
Prosper’s not so prosperous week.
Prosper data breach reportedly affected more than 17 million accounts. Microsoft revokes certificates used in Rhysida ransomware operation. Threat actors exploit Cisco flaw to deploy Linux rootkits. Europol disrupts cybercrime-as-a-service operation. BeaverTail and OtterCookie merge and display new functionality. Singapore cracks down on social media. On our Industry Voices segment, we are joined by Danny Jenkins who is talking about defending against AI. And who let the bots out?
Today is Friday, October 17th, 2025. I’m Maria Varmazis, host of T-Minus Space Daily, taking the mic for Dave Bittner. And this is your CyberWire Intel Briefing.
Prosper data breach reportedly affected more than 17 million accounts.
A data breach disclosed last month by financial services company Prosper affected more than 17 million accounts according to BleepingComputer. Prosper disclosed that the attackers stole Social Security numbers belonging to Prosper customers and loan applicants, but didn't share how many users were impacted. Have I Been Pwned disclosed the alleged scope of the breach yesterday, saying the breach affected 17.6 million unique email addresses, as well as names, dates of birth, government-issued IDs, employment status, credit status, income levels, physical addresses, IP addresses, and browser user agent details.
A Prosper spokesperson told BleepingComputer that the company "is not able to validate" Have I Been Pwned's report, adding, "The investigation to determine what data was affected and to whom it belongs remains ongoing."
Microsoft revokes certificates used in Rhysida ransomware operation.
Microsoft disrupted a Rhysida ransomware operation by revoking more than 200 certificates that were being used to sign malicious Teams installers, SecurityWeek reports. The company attributes the activity to the financially motivated threat actor "Vanilla Tempest."
Microsoft stated, "Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor. Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025. To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services."
Threat actors exploit Cisco flaw to deploy Linux rootkits.
Trend Micro has published a report on the exploitation of a Cisco SNMP vulnerability (CVE-2025-20352) to deploy rootkits on older Linux systems. The researchers have dubbed the operation "Zero Disco" after the universal password used by the malware. The report notes, "Trend Micro telemetry has, as of writing, detected that Cisco 9400 series and 9300 series are affected by this operation. The operation also affected Cisco 3750G devices with no guest shell available, but this type of device has already been phased out."
Trend Micro adds, "Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions."
Critical vulnerabilities in ConnectWise disclosed.
Security researchers have disclosed critical vulnerabilities in ConnectWise, a widely used remote monitoring and management (RMM) platform. Attackers could exploit these flaws to gain unauthorized access, execute arbitrary commands, or escalate privileges across managed networks. Some of the issues stem from inadequate input validation and weak authentication checks in key modules, including web interfaces and API endpoints. Because RMM tools inherently have deep privileged access, exploiting them can grant attackers broad control over client environments. Users are strongly urged to apply vendor patches immediately, audit all privileges and sessions, and monitor logs for suspicious behavior. The situation underscores how RMM and MSP (managed service provider) software remain prime targets — when compromised, they act as force multipliers for attackers.
Europol disrupts cybercrime-as-a-service operation.
A Europol-coordinated operation resulted in the arrest of five Latvians accused of operating a service that sold phone numbers to scammers, according to The Record. Police seized 1,200 SIM box devices and 40,000 active SIM cards. Europol stated, "The online service created by the criminal network offered telephone numbers registered to people from over 80 countries for use in criminal activities. It allowed perpetrators to set up fake accounts for social media and communication platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location."
BeaverTail and OtterCookie merge and display new functionality.
North Korea–linked operators are using stealthy, modular malware and social engineering to steal credentials and cryptocurrency. Cisco Talos and Google’s Threat Intelligence Group observed campaigns linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. Recent campaigns trick job seekers into installing loaders that deploy infostealers, backdoors, and ransomware—often rotating toolsets and infrastructure to evade detection. Attackers favor low-noise tactics: Rust-based binaries, transacted hollowing, and impersonation of legitimate services to blend malicious traffic and reduce forensic footprints. Compromised endpoints are leveraged for targeted crypto theft, data exfiltration, and follow-on ransomware, while operators rapidly switch payloads and C2 servers to frustrate defenders.
Singapore cracks down on social media.
Singapore’s parliament passed a sweeping new law granting authorities broad powers to block “harmful” online content, target platforms with fines up to S$1 million (≈ US$740,000), and require removal of content at “short notice.” The legislation empowers the Infocomm Media Development Authority (IMDA) to issue take-down orders without court approval and mandate platforms to use proactive monitoring tools. Platforms failing to comply may be blocked in Singapore, and foreign services face stricter obligations if they reach large audiences in the country. While dubbed a move to protect society from disinformation and cyber harm, critics warn it risks censorship and overreach, especially given its vague definition of “harmful” speech. Civil liberties groups say the law could chill online discourse and give the state sweeping control over public narratives.
After the break we have our Industry Voices segment with Danny Jenkins, CEO and Co-Founder of ThreatLocker, talking about defending against AI. And who let the bots out?
On our Industry Voices segment, Dave Bittner recently sat down with Danny Jenkins, CEO and Co-Founder of ThreatLocker, to talk about defending against AI. Here’s their conversation.
That was Dave Bittner sitting down with Danny Jenkins, CEO and Co-Founder of ThreatLocker, to talk about defending against AI. If you enjoyed their conversation and want to hear the full interview, head over to our Industry Voices page; there’s a link in the show notes.
Who let the bots out?
And finally today, Niantic, the company that gave us Pokémon Go, is once again blending the digital world with the real one. Their AR pet game, Peridot, now comes with a new twist: your alien dog can talk.
Through a partnership with Hume AI and Snap’s latest Spectacles, Niantic’s “Dots” — those colorful, dog-sized companions you can only see through AR — can now act as your personal tour guide. Picture walking along the San Francisco waterfront when your virtual pet pipes up to share a fun historical fact about the pier. It’s part navigation, part trivia night, and part fever dream.
Developers say it’s a glimpse of the future — one where AI companions help guide us through the world around us. For now, it’s a chance to see what happens when man’s best friend meets machine learning. Just remember: if your alien dog starts giving you directions, don’t forget who’s really holding the leash.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
Be sure to tune in to an all new Research Saturday tomorrow, where Dave Bittner is joined by Eclypsium researchers Jesse Michael and Mickey Shkatov to share their work on "BadCam - Now Weaponizing Linux Webcams." That’s Research Saturday. Check it out.
And that’s the CyberWire Daily, brought to you by N2K CyberWire. It's the end of this stint sitting in for Dave; he will be back behind the mic on Monday. Please check out our sister podcast, T-Minus Space Daily, where yours truly is the host, on your favorite podcast app.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Maria Varmazis for host Dave Bittner. Thanks for listening.

