
When the breachers get breached.
International law enforcement take down the Breachforums domains. Researchers link exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet. Juniper Networks patches over 200 vulnerabilities. Apple and Google update their bug bounties. Evaluating AI use in application security (AppSec) programs. Microsegmentation can contain ransomware much faster and yield better cyber insurance terms. The new RondoDox botnet exploits over 50 vulnerabilities. Researchers tag 13 unpatched Ivanti Endpoint Manager flaws. Our guest is Jason Manar, CISO of Kaseya, sharing his insight into how the private and public sectors can work together for national security. Hackers mistake a decoy for glory.
Today is Friday, October 10th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
International law enforcement take down the Breachforums domains.
The FBI and French police seized BreachForums domains, shutting down ShinyHunters’ platform used to leak corporate data.
The seizure occurred October 9, with BleepingComputer confirming FBI nameservers now control the sites. ShinyHunters acknowledged the loss in a PGP-signed Telegram post, saying backups since 2023, escrow databases, and backend servers are compromised. They added the forum will not be rebuilt, warning that such platforms have become law enforcement honeypots. Despite the seizure, their dark web leak site remains online, with a Salesforce data dump still scheduled.
The takedown exposes historic forum data and signals closer global cooperation. Still, organizations face looming risk as ShinyHunters claims to hold over a billion stolen Salesforce records.
Researchers link exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet.
GreyNoise has linked three exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet devices to IPs on the same subnets, suggesting shared threat actors. The firm first observed scanning of Cisco ASA firewalls weeks before Cisco disclosed two zero-day flaws (CVE-2025-20333 and CVE-2025-20362) exploited in China-linked ArcaneDoor espionage attacks. More recently, GreyNoise detected a 500% spike in scanning of Palo Alto GlobalProtect portals, with over 1.3 million login attempts from thousands of unique IPs. These same subnets are now tied to brute-force attacks against Fortinet VPNs. GreyNoise warns that 80% of such spikes precede new firewall or VPN vulnerabilities by about six weeks, advising organizations to harden defenses and block brute-forcing IPs.
Juniper Networks patches over 200 vulnerabilities.
Juniper Networks has patched over 200 vulnerabilities in its Junos Space and Security Director platforms, including nine rated critical. Flaws range from cross-site scripting and privilege escalation to remote command execution and backdoor creation. One critical bug (CVE-2025-59978) allows admin-level command execution. No active exploitation is reported, but Juniper urges immediate patching. The issues pose serious risks to enterprise and telecom networks, especially in Europe, where large Juniper deployments heighten potential impact.
Apple and Google update their bug bounties.
Apple has doubled its top bug bounty payout to $2 million for exploit chains enabling spyware attacks, with total rewards reaching $5 million for findings that also bypass Lockdown Mode or are discovered in beta software. Announced by Apple security chief Ivan Krstić at Hexacon, the expansion underscores the company’s push to incentivize high-impact vulnerability research. Since opening its bounty to the public in 2020, Apple has paid over $35 million to more than 800 researchers. The program now covers one-click WebKit and wireless proximity exploits and adds a “Target Flags” testing feature. Alongside this, Apple introduced Memory Integrity Enforcement in iPhone 17 devices and pledged 1,000 phones to rights groups supporting at-risk users.
Google has launched a new AI Vulnerability Reward Program (VRP) offering up to $30,000 for verified bugs in its AI products, including Search, Gemini, and Workspace. The program streamlines reporting by consolidating AI-related issues previously handled under the Abuse VRP. Eligible vulnerabilities include data leaks, model theft, and phishing enablement involving AI interactions. Since 2018, researchers have earned over $430,000 from AI-related reports. Google says the AI VRP aims to reward high-impact findings while excluding content-based issues like prompt injections.
90% of security leaders are using or evaluating AI in their application security (AppSec) programs.
A new survey from Fastly finds that 90% of security leaders are using or evaluating AI in their application security (AppSec) programs, citing faster vulnerability detection and reduced manual effort. Yet, nearly a third act on AI findings without human review, raising concerns over false positives and misplaced trust. Half of respondents report frequent or occasional inaccuracies, while only 22% rate AI’s accuracy as excellent. Key challenges include integration complexity, skills gaps, and compliance worries. Despite mixed confidence, 80% plan to expand AI use, emphasizing automation, real-time detection, and explainability. Fastly CISO Marshall Irwin cautions that success will depend on reducing false positives and integrating AI effectively to avoid “AI shelfware.”
Microsegmentation can contain ransomware much faster and yield better cyber insurance terms.
Akamai’s new report finds that organizations adopting microsegmentation can contain ransomware much faster and receive better cyber insurance terms. Surveying 1,200 security leaders, Akamai notes that while 90% use some form of segmentation, only 35% employ microsegmentation across their networks. Among enterprises already using microsegmentation, ransomware containment times dropped by about 33%. Seventy-five percent of organizations say insurers now assess segmentation posture during underwriting, and 60% report receiving lower premiums tied to their segmentation maturity. The report also flags deployment challenges including network complexity (44%), visibility gaps (39%), and organizational resistance (32%) as common barriers to adoption.
The new RondoDox botnet exploits over 50 vulnerabilities.
Trend Micro has identified a new botnet, RondoDox, that exploits over 50 vulnerabilities across routers, servers, cameras, and other devices from more than 30 vendors. Active since mid-2025, RondoDox initially targeted a TP-Link router flaw (CVE-2023-1389) but has since expanded to include DVRs, CCTV systems, and web servers. The botnet leverages both known and unlisted command injection vulnerabilities—18 without CVEs, several on CISA’s Known Exploited Vulnerabilities list. CloudSek reports a 230% surge in RondoDox activity since mid-2025, with compromised devices used for cryptocurrency mining, DDoS attacks, and enterprise intrusions. The malware now spreads via a “loader-as-a-service” model alongside Mirai and Morte payloads, masking activity by mimicking gaming platforms and VPNs.
Researchers tag 13 unpatched Ivanti Endpoint Manager flaws.
Trend Micro’s Zero Day Initiative (ZDI) disclosed 13 unpatched Ivanti Endpoint Manager flaws: one local privilege escalation reported in November 2024 and twelve remote code execution issues reported in June 2025. ZDI labels them “0day” upon disclosure, though they are not actively exploited zero-days. No CVEs exist yet; all are high severity, with one scoring 8.8, one 7.8, and eleven 7.2. The LPE affects AgentPortal via unsafe deserialization to System. The RCEs stem from inadequate input validation across multiple reporting and query classes, mostly leading to authenticated SQL-driven code execution. The highest-severity RCE involves unsafe path use and can be triggered with admin credentials or user interaction. ZDI says patches slipped from September/November to March 2026.
Hackers mistake a decoy for glory.
In a twist worthy of a digital sitcom, pro-Russian hackers spent September loudly celebrating their “takeover” of a Dutch water facility — only to discover they’d been splashing around in a honeypot. The group, calling itself TwoNet, had in fact broken into a decoy network built by researchers at Forescout, who quietly watched as the hackers defaced a login page, disabled alarms, and generally made mischief — all in a sandbox. Their “victory” announcement, complete with the charming signature “HACKED BY BARLATI, FUCK,” was met by the cybersecurity equivalent of polite applause.
Forescout says the incident illustrates how novice hacktivists are increasingly poking at industrial systems they barely understand, mistaking honeypots for heroics. TwoNet, like many of its peers, quickly folded, proving that hacktivist groups often have the lifespan of a mayfly — just louder. Still, researchers warn, these bumbling forays mark a worrying shift toward real-world infrastructure as the next big cyber playground.
As it turns out, the “hack of the year” was really just a splash in a very well-monitored puddle.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
