The CyberWire Daily Podcast 11.13.25
Ep 2433 | 11.13.25

404: Cybercrime not found.

Transcript

Operation Endgame expands global takedowns. The U.S. is creating a Scam Center Strike Force. Microsoft rolls out its delayed “Prevent screen capture” feature for Teams. Proton Pass patches a clickjacking flaw. Researchers uncover previously undisclosed zero-day flaws in both Citrix and Cisco Identity Services Engine. Android-based digital picture frames contain multiple critical vulnerabilities. Lumma Stealer rebounds after last month’s doxxing campaign. Our guest is Garrett Hoffman, Senior Manager of Cloud Security Engineering from Adobe, talking about achieving cloud security at scale. X marks the spot… where your passkey stops working.

Today is Thursday November 13th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Operation Endgame expands global takedowns. 

Authorities dismantled three major cybercrime platforms and arrested a key suspect during the latest phase of Operation Endgame, coordinated from Europol’s headquarters in The Hague.

Between 10 and 13 November 2025, officials targeted the Rhadamanthys infostealer, the VenomRAT remote access Trojan, and the Elysium botnet. According to the provided report, the operation removed more than 1,025 servers, seized 20 domains, and included searches across Germany, Greece, and the Netherlands. Hundreds of thousands of computers were infected, and millions of stolen credentials were stored in the dismantled infrastructure. Authorities say the VenomRAT suspect was arrested earlier on 3 November in Greece.

The takedown disrupts major tools used in global cybercrime and highlights the scale of compromised systems worldwide. Victims may still be unaware of infections, and the report urges them to check their devices.

The U.S. is creating a Scam Center Strike Force. 

The U.S. is creating a Scam Center Strike Force to confront cyber scam compounds across Southeast Asia that have stolen billions from Americans in recent years. Treasury says the team will include Justice Department, Secret Service, State Department and FBI personnel who will investigate, disrupt and prosecute major scam operations in Burma, Cambodia and Laos. Officials plan to use sanctions, asset seizures and criminal cases while helping victims with restitution and scam-avoidance education. The government estimates Americans lost at least 10 billion dollars in 2024 to romance schemes, fake investment platforms and fraudulent cryptocurrency sites. New sanctions target Myanmar’s Democratic Karen Benevolent Army, several of its leaders and Thai companies accused of supporting scam compounds that rely on human trafficking and fund armed groups in Myanmar’s civil war.

Microsoft rolls out its delayed “Prevent screen capture” feature for Teams. 

Microsoft has begun rolling out its delayed “Prevent screen capture” feature for Teams Premium, designed to block screenshots and recordings during meetings. Originally planned for July 2025, the rollout shifted to early November. The feature restricts visual content capture on Windows and Android by forcing screenshots to display a black box or showing a warning message. Unsupported platforms join meetings in audio-only mode. It is off by default and must be enabled per meeting by organizers, while Microsoft 365 admins manage device enrollment and licensing through Entra ID. Microsoft notes the feature does not stop someone from photographing a screen. The update follows similar privacy protections from WhatsApp and broader Microsoft efforts to strengthen security in Teams chats.

Proton Pass patches a clickjacking flaw. 

Proton Pass has released version 1.31.6 of its browser extension to fix a DOM-based clickjacking flaw demonstrated at DEF CON 33. Researcher Tóth showed that attackers could invisibly trigger password manager UI elements, tricking users into approving autofill or exposing sensitive data with a single misleading click. The vulnerability affected most major managers, though only some vendors have patched it. The update hardens Proton Pass’s injected UI against manipulation. Users are urged to update immediately and consider disabling autofill on untrusted sites.

Researchers uncover previously undisclosed zero-day flaws in both Citrix and Cisco Identity Services Engine. 

Amazon’s threat intelligence team has uncovered a highly sophisticated actor exploiting previously undisclosed zero-day flaws in both Citrix and Cisco Identity Services Engine (ISE). Amazon’s MadPot honeypots detected Citrix Bleed Two (CVE-2025-5777) exploitation before public disclosure, leading investigators to a second zero-day in Cisco ISE (now CVE-2025-20337) that enabled pre-authentication remote code execution. The actor weaponized both vulnerabilities before patches were available, a sign of advanced capability. After gaining access, the attacker deployed a custom in-memory web shell tailored for Cisco ISE, using reflection, encrypted communication, and Tomcat listener registration to evade detection. Amazon notes the campaign reflects a growing focus on identity and network access infrastructure. Security teams are urged to enforce strict access controls and strengthen behavioral detection.

Elsewhere, CISA is urging federal agencies to fully patch two actively exploited Cisco ASA and Firepower vulnerabilities, CVE-2025-20362 and CVE-2025-20333. The flaws allow unauthenticated access to restricted URLs and remote code execution, and when chained can give attackers complete control of unpatched devices. Cisco confirmed both were zero-day exploits tied to the ArcaneDoor campaign. CISA’s Emergency Directive 25-03 mandates agencies secure all Cisco firewalls within 24 hours, noting some mistakenly applied incomplete updates. Shadowserver still tracks over 30,000 vulnerable devices online.

Android-based digital picture frames contain multiple critical vulnerabilities. 

Quokka researchers found that Uhale Android-based digital picture frames contain multiple critical vulnerabilities, including behavior that downloads and executes malware at boot. Many frames fetch an app update from China-based servers that installs a payload linked to the Voi1d and Mzmess malware families, which then runs at every startup. Devices ship with SELinux disabled, are rooted by default, and use insecure configurations that enable remote code execution, command injection, and unauthorized file access. ZEASN, the vendor behind the platform, has not responded to repeated disclosures.

Lumma Stealer rebounds after last month’s doxxing campaign. 

Trend Micro’s latest research shows Lumma Stealer (tracked as Water Kurita) has rebounded after last month’s doxxing campaign, with activity rising again starting October 20. The malware now uses browser fingerprinting alongside its traditional command-and-control methods, collecting extensive system, network, hardware and browser details through JavaScript payloads and stealthy HTTP traffic. These additions help operators evaluate victim environments, guide follow-on actions and evade detection. Trend also observed process injection into Chrome and new fingerprinting endpoints on the C&C infrastructure. Despite reduced underground visibility and signs of operational strain, Lumma Stealer remains active, continues targeting endpoints and deploys secondary payloads like GhostSocks. 


X marks the spot… where your passkey stops working. 

Yesterday, reports were bubbling up across social media that users of Elon Musk’s X are now trapped in an endless two-factor authentication obstacle course. The trouble started when X told anyone using passkeys or hardware keys to re-enroll on the shiny x.com domain, a necessary side effect of retiring the creaky old twitter.com address. Unfortunately, those keys still think Twitter exists, and they refuse to make the jump.

After the November 10 deadline, many users found themselves locked out entirely, stuck between error messages and looping setup screens. It’s the latest in a long string of headaches since Musk bought the platform for 44 billion dollars, though his own account seems blissfully unaffected. X has yet to comment, perhaps still circling the login page with the rest of us.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.