the edge.
The Salesforce-Salesloft breach began months earlier with GitHub access.
Following up on the Salesforce-Salesloft data theft campaign, new details confirm the breach began months earlier. Salesloft revealed attackers accessed its GitHub account between March and June 2025, laying groundwork for the August 8–18 incident where compromised Drift OAuth tokens were used to siphon data from Salesforce environments. Attributed to UNC6395, the attack impacted hundreds of organizations, with stolen data including AWS keys, passwords, and Snowflake tokens. Initially believed limited to the Salesforce-Salesloft integration, the breach also extended to Google Workspace customers. Salesforce disabled the integration, while Drift was taken offline and restored September 7. Mandiant’s investigation confirmed hackers exploited GitHub access, not flaws in Drift. Roughly 700 companies, including major security vendors, were affected, with stolen data often tied to customer support records.
Researchers say the new TAG-150 cybercriminal group has been active since March.
Recorded Future’s Insikt Group has identified a new cybercriminal group, TAG-150, active since March 2025. The actor is notable for its rapid development, technical sophistication, and ability to quickly adapt after public reporting. TAG-150 operates a large, multi-tiered infrastructure, with victim-facing servers running as C2 nodes for various malware families and deeper layers supporting operations. The group has released several self-developed tools, including CastleLoader, CastleBot, and now CastleRAT, a newly documented remote access trojan available in Python and C. CastleRAT enables data collection, payload delivery, and command execution through CMD and PowerShell. TAG-150 also uses third-party services such as file-sharing platforms and the anti-detection tool Kleenscan.
Hackers use stolen secrets to leak more than 6,700 Nx private repositories.
Hackers behind the recent Nx supply chain attack, dubbed s1ngularity, used stolen secrets to leak more than 6,700 private repositories, according to Wiz. The attack began when threat actors used a compromised NPM token to publish eight malicious versions of Nx. These versions executed a telemetry.js script that searched infected machines for sensitive data—API keys, GitHub/NPM tokens, SSH keys, and crypto wallets—then exfiltrated files to public GitHub repositories. Wiz found over 20,000 stolen files from at least 225 users, with 2,300+ secrets leaked, impacting 1,700 accounts. The malware also modified shell startup files to crash terminals and misused AI CLIs like Claude and Gemini for reconnaissance and data theft. In phase two, attackers leveraged compromised credentials to access 480 accounts, exposing thousands of secrets from organizations, including one with 700 repositories. Wiz urges victims to rotate secrets, hunt for IoCs, and review GitHub logs, warning that some NPM tokens remain valid.
Subsea cable outages disrupt internet connectivity across India, Pakistan, and parts of the UAE.
Subsea cable outages in the Red Sea have disrupted internet connectivity across India, Pakistan, and parts of the UAE, according to Netblocks. Failures were traced to cable systems near Jeddah, Saudi Arabia, though the cause remains unclear. Microsoft said Azure users may see higher latency after multiple fiber cuts, as traffic through the Middle East was rerouted to alternative paths. While no outages occurred, Microsoft warned of slower connections for some services. Other regions not routed through the Middle East remain unaffected.
Monday Business Breakdown.
Time for our Monday Business Breakdown. Last week saw just over $65 million raised across three investments and six acquisitions.
On the investment front, the majority of the fundraising came from CATO Networks, which raised an additional $50 million after expanding its Series G round from July, bringing the round’s total funding to $409 million. The additional fundraising came alongside CATO acquiring AIM Security, an AI security firm. This is CATO Networks’ first-ever acquisition.
Okta, a US IAM platform, also acquired Israeli privileged access management firm Axiom Security for $100 million. With this acquisition, Okta aims to integrate Axiom’s technology into its identity security fabric.
ImageSource, a US enterprise content management company, acquired US cybersecurity company Zorse Cyber. This acquisition included Zorse’s threat detection and prevention platform, Bouncer, which adds advanced email, web, and file-based security technologies to the company’s platform portfolio.
Also making headlines, eight US and Indian VCs and PEs are teaming up to provide additional support for India’s growing tech start-ups.
And that wraps this week’s Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out thecyberwire.com every Wednesday for the latest updates.
Hackers claim Burger King’s security flaws are a real whopper.
Two self-styled white hats—BobDaHacker and BobTheShoplifter—say they uncovered security so flimsy at Restaurant Brands International (RBI) that even a soggy napkin might have put up more resistance. RBI, the parent company of Burger King, Tim Hortons, and Popeyes, runs systems across 30,000+ restaurants worldwide. According to the Bobs, every one of those systems could be exploited with laughable ease.
Among the goodies they claim to have found: passwords hard-coded into HTML, a “signup-for-anyone” API, and drive-thru tablets that politely accepted “admin” as the password. Once inside, they could edit employee accounts, order equipment, and even eavesdrop on raw drive-thru audio—including the occasional personal detail slipped in between orders of fries and nuggets.
The Bobs insist they followed responsible disclosure, keeping customer data safe. RBI, however, apparently didn’t acknowledge their report. Their final jab? A simple verdict in their blog’s closing line: “Wendy’s is better.”
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

