CyberWire Daily - CISA’s steady hand in a stalled Senate.

Episode Date: October 31, 2025

CISA says cooperation between federal agencies and the private sector remains steady. Long-standing Linux kernel vulnerability in active ransomware campaigns confirmed. A Chinese-linked group targets diplomatic organizations in Hungary, Belgium, and other European nations. A government contractor breach exposes data of over 10 million Americans. Luxury fashion brands fall victim to impersonation scams. Phishing shifts from email to LinkedIn. Advocacy groups urge the FTC to block Meta from using chatbot interactions to target ads. A man pleads guilty to selling zero-days to the Russians. Emily Austin, Principal Security Researcher at Censys, discusses why nation state attackers continue targeting critical infrastructure. When M&S went offline, shoppers hit ‘Next’.

CyberWire Guest

Today we are joined by Emily Austin, Principal Security Researcher at Censys, as she discusses why nation state attackers continue targeting critical infrastructure.
Selected Reading

Cyber info sharing ‘holding steady’ despite lapse in CISA 2015, official says (The Record)
CISA: High-severity Linux flaw now exploited by ransomware gangs (Bleeping Computer)
CISA and NSA share tips on securing Microsoft Exchange servers (Bleeping Computer)
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities (Arctic Wolf)
More than 10 million impacted by breach of government contractor Conduent (The Record)
Luxury Fashion Brands Face New Wave of Threats in Lead-up to 2025 Holiday Shopping Season (BforeAI)
LinkedIn phishing targets finance execs with fake board invites (Bleeping Computer)
Coalition calls on FTC to block Meta from using chatbot interactions to target ads, personalize content (The Record)
Ex-L3Harris exec pleads guilty to selling zero-day exploits to Russian broker (CyberScoop)
Business rival credits cyberattack on M&S for boosting profits (The Record)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows, and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs. And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Starting point is 00:01:00 Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. CISA says cooperation between federal agencies and the private sector remains steady. Long-standing Linux kernel vulnerability in active ransomware campaigns confirmed. A Chinese-linked group targets diplomatic organizations in Hungary, Belgium, and other European nations.
Starting point is 00:01:52 A government contractor breach exposes data of over 10 million Americans. Luxury fashion brands fall victim to impersonation scams. Phishing shifts from email to LinkedIn. Advocacy groups urge the FTC to block Meta from using chatbot interactions to target ads. A man pleads guilty to selling zero-days to the Russians. Emily Austin, Principal Security Researcher at Censys, discusses why nation-state attackers continue targeting critical infrastructure.
Starting point is 00:02:23 And when M&S went offline, shoppers hit Next. Today is Friday, October 31st, 2025. Happy Halloween. I'm Maria Varmazis, host of T-Minus Space Daily, here on the N2K CyberWire Network, filling in today for Dave Bittner. And this is your CyberWire Intel Briefing. Thanks for joining me today, everyone. Let's get into it. First up, despite the recent expiration of the 2015 Cybersecurity Information Sharing Act, according to Nick Andersen of the Cybersecurity and Infrastructure Security Agency,
Starting point is 00:03:15 aka CISA, cooperation between federal agencies and the private sector on cyber threat data sharing remains steady. Andersen credited the sustained collaboration to CISA's strong reputation and established long-term partnerships, but emphasized that the lapsed authority is core and critical to managing national cyber risk. Lawmakers are seeking a 10-year renewal, though efforts have been repeatedly stalled in the Senate amid the ongoing U.S. government shutdown. National Cyber Director Sean Cairncross also called the statute vital, urging swift reauthorization to preserve the trust and information exchange that underpins U.S. cybersecurity. Elsewhere, CISA and the NSA, joined by cyber agencies in Australia and Canada,
Starting point is 00:04:04 released new guidance to help organizations secure Microsoft Exchange servers from attack. The advisory urges IT administrators to harden authentication, limit administrative access, enforce strong encryption, and adopt zero-trust principles. It strongly recommends decommissioning outdated or hybrid Exchange servers after migrating to Microsoft 365, warning that unsupported systems pose major breach risks. The agencies outlined over a dozen key steps, including enabling multi-factor authentication, keeping servers patched, using Kerberos instead of NTLM, enforcing Transport Layer Security, and applying role-based access controls.
Starting point is 00:04:46 This guidance follows CISA's August emergency directive requiring federal agencies to rapidly address a critical Exchange vulnerability. CISA has also confirmed that a high-severity Linux kernel flaw is now being exploited in ransomware attacks. The vulnerability is a use-after-free bug in the Netfilter nf_tables component, and it allows attackers to gain root-level privileges. It affects major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. This escalation flaw enables system takeover, lateral movement, and data theft once root access is achieved. Organizations that are unable to patch are urged to block nf_tables, restrict user namespaces, or load the Linux Kernel Runtime Guard module.
Starting point is 00:05:36 Arctic Wolf Labs has uncovered an active cyber espionage campaign by Chinese-linked group UNC6384, targeting diplomatic organizations in Hungary, Belgium, and other European nations in September and October 2025. The operation exploits a Windows shortcut vulnerability that was disclosed earlier this year, combined with convincing phishing lures themed around European Commission and NATO events. The multi-stage attack delivers PlugX remote access malware via DLL side-loading of legitimate Canon printer utilities. Researchers say that the campaign shows rapid adoption of newly disclosed flaws, advanced social engineering aligned with diplomatic calendars, and expansion beyond UNC6384's usual Southeast Asia focus. Arctic Wolf attributes the campaign with high confidence
Starting point is 00:06:28 based on tooling, tactics, and infrastructure overlaps with prior operations. Government contractor Conduent has disclosed that a January cyber attack exposed personal data belonging to more than 10 million people across multiple U.S. states. The breach investigation found that attackers had access to Conduent's systems from October 21st to January 13th, stealing files that are tied to its government service contracts. Impacted states include Texas, Washington, South Carolina, and others, with compromised data such as Social Security numbers and health information. The SafePay ransomware gang claimed responsibility, saying that it stole 8.5 terabytes of data. Conduent says no stolen data has surfaced publicly,
Starting point is 00:07:17 systems have been restored, and law enforcement is investigating. That said, the company provides technology services for Medicaid, child support, and EBT programs, serving about 100 million U.S. residents. Researchers at PreCrime Labs, which is part of BforeAI, uncovered a surge in malicious domains impersonating luxury fashion brands ahead of the 2025 holiday season. Between mid-August and late September, they identified 1,330 domains, with over 1,200 mimicking 23 major brands. These fraudulent sites exploit brand prestige to lure customers into scams and phishing attacks, causing both financial and reputational harm. Coordinated domain registrations, recurring email operators, and exploitation of current events
Starting point is 00:08:10 suggest an organized criminal network preparing large-scale fraud campaigns. Hackers are exploiting LinkedIn to phish finance executives with fake invitations to join a Commonwealth Investment Funds Executive Board, aiming to steal Microsoft credentials. According to Push Security, victims receive LinkedIn messages containing malicious links that redirect through Google and Firebase to a fake LinkedIn cloud share site. The page ultimately displays a spoofed Microsoft login to harvest credentials and session cookies. Push warns that phishing now frequently occurs outside of email, with LinkedIn-based attacks rapidly increasing in sophistication and volume.
Starting point is 00:08:59 A coalition of more than 30 consumer and children's advocacy groups is urging the Federal Trade Commission to block Meta from using users' chatbot interactions to target ads or personalize content. Meta plans to begin this practice on December 16, without opt-in consent. The groups, including EPIC and the Center for Digital Democracy, argue that the move violates Section 5 of the FTC Act on unfair practices. They call it an industrial-scale privacy abuse, pressing the FTC to act decisively.
Starting point is 00:09:37 Former L3Harris executive Peter Williams, aged 39, pleaded guilty to two counts of theft of trade secrets for selling eight U.S. government-developed zero-day exploits to a Russian broker in exchange for millions in cryptocurrency. Prosecutors said that Williams stole the tools while working at Trenchant, which is an L3Harris subsidiary, and then sold them to a firm believed to be Operation Zero, which is a Russian platform advertising exploits for non-NATO clients. The scheme, running from 2022 to 2025, caused approximately $35 million in losses and risked arming adversaries with advanced cyber capabilities. Williams faces up to 20 years in prison, fines exceeding $300,000, and $1.3 million in restitution.
Starting point is 00:10:31 Sentencing is scheduled for January. And stick around after the break, when Dave Bittner is joined by Emily Austin, Principal Security Researcher at Censys, as they discuss why nation-state attackers continue targeting critical infrastructure. And when M&S went offline, shoppers hit Next. At Thales, they know cyber security can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most. Applications, data, and identity. That's Thales. T-H-A-L-E-S.
Starting point is 00:11:49 Learn more at thalesgroup.com/cyber. What's your 2 a.m. security question? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night, how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work
Starting point is 00:12:20 so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Starting point is 00:13:06 Dave Bittner recently sat down with Emily Austin, Principal Security Researcher at Censys, as they discuss why nation-state attackers continue targeting critical infrastructure. Here's their conversation. The biggest summary statement I could give around this is that critical infrastructure is, it's still exposed on the internet. This is not a new problem. This is a problem the security community has been talking about for years. But unfortunately, they're still interesting and enticing targets for nation-state actors, for hacktivists, you name it. They're quite enticing as far as
Starting point is 00:13:44 that goes. Well, let's dig into some of the details of the research you and your colleagues have done here recently. You were looking at things going on with Iranian devices? Yeah, so devices that were actually being targeted by Iran in the past. So over the summer, you know, there was this uptick in kinetic activity in that region. And the U.S. Department of Homeland Security actually issued an advisory in June, warning against a heightened threat environment in the U.S. And then a few days later, CISA came out with an alert as well, telling critical infrastructure operators in the U.S. to stay vigilant for targeted activity by Iranian threat actors. And at Censys, for the last, I'd say, two years or so, we've really focused in different ways on understanding the industrial control
Starting point is 00:14:33 systems exposure landscape. And one of the questions that I had was, well, okay, we know that Iranian threat actors have gone after particular types of critical infrastructure before. What do we see in terms of things that we know that they've targeted before or been interested in before? And that's really kind of where this research started, was wanting to kind of measure. So what do we see? What is the potential blast radius of industrial control systems that they might be interested in? Well, let's get into some of the details together here. What did you discover? Yeah, so we whittled down the list. There is quite a long list, but I ended up going with four different device types that, you know, again, have been previously targeted or known to be of
Starting point is 00:15:18 interest. And that included things like Unitronics Vision PLCs, Orpak SiteOmat fuel automation systems, any kind of Red Lion equipment, or things running the Tridium Niagara framework. And the way we chose that one was actually kind of interesting, I think. So it was based on a 2024 report from OpenAI, where they were reporting on influence and cyber operations that they identified on their platform. And in this report, they actually were addressing activity that they had attributed to an Iranian-linked hacktivist group called the CyberAv3ngers. And this group apparently had used OpenAI models to conduct research on different types of
Starting point is 00:15:58 ICS devices, you know, asking about different types of industrial routers, PLCs, utility companies in certain regions, and also looking for default passwords for different types of devices, and that included Tridium Niagara devices. So we wanted to look at that as well. We thought that was kind of an interesting perspective. Well, can you put that in perspective for us as to what those devices are used for and the potential impact here? Yeah. So just kind of at a high level. So Unitronics makes PLCs and HMIs and things like that. Most of these are software that you can find on the internet through a browser, through VNC, through RDP. And they're essentially used to manage or monitor industrial control processes.
Starting point is 00:16:45 You know, in the case of Unitronics a few years ago, there was an attack. I think it was in late 2023, where Iranian actors were targeting these devices and defacing them. There were a couple of water plants in the United States that were affected. So they control a variety of processes that relate to energy, water, power, things like that, things that we do consider very critical. You know, the Orpak SiteOmat things, those are fuel station automation types of software, fleet management. Tridium Niagara is used often in building automation and for, like, HVAC and alarms and security systems and things like that.
Starting point is 00:17:25 So kind of a variety of different types of uses, purposes of these types of software. So lots of different ways to potentially have an impact, unfortunately. And what sort of access do the Iranians seem to be gaining here? So in the cases that we looked at, right, and what we are aware of from previous research, because again, we can't really see attack traffic. We just, we see exposures. We see exposure numbers. But from what we've seen, you know, a lot of these things
Starting point is 00:17:55 are accessed through default credentials. So these interfaces will be, you know, available through your browser, available through an RDP session, and they'll use default credentials. And so maybe you can go in and toggle on or off an alarm, or you can maybe change levels of chemicals added to wastewater treatment or water treatment things. Lots of different opportunities to affect processes. Fortunately, it doesn't seem like any of the attacks that we've seen reported on, you know, sort of in a TLP clear sense, have been
Starting point is 00:18:32 catastrophic in nature, at least in this realm. But it certainly does raise questions around, you know, the security of these devices, the management of these devices, and kind of the onus on the manufacturers to make sure that they're not shipping with really insecure default settings. Do you have any sense for how broad the Iranians' interest might be here? In other words, do they seem to have specific interests in specific types of critical infrastructure, or do they just go where they have access? So I think it sort of depends, at least in the cases that we've looked at, and again, I'm not an expert necessarily in Iranian threat operations, but based on reporting that I've
Starting point is 00:19:18 read and have come to understand, I think it really sort of depends on the group behind it, whether we're talking about, like, actual nation-state affiliation or sort of hacktivism in some ways. And so I think that starts to be where things diverge a little bit, whereas, you know, the hacktivist groups will want to deface things. They'll want to say, you know, look at us. Here's what we're doing, you know, down with this country, down with this government, down with these people. Whereas an actual nation state might be more motivated to be a little more stealthy, a little bit quiet, and potentially a little more disruptive. Well, based on the information you've gathered here, what are your recommendations then for
Starting point is 00:19:58 organizations to best protect themselves? Yeah, so I think this is boring, you know, and I feel like any time that someone's asked about this, it's the same thing. It's, you know, these systems really shouldn't be exposed directly to the internet. This is just not a good practice. So if you are a critical infrastructure operator, regardless of your sector, try not to put these things online. Put them behind a VPN, put them behind a firewall, use some kind of protection so that they aren't just sitting out on the internet. But I also think there's a burden on the manufacturers as well that I don't think we talk about quite as much, because at least two of the four systems that we studied in this
Starting point is 00:20:38 particular research shipped or used to ship with default credentials, which is just, I mean, it's 2025. Like, we can't do that anymore. We never should have done it, but we really can't do it now. And I will say one of the manufacturers, Unitronics, who used to ship with default credentials, they actually, after that 2023 campaign I mentioned with their HMIs being defaced, about a month later, they actually pushed a patch that removed the default admin username and password. So there's effort, but I think we need to see it maybe a little bit more widespread from these manufacturers. That was Dave Bittner, sitting down with Emily Austin from Censys, discussing why nation state attackers continue targeting critical infrastructure.
Starting point is 00:21:48 an ex-con who ran this place for years. And now, now you can't do that. And BAFTA award winner, Lenny James. You're about to have a plague of outsiders descend on your town. Let me tell you this. It's going to be consequences. Mayor of Kingstown, new season now streaming on Paramount Plus. You know what's better than the one big thing? Two big things. Exactly. The new iPhone 17 pro on TELUS's five-year rate plan price lock. Yep, it's the most powerful iPhone ever, plus more peace of mind with your bill over five years. This is big. Get the new iPhone 17 Pro at tellus.com slash iPhone 17 Pro on select plans. Conditions and exclusions apply.
Starting point is 00:22:33 And finally, British retailer Next has discovered that one company's cyber misfortune can be another's sales strategy. In a trading update on Wednesday, Next credited favorable weather and competitor disruption, translation: Marks & Spencer's cyber meltdown, for a tidy 7.6% sales jump and a 30 million pound profit boost. M&S, while still nursing its digital hangover after months of outages, expects to lose around 300 million pounds this year. And while Next, Zara and H&M cashed in, retailers without robust online stores didn't see the same windfall. Meanwhile, Jaguar Land Rover's separate cyber incident wiped 1.9 billion pounds off of the British economy. A very sobering reminder that not all disruptions come with silver linings.
Starting point is 00:23:32 Lawmakers say that stronger cybersecurity laws can't come soon enough. And that's the CyberWire. Check out our daily briefing at thecyberwire.com. And be sure to join us for a new Research Saturday, where Dave Bittner sits down with Dario Pasquini, principal researcher at RSAC, discussing the team's work on when AIOps becomes AI Oops, subverting LLM-driven IT operations via telemetry manipulation.
Starting point is 00:24:11 And that is Research Saturday, folks. Definitely check it out. And that's the CyberWire Daily, brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like this show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tré Hester, with original music
Starting point is 00:24:48 by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Maria Varmazis, in for host Dave Bittner. Thank you for listening. Have a lovely weekend. Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
Starting point is 00:25:41 In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
