CyberWire Daily - America’s tech turn.

Episode Date: December 8, 2025

How might Trump’s new National Security Strategy impact cyber? The UK’s NCSC warns LLMs may never get over prompt injection. At least 18 U.S. universities were hit by a months-long phishing campaign. Russia blocks FaceTime. A bipartisan group of senators revives efforts to strengthen protections across the health sector. Portugal provides legal safe harbor for good-faith security research. A large-scale campaign targets Palo Alto GlobalProtect portals. A Maryland man gets 15 months in prison for his part in a North Korean IT worker scam. Business Brief. Tim Starks from CyberScoop unpacks the President's pending cybersecurity strategy release. An AI image sends UK train schedules off the rails.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Tim Starks, senior reporter from CyberScoop, discussing President Trump's pending cybersecurity strategy release and the end of Sean Plankey’s nomination process.

Selected Reading
National Security Strategy (The White House)
The National Security Strategy: The Good, the Not So Great, and the Alarm Bells (CSIS)
UK intelligence warns AI 'prompt injection' attacks might never go away (The Record)
Over 70 Domains Used in Months-Long Phishing Spree Against US Universities (Hackread)
Russia restricts FaceTime, its latest step in controlling online communications (AP News)
Bipartisan health care cybersecurity legislation returns to address a cornucopia of issues (CyberScoop)
Portugal updates cybercrime law to exempt security researchers (Bleeping Computer)
New wave of VPN login attempts targets Palo Alto GlobalProtect portals (Bleeping Computer)
Maryland man sentenced for N. Korea IT worker scheme involving US government contracts (The Record)
ServiceNow reportedly intends to acquire Veza for more than $1 billion (N2K Pro Business Briefing)
Trains cancelled over fake bridge collapse image (BBC News)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post.
Starting point is 00:00:30 noticed. Indeed's sponsored jobs helps you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed?
Starting point is 00:01:08 Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75-sponsored job credit to get your job. more visibility at indeed.com slash cyberwire. Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Starting point is 00:01:39 Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. How might Trump's new national security strategy impact cyber? The UK's NCSC warns LLMs may never get over prompt injection. At least 18 U.S. universities were hit by a months-long phishing campaign. Russia blocks FaceTime. A bipartisan group of senators revives efforts to strengthen protections across the health sector.
Starting point is 00:02:21 Portugal provides legal safe harbor for good faith security research. A large-scale campaign targets Palo Alto GlobalProtect portals. A Maryland man gets 15 months in prison for his part in a North Korean IT worker scam. We got our Monday business brief. Tim Starks from CyberScoop unpacks the president's pending cybersecurity strategy release. And an AI image sends UK train schedules off the rails. It's Monday, December 8th, 2025. I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Starting point is 00:03:22 Thanks for joining us here today. It's great to have you with us. Late last Friday, the White House released the United States' new national security strategy, a 33-page document that puts technology leadership and economic protection at the center of national power. It also signals a sharper global contest over cyber influence. The document ties America's security to control of advanced technologies and stopping foreign cyber-enabled threats.
Starting point is 00:03:52 According to the strategy, China's intellectual property theft, industrial espionage, and influence operations remain major targets for defensive and offensive cyber activity. The administration links real-time network discovery, attribution, and response to close cooperation between government and private industry. It also calls for hardened communication networks across the Western Hemisphere that rely on American encryption and security tools. The strategy positions U.S. technology standards in AI, biotech, and quantum computing as the preferred global model. The administration's new national security strategy signals a decisive break from past foreign policy.
Starting point is 00:04:39 It replaces democracy promotion with a tightly focused vision of self-interest that aims to make the United States more powerful and prosperous. According to some analysis, that shift may create a lonelier and more fractured future for America as global partnerships adjust to the new doctrine. For cybersecurity, the biggest change is the elevation of economic power, industrial capacity, and supply chain control as core strategic tools. The document points to re-industrialization, critical mineral security, and tight government-industry collaboration, all of which raise the stakes in cyber espionage and digital competition.
Starting point is 00:05:20 Europe's expected shock at the new NSS could weaken coordination on cyber defense and counter-disinformation efforts. China may welcome the emphasis on sovereignty, but will oppose U.S. efforts to curb its influence abroad, increasing tension in technology and cyber domains. The reduced focus on democracy also suggests fewer constraints on partners that use surveillance, censorship, or digital repression. Large language models may never be fully protected from prompt injection, a cyber threat that tricks AI systems into following malicious instructions.
Starting point is 00:05:58 That's according to new warnings from the UK's National Cyber Security Centre. Because LLMs treat all text as tokens to predict, they can confuse user input for commands, enabling attackers to reveal hidden system prompts, extract sensitive data, or manipulate automated decisions. NCSC researchers argue that prompt injection is fundamentally unlike SQL injection, making traditional defenses ineffective. Attempts to distinguish instructions from data remain limited because LLMs inherently do not separate the two.
Starting point is 00:06:35 The NCSC concludes that prompt injection will remain a persistent risk and that widespread embedding of generative AI could trigger significant global security breaches unless systems are designed with strong limitations and careful risk management. A report from Infoblox reveals that at least 18 U.S. universities were hit by a months-long phishing campaign from April through November of this year. Attackers used the Evilginx adversary-in-the-middle toolkit to bypass multifactor authentication by stealing session cookies after victims clicked TinyURL phishing links disguised as campus SSO pages. Infoblox traced nearly 70 shifting attacker domains
Starting point is 00:07:20 used to target schools, including UC Santa Cruz, UC Santa Barbara, the University of San Diego, VCU, and Michigan. The firm warns universities remain prime, high-impact targets for cybercriminals. Russian authorities have restricted Apple's FaceTime service, accusing it of being used to support terrorism, recruitment, fraud, and other criminal activity. Regulators also disclosed that Snapchat was blocked on October 10th for the same stated reasons. The moves reflect Russia's broader effort to tighten control over online communication under President Vladimir Putin, including restrictive laws, bans on non-compliant platforms, and advanced systems for monitoring and shaping Internet traffic.
Starting point is 00:08:08 Apple did not comment on the accusations or restrictions. A bipartisan group of senators is reviving the Health Care Cybersecurity and Resilience Act to strengthen protections across the health sector. The bill, originally introduced in late 2024 but never advanced, would modernize regulations, clarify federal roles, offer training, and authorize grants to improve cybersecurity readiness. Lawmakers say health care remains highly vulnerable, with cyber attacks exposing sensitive medical data and disrupting patient care, especially in rural areas with limited resources. The legislation aims to boost coordination between the Department of Health and Human Services and the Cybersecurity
Starting point is 00:08:54 and Infrastructure Security Agency, requiring HHS to update HIPAA rules with modern security practices, develop an incident response plan, and provide breach prevention guidance. It also establishes a five-year grant program for select health care entities. Senators argue patients deserve confidence that their data is protected from ransomware and other threats. Portugal has amended its cybersecurity law to create a legal safe harbor for good faith security researchers, exempting certain hacking activities from punishment under strict conditions. The new article protects researchers who probe only existing vulnerabilities, avoid financial gain, report flaws immediately,
Starting point is 00:09:40 limit their actions to what's necessary, avoid harmful techniques, and delete any collected data once fixed. Consent-based testing is also covered. The change aligns Portugal with similar moves in Germany and the United States to support responsible vulnerability disclosure and safer cybersecurity research. A large-scale campaign has targeted Palo Alto GlobalProtect portals and later SonicWall SonicOS API endpoints, according to GreyNoise. Beginning December 2nd, attackers launched credential stuffing and scanning
Starting point is 00:10:16 activity from more than 7,000 IP addresses tied to German hosting provider 3xK GmbH. Initial waves focused on brute forcing GlobalProtect VPN logins across multiple profiles using client fingerprints previously seen in millions of scan sessions dating back to September. By mid-November, the infrastructure generated another 2.3 million GlobalProtect scans, mostly from Germany. On December 3rd, the same fingerprints appeared probing SonicWall API endpoints, activity typically used to identify exposed systems or future exploitation targets. GreyNoise attributes both clusters to the same actor.
Starting point is 00:11:01 Palo Alto Networks confirmed increased credential-based attacks and urged customers to enforce MFA. A Maryland man, Minh Phuong Ngoc Vong, has been sentenced to 15 months in prison for allowing North Korean IT workers to use his identity to obtain software development jobs at 13 U.S. companies, including work contracted to federal agencies such as the FAA. Prosecutors say that from 2021 to 2024, Vong collected over $970,000 in salary while North Korean nationals performed the work overseas, using his credentials to access U.S. systems. At one Virginia tech firm, Vong lied about his background, verified his identity with U.S. documents,
Starting point is 00:11:51 and was assigned to FAA systems handling sensitive national defense information. He installed remote access tools that enabled workers in China to operate under his name. The case is part of broader DPRK IT worker schemes that U.S. officials say fund sanctioned North Korean government operations. Turning to our Monday business brief, cybersecurity funding and acquisition activity remains strong, with multiple firms announcing sizable investments. Israel-based Zafran Security raised $60 million in Series C financing to accelerate product innovation and expand globally. Microsoft 365 security provider Augment secured $18 million to advance its roadmap and deepen MSP partnerships.
Starting point is 00:12:41 Software supply chain firm Codenotary raised $16.5 million to grow engineering, AI research, and international go-to-market efforts. Zero trust networking company NetFoundry added Cisco investments to its Series A, bringing the round above $15 million. Cloud security startup Blast Security emerged from stealth with a $10 million seed round, while Swiss identity security firm Saporo raised 7 million euros to scale R&D and expand across Europe. M&A activity included ServiceNow's planned acquisition of identity services company Veza for a reported $1 billion, McAfee's purchase of consumer privacy app SayMine, a Lurity's acquisition of OT security firm MSF partners, and WALLIX's acquisition of French cybersecurity analytics
Starting point is 00:13:36 company Malizen to accelerate its AI roadmap. Be sure to check out our complete business briefing on our website. That's part of CyberWire Pro. Coming up after the break, Tim Starks from CyberScoop unpacks the president's pending cybersecurity strategy release, and an AI image sends UK train schedules off the rails. Stick around. Most environments trust far more than they should, and attackers know it.
Starting point is 00:14:26 ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
Starting point is 00:15:03 ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at Threatlocker.com slash N2K today.
Starting point is 00:15:30 AI is transforming every industry, but it's also creating new risk that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations. That's why Black Kite created the BKGA3 AI Assessment Framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk
Starting point is 00:15:56 across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at Blackkite.com. It's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Starting point is 00:16:32 Hi, Dave. Really interesting in your reporting here about this draft from the Trump administration about their cyber strategy. What is going on here, Tim? Well, there's some substance and some style questions to address here. Okay, fair enough. The style questions have actually gotten a little bit more of the attention in terms of how people have been responding to the story. This is a five-page document.
Starting point is 00:16:58 That is a really short strategy. The Biden administration's cyber strategy was 35 pages. And here's the thing. There are six pillars to this strategy, which means less than one page per pillar. So that's something that people have talked about and focused on, like, wow, this is a really short strategy. And some people have told me that it's not viewed so much as a traditional strategy document, more a messaging document, a statement of purpose than a full-fledged strategy. And that the most important work that will be done on it will be done in the implementation side. So that's the style side of things. The substance side of things is, you know,
Starting point is 00:17:40 despite the fact that it's so short, they cover a lot of topics. The six pillars are cyber offense and deterrence. That's first and foremost for this administration, imposing costs on adversaries, as they like to say. Then there's regulatory harmonization, you know, just aligning these regulations and making them so they're a little more streamlined with each other from sector to sector, agency to agency. Bolstering the cyber workforce, which is an interesting one from this administration because they've been cutting a lot of the cyber workforce. Federal procurement, there's a thing that Sean Cairncross, the National Cyber Director, has been saying about thinking that we're not getting the best technology because we have
Starting point is 00:18:15 a slow process for authorizing that for the federal government. So that's a focus, critical infrastructure protection and emerging technologies. And you might think that some of these things will line up. For instance, you might think AI goes right into that emerging technologies bucket. But AI is addressed apparently throughout the document. I've not seen it myself. I've just talked to people who are familiar with it. And other topics are in there, post-quantum cryptography, China, cybercrime, you name it.
Starting point is 00:18:41 There's a lot in this five-page document. Something that caught my eye in your reporting was this notion of a more muscular approach, which to me seems very on-brand for this administration. Yeah, yeah. I think from what I've been told, there's an opening section that takes up a lot of the six pages. I don't mean like, you know, it takes up most of it or anything like that. I just mean that you would think with a five-page document, they wouldn't have a preamble, but as drafted, they do.
Starting point is 00:19:12 And it talks about this sort of idea of America first. And we need to sort of, the kind of Trumpian rhetoric you hear from Trump himself in this administration on a pretty regular basis about, you know, in particular in cyberspace, going on the offense and making the enemies fear America, essentially, is kind of the gist of the rhetoric. And given that your sense here is that this is going to be released probably in January, was this leak strategic or just folks who are familiar with the document deciding to sort of share what they know? That's an interesting question to answer on the air.
Starting point is 00:19:52 Fair enough. I'll say that it was, you know, I'm not trying to puff myself up. I've been trying to report on this document. So I don't want to say anything about where I got it from, but, um... Good old-fashioned shoe leather on the ground, right? From a, from a, uh, an experienced reporter. Yes, uh, dead drops, you know, things, putting messages under rocks so that I can find out
Starting point is 00:20:14 about this strategy. All right. Fair enough. Well, um, the other article that you wrote that caught my eye here is about, uh, Sean Plankey, and, uh, evidently his nomination to lead CISA is in jeopardy here? Yeah, and it might be worse than that. Both of these stories, I'll brag slightly about. I don't think anybody else has reported on these to the extent that I have.
Starting point is 00:20:39 Sean Plankey has been the nominee for some time, and he's got a committee vote and all sorts of things. But my sources seem to think that this is as close to dead as you can have for a nomination without it actually being fully deceased. For a variety of reasons, but one in particular, his nomination is probably not going forward. He had a good chance to move forward if he was part of this package of nominees that got moved on the Senate floor. There's this procedural change that Republicans have put in place because they're trying to get around what they call Democratic obstruction to sort of do en bloc, I believe is the terminology, nominations and just have one big vote on all of them. He was left out of that package.
Starting point is 00:21:25 And for at least two of the reasons that have held up his nomination, nothing to do with cybersecurity. Well, so help me understand here, is the fact that his nomination is falling apart, does that have anything to do with him personally? Or is it just one of those administrative things that frustrate the process? I think it's a little bit of a mix. I mean, certainly on the cybersecurity front, he has the credentials, he has the backing of people. You know, there are some Democrats who voted against him in committee. But I think temperament, expertise, I think a lot of people think he checks all the boxes.
Starting point is 00:22:07 So is it administrative partially? I mean, if they can't get him in this package, they'll have to resubmit paperwork. That presents a hurdle. But what really, really seems to be the issue, and this is where it gets closer to personal, is that while he's been awaiting his nomination to go through the Senate, he has been serving as a special advisor on Coast Guard reform to Secretary Noem at the Department of Homeland Security. And one of the things that happened under the Coast Guard reform,
Starting point is 00:22:36 I always hate using that term because I feel like it's loaded, but I'm using the terms they use, is that they canceled a rather significant part of a large contract for shipbuilding. That was a multi-billion dollar contract, and that supplied some significant amount of jobs to a company in Florida. And the person who has the most resilient, hard-to-overcome hold on that nomination is Senator Rick Scott of Florida. And he's a Republican. So there's some intrigue there.
Starting point is 00:23:07 There are some other holds, but I think most people consider the other two rather not so hard to overcome. You know, in the sense that Senator Wyden has a hold related to wanting to get a telecommunications cybersecurity report out of CISA, one that CISA said in July they were willing to provide, and they have not done yet. The senators from North Carolina, both Republicans, Ted Budd and Thom Tillis, want some more disaster funding for North Carolina. I think that's theoretically easier to release. But the idea of undoing a contract that has been terminated, or at least partially terminated, that's where things get a little harder. And that's even if the administration wanted to do that. If they wanted to reverse what they've done, you still would have some real difficulties with that. And by virtue of him being involved with the Coast Guard's reform effort,
Starting point is 00:23:54 I think Senator Scott is saying, this guy can't go. Yeah. All right. Intriguing for sure. Quite. Yeah. Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us.
Starting point is 00:24:06 I'd be here. And finally, trains across Northern England briefly ground to a halt after an AI-generated photo claimed that Lancaster's Carlisle Bridge had crumbled spectacularly following a late-night earthquake. The image, which apparently showed enough rubble to make a stonemason weep, surfaced on social media. Network Rail, taking no chances, paused traffic while inspectors confirmed the bridge was as intact as ever. A BBC journalist asked an AI model to review the image, which obligingly pointed out its suspiciously artistic damage. The rail line reopened, though not before 32 trains, some all the way up into Scotland, were delayed by what amounted to a digital prank gone wrong. Network Rail
Starting point is 00:25:16 gently reminded the public that manufacturing disaster for fun tends to inconvenience real humans and taxpayers. Experts noted few passengers were affected since the whole caper took place after hours, but the hoax still forced teams to scramble. As one rail specialist put it, what seems like a game can derail someone's very real plans. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week.
Starting point is 00:26:10 You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
Starting point is 00:26:40 We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Iben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
