CyberWire Daily - DOGE and the data trail.
Episode Date: January 21, 2026
DOGE staff face scrutiny over possible Hatch Act violations. GitLab fixes a serious 2FA bypass. North Korean hackers target macOS developers through Visual Studio Code. Researchers say the VoidLink malware may be largely AI-built. MITRE rolls out a new embedded systems threat matrix. Oracle drops a massive patch update. Minnesota DHS reports a breach affecting 300,000 people. Germany looks to Israel for cyber defense lessons. A major illicit marketplace goes dark. Our guest is Ashley Jess, Senior Intelligence Analyst from Intel 471, with a “crash course” on underground cyber markets. And auditors emerge as an unlikely line of cyber defense.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we have Ashley Jess, Senior Intelligence Analyst from Intel 471, sharing a “crash course” on underground cyber markets and emerging trends.
Selected Reading
Trump administration concedes DOGE team may have misused Social Security data (POLITICO)
GitLab warns of high-severity 2FA bypass, denial-of-service flaws (Bleeping Computer)
North Korean Hackers Target macOS Developers via Malicious VS Code Projects (SecurityWeek)
Voidlink Linux Malware Was Built Using an AI Agent, Researchers Reveal (Infosecurity Magazine)
MITRE Launches New Security Framework for Embedded Systems (SecurityWeek)
Oracle's First 2026 CPU Delivers 337 New Security Patches (SecurityWeek)
Minnesota Agency Notifies 304,000 of Vendor Breach (GovInfo Security)
Germany and Israel Pledge Cybersecurity Alliance (BankInfo Security)
$12B Scam Market Tudou Guarantee Shuts Down (GovInfo Security)
Research reveals a surprising line of defence against cyber attacks: accountants (The Conversation)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most security conferences talk about Zero Trust.
Zero Trust World puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation.
Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away.
Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero-trust strategy from theory to execution.
DOGE staff face scrutiny over possible Hatch Act violations.
GitLab fixes a serious 2FA bypass.
North Korean hackers target macOS developers through Visual Studio Code.
Researchers say the VoidLink malware may be largely AI-built.
MITRE rolls out a new embedded systems threat matrix. Oracle drops a massive patch update. Minnesota DHS reports a breach affecting 300,000
people. Germany looks to Israel for cyber defense lessons. A major illicit marketplace goes dark.
Our guest is Ashley Jess, senior intelligence analyst from Intel 471, with a crash course on
underground cyber markets. And auditors emerge as an unlikely line of cyber defense. It's Wednesday,
January 21st, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining
us here today. It's great as always to have you with us. Newly disclosed Justice Department court
filings reveal that two members of Elon Musk's DOGE team at the Social Security Administration were in
contact with an advocacy group seeking to overturn election results in certain states. One DOGE member
signed an agreement that may have involved matching Social Security data with state voter rolls.
According to a filing by Justice Department official Elizabeth Shapiro,
SSA referred both employees for possible Hatch Act violations,
which prohibit political activity by federal workers.
The disclosures contradict earlier testimony during litigation over DOGE's access to Social Security data.
Shapiro said DOGE members shared data using unapproved third-party servers, including Cloudflare,
and may have accessed restricted personal information despite court limits.
Emails suggest DOGE members could have been asked to assist the advocacy group
by using SSA data, though it remains unclear whether any data was actually shared.
Shapiro also reported that a senior DOGE advisor received a password-protected file
containing private data on about 1,000 individuals.
SSA says it was unaware of these actions at the time
and that details remain unclear.
GitLab has released security updates to fix a high-severity vulnerability
that allows attackers to bypass two-factor authentication
in both its community edition and enterprise edition platforms.
The flaw is caused by an unchecked return value
in GitLab's authentication services.
According to the company, an attacker who already knows a user's account ID
could submit forged device responses and circumvent two-factor protections.
In the same update, GitLab patched two additional high-severity vulnerabilities
that could enable unauthenticated denial of service attacks
through malformed authentication requests and improper API authorization checks.
Two medium-severity denial-of-service issues were also fixed.
GitLab has released multiple patched versions urging self-managed users to upgrade immediately.
GitLab.com is already updated and dedicated customers are not affected.
Jamf warns that North Korean threat actors are targeting macOS developers
by abusing Visual Studio Code task configuration files to deliver malware.
The campaign is a new variation of long-running fake job offer lures.
Victims are tricked into cloning malicious GitHub or GitLab repositories posing as coding assignments.
When opened and marked as trusted in VS Code, obfuscated JavaScript executes,
retrieves additional payloads and installs a persistent backdoor.
According to Jamf, the malware collects system data, communicates with command and control servers,
and enables remote code execution.
Researchers say VoidLink,
a recently discovered Linux malware targeting cloud servers,
was likely built almost entirely with the help of artificial intelligence.
Initially analyzed by Check Point Research,
VoidLink appeared to be the work of a sophisticated, well-funded threat group
due to its modular design and feature set.
Further investigation, however, suggests the malware was developed
by a single individual using AI tools to plan, structure, and generate code.
Evidence includes exposed development documents outlining a 30-week plan,
even though the malware evolved in roughly four weeks,
a mismatch researchers attribute to AI-generated documentation.
Check Point says AI was used not just for coding but for project orchestration,
marking a turning point.
VoidLink demonstrates how AI can significantly
accelerate and amplify advanced malware development when used by skilled actors.
MITRE has announced the launch of its Embedded Systems Threat Matrix, or ESTM, a new cybersecurity
framework focused on protecting embedded systems.
Modeled on MITRE ATT&CK, the framework maps attack tactics and techniques specific to hardware
and firmware environments.
According to MITRE, ESTM supports threat modeling
and attack path analysis across sectors such as energy,
industrial control systems, robotics, transportation, and health care.
The framework aligns with existing security models,
works with the EMB3D threat model,
and is now available as the more mature ESTM 3.0
with community contributions encouraged.
Oracle has released its first critical patch update for 2026,
delivering 337 security fixes across more than 30 products.
According to Oracle, the update covers roughly 230 unique vulnerabilities,
including more than two dozen rated critical,
and over 235 exploitable remotely without authentication.
Several patches address a critical Apache Tika flaw with a maximum CVSS score.
Oracle Communications and Fusion Middleware received the most fixes.
Oracle also issued separate security updates for Solaris, including remotely exploitable vulnerabilities.
The Minnesota Department of Human Services is notifying nearly 304,000 people about a data breach
involving unauthorized access to its MnCHOICES eligibility system.
The incident was traced to a user affiliated with a licensed health care provider who accessed
more data than permitted while using systems managed by FEI Systems.
The access occurred between late August and September of last year and was detected after
FEI identified unusual activity in November.
State officials say there's no evidence of external hacking.
The exposed information primarily involved demographic data with more detailed personal
and benefits information accessed for a smaller subset of individuals.
DHS has revoked the provider's access, launched fraud monitoring efforts, and reported the incident as a HIPAA breach to federal and state oversight bodies.
Germany is seeking to significantly strengthen its cyber defenses against threats from countries, including Russia, China, Iran, and North Korea, and is turning to Israel for expertise.
Earlier this month, German Interior Minister Alexander Dobrindt
signed a cyber defense cooperation agreement in Tel Aviv
with Israeli Prime Minister Benjamin Netanyahu,
citing interest in Israel's Cyber Dome system.
Developed under the Israel National Cyber Directorate,
the Cyber Dome is a centralized,
partly automated threat detection platform
that uses AI to monitor attacks on critical infrastructure.
German officials and analysts say Israel's experience,
shaped by frequent cyber attacks and a mature offensive and defensive ecosystem, could inform Germany's own efforts.
The partnership includes plans for joint development of next-generation cyber defenses,
an AI and Cyber Innovation Center, and cooperation on protecting energy infrastructure,
connected vehicles, and countering drone threats.
Tudou Guarantee, a Telegram-based illicit marketplace
that processed more than $12 billion in fraud-related transactions, has shut down,
according to blockchain intelligence firm Elliptic.
Elliptic describes Tudou as the third largest illicit marketplace ever,
facilitating money laundering, sales of stolen personal data, and services supporting online scams.
The shutdown followed the January 6th arrest and extradition to China of Chen Zhi,
chairman of Cambodia's Prince Group, after which activity in Tudou's wallets sharply declined.
Some functions, including gambling services, remain active, leaving uncertainty over whether the closure
is complete. The disruption impacts Southeast Asia's fraud ecosystem, where scam operations have
flourished. Tudou had risen rapidly after the shutdown of Huione Guarantee, its predecessor.
Elliptic expects fraud activity to fragment across multiple smaller marketplaces,
complicating but not preventing tracking efforts.
Coming up after the break, Ashley Jess from Intel 471 has a crash course on underground
cyber markets, and auditors emerge as an unlikely line of cyber defense.
Stay with us.
Ever wished you could rebuild your network from scratch to make it more secure, scalable,
and simple? Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity
without the constant patching, vendor-juggling, or hidden costs. From wired and wireless
to routing, switching, firewalls, DNS security, and VPN, every layer is
integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R.com slash cyberwire.
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night,
how do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence,
and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection, flag risks,
and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently,
and finally get back to sleep.
Get started at vanta.com slash cyber.
That's V-A-N-T-A.com slash cyber.
Ashley Jess is senior intelligence analyst at Intel 471.
Today, she shares a crash course on underground cyber markets and emerging trends.
So when you're talking about underground marketplaces,
you're talking about the key platforms for the sale and distribution of typically things
like stolen payment card information, personally identifiable information or PII, account
credentials and other sort of sensitive information like the logs from info stealer malware.
So these shops represent sort of the professionalization and commodification of cybercrime
because they are truly a centralized place where they offer this very similar to any sort
of online marketplace where you might buy, you know, gifts or clothing or things like that.
It just happens to be stolen information.
Can you give us an idea of the breadth of these marketplaces and how they're kind of tiered?
Maybe is there, are there top marketplaces that sort of lead everything or how does it work?
Yeah.
So they've undergone a significant evolution over the last 10, 15 years.
So you used to have these really prominent marketplaces that were these large sort of multi-purpose
platforms.
And they've shifted more to, you know, a more specialized and fragmented ecosystem.
And this was mostly driven actually from law enforcement action.
So, along with, you know, a mix
of some new technological advancements, but you used to have really large marketplaces. So some
that might sound familiar to viewers are things like Silk Road, AlphaBay, and Hydra Market. And those
sold everything from drugs to hacking tools. And those were, you know, the top of their game
at the time. But those law enforcement actions showed that these large, centralized operations
were very vulnerable once they were taken down. So as a result, we've seen actually more niche
marketplaces with specialized offerings. So you might have a marketplace that just offers payment card
information or a marketplace that just offers information stealer logs. So you have some that are,
you know, sort of that single offering type marketplace, something like a dump shop or something like
that. And then there are still some that have multifunctional marketplaces and there are still some that
are kind of top of the game as well. So yeah, for us, we do tier them. We tier them just kind of based off of
the size of them, how long they've been around, how popular they are with cybercriminals.
So there definitely are preferred marketplaces, but kind of two categories, this sort of
multifunctional category and this single-use category.
Am I correct?
Am I understanding that these markets are largely reputational-based?
Yeah.
So in the cyber criminal underground, because you're dealing with people who aim to be anonymous,
your reputation is kind of
everything. So when you are a successful marketplace in the underground, you're typically
operating similar to an e-commerce store, but you are conducting marketing, much like any other
sort of brand would, except it typically is on underground forums, maybe instant messaging
channels, things like Telegram. And then as people use your store, they will leave reviews
or talk about if they happened to purchase something and they felt they got scammed. They'll file a
complaint and all of that is viewable on the underground. So the more reviews you have with the fewer
complaints partnered with how long you've been around increases your reputation as an underground
marketplace, which makes people more likely to continue to use you. And where do we stand when it
comes to law enforcement? How successful have they been at taking these things down? They have been
successful. So there's been a couple notable law enforcement takedowns in recent years.
So they are a compelling target for law enforcement agencies because they are, you know, some of the foundational, these marketplaces offer some foundational products that cyber criminals will use to then commit larger cybercrimes.
So it impacts a large number of cyber criminal operations if you can take it down at that sort of early source.
So in recent years, we've seen several actually significantly popular marketplaces, you know, fall to a well-implemented law enforcement disruption over the years.
So typically what law enforcement will do is seize the domain, but we have seen administrators get arrested.
And, you know, with any of these sort of disruptions, just like any of the other ones you might see for ransomware organizations or something similar, some weather the disruption, some might have spawned a successor and some never recovered.
So some of the ones we've seen recently and earlier in 2025, for example, is the BidenCash marketplace, which is one that sold payment cards
and PII. In June, they seized about 145 related BidenCash domains and cryptocurrency funds,
which according to the DOJ's announcement at the time, this one store had more than
117,000 customers and facilitated trafficking in more than 15 million payment card numbers. So even just
that one disruption, you can see the size of the impact of that, which is why law enforcement
I think rightfully continues to try to disrupt those operations in particular.
And what are the trends that you're tracking here?
Where do we see this heading in the new year?
Yeah.
So, you know, underground marketplaces rapidly facilitate the exchange of stolen data,
but they also foster this sort of competitive environment
where operators are continually trying to enhance their offerings to beat out the next person.
So, you know, when it comes to 2026, what we're most likely going to see,
is how automation starts becoming embedded in these marketplaces so that they can start offering
more products than their competitors. We're already seeing that being used across cybercriminals
for things like phishing lures and things like that. But the other thing that we're going to see
probably is the continued growth of credential-based crime. So, you know, infostealers, session
hijacking, account takeovers. These are all really becoming foundational for many downstream attacks
by cyber criminals, anything from gift card fraud, business email compromise, everything in
between. So, you know, these markets are going to continue and already are optimizing around speed
so that these stolen credentials can get monetized faster and faster before they can be detected by
defenders. So that's something that we're definitely going to see, I think, going into the next
year. We're also seeing more emphasis on fraud infrastructure than a single attack. So services like
card checkers, bot frameworks, and access brokers are also becoming more refined. So we'll likely
see maybe specialized marketplaces start to grow in these offerings as well because these allow
criminals to scale their operations without necessarily needing to be technically skilled in and of
themselves. And then the other thing we'll see because as I was just talking about, there is a lot
of law enforcement focus on these marketplaces is resilience. I think we're going to see resilience
kind of be a major theme of these cyber criminals trying to grow some roots for their marketplace
and kind of try to evade what they've been seeing law enforcement do. So they're already
becoming more decentralized. They're becoming more cautious. They're spreading their activity across
multiple platforms, multiple domains, private channels in an attempt to make takedowns less effective
and allow their infrastructure to persist even if part of it gets disrupted. So I think they're
going to continue to look more like a business optimized for these things, efficiency,
scale, return on investment, and defenders are going to need to adapt to that reality as well.
For the defenders in our audience, what sorts of things should be on their radar?
What should they be looking out for in their day to day?
Yeah, I mean, depends obviously on what they're defending against, but things like credential
monitoring, things like multi-factor authentication on your accounts to keep them secure,
even if the password gets like, you know, stolen.
All of that is still very, very effective, you know, being able to quickly having, you know,
password change policies and things like that.
Things when it comes to, you know, credit cards in general, recognizing the pattern of
card testing, you know, that looks like a lot of small rapid fire transactions that mostly
fail.
So looking for things like that, rate limiting by IP, adding, you know, step-up verification,
and then, yeah, just hardening your accounts so that they can't be used.
You know, don't leak overly specific decline reasons.
Don't say it was a CVV mismatch.
You know, add friction to your add-card or save-card actions.
And the main thing is having some sort of response playbook for when you detect this type of activity.
That's Ashley Jess, senior intelligence analyst from Intel 471.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps
without compromising performance, time-to-market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
And finally, Australia's recent mega-breaches at Optus, Medibank, and Latitude Financial left millions wondering how cyber disasters keep slipping through.
The usual answer is technical inevitability, complex systems, clever attackers, and bad luck.
But research suggests another quieter defense has been hiding in plain sight, the auditors.
Auditors do not write code or chase hackers.
They ask awkward questions about controls, oversight, and whether anyone is actually paying attention.
The study found that auditors who have lived through a client's cyber breach
become noticeably tougher everywhere else, flagging more weaknesses and issuing more meaningful
clean bills of health. Those clean reports, it turns out, correlate with fewer future breaches.
For Australia, where regulators like the Australian Securities and Investments Commission and the Australian
Prudential Regulation Authority are pressing boards on cyber governance, the message is simple.
Firewalls matter. So does skepticism, preferably from someone who has already seen a glowing
red screen ruin their week.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders tackling today's toughest challenges
and shaping what comes next.
Register today at rsaconference.com slash cyberwire26.
I'll see you in San Francisco.
