CyberWire Daily - CISA furlough sparks fears.

Episode Date: October 2, 2025

CISA furloughs most of its workforce due to the government shutdown. The U.S. Air Force confirms it is investigating a SharePoint-related breach. Google warns of a large-scale extortion campaign targeting executives. Researchers uncover Android spyware campaigns disguised as popular messaging apps. An extortion group claims to have breached Red Hat's private GitHub repositories. A software provider for recreational vehicle and power sport dealers suffers a ransomware breach. Patchwork APT deploys a new PowerShell loader using scheduled tasks for persistence. A Tennessee senator urges aggressive U.S. action to prepare for a post-quantum future. Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center and former Deputy Assistant Director at the FBI's Cyber Division, joins us with insights on the government shutdown. A Malaysian man pleads guilty to supporting a massive crypto fraud. Protected health info is not a marketing tool.

CyberWire Guest: Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center and former Deputy Assistant Director at the FBI's Cyber Division.

Selected Reading
- Shutdown guts U.S. cybersecurity agency at perilous time (CISA)
- Air Force admits SharePoint privacy issue; reports of breach (The Register)
- Google warns executives are being targeted for extortion with leaked Oracle data (IT Pro)
- Researchers uncover spyware targeting messaging app users in the UAE (The Record)
- Red Hat confirms security incident after hackers claim GitHub breach (Bleeping Computer)
- 766,000 Impacted by Data Breach at Dealership Software Provider Motility (Security Week)
- Patchwork APT: Leveraging PowerShell to Create Scheduled Tasks and Deploy Final Payload (GB Hackers)
- GOP senator confirms pending White House quantum push, touts legislative alternatives (CyberScoop)
- Bitcoin Fixer Convicted for Role in Money Laundering Scheme (Bank Infosecurity)
- Nursing Home Fined $182K for Posting Patient Photos Online (Bank Infosecurity)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest RR. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales.
Starting point is 00:00:44 T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. CISA furloughs most of its workforce due to the government shutdown. The U.S. Air Force confirms it's investigating a SharePoint-related breach. Google warns of a large-scale extortion campaign targeting executives. Researchers uncover Android spyware campaigns disguised as popular messaging apps. An extortion group claims to have breached Red Hat's private GitHub repositories. A software provider for recreational vehicle and power sports dealers suffers a ransomware breach.
Starting point is 00:01:33 Patchwork APT deploys a new PowerShell loader using scheduled tasks for persistence. A Tennessee senator urges aggressive U.S. action to prepare for a post-quantum future. Our guest is Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center and former Deputy Assistant Director at the FBI's Cyber Division, joining us with insights on the government shutdown. And a Malaysian man pleads guilty to supporting a massive crypto fraud, and protected health information is not a marketing tool. It's Thursday, October 2, 2025.
Starting point is 00:02:20 I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. It's great to have you with us. The U.S. Cybersecurity and Infrastructure Security Agency, responsible for safeguarding the electric grid, water, and other vital services, has furloughed most of its workforce due to the government shutdown. Only 35% of staff remain active, though more may be recalled for emergencies, according to the Department of Homeland Security.
Starting point is 00:03:02 The disruption coincides with the expiration of CISA 2015, the law shielding companies from liability when sharing cyber threat information. Without reauthorization, some corporations are pulling back from industry security groups, raising fears of weakened collective defense. Experts warn this could hamper efforts against ransomware and Chinese state-linked hacking campaigns. The timing is especially awkward, arriving during Cybersecurity Awareness Month, when collaboration and vigilance are traditionally emphasized. Be sure to stay tuned for my conversation with Cynthia Kaiser, Senior Vice President of Halcyon's Ransomware Research Center.
Starting point is 00:03:46 We're discussing her experience with previous government shutdowns. The U.S. Air Force has confirmed it's investigating a privacy-related issue after reports surfaced of a Microsoft SharePoint breach that may have exposed personally identifiable and health information. An alleged breach notice shared online warned that all Air Force SharePoint systems would be shut down service-wide, potentially disabling Teams dashboards for up to two weeks. The Air Force has not confirmed which services, if any, are offline, with some personnel reporting continued access. Microsoft declined to comment on any link to earlier SharePoint vulnerabilities
Starting point is 00:04:31 that Chinese hackers, data thieves, and ransomware gangs exploited this summer, compromising hundreds of organizations worldwide. The timing has raised concerns about operational disruptions and sensitive data exposure within the military. Google has warned of a large-scale extortion campaign targeting executives after attackers claimed to have stolen data from Oracle's E-Business Suite. Since late September, victims have received emails demanding ransoms ranging from millions to as much as $50 million. The campaign appears linked to FIN11, a group affiliated with the Clop ransomware gang,
Starting point is 00:05:12 though Google says it cannot yet verify the breach claims. Mandiant confirmed the extortion emails are being sent from hundreds of compromised accounts, with contact details tied to Clop's leak site. Security firm Halcyon suggested attackers may be exploiting password resets in Oracle systems. With Oracle silent so far, Google advises companies receiving these emails to investigate for signs of compromise.
Starting point is 00:05:41 Researchers at ESET uncovered two Android spyware campaigns, ProSpy and ToSpy, disguised as the popular messaging apps Signal and ToTok to target users in the UAE. Spread through fake websites and app stores, the spyware steals contacts, chat backups, media, and other sensitive data while reinstalling legitimate apps to avoid detection. ToSpy appears active since 2022, while ProSpy emerged in 2024. Both require manual installation via third-party sites, including
Starting point is 00:06:18 one impersonating Samsung's App Store and are designed for persistent regionally-focused operations. An extortion group calling itself Crimson Collective claims to have stolen 570 gigabytes of data from Red Hat's private GitHub repositories, including 28,000 internal projects and around 800 customer engagement reports. These reports often contain detailed client infrastructure information, configuration data, and authentication tokens that could be exploited to breach networks. Red Hat confirmed a security incident affecting its consulting business but did not validate claims about the stolen repositories or CERs, stressing that its software supply chain remains intact. The attackers, who say the breach occurred two weeks ago, published repository listings
Starting point is 00:07:14 and CER directories, naming major corporations and U.S. government entities. Crimson Collective alleges Red Hat ignored their extortion demands, responding only with automated support instructions. Motility Software Solutions, which provides dealership software for recreational vehicle and power sport dealers, is notifying just over three-quarters of a million people of a ransomware breach. Hackers accessed business servers on August 19th, encrypted files, and stole personal data, including names, contact details, dates of birth, Social Security numbers, and driver's license numbers. Motility says there's no evidence of misuse. They've restored
Starting point is 00:08:00 systems from backups, and they're offering 12 months of identity protection. The Paira ransomware gang later claimed 4.3 terabytes of stolen data, likely from Motility. Patchwork, also known as Dropping Elephant, Monsoon, and Hangover Group, an advanced persistent threat actor active since at least 2015, is deploying a new multi-stage PowerShell loader that abuses Windows scheduled tasks to persist and run its final payload. Infection begins with a malicious Office macro that drops a shortcut and runs a PowerShell script. The script installs a faux VLC.exe, places a decoy PDF, and creates a scheduled task named Windows Error Report to launch the loader. The loader establishes an encrypted command and control channel, fingerprints
Starting point is 00:08:55 hosts, and uses layered obfuscation for communications. Capabilities include in-memory payload execution, chunked resumable exfiltration, and screenshot capture. In terms of defenses, experts say enable macros only from trusted sources, monitor for suspicious scheduled tasks, enforce application whitelisting, and run up-to-date endpoint protections. Senator Marsha Blackburn, Republican from Tennessee, is urging aggressive U.S. action
Starting point is 00:09:28 to prepare for a post-quantum future, where current encryption may be broken. Speaking at a Politico event, she confirmed elements of a White House quantum initiative while promoting her own legislative push. Blackburn co-sponsored the National Quantum Cybersecurity Migration Strategy Act, requiring agencies to move at least one high-risk system to quantum-resistant encryption by 2027.
Starting point is 00:09:54 She emphasized the need to counter Chinese ambitions in emerging technologies while praising White House officials leading federal quantum strategy. Blackburn highlighted workforce development, commercial involvement, and stronger encryption as priorities. She's also backing bills to accelerate Defense Department quantum planning, create a quantum sandbox at NIST, and establish a federal institute for quantum manufacturing. A Malaysian man pleaded guilty in a London court
Starting point is 00:10:26 to supporting a massive crypto fraud tied to Chinese national Zhimin Qian, also known as Yadi Zhang. Prosecutors say Seng Hok Ling, age 46, acted as a fixer for Qian, who ran a Ponzi-style scheme in China that stole $6.2 billion from 128,000 victims. Ling admitted to transferring criminal property and cryptocurrency and helping evade capture by arranging accommodations across the U.K. Police surveillance led to their arrests in York in April 2024, seizing $15 million in assets. Authorities are now pursuing confiscation of 61,000 bitcoins valued at $7.1 billion.
Starting point is 00:11:14 Both face sentencing in November. The case could set a precedent for compensating overseas victims in cross-border crypto fraud. Coming up after the break, my conversation with Cynthia Kaiser from Halcyon's Ransomware Research Center. We're discussing the government shutdown. And protected health information is not a marketing tool. Stay with us. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down?
Starting point is 00:12:14 If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier. And it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal, and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across
Starting point is 00:12:54 your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo.
Starting point is 00:13:27 That's V-A-N-T-A.com/cyber. AI adoption is exploding, and security teams are under pressure to keep up. That's why the industry is coming together at the DataSec AI conference, the premier event for cybersecurity data and AI leaders, hosted by data security leader Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage. DataSec AI 25 is happening November 12th and 13th in Dallas. There's no cost to attend. Just bring your perspective and join the conversation. Register now at datasecai2025.com/cyberwire. Cynthia Kaiser is senior vice president of Halcyon's Ransomware Research Center and former deputy assistant director at the FBI's Cyber Division.
Starting point is 00:14:41 We caught up for insights on the government shutdown. Cynthia, thanks for taking the time for us today. I'd love to start with your own personal insights, your time in the government with the FBI. You've experienced some of these government shutdowns. What's it like? Well, at the FBI, almost all the work that we do is excepted. And what that means is it's essential for the American people. So people still come into work. And they continue to do the work they need to do to keep the American people safe. But that being said,
Starting point is 00:15:16 there's obviously a lot of stress around not knowing when your next paycheck's going to come. It will come, but not kind of knowing that, like having that kind of personal stress on you. I mean, it's trying and it was good to be able to go through that with everybody else at the same time, right, have that support network. But you also find that you don't necessarily have all of your counterparts across government that can help you. So sometimes it almost becomes more busy. Yeah.
Starting point is 00:15:47 Yeah. We are dealing with the, I guess, end of legislation that allowed information sharing, CISA 2015. What do you suppose the impact of that's going to be? Well, from what I'm hearing, it sounds like some of those efforts to get that legislation reauthorized, you know, whether it's in the CISA 2015 name or in a different name, those continue apace. And I think the ideal outcome would be if when the budget's passed, there's a way in which to include CISA 2015 reauthorization within that. And I'm hearing there's some like good movement towards there. But right now what we find ourselves in is after a decade of having protections, liability protections, antitrust protections, those don't exist anymore. And companies are going to have to
Starting point is 00:16:47 make choices about what their risk tolerance is. At Halcyon, because we have faith that there are some of these ongoing efforts, that it will likely be reauthorized at some point, hopefully in the near future, we're not going to change our sharing posture, our sharing posture with government, our sharing posture across industry. But not every company has that luxury, especially if you're a company and you're dealing with very intimate PII type information. You just can't share the way you would have if you don't have legal protections in place that allow you to give the information about compromises, attacks, campaigns to the government. And take that to its natural conclusion.
Starting point is 00:17:45 If the government doesn't have that information, they can't warn others. Yeah. Well, let's switch gears to the other CISA, Cybersecurity Infrastructure and Security Administration. They are saying that they're furloughing up to two-thirds of their folks there. What could the impact of that be? Since I don't have knowledge of who, you know, may be furloughed and for what amount of time, it's hard to get into the details of impacts. But, you know, I would say that CISA was probably my closest partner when I was in government. Every day,
Starting point is 00:18:29 multiple times a day, I was talking to my CISA counterparts. We were going back and forth on who was going to be able to do threat hunting, learning information from victims, especially when there's multi-victim campaigns. And it kind of goes back to my point from earlier, FBI's coming in every day. You know, they're all there, a little stressed about the financial situation, but doing that same work. But if the same people at CISA aren't there, that makes that job all the more difficult because you can't just have one agency
Starting point is 00:19:05 doing their activities and be the same level of effectiveness. If the other agencies that have complementary activities, that's not occurring. In your estimation, what is the material impact of a government shutdown like this on the cybersecurity of our nation? In every shutdown that I was part of, whether partial or full, it felt like we weren't able to have kind of the full spectrum picture of cyber activity that was going on. We would have partial pictures. We would be able to still counter the threats, but it took longer. And when the shutdown was done, you felt like you were playing catch up. And so really, I think there's just a, there's always going to be a natural slowing, not stop,
Starting point is 00:20:03 but slowing of some of the important work that we all rely on to keep ourselves safe. What are your recommendations for the folks who are in the midst of this? Any words of wisdom based on your own experience, especially to the employees who may be going through their first shutdown? That's the most stressful. My advice is that most of America is really, really accommodating and great to these employees. And so I could remember talking to a credit card company when there's, I think that, like, one that was almost a month long, and them saying, oh, you work for the government, like, that's fine. You'll just pay us when you get paid. So, like, don't be afraid to kind of call, ask for help would be my advice to them financially, because you want to free yourself up emotionally
Starting point is 00:20:56 to be able to do the important work that still has to get done. And so ultimately, do what you need to do, ask for the help that you need, because we all rely on you. And we want you to be able to counter these criminals that don't care for shutdown or not. That's Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center. Think your certificate security is covered? By March '26, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
Starting point is 00:22:03 CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies life cycle management with visibility, automation, and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47-day. That's cyberark.com slash the numbers 47-D-A-Y. And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allow listing is a deny-by-default software that makes application control simple and fast. Ring fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with
Starting point is 00:23:09 world-class endpoint protection from ThreatLocker. And finally, Cadia Healthcare thought it had found a clever marketing angle, a success stories campaign showcasing patients' recoveries on social media. Unfortunately, regulators saw it less as inspiration and more as a HIPAA violation. The Office for Civil Rights says the Delaware nursing home chain posted names, photos, and medical details of about 150 patients without the legally required consent forms. One complaint in 2021 unraveled the entire program, leading to a $182,000 fine and a two-year corrective action plan.
Starting point is 00:24:04 Cadia has since pulled the campaign and now faces the less glamorous task of rewriting policies, training staff, and sending belated breach notices. As OCR dryly noted, marketing is important, but valid written authorization tends to be even more so when dealing with protected health information. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Starting point is 00:24:51 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
Starting point is 00:25:08 N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world.
Starting point is 00:26:00 Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at c.id.d. datatribe.com.
