CyberWire Daily - A softer touch on cyber.
Episode Date: February 4, 2026

The White House preps a major overhaul of U.S. cybersecurity policy. A key Commerce security office loses staff as regulatory guardrails weaken. Lawmakers press AT&T and Verizon after months of silence on Salt Typhoon. A vulnerability in the React Native Metro development server is under active exploitation. Amaranth Dragon leverages a WinRAR flaw. A coordinated reconnaissance campaign targets Citrix NetScaler infrastructure. CISA warns a SolarWinds Web Help Desk flaw is under active exploitation. Zach Edwards, Senior Threat Researcher at Silent Push, is discussing a hole in the kill chain leaving law enforcement empty-handed. Cops in Northern Ireland get an unwanted data breach encore.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

Today we are joined by Zach Edwards, Senior Threat Researcher at Silent Push, discussing a hole in the kill chain leaving law enforcement empty-handed. You can read more from Zach’s team here.

Selected Reading

White House Cyber Director Charts New Course for Digital Defense Through Private Sector Partnership (Web Pro News)
Another Misstep in U.S.-China Tech Security Policy (Lawfare)
Cantwell claims telecoms blocked release of Salt Typhoon report (Cyberscoop)
Hackers exploit critical React Native Metro bug to breach dev systems (Bleeping Computer)
New Amaranth Dragon cyberespionage group exploits WinRAR flaw (Bleeping Computer)
Wave of Citrix NetScaler scans use thousands of residential proxies (Bleeping Computer)
Fresh SolarWinds Vulnerability Exploited in Attacks (SecurityWeek)
‘It defies belief’: Names of PSNI officers published on court website in new breach (Belfast Telegraph)

Share your feedback

What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most security conferences talk about zero-trust.
Zero-Trust world puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs, where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation.
Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away.
Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero-trust strategy from theory to execution.
The White House preps a major overhaul of U.S. cybersecurity policy.
A key commerce security office loses staff as regulatory guardrails weaken.
Lawmakers press AT&T and Verizon after months of silence on Salt Typhoon.
A vulnerability in the React Native Metro development server is under active exploitation.
Amaranth Dragon leverages a WinRAR flaw.
A coordinated reconnaissance campaign targets Citrix NetScaler infrastructure.
CISA warns a SolarWinds Web Help Desk flaw is under active exploitation.
Our guest is Zach Edwards, senior threat researcher at Silent Push, discussing a hole in the kill chain, leaving law enforcement empty-handed.
And cops in Northern Ireland get an unwanted data breach encore.
It's Wednesday, February 4th, 2026. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great as always to have you with us.
The Trump administration is preparing a major overhaul of U.S. cybersecurity policy led by National Cyber Director Harry Coker Jr. with a strong emphasis on private sector collaboration and regulatory reform.
The forthcoming National Cybersecurity Strategy aims to reduce overlapping and contradictory federal requirements that industry leaders say divert resources from real security improvements.
Coker has signaled a shift away from top-down mandates toward a more bottom-up approach, actively soliciting industry input on which rules create friction without improving outcomes.
The strategy is also expected to modernize threat intelligence sharing by strengthening legal protections for companies that disclose cyber incidents, addressing long-standing fears of liability and regulatory retaliation.
Cross-sector coordination will be prioritized to reflect how modern cyber attacks cascade across industries, while longer-term goals include expanding the cybersecurity workforce and investing in emerging technologies like AI.
Despite the ambitious vision, success will hinge on sustained funding, cultural change within government, and rebuilding trust with a private sector wary of past unfulfilled promises.
The Wall Street Journal reports that the Trump administration has removed two senior officials from the Commerce Department's Bureau of Industry and Security, specifically within its Office of Information and Communications Technology and Services.
While little known publicly, ICTS plays a critical role in protecting U.S. technology supply chains from foreign adversary influence.
Its sidelining is portrayed as part of a broader rollback since January of last year that has weakened federal technology and national security oversight through staffing cuts and reduced regulatory enforcement.
Created under Donald Trump's 2019 executive order, ICTS was designed to block or restrict high-risk technologies tied to countries like China and Russia.
It has acted only twice, including bans on Kaspersky software and certain connected vehicles.
Critics argue that recent personnel moves, combined with cuts across agencies like CISA and regulatory reversals, collectively undermine U.S. efforts to counter escalating cyber and supply chain threats, with damage that may be difficult to reverse.
Senator Maria Cantwell, the top Democrat on the Senate Commerce Committee overseeing telecommunications, is calling for public hearings with the CEOs of AT&T and Verizon following revelations that the Chinese-linked hacking group Salt Typhoon infiltrated U.S. telecom networks.
In a letter to committee chair Ted Cruz, Cantwell said both companies have refused to provide documentation supporting claims their networks are now secure, raising concerns about ongoing risks to Americans' communications.
The intrusions exposed sensitive data tied to U.S. officials, yet congressional action and regulatory oversight have largely stalled.
An investigation by the Department of Homeland Security's Cyber Safety Review Board was terminated, and emergency FCC rules issued late in the Biden administration to hold telecoms accountable were rescinded by the Trump administration.
Cantwell argues telecoms have taken minimal action due to cost concerns and says executives must testify to restore public confidence.
Researchers warn that attackers are actively exploiting the vulnerability dubbed Metro4Shell in the React Native Metro development server to compromise developer systems.
Discovered by JFrog, the flaw allows remote code execution via an exposed open-url endpoint.
VulnCheck observed real-world exploitation delivering Windows and Linux payloads that disable defenses and fetch malware.
Roughly 3,500 exposed Metro servers remain online, despite available fixes and ongoing attacks.
Researchers at Check Point report that a newly identified threat actor, Amaranth Dragon, linked to state-sponsored Chinese operations associated with APT41, is exploiting a vulnerability in espionage campaigns.
The attacks targeted government and law enforcement organizations across Southeast Asia, including Singapore, Thailand, and the Philippines.
Amaranth Dragon leveraged the WinRAR flaw to achieve persistence by planting malicious files in Windows startup folders, later deploying a custom Amaranth loader to fetch encrypted payloads from Cloudflare-protected command and control servers.
Campaigns were tightly geofenced and used region-specific lures.
More recent attacks delivered a new Telegram-based remote access tool, TGAmaranthRAT.
Researchers warn the activity shows high technical maturity and urge organizations to upgrade WinRAR to patched versions.
Researchers at GreyNoise report a coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure between January 28th and February 2nd.
The activity used more than 63,000 IP addresses, largely residential proxies, to identify exposed login panels and enumerate product versions.
GreyNoise says the behavior indicates pre-exploitation mapping rather than random scanning, potentially tied to exploit development.
The campaign follows recent critical Citrix flaws, raising concerns of imminent follow-on attacks.
CISA warns that attackers are actively exploiting a critical remote code execution flaw in SolarWinds Web Help Desk.
The unauthenticated deserialization bug was patched last week, but CISA has now added it to the Known Exploited Vulnerabilities catalog, ordering federal agencies to remediate within three days.
The move confirms in-the-wild exploitation and highlights continued risk to unpatched SolarWinds deployments.
Coming up after the break, Zach Edwards from Silent Push discusses a hole in the kill chain, leaving law enforcement empty-handed.
And cops in Northern Ireland get an unwanted data breach encore.
Stay with us.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
If securing your network feels harder than it should be, you're not imagining it.
Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups.
That's where NordLayer comes in.
NordLayer is a toggle-ready network security platform built for businesses.
It brings VPN, access control, and threat protection together in one place.
No hardware, no complicated configuration.
You can deploy it in minutes and be up and running in less than 10.
It's built on zero-trust principles, so only the right people can get access to the right resources.
It works across all major platforms, scales easily as your teams grow, and integrates with what you already use.
And now NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses.
Enterprise-grade security made manageable.
Try NordLayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code CyberWire10.
Visit NordLayer.com slash CyberWire Daily to learn more.
Zach Edwards is senior threat researcher at Silent Push.
I recently got together with him to discuss a hole in the kill chain that leaves
law enforcement empty-handed.
Yeah, thank you so much.
Our team at Silent Push has been looking at different ways to classify the internet since
we were founded.
We are essentially a company that scans the internet, and we are creating feeds of known bad infrastructure for our clients.
So pretty much an early thing that we were looking at was malicious ASN ranges, bulletproof hosts, and how could we classify large groups of the infrastructure as bad?
Well, define for us what exactly bulletproof hosting entails today.
Yeah, that's a good question.
Bulletproof hosting is a practice that's been around for about two decades, and it really was a term created to describe the Russian Business Network, which was essentially a malicious hosting company based out of Moscow around 2006, and they were essentially hosting anything bad they could possibly find, from malware, phishing, financial fraud, CSAM, and pretty much everything bad on the internet that some criminal wanted to host, they were open to hosting it.
And so when that sort of came about,
a lot of folks were trying to figure out,
what is this?
How do we talk about this?
And so we sort of came up with the idea of a bulletproof host,
or rather the industry did.
And it really is a hosting company
that ignores legitimate abuse complaints.
So when a cybersecurity company identifies a domain
that's promoting malware or phishing infrastructure,
they may send in abuse complaints to that hosting company or the registrar that registered the domain
and try and get that infrastructure taken offline.
And when you do that with a Cloudflare or Google or Microsoft or any of the major hosting companies,
they absolutely review those requests and they take action when something is malicious.
But a bulletproof hosting company, you may send that in to some email address they have.
And really that complaint just kind of goes right into the dumpster.
They explicitly say they're going to ignore entire categories of abuse, and threat actors love that.
And is it the fact that, as you mentioned, most of these folks are operating out of Russia, does the government simply turn a blind eye?
Yeah, the geography of where these BPHs are hosted is really interesting.
They typically are, and historically have been, in jurisdictions which essentially ignore international laws which they don't have within that country.
So Russia has very specific legal frameworks.
And so if there's basically a hosting company that's violating the laws in the United States, that hosting company isn't technically under the same pressure in Russia,
whereas many other countries, let's say Europe, Latin America, African countries,
there's a lot of places where they play ball,
where it may not be their law,
but let's say someone is violating a U.S. law,
like the DMCA, the Digital Millennium Copyright Act.
That's sort of the classic law that was used to take down
illicit sports streaming,
illicit movie and TV show streaming,
and that's the basis of torrenting.
And there's many BPHs that love to have this type of illicit streaming,
because it's, quote, not illegal in their home country.
And so they're essentially just ignoring certain U.S. laws.
And that is sort of the modus operandi, where a BPH is ignoring laws from other countries.
And they're based in specific jurisdictions where they usually aren't worried about law enforcement,
raiding them or holding them accountable to foreign laws.
And so for decades, it really, the first decade or so, it was primarily in Russia where we were seeing these.
But now two decades or so since the start of this problem, they're everywhere.
We're tracking over 100 ASNs that are operating as bulletproof hosts.
And while many are located in Russia, they're located in Hong Kong, other places in Asia.
Some of these are legally registered in the UK.
Some are legally registered in Wyoming.
There's a whole different ecosystem now.
So looking at the research here,
what are some of the things that you hope people take away from it,
that maybe they don't know about bulletproof hosts?
Yeah, so we think it's really important for everyone to be
not only trying to understand what is a bulletproof host,
what are the crimes that they support,
who are their criminal clients,
but also how are they getting online?
And so we have a lot of details in our report about peering.
And without getting too in the weeds on the technical details,
the internet is a series of tubes.
And a famous former senator from Alaska Ted Stevens said that many years ago.
And a lot of people were critical of that.
But it is actually a really simple way to think about it,
where the internet is broken up by ASNs, autonomous system numbers.
They essentially are where IP addresses are associated.
And so an organization like Cloudflare, Google, Microsoft,
they have an ASN number or maybe even a couple ASN numbers,
and they could have tens of thousands or hundreds of thousands of IPs they map to it.
And then in order for people to be able to connect to their websites,
they basically need to connect their ASN up to other ASNs.
And so imagine I'm a Cox Communications ISP user and I want to connect to infrastructure on Cloudflare. That Cox ASN needs to have a peering relationship in some way that connects to Cloudflare.
And so someone like a Cloudflare or these other enterprise hosts typically have hundreds of peers or thousands even, but the bulletproof hosting providers may only have one or two peers.
And what this means in practice is that really suspicious hosting company that's operated out of the basement of someone's house,
suspicious hosting company that's operated out of the basement of someone's house.
They maybe rented some infrastructure.
They've been able to get an ASN, but no one can connect to their infrastructure.
They're just sitting off alone.
The internet doesn't connect to them because they have no peers.
They can start reaching out to other bulletproof hosting companies, other low-quality
hosting companies, and say, hey, will you peer your ASN to my ASN so that everyone in the
world can connect to us?
And so when you start to investigate a BPH, you can see who they're basically working with,
how those data flows between their malicious host and the rest of the internet work.
And we can start to hold these peering partners accountable.
And there was a really interesting law enforcement action just last month against Media Land and Hypercore.
And these are basically BPH operators that were financially sanctioned in the U.S., the U.K., and Australia.
But what's really important about it is these are basically Russian bulletproof hosts.
We are not going to be able to raid their facilities.
We're not going to be able to seize the servers.
But they took this opportunity to issue the financial sanctions because the primary
peer for those bulletproof hosts is an ISP located in the UK.
And so by having those financial sanctions, they could then go to that peer in the UK and say,
hey, one of your partners actually is completely doing illegal stuff.
And there's now financial sanctions so that if you continue to do business with them,
you're going to be held accountable for all of these sanctions frameworks and potentially face fines or other ramifications.
And so it was a really savvy way to try and disconnect that BPH from the internet.
Are law enforcement efforts like that effective? I mean, you know, there's that old chestnut about this being a game of whack-a-mole.
Yeah, that's absolutely the case.
And with BPH operators, it is absolutely true that whack-a-mole would be the simplest way to describe them, where when there is a takedown, their clients may all run to another BPH, IPs that were rented at that BPH may suddenly show up somewhere else.
And we see that basically every month.
There's law enforcement actions happening that are quite public and others somewhat more behind the scenes.
But in just the last couple of years, there's been a dramatic increase in law enforcement actions against BPH providers.
And we should all be really encouraged by that, where in November, Dutch authorities literally raided one bulletproof hosting provider named CrazyRDP and seized the servers.
And that's really the gold standard where when law enforcement is able to physically locate the bulletproof hosting operator and has jurisdiction to go into that location, then that shuts down the operation.
All of those clients immediately lose their infrastructure and it really creates chaos for them.
But the second best option really is still that those financial sanctions.
And we've seen quite a few financial sanctions being issued, not only Media Land and Hypercore;
the Funnull CDN out of China was sanctioned in May 2025 by U.S. authorities.
And the Funnull CDN is a very interesting threat actor hosting company because they've been
hosting investment scam websites that have resulted in more losses than any other network
that exists with U.S. victims losing over $200 million through just this one
bulletproof hosting provider.
And so we're at a place where the losses are significant with some of the infrastructure
that can be hosted on a bulletproof host.
And they're clearly, those threat actors that host on them target a lot of those malicious
sites to U.S. folks.
For the defenders who are in our audience here, where should bulletproof hosting be on their spectrum of awareness? How important a thing is this to keep an eye on?
Yeah, I would say it's easily in the top five for all priorities.
And the way we sort of advise our clients, there's over 100 BPHs and 99.99% of the stuff on those is malicious. It could be malware, could be C2 hosting, could be phishing infrastructure, financial fraud, CSAM, all types of horrible things.
And the reality of that is that if we aren't approaching it as though it's a threat that every threat actor loves to use, a tool set that every threat actor loves to use, then you're going to be attacked by a lot of stuff that you don't have defenses for.
And so we urge people to know what the BPHs are, to have a defense strategy, and at the very least be alerting on connections from those BPH hosts.
And we know many of our clients and many folks in the industry actually block, outright block connections from BPHs. And that's absolutely also a good strategy.
But at the bare minimum, folks need to have knowledge of what these ASNs are and have a process that allows them to alert when any domains that are mapped to an IP on one of those BPHs somehow either connects to their infrastructure or one of their users reaches out and has their device reaching out to one of those hosts.
That's Zach Edwards from Silent Push.
We have a link to his team's research in the show notes.
Local news is in decline across Canada, and this is bad news for all of us.
With less local news, noise, rumors, and misinformation fill the void, and it gets harder to
separate truth from fiction.
That's why CBC News is putting more journalists in more places across Canada,
reporting on the ground from where you live,
telling the stories that matter to all of us,
because local news is big news.
Choose news, not noise.
CBC News.
With Amex Platinum, $400 in annual credits for travel and dining
means you not only satisfy your travel bug, but your taste buds too.
That's the powerful backing of Amex.
Conditions apply.
And finally, for some Police Service of Northern Ireland officers, a 2023 data breach is starting to look less like a one-off disaster and more like an unwanted subscription service.
After their names were mistakenly exposed last year, dozens of those same officers briefly reappeared this week on the NI Courts website.
The Department of Justice says the listings were promptly removed and emphasizes that court information is usually public unless lawyers ask otherwise, a policy that works best when nobody is already living through a privacy nightmare.
Police Federation Chair Liam Kelly called the episode avoidable and embarrassing, while politicians warned of renewed anxiety for officers and families.
The timing, however, has not gone unnoticed.
These same officers are still pursuing compensation over the original breach, and some are now openly wondering whether this latest slip-up might qualify as a sequel.
That possibility lands just as the Police Federation for Northern Ireland welcomed a 7,500-pound compensation offer for the thousands affected in 2023.
In Northern Ireland's data-handling saga, even mistakes appear to be compounding and possibly accruing interest.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we
deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year,
make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders tackling today's toughest challenges
and shaping what comes next.
Register today at rsacconference.com slash cyberwire 26.
I'll see you in San Francisco.
