
Eviction notice for Media Land.
The US and allies sanction Russian bulletproof hosting providers. The White House looks to sue states over AI regulations. The US Border Patrol flags citizens’ “suspicious” travel patterns. Lawmakers seek to strengthen the SEC’s cybersecurity posture. A new Android banking trojan captures content from end-to-end encrypted apps. A hidden browser API raises security concerns. Fortinet patches a zero-day. A Philippine former mayor gets life in prison for scam center human trafficking. Our guest is Cliff Crosland, CEO and Co-founder at Scanner.dev, discussing why security data lakes are ideal for AI in the SOC. Green energy gets hijacked for a blockchain side-hustle.
Today is Thursday November 20th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The US and allies sanction Russian bulletproof hosting providers.
The United States, United Kingdom, and Australia announced new sanctions against Russian bulletproof hosting (BPH) providers that support ransomware gangs and broader cybercrime operations. BPH providers lease infrastructure to threat actors and ignore takedown requests, enabling phishing campaigns, malware delivery, command and control operations, illicit content hosting, and distributed denial-of-service attacks. The U.S. Treasury’s Office of Foreign Assets Control designated Media Land and three affiliated companies, noting the group’s links to ransomware operations including LockBit, BlackSuit, and Play. Three Media Land executives were also sanctioned, with U.K. officials stating that one, Aleksandr Volosovik, has worked with groups such as Evil Corp and Black Basta. OFAC additionally sanctioned Aeza Group LLC, previously targeted in July, as well as Hypercore Ltd and related support entities. Five Eyes cybersecurity agencies issued accompanying guidance urging defenders to use threat intelligence, traffic analysis, boundary filtering, and stronger customer verification. The sanctions freeze assets and expose intermediaries to secondary penalties.
The White House looks to sue states over AI regulations.
The Trump administration is preparing an executive order that would direct the Justice Department to sue states that pass laws regulating artificial intelligence, according to a draft reviewed by The Washington Post. The move follows a failed Republican Senate effort to block state AI rules amid concerns about risks to jobs, children, and energy consumption. The order argues that state regulations interfere with interstate commerce, though legal experts say this likely exceeds presidential authority. It would also create a federal task force to review state AI laws and allow the Commerce Department to withhold broadband funding from states deemed out of line. Trump continues to push for a single national AI standard, though several Republican governors and lawmakers object to federal preemption.
The US Border Patrol flags citizens’ “suspicious” travel patterns.
The Associated Press reports that U.S. Border Patrol is running a secretive surveillance program that tracks millions of American drivers and flags “suspicious” travel patterns.
The system uses a vast network of license plate readers and algorithms to analyze where vehicles come from, where they go, and which routes they take. Alerts lead to “whisper” or “wall” stops, where local police pull drivers over for minor infractions, then question and search them without revealing Border Patrol’s role. Cameras are often hidden in traffic equipment and extend far beyond the traditional 100-mile border zone, reaching deep into major metro areas.
Civil liberties experts say this mass data collection and pattern analysis raises serious Fourth Amendment and free-movement concerns.
Lawmakers seek to strengthen the SEC’s cybersecurity posture.
A bipartisan pair of Georgia lawmakers, Democrat David Scott and Republican Barry Loudermilk, have reintroduced the SEC Data Protection Act of 2025 to strengthen the Securities and Exchange Commission’s cybersecurity posture. The bill would require the SEC to adopt modern data-protection protocols aligned with federal and National Institute of Standards and Technology best practices, create uniform policies for handling sensitive market information, and improve internal accountability. The lawmakers say rising cyberattacks and recent government breaches underscore the need for updated safeguards, warning that outdated frameworks risk undermining trust in the U.S. financial system. The measure, which would take effect one year after enactment, previously stalled in 2020. The SEC declined to comment.
A new Android banking trojan captures content from end-to-end encrypted apps.
A newly identified Android banking trojan named Sturnus can capture content from end-to-end encrypted apps such as Signal, WhatsApp, and Telegram by reading messages directly from the device screen once the apps have decrypted and displayed them. The encryption itself is not broken; a compromised endpoint simply sees what the user sees. Researchers at ThreatFabric say the malware, still in development but already fully functional, targets European financial accounts using region-specific HTML overlays to steal credentials. Sturnus supports full device takeover through Android Accessibility abuse and real-time remote control via an AES-encrypted WebSocket VNC channel. The malicious APKs pose as Chrome or Preemix Box apps, though how they reach victims remains unclear. After installation, the malware establishes encrypted connections with its command-and-control server, gains Device Administrator privileges, blocks removal attempts, and can silently carry out actions such as fund transfers by hiding activity behind fake system update screens.
Elsewhere, researchers at Trustwave SpiderLabs have identified a new Brazil-focused banking Trojan called Eternidade Stealer that marks an escalation in the region’s cybercrime activity. The malware spreads through WhatsApp, using a Python-based worm to hijack accounts, steal contact lists, and send personalized malicious messages. An accompanying installer deploys a Delphi-built stealer that activates only on systems using Brazilian Portuguese and targets banking, fintech, and cryptocurrency apps with credential-harvesting overlays. Eternidade also uses hard-coded email credentials to retrieve fresh command-and-control details via IMAP, improving resilience. Additional AutoIt scripts perform reconnaissance and evade antivirus tools. Researchers traced the infrastructure to interconnected domains, observing more than 450 connection attempts from 38 countries, mainly from desktop systems, despite the malware’s Brazil-centric design.
A hidden browser API raises security concerns.
SquareX has uncovered an undocumented system-level API inside the Comet AI browser that allows its hidden embedded extensions to run arbitrary commands and launch applications, bypassing protections enforced by mainstream browsers for more than a decade. The custom MCP API, found in Comet’s Analytics Extension, can be invoked directly from perplexity.ai and could be exploited through common techniques such as compromised extensions, cross-site scripting, or phishing. SquareX demonstrated how a spoofed extension used the API to execute WannaCry on a device. Because Comet conceals its embedded extensions, users cannot disable them, and SquareX warns that other extensions may also gain access to the API. Analysts say the finding reinforces enterprise reluctance toward AI browsers and highlights the need for transparency, independent audits, and user control.
Fortinet patches a zero-day.
A newly patched FortiWeb zero-day, CVE-2025-58034, is being actively exploited despite its medium CVSS 6.7 rating. The flaw allows authenticated attackers to execute unauthorized OS commands via crafted HTTP requests or CLI input, stemming from improper command neutralization. Trend Micro’s Jason McFadyen discovered the issue, which affects FortiWeb versions 7.0 through 8.0.1, with fixes now available. It follows last week’s silent patch of a separate critical FortiWeb path traversal flaw, CVE-2025-64446, which allowed unauthenticated command execution and has also seen reported exploitation.
A Philippine former mayor gets life in prison for scam center human trafficking.
A Philippine trial court has sentenced former Bamban mayor Alice Guo to life imprisonment for human trafficking, following a police raid that uncovered a scam centre employing hundreds of trafficked foreign and local workers. Authorities later identified Guo, who had run for office as a Filipino citizen, as Chinese national Guo Hua Ping. The Presidential Anti-Organised Crime Commission called the ruling both a legal and moral victory. Seven others were also convicted, and the facility was ordered forfeited to the state. Guo, removed from office in 2024 and captured in Indonesia after fleeing Senate hearings, faces additional charges including graft and money laundering. Her case has intensified national scrutiny of Chinese-linked criminal activity and the now-banned Philippine Offshore Gaming Operators sector.
Green energy gets hijacked for a blockchain side-hustle.
Nordex’s wind turbines were built to power communities, though one technical manager apparently believed they should also bankroll his crypto ambitions. While the company was still recovering from a Conti ransomware attack, he slipped three mining rigs into a substation and hid two Helium nodes inside the turbines themselves, treating critical infrastructure like a very large, very noisy piggy bank.
From August to November 2022, his setup quietly siphoned energy until Nordex discovered that its clean power was moonlighting as a blockchain side hustle. A court later noted he showed “no concern” about interfering with equipment that keeps thousands of homes running.
The judge rewarded this creative misuse of renewable energy with 120 hours of community service and more than €8,000 in damages. It is, if nothing else, a gentle reminder that insider threats are alive and well, and that even in the age of green tech, not every watt is yours to monetize.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

