CyberWire Daily - America goes solo on cyber.
Episode Date: January 8, 2026
The US withdraws from global cybersecurity institutions. A maximum-severity vulnerability called Ni8mare allows full compromise of a workflow automation platform. Cisco patches ISE. Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia. The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA. The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents. An Illinois man is charged with hacking Snapchat accounts to steal nudes. Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015. Facial recognition that's bear-ly controversial.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we are joined by Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, for a conversation on CISA 2015 and its role in today's cybersecurity and policy landscape. If you enjoyed this conversation, be sure to tune into the full interview on the next Caveat.
Selected Reading
US announces withdrawal from dozens of international treaties (The Record)
US To Leave Global Forum on Cyber Expertise (Infosecurity Magazine)
Max severity Ni8mare flaw lets hackers hijack n8n servers (Bleeping Computer)
Cisco warns of Identity Service Engine flaw with exploit code (Bleeping Computer)
CISA tags max severity HPE OneView flaw as actively exploited (Bleeping Computer)
Threat Actors Exploit Commodity Loader in Targeted Email Campaigns Against Organizations (GB Hackers)
Are Copilot prompt injection flaws vulnerabilities or AI limits? (Bleeping Computer)
Microsoft to enforce MFA for Microsoft 365 admin center sign-ins (Bleeping Computer)
Illinois state agency exposed personal data of 700,000 people (The Record)
Oswego man Kyle Svara, 26, allegedly hired by college coach Steve Waithe to get Snapchat access codes from nearly 600 women: FBI (ABC7 Chicago)
How facial recognition for bears can help ecologists manage wildlife (The Conversation)
Share your feedback
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show?
N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
The U.S. withdraws from global cybersecurity institutions.
A maximum severity vulnerability called Ni8mare allows full compromise of a workflow automation platform.
Cisco patches ISE.
Researchers uncover a sophisticated multi-stage malware campaign targeting manufacturing and government organizations in Italy, Finland, and Saudi Arabia.
The growing rift of defining AI risk. Microsoft gives 365 admins a one-month deadline to enable MFA.
The Illinois Department of Human Services inadvertently exposed personal and protected health information of more than 700,000 residents.
An Illinois man is charged with hacking Snapchat accounts to steal nudes.
Our guest is Caitlin Clarke, Senior Director for Cybersecurity Services at Venable, with insights on CISA 2015.
And facial recognition that's bear-ly controversial.
It's Thursday, January 8, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
The Trump administration is suspending U.S. support for several international organizations,
including two focused on cybersecurity as part of a broader withdrawal from multilateral institutions.
An executive order signed yesterday by Donald Trump directs the United States to exit 66 international bodies,
including 31 affiliated with the United Nations,
on the grounds that continued participation is contrary to U.S. interests.
Among the affected organizations are the Global Forum on Cyber Expertise,
which supports global cybersecurity capacity building,
and the European Center of Excellence for Countering Hybrid Threats,
which focuses on countering blended cyber,
information and political threats. Federal agencies have been instructed to end participation and
funding where legally permitted. Secretary of State Marco Rubio said many of the targeted bodies
are redundant, mismanaged, or driven by ideological agendas that conflict with U.S. priorities.
The withdrawals also include organizations focused on climate, human rights, and international
law, marking one of the most extensive pullbacks from multilateral engagement in years.
A maximum severity vulnerability called Ni8mare, Nightmare or Nate-mare, there's an eight in there, allows remote unauthenticated attackers to fully compromise locally deployed instances of the n8n workflow automation platform. The flaw carries a 10.0 severity score and affects more than 100,000 exposed servers, according to researchers at Cyera. The issue stems from content-type confusion in how n8n parses webhook data, allowing attackers to bypass file upload protections and read arbitrary files from the underlying system. This can expose secrets such as API keys, credentials, and session data, and may enable further compromise. n8n developers warn there's no official workaround beyond restricting public webhooks and urge users to upgrade to the latest version to fully remediate the risk.
Cisco has released patches for a vulnerability in its Identity Services Engine, or ISE, network access control platform after public proof-of-concept exploit code appeared online. The flaw affects Cisco ISE and ISE Passive Identity Connector regardless of configuration. According to Cisco, attackers with valid administrative credentials could exploit improper XML parsing in the web interface to read arbitrary files, including sensitive data. Cisco reports no active exploitation, but urges customers to upgrade promptly.
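The Cisco item above says only that "improper XML parsing" in the web interface lets an authenticated administrator read arbitrary files. The usual mechanism behind a description like that is XML External Entity (XXE) expansion: a parser that honours external entities copies whatever local file the entity names into the document. The block below is an added example, not Cisco's code and not taken from the advisory; it assumes the XXE class, and the secret file, its contents and the payload are constructed for the demo. It runs one payload through Python's standard-library xml.sax parser twice, once with external general entities enabled (the vulnerable configuration) and once with a lexical handler that refuses any DOCTYPE.

```python
"""XXE file read with Python's stdlib xml.sax: vulnerable vs hardened parser.

Added example. The secret file, its contents and the payload are constructed
for the demo; nothing here is Cisco's code or taken from the ISE advisory.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)

# Constructed sample secret standing in for a config file on the appliance.
SECRET = "api_key=constructed-example-secret-0000"


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RefuseDTD:
    """Lexical handler that aborts the parse the moment a DOCTYPE appears.

    xml.sax hands the DOCTYPE declaration to startDTD, so raising here means
    no entity, internal or external, is ever declared (the policy defusedxml
    calls forbid_dtd). The remaining methods complete the LexicalHandler
    interface and do nothing.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD not accepted (DOCTYPE %s)" % name)

    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def xxe_payload(path):
    """Textbook XXE document: an external general entity naming a local file.
    A file:///... URL works the same way with Python's default resolver."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE config [<!ENTITY xxe SYSTEM "%s">]>\n'
        '<config><name>&xxe;</name></config>' % path
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parser with external general entity resolution switched ON.
    Python has shipped with it off since 3.7.1; enabling it makes the parser
    replace &xxe; with the contents of whatever file the entity names."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes):
    """Parser that keeps external entities OFF and refuses any DTD outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RefuseDTD())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Run one payload through both parsers. Returns (text leaked by the
    vulnerable parser, True if the hardened parser refused the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.conf")
        with open(secret_path, "w") as fh:
            fh.write(SECRET)
        payload = xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())
```

The point of refusing the DTD inside the parser, rather than grepping the request body for "<!DOCTYPE", is that a substring check is defeated by alternative encodings while the parser sees the declaration whatever the encoding. Python's xml.sax has shipped with external general entities disabled since 3.7.1, so the vulnerable path here has to be switched on explicitly; many other XML stacks still resolve them by default, which is where "improper XML parsing" findings like the one above come from.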
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency has flagged a critical HPE OneView vulnerability as actively exploited in the wild. The flaw allows unauthenticated attackers to achieve remote code execution on unpatched systems. According to CISA and Hewlett Packard Enterprise, the issue affects all OneView versions before 11.0 and has no mitigations. Federal agencies must patch by January 28, and others are urged to update immediately.
Researchers at Cyble Research and Intelligence Labs have uncovered a sophisticated multi-stage malware campaign that uses a shared commodity loader across multiple threat actor groups. The operation targets manufacturing and government organizations with confirmed activity in Italy, Finland, and Saudi Arabia. Phishing emails posing as purchase orders deliver weaponized Office files, SVGs, or ZIP archives containing LNK shortcuts, all funneling victims into the same evasive loader. The campaign deploys remote access trojans and information stealers, including PureLogs, AsyncRAT, and Remcos. Attackers use layered obfuscation, steganography hosted on legitimate platforms, trojanized open source code, and process hollowing to evade detection. Analysts assess the shared infrastructure and evolving techniques as evidence of coordinated, high-maturity threat activity.
Microsoft is pushing back on claims that several issues reported in its Copilot AI assistant qualify as security vulnerabilities, underscoring a growing rift between vendors and researchers over how AI risk is defined. Security engineer John Russell said Microsoft dismissed four reported flaws, including prompt injection, system prompt leakage, sandbox command execution, and a file upload restriction bypass using base64 encoding. Microsoft argues these behaviors do not cross a security boundary and therefore fall outside its vulnerability criteria. Some researchers agree the issues reflect known limitations of large language models rather than exploitable flaws. Others counter that competing tools such as Claude from Anthropic appear more resistant, suggesting gaps in input validation. The OWASP GenAI project takes a middle ground, warning that prompt disclosure matters only when it enables real-world impact. The debate highlights unresolved questions about what secure means for generative AI systems.
Elsewhere, Microsoft will begin fully enforcing multi-factor authentication for all users accessing the Microsoft 365 admin center starting February 9th of this year. After that date, administrators without MFA enabled will be blocked from signing in to key admin portals. According to Microsoft, the move builds on a rollout that began in early 2025 and is intended to reduce the risk of account compromise from phishing and credential abuse. Microsoft is urging organizations to enable MFA now to avoid administrative access disruptions.
The Illinois Department of Human Services disclosed that it inadvertently exposed personal and
protected health information of more than 700,000 residents by posting data to public online
mapping platforms. The information, including names, addresses, and benefits status, remained
accessible for up to four years before removal in September.
Affected individuals include disabled clients and Medicaid and Medicare Savings Program recipients.
While no misuse is known, the data falls under HIPAA protections, prompting policy changes to prevent
similar disclosures.
An Oswego, Illinois man has been charged in a federal case involving the hacking of Snapchat accounts. Prosecutors say 26-year-old Kyle Svara obtained Snapchat access codes for nearly 600 women and unlawfully accessed more than 50 accounts to steal nude images. He faces charges including aggravated identity theft, wire fraud, and computer fraud. Authorities allege he was hired by former Northeastern University coach Steve Waithe, who was already imprisoned. Svara is scheduled to appear in federal court in Boston on February 4th.
Coming up after the break, my conversation with Caitlin Clarke, Senior Director for Cybersecurity Services at Venable. We're discussing insights on CISA 2015.
And facial recognition that's bear-ly controversial.
Stick around.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently,
and finally get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
Most environments trust far more than they should,
and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments.
Schedule your demo at ThreatLocker.com slash N2K today.
Caitlin Clarke is Senior Director for Cybersecurity Services at Venable. I recently caught up with her to discuss insights on CISA 2015.
I describe the Cybersecurity Information Sharing Act of 2015, which I will be very clear, I say the full acronym so that we don't confuse it with an agency. I see it as a voluntary framework that authorizes private sector entities to monitor and operate defensive measures on their own information systems and then authorizes those entities to share or receive cyber threat indicators with the federal government and with other private entities. And the key part of this legislation is, as part of that voluntary sharing framework, that there are legal protections for those who are involved in the information sharing activity so that they are protected from antitrust, from federal and state disclosure requirements, from how the U.S. government can potentially use that information for enforcement actions. It's limited. And so it is a voluntary framework that does not require entities at all to participate, but it provides clarity and certainty around the legal environment in which information sharing can happen.
And so what did it enable? What did it allow to happen between the private sector and the government?
So I think it's really important to recognize that information sharing happened before the passage of this legislation in 2015. What the legislation provided was clarity around protections, as I just described, for companies who were sharing information. So if I were a bank and I had information about a cyber threat that was impacting my systems or network, I could share that information with another bank through an information sharing and analysis center or other information sharing arrangements without fear that I'm violating any, you know, antitrust rules or that I might be sued for sharing that information with that other bank. And then with the government, it's an ability to share what you're seeing on your network with the government, who's getting additional reporting in, and they're able to provide a picture of potentially ongoing cyber campaigns or new tactics, techniques, and procedures that are being seen by one company that could help protect others. And so it really sped up that process. So as I said, information sharing was happening before, but oftentimes you'd bring in your lawyers to say, hey, I want to share this piece of intelligence with somebody else. Can you review it and give me the permission to share? And that would potentially take some time to get to yes. Or not everything could be shared because there would be concern about, again, liability risk of sharing whatever it is that you had. The beauty of the voluntary framework is it took that discussion out of the mix. And so information sharing was sped up. You did not need to bring your lawyers into the conversation. If I was a cyber threat intelligence analyst and I had a piece of information that I thought was helpful to share with other companies or with the government, I could do so because I felt I had the clarity around sharing that information. And it just sped up cyber defenses for the last 10 years.
Well, it strikes me that this was, I guess, comparatively non-controversial. Was there anyone who came out against this sort of thing?
There were. There were some concerns about the types of information that may be shared, and particularly around privacy, and if there was any personally identifiable information that could be incorporated into a cyber threat indicator. And Congress specifically added a requirement in the legislation in 2015 that said PII must be removed from any cyber threat indicator or defensive measure before it can be shared. And Congress also added language restricting the government's disclosure and retention and use of the cyber threat information for very specific purposes, again, for protecting federal networks or further sharing for protecting other critical infrastructure networks. So the challenge here was kind of around what could be shared under the CISA 2015 framework. And that was really addressed through Congress adding the language around requirements for removing PII. And I think I've seen a ton of OIG reports in the years since, and the inspectors general have not seen any violation of that clause in the legislation where PII was shared inappropriately. They've seen that, in fact, it is stripped out before information is shared.
Well, how successful has it been? Looking back, do people consider this to be overall a good thing?
Yes, I think that they do. You know, again, information sharing was happening prior to the passage of this legislation in small pockets of trust, right? The telecommunications sector was sharing information. The financial sector was sharing information. But what you saw after the passage of the Cybersecurity Information Sharing Act of 2015 was the stand-up of a lot more information sharing organizations. You saw things like the Cyber Threat Alliance stand up, which is a bunch of cybersecurity companies who have a lot of telemetry and visibility across multiple companies, and they were able to share information amongst themselves, right? So it opened the aperture from very small circles of trust to an apparatus for cyber defense that really enables real-time sharing in many different sectors across the U.S. economy.
Well, we had the recent government shutdown and this legislation lapsed. Where do we find ourselves today?
Well, since the continuing resolution was passed, the CISA 2015 authorities have been extended to the length of the continuing resolution, so the end of January 2026. What I think you saw during that lapse is what we saw prior to CISA 2015, in that information was still being shared, but there was additional friction in the process, right? Because lawyers had to be brought back in. And I work in a law firm and I love lawyers. I'm not one myself. But, you know, they slow things down sometimes. It takes a while for them to do a risk assessment and get to yes. And I think that there has been some anecdotal evidence that, yes, information sharing still occurred, but not as quickly as it would have occurred if the protections were clearly in place.
That's Caitlin Clarke from Venable.
Just a quick program note: this is an interview from the Caveat podcast, so if you'd like to hear the complete version, do check out Caveat. You can find that on our website or wherever you get your favorite podcasts.
Life's greatest moments are built on a foundation of good health,
from the big milestones to the quiet wins.
That's why our annual health assessment offers a physician-led, full-body checkup
that provides a clear picture of your health today
and may uncover early signs of conditions like heart disease and cancer.
The healthier you means more moments to cherish.
Take control of your well-being and book an assessment today.
Medcan. Live well for life.
Visit medcan.com slash moments to get started.
And finally, when a grizzly injured a group of schoolchildren near Bella Coola, Canada in late 2025, officials launched a determined hunt for the responsible bear. Helicopters flew, traps snapped shut, DNA was tested, and four very innocent bears were briefly inconvenienced before being released. After three weeks, the case went cold. The suspect, a mother grizzly with cubs, remained anonymous. Bears, it turns out, all look suspiciously like bears.
That frustration helps explain growing interest in facial recognition for wildlife. Tools like BearID use artificial intelligence to identify individual bears by facial geometry, even as their bodies swing seasonally from lean to Fat Bear Week finalist. For ecologists, this promises better population counts and behavior tracking. For humans, facial recognition remains controversial, often described as dangerous, invasive, and error-prone. For bears, the ethical stakes are lower. No surveillance capitalism, no constitutional rights, just fewer mistaken identities, and possibly fewer wrong bears getting hauled off for questioning. The bears have yet to lawyer up.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at RSAConference.com slash cyberwire26. I'll see you in San Francisco.
