
Kimwolf Bot Strikes - "Routers Will Not Protect You"

Episode Transcript

Cybersecurity Today. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless, and cellular, in one integrated solution that's built for performance and scale.

You can find them at meter.com/cst.

The Kimwolf botnet is stalking your safe local network.

Another file share breach. A Massachusetts lobster heist shows how cybercrime hits the physical supply chain. And, I'm calling it Whitey Leaks: a hacker named Root takes down white supremacist sites live on stage.

This is Cybersecurity Today.

I'm your host, Jim Love.

The short version is that everything you thought you knew about security of the internal network behind your internet router is out of date.

That line is from Krebs on Security, a story about a fast-growing botnet called Kimwolf, and it's worth taking literally. Researchers at the firm Synthient say they're seeing more than 2 million infected devices, with heavy concentrations in countries including Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States.

They also found that roughly two thirds of infections were Android TV boxes with no security or authentication built in.

What makes Kimwolf different is how it spreads.

It abuses residential proxy networks, services that route traffic through ordinary consumer devices to make it look like you're browsing from a specific city or country.

Kimwolf operators figured out a way to tunnel back through those proxy endpoints and reach into the local network sitting behind the victim's router.

In Krebs' reporting, Synthient founder Benjamin Brundage described how attackers can bypass private IP blocking by using DNS records that resolve to internal addresses, letting them send crafted requests to the device itself or other devices on the local network.

From there, the botnet leans on a second bad habit.

Many unofficial Android TV boxes ship with Android Debug Bridge, ADB, connections, which can hand over superuser access with a single command. Krebs on Security reports that Synthient is seeing more than 2 million infected devices. Separately, Qi An Xin's XLab says it briefly observed at least 3 million distinct source IPs connecting to a seized Kimwolf command server over a three-day window in early December 2025, which is a strong signal of scale, even though IP counts aren't a perfect one-to-one match for devices.

Kimwolf is a classic money botnet with some nasty twists.

It can generate large distributed denial of service attacks.

It can also sell residential proxy access, meaning criminals can rent traffic that looks like it's coming from normal homes.

That proxy capability also makes it useful for ad fraud, account takeover attempts and large scale content scraping because it helps attackers blend in and evade rate limits.

And XLab says the malware includes proxy forwarding, a reverse shell and file management functions, which suggests interactive control once a device is compromised.

The twist is the tunnel-back behavior.

Researchers say Kimwolf can pivot from a residential proxy endpoint into the local network behind the victim's router, and then abuse exposed Android Debug Bridge, or ADB, often on port 5555, to expand its control.

There are few or maybe no simple solutions to this.

We do need to treat cheap no-name smart devices like they're untrusted laptops.

Never touch those shady devices that can offer access to paid services for free.

But even what might seem legitimate, like online picture frames, can also be affected.

It's probably best to put any suspicious device on a guest or isolated network, and don't let them share the same trusted LAN as your work machines or servers.

Synthient says that users can check whether they're affected via their site, and that infected TV boxes should be wiped or destroyed.

In the brief time I had before we went to air today, I couldn't figure out how the average person would use Synthient's tool set.

So the bottom line is, we do need to forget everything we know. The security model that the router will protect us is wildly out of date.

I'm also open to anyone who has a simple solution for home networks that the average person could follow; drop me a note.

I explain how to contact me at the end of the show.
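The bypass Brundage describes, a hostname whose DNS record points at an internal address, defeats any filter that checks the hostname string. The check below is an added example (not code from the podcast, Synthient or Krebs) of the defensive pattern a proxy exit needs: resolve first, refuse if any returned record is non-public, including IPv4-mapped IPv6 forms, and pin the address actually connected to so the name is never resolved a second time. The DNS table and addresses are constructed so it runs offline.

```python
import ipaddress
import socket


def is_non_public(addr: str) -> bool:
    """True if addr must never be reached through a proxy exit: RFC 1918,
    loopback, link-local, multicast, reserved, unspecified, or an
    IPv4-mapped IPv6 wrapper around any of those."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:192.168.1.1 is still 192.168.1.1
    return (not ip.is_global) or ip.is_multicast


def real_resolver(hostname: str) -> list[str]:
    """Live lookup returning every A/AAAA record (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fake_resolver(hostname: str) -> list[str]:
    """Constructed DNS table for this example; every entry is made up."""
    table = {
        "cdn.example.com":    ["93.184.216.34"],
        "rebind.example.com": ["93.184.216.34", "192.168.1.1"],  # public + LAN record
        "tvbox.example.com":  ["10.0.0.23"],                     # points into the LAN
        "mapped.example.com": ["::ffff:127.0.0.1"],              # loopback in IPv6 form
    }
    return table.get(hostname, [])


def vet_target(hostname: str, resolver=fake_resolver) -> tuple[bool, str]:
    """Resolve once and refuse the request if ANY record is non-public.
    On success the second element is the pinned public address the caller
    must connect to directly; re-resolving the name later would reopen
    the DNS trick."""
    addrs = resolver(hostname)
    if not addrs:
        return False, f"{hostname}: no address records"
    bad = [a for a in addrs if is_non_public(a)]
    if bad:
        return False, f"{hostname}: refused, resolves to non-public {bad}"
    return True, addrs[0]


if __name__ == "__main__":
    for name in ("cdn", "rebind", "tvbox", "mapped", "missing"):
        print(vet_target(f"{name}.example.com"))
```

Pass `resolver=real_resolver` to vet live hostnames; the pinned address, not the hostname, is what the outbound socket should be opened to.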

A threat actor known as Zestix is advertising corporate data for sale after what Hudson Rock says were break-ins to ShareFile, Nextcloud and ownCloud environments used by a number of organizations.

Hudson Rock is a cybercrime intelligence firm that tracks credential theft from info stealing malware and how those stolen logins get reused in real intrusions.

The alleged entry point is stolen employee credentials.

Hudson Rock says initial access was likely obtained from infostealer malware like RedLine, Lumma, and Vidar on employee machines, and then used to log in to file sharing portals where, and wait for this, multi-factor authentication, MFA, wasn't enabled, BleepingComputer notes.

Hudson Rock also found some of the stolen credentials had been sitting in criminal databases for years, which points to passwords not being rotated and active sessions not being invalidated.

To put this into perspective, these platforms are big targets because they're not one time transfer tools.

They're living workspaces.

But it is reminiscent of the last time that file movement products became a household name in security circles, when the MOVEit Transfer wave hit in 2023 and the Clop ransomware gang exploited a zero-day, CVE-2023-34362, to steal data at scale.

CISA's advisory at the time described the mass exploitation, and Emsisoft tracked the fallout as it grew across thousands of victims.

So the next practical question for defenders is simple.

If your ShareFile, Nextcloud or ownCloud instance is reachable from the internet, do you have strong authentication, tight logging, and a realistic plan for what happens when a valid username and password shows up in a leak?

Because attackers don't need a zero-day when they can just log in.

The recommendation is to make MFA mandatory, rotate credentials after any infostealer exposure, and explicitly revoke active sessions, so old browser tokens don't keep working after a password change.

This next story might sound like a novelty: cyber crooks steal lobster.

But listen up on this one.

There's something to be learned.

Okay, police say a shipment of about 40,000 pounds of lobster meat, valued at around $400,000, disappeared after being picked up from a facility in Taunton, Massachusetts.

It was headed to Costco locations in Illinois and Minnesota.

And the local detail that should make every logistics team flinch is that about 10 days earlier, a large crab shipment was also stolen from the same facility.

In many cases, these would be standard thefts.

They take goods that are easy to resell and untraceable for the most part.

But the cyber component makes the attack increasingly strategic instead of a smash and grab.

Proofpoint has documented cyber-enabled cargo theft campaigns where criminals use phishing and remote monitoring and management tools, RMM software, and get inside freight and logistics workflows, then reroute or impersonate legitimate carriers to physically collect the load.

You get the paperwork, the timing, the credibility to take real cargo without ever needing a weapon.

And while lobster is memorable, the pattern is the story.

Once criminals can get into the digital supply chain, they can cherry pick higher value targets for logistic companies.

This is a reminder that cybersecurity is no longer just about data loss.

Sometimes it's literally inventory walking out the door. And for all of us, it's an idea that cyber attacks used to facilitate physical thefts are an added area we have to consider.

A hacktivist who goes by the name Martha Root wiped three white supremacist websites live on stage at the Chaos Communication Congress in Hamburg.

White Date, White Child and White Deal bit the dust. Root didn't just knock them offline.

She also scraped and published data from White Date, which is exactly what the name implies, a dating service for white supremacists.

But the takedown wasn't the worst of it.

Her commentary was devastating.

Root said the site had poor cybersecurity hygiene that would make even your grandma's AOL account blush.

She also pointed out that the users' images included precise geolocation metadata that practically hands out the home addresses with a side of awkward selfies.

You gotta like this lady.

TechCrunch reported that the leaked data sets included user profiles with names, pictures, descriptions, age, location data including precise coordinates as well as user-set country and state, plus fields like gender, language, race, and other personal info users uploaded.

And for anyone wondering what the dating pool looks like, White Date had more than 6,500 users, and the leaked data showed 86% men and 14% women. Root joked it was a gender ratio that makes the Smurf Village look like a feminist utopia.

Root turned over the files to DDoSecrets, which says it has a hundred-gigabyte White Leaks dataset marked for limited distribution, and notes it's intended for verified journalists and researchers. So, no, if you're looking for Mr. Far Right, you're not gonna get root access on this one either.

And that's our show.

If you like what we're doing, please share the show with others.

Give us a like or a comment on your favorite podcast app or site.

We're found everywhere: Apple, Spotify, YouTube, and more.

And we love to hear from you.

You can reach me at technewsday.ca or .com.

Take your pick.

Just go to the contact us page. And if you're watching this on YouTube, just leave a comment under the video, or find me on LinkedIn.

A lot of people do.

Finally, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless, and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable, and secure connectivity in a space.

They design the hardware, the firmware, build the software, manage deployments, and run support.

It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers.

Book a demo at meter.com/cst.

That's M-E-T-E-R.com/cst.

I'm your host, Jim Love.

Thanks for listening.
