CyberWire Daily - Everything old is new again.
Episode Date: December 22, 2025

NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network. A failed polygraph sparks a DHS probe and deepens turmoil at CISA. A look back at Trump's cyber policy shifts. MacSync Stealer adopts a stealthy new delivery method. Researchers warn a popular open-source server monitoring tool is being abused. Cyber criminals are increasingly bypassing technical defenses by recruiting insiders. Scripted Sparrow sends millions of BEC emails each month. Federal prosecutors take down a global fake ID marketplace. Monday business brief. Our guest is Eric Woodruff, Chief Identity Architect at Semperis, discussing "nOAuth Abuse Alert: Full Account Takeover." Atomic precision meets Colorado weather.

CyberWire Guest
Today on our Industry Voices, we are joined by Eric Woodruff, Chief Identity Architect at Semperis, discussing "nOAuth Abuse Alert: Full Account Takeover."

Selected Reading
Starlink in the crosshairs: How Russia could attack Elon Musk's conquering of space (AP News)
Project West Ford (Wikipedia)
Acting CISA director failed a polygraph. Career staff are now under investigation (POLITICO)
Dismantling Defenses: Trump 2.0 Cyber Year in Review (Krebs on Security)
MacSync macOS Malware Distributed via Signed Swift Application (SecurityWeek)
From ClickFix to code signed: the quiet shift of MacSync Stealer malware (Jamf)
Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan (Hackread)
Cyber Criminals Are Recruiting Insiders in Banks, Telecoms, and Tech (Check Point)
Scripted Sparrow Sends Millions of BEC Emails Each Month (Infosecurity Magazine)
FBI Seizes Fake ID Template Domains Operating from Bangladesh (Hackread)
Adaptive Security raises $81 million in a Series B round led by Bain Capital Ventures. (N2K Pro)
NIST tried to pull the pin on NTP servers after blackout caused atomic clock drift (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave, and with
ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment
is free of misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero-trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at Threatlocker.com slash N2K today.
NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network.
A failed polygraph sparks a DHS probe and deepens turmoil at CISA.
A look back at Trump's cyber policy shifts.
MacSync Stealer adopts a stealthy new delivery method.
Researchers warn a popular open-source server monitoring tool is being abused.
Cybercriminals are increasingly bypassing technical defenses by recruiting insiders.
Scripted Sparrow sends millions of BEC emails every month.
Federal prosecutors take down a global fake ID marketplace.
We've got our Monday business brief.
Our guest is Eric Woodruff, chief identity architect at Semperis, discussing nOAuth Abuse Alert: Full Account Takeover.
And atomic precision meets Colorado weather.
It's Monday, December 22nd, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Two NATO intelligence services suspect Russia is developing a new
anti-satellite weapon designed to disrupt Elon Musk's Starlink network by releasing clouds of
high-density pellets into orbit. According to intelligence findings seen by the Associated Press,
the so-called zone effect weapon could disable many satellites at once, potentially undermining
Western space advantages that have supported Ukraine. Analysts not briefed on the findings
question whether such a system could be used without causing uncontrollable debris
and widespread damage, including to Russia's own satellites.
Some experts argue the concept may be experimental, exaggerated, or intended as a deterrent
rather than a deployable weapon.
While Russia denies plans to weaponize space, officials have warned that commercial satellites
aiding Ukraine could be legitimate targets, keeping concerns about escalation and orbital chaos alive.
Our "history repeats itself" desk sent us a link to the Wikipedia page on Project West Ford,
a U.S. experiment from the 70s, which involved putting needles in orbit.
We'll have a link in the show notes.
Acting Cybersecurity and Infrastructure Security Agency Director Madhu Gottumukkala
failed a polygraph exam in July after seeking access to a highly sensitive intelligence program,
according to multiple current and former officials.
That access required a counterintelligence polygraph,
which senior career staff had questioned,
arguing Gottumukkala lacked a clear need to know
and could rely on less classified material.
He, nevertheless, pushed forward and took the test.
After the failed exam,
the Department of Homeland Security launched an investigation,
alleging that career staff misled Gottumukkala
into taking an unsanctioned polygraph.
At least six employees were placed on paid administrative leave,
a move that angered staff and raised concerns about leadership accountability.
DHS disputes that Gottumukkala failed an authorized test,
while career officials contest that characterization.
The episode has intensified instability at CISA,
which is already grappling with staffing losses,
budget cuts, and the absence of a Senate-confirmed director.
A sweeping report by Krebs on Security details how the Trump administration
has pursued rapid policy shifts that critics say are undermining U.S. capacity
to manage cybersecurity, corruption, privacy, disinformation, and press freedom.
The changes span nearly every corner of government
and emphasize reduced enforcement,
dismantled oversight, and tighter political control.
According to the report,
the administration expanded ideological screening and surveillance
through new executive orders affecting speech, immigration, and travel.
At the same time, it scaled back anti-corruption efforts
by halting enforcement of bribery laws,
dissolving kleptocracy and foreign-influenced task forces,
retreating from crypto-regulation and issuing controversial pardons.
Federal cybersecurity suffered acute damage.
Leadership was purged, advisory boards disbanded, budgets slashed, and staff reassigned,
leaving agencies like CISA severely weakened.
The report also describes intensified pressures on the press,
erosion of consumer and privacy protections,
and unprecedented data access under the
now-defunct DOGE initiative, raising long-term national security concerns.
Researchers at Jamf report that the macOS malware MacSync Stealer has adopted a new delivery
method that no longer requires users to run commands in the terminal.
Originally a rebrand of the low-cost Mac.c infostealer, MacSync Stealer now uses a code-signed,
notarized Swift app disguised as a legitimate installer. The dropper quietly fetches and executes
malicious scripts, adding stealth, persistence, and Gatekeeper evasion. Jamf says the shift reflects
a broader trend toward abusing trusted macOS app mechanisms. Researchers at Antinue warn that
Nezha, a legitimate open source server monitoring tool, is being abused by attackers as a remote
access Trojan. Because Nezha is widely trusted and rarely flagged by security tools,
hackers can use it to gain persistent system-level access across Windows, Linux,
MacOS, and even routers. Its normal-looking network traffic helps it blend in.
Experts say the abuse reflects a growing trend of attackers weaponizing legitimate software,
forcing defenders to focus on behavior and context rather than labels alone.
Researchers at Check Point say cybercriminals are increasingly bypassing technical defenses
by recruiting insiders to provide access to corporate networks, devices, and cloud environments.
On darknet forums, employees are solicited or sometimes volunteer to sell credentials,
disable security controls, or share sensitive data in exchange for cash,
often paid in cryptocurrency.
These insider actions create major blind spots
for security teams and make attacks far harder to prevent.
Financial services, cryptocurrency platforms, banks, technology firms, telecoms, and logistics companies
are frequent targets, with payouts ranging from a few thousand dollars to six figures
for high-value access or data sets.
Ransomware groups have also expanded recruitment through encrypted platforms, offering profit-sharing
schemes.
The trend highlights a growing insider threat
that combines financial incentives with anonymity.
Defending against it requires employee education,
strict access controls, behavioral monitoring,
and proactive surveillance of dark net activity
alongside traditional cybersecurity tools.
Researchers at Fortra have identified
a prolific business email compromise group
dubbed Scripted Sparrow,
which sends an estimated 4 to 6 million targeted emails each month.
Active since mid-2024, the group poses as executive coaching firms and targets accounts payable
teams with fake invoices and W-9 forms.
Fortra says the loose collective operates across multiple continents, uses hundreds of domains and
bank accounts, and relies on spoofed reply chains to boost credibility.
U.S. prosecutors have charged Zahid Hassan, a 29-year-old resident of Bangladesh,
with running a global fake ID marketplace that fueled identity theft worldwide.
According to the U.S. Department of Justice, Hassan sold digital templates for forged passports,
driver's licenses, and social security cards through multiple websites from 2021 to 2025.
Investigators say the scheme generated more than $2.5 million from over 1,400 customers.
The operation was dismantled by the FBI with
international partners, and Hassan now faces multiple federal fraud charges.
Turning to our Monday business brief, a wave of global cybersecurity funding and deal-making
highlights sustained investor interest across fraud prevention, AI security, identity,
and infrastructure protection. New York-based Adaptive Security led the week with an $81 million
Series B, bringing its total funding to $146.5 million since launching in early 2025.
Other notable raises include Echo at $35 million, Cassada at $20 million, Resemble AI at $13 million,
and EverTrust at $10 million.
Early stage funding went to startups including Ducks, Verasol, Siflens, Soverely, and Realm
Security. Mergers were equally active with acquisitions by Outpost24, Silent Push, MetaCompliance,
Arteris, Spy, and Sidaris, underscoring continued consolidation across the security market.
Be sure to check out our weekly business brief on our website. That's part of Cyberwire Pro.
Coming up after the break, my conversation with Eric Woodruff from Semperis.
We're discussing nOAuth Abuse Alert: Full Account Takeover.
And atomic precision meets Colorado weather.
Stay with us.
Eric Woodruff
is chief identity architect at Semperis.
In today's sponsored Industry Voices segment,
we discuss their report,
nOAuth Abuse Alert: Full Account Takeover.
If an application is vulnerable to nOAuth,
like a SaaS application,
if you know the victim or targets email address,
you can essentially sign in to the vulnerable SaaS application
as that person.
And you don't have to phish them
or have any interaction.
you just need to know what their email address is.
And you found that a sizable percentage of applications are vulnerable to this?
Yeah, I mean, the testing of it is, I'd say, it's tough, right?
So when we're going through applications, you really have to sort of understand the context of the application, right, to determine if it's vulnerable.
But yes, out of, you know, the initial round we had was, you know, I think 117 apps that we were looking at and we found like we could test 104 of them.
And there was nine that were vulnerable, right?
And that comes out to, you know, roughly nine percent-ish that were vulnerable.
But we also have done more research since we first published that that is going to be coming out soon, where we tested another 38 applications and again found
two that were vulnerable there, right?
So that's roughly 5%.
So, you know, 5% might not seem like a lot,
but if you think of the number of applications out there, right,
the number would certainly grow.
Yeah.
I guess at the core of this is the notion that
using an email address is a unique identifier
has a certain amount of risk associated with it.
Yeah, I mean, so with nOAuth,
I mean, at the core of it, it's developers,
no offense to developers,
but not following the spec for OpenID Connect.
And so, again, without getting too nerdy,
with OpenID Connect,
there's certain attributes like about a user account
that in Microsoft's implementation are immutable, right?
So it guarantees that nobody could forge this
or mimic this attribute that identifies, you know,
you or me in the app.
But developers might take a shortcut
or they might not understand OpenID Connect
or understand the consequences around it
and they'll say, oh, well, we're just going to key off of email, right?
So if I see, you know, Dave Bittner, Eric Woodruff come in with our email addresses,
then, yep, like, that's got to be this person.
But the problem is, in the Entra world, email is not an immutable attribute.
There's valid reasons why someone might have an email address that is different
than their actual username.
Well, walk me through this, then.
I'm an attacker and I have access to an Entra tenant and I've got the target's email address.
What happens next?
Yeah, so, right?
So you've found an application that's vulnerable to this.
And so as an attacker, you go stand up an Entra tenant.
You create, you know, some dummy user.
It doesn't really matter what the user is.
And then you just set the email address to whoever your target is, right?
So in our research before we found there was an HR platform that was vulnerable, right?
So, you know, if I'm putting my hacker hat on, you know, the platform's vulnerable.
These days it's easy to go on LinkedIn and try to find, you know, who's customers of this platform.
And then I find their customers.
And then it's easy to figure out probably who their HR admin is, right?
So knowing an HR admin is going to have access to a lot of, you know, juicy data in this system.
I'll put their email address in.
And then essentially, I just browse to the application and sign in.
But again, because the application is just comparing email addresses,
it's going to think, you know, I'm that HR administrator and give me access to whatever they have access to.
Help me understand the cross-tenant angle here, exactly what's going on.
If you think of it in the sense that the application is just looking at a token that comes
from Entra, right?
And so, again, in these scenarios,
it's just looking at the token.
It's looking for an email address attribute in it, right?
So when we're talking cross-tenant,
it's an abuse that can happen outside of, like,
the legitimate customer's tenant because,
right, it's the application that's sort of like the problem here, right?
So whether it's coming from a legitimate tenant or the attacker tenant,
right, this token, which is just sort of encoded, you know, data that will have,
you know, like your first name,
your last name, email address.
It's just looking for email, right?
And it's like, oh, this address matches this user.
So, like, yep, you're allowed in as that user.
That makes sense.
Yeah, as you say, I mean, there's a lot of technical details here.
But can we talk a little bit about the story of the testing that you did?
You all looked at just over 100 apps.
And as you mentioned, you found nine of them were vulnerable.
Was there a particular methodology for selecting the apps?
And I guess question B is how do you go about testing this ethically?
Yeah, no, those are good questions.
So to the first point, so the initial round of testing,
we basically went through the Microsoft Entra Gallery,
which is just a listing of applications that vendors,
software vendors can put their app in there
to sort of make it more visible for use.
So from that list
like we were basically looking for anything that had
a trial, some sort of self-service sign up
that didn't require credit cards
or having to pay money or something
and this system would let you trial it.
So that kind of whittled it down to like the hundred.
And then of the hundred, right,
basically what we would do is so we have our attacker tenant
that we control and, you know,
our quote, legitimate user tenant that we control.
So we would sign up right with like a legitimate user that, you know, we control and just some lab tenant, you know, get the trial set up for whatever it is.
And again, if the system would allow you to place some bit of data or do something right so that we could sort of like mark, so to speak, that like, you know, this is, we've done something in this, you know, demo.
Because you can't always tell from just like looking at, you know, the user interface.
Then we, you know, sort of go over to the attacker tenant.
we'd go to sign into the same application again
with the email address set to like our, you know, quote victim.
And if we get in, right, we would just sort of poke around at the interface.
Again, if we had data in there, right, we could easily see, oh, right, like this is the same thing.
Like in the HR scenario, when we sign in as the attacker, we saw like the dummy users that we added in.
Other times, it wasn't as simple and maybe you'd have to poke around, you know,
the interface a little bit for the application to determine if the accounts are, you know,
sort of one and the same in the app.
And I'll just say to your other question about testing it ethically, actually, maybe I've
answered it in there, right?
So, you know, we have no intention, right, of trying to get in anything we're not
supposed to have access to.
So that's where we also wanted things that we could sign up for trials for, right?
So that way we're making sure that, you know, we're only really attacking ourselves
and we're not doing anything with, you know, real people or data.
Yeah.
Your research points out that this is particularly hard to
spot. Why is that? What makes it so hard? Well, I mean, I'll say like, when I've, when I've
spoken about this, conferences, like the customer is kind of stuck in the middle here, right? So
because the attack is originating from a different tenant than theirs, right? All the conditional
access, any security things that you might do in your Entra ID or your Microsoft 365,
is essentially rendered useless because the authentication, right,
is happening up in the attacker tenant that you have no control over.
So you're not going to have any visibility in your Entra.
And then really, it's only on the app developer side of things, right,
where they're going to have, you know, whatever logs they're keeping, right?
But again, applications aren't, you know,
it's not the greatest strength, right, in having log data in there.
And even then, but if an app developer, many times we were asked, like, well, what could the app developer do to, like, check for this?
And we're like, well, they should just fix their application and not to get on a tangent, right?
But the thing is, is like, an app developer isn't going to be looking for if they're vulnerable to this in the sense that if, like, they knew they were vulnerable to this.
I mean, hopefully, right, they would go change their code.
So it is something they can fix in the app.
Sorry, forget about it.
No, I mean, I think you're making a really
good point here. I mean, it seems to me like there's a vendor accountability aspect here.
Should customers be asking specific questions to their SaaS vendors?
Yeah, I mean, right. It feels tough because part of me wants to say, absolutely, right?
Like, if you go to buy a SaaS application or procure one, you should, you know,
ask the vendor if they're vulnerable to this and right, link to our work or Descope's,
not to tell ourselves just because, right, we're the ones who sort of explain
the problem, but
I mean, that could also get heavy, right, to sort of
ask your SaaS app vendor
if they are
vulnerable to this, and then, you know,
it could become a laundry list, right, of all
these things.
But yeah, I mean, it's tough because
Microsoft basically says it's a developer
problem, and
developers aren't going to know that they're
vulnerable to it, right, if they don't know.
So, yeah, I mean, it's a
tough spot for customers because it's also not
feasible for customers to
write, like, go test every application that
they procure for this because, you know,
it might be easy for researchers to
sort of repeat this stuff, but I wouldn't expect
your everyday IT
pro to kind of go
do this in something they're trying to
procure.
What about Microsoft? What
part do they have to play in all
of this? Yeah, I mean, so Microsoft
had, so
when Descope had released
their research, Microsoft had
published an article, again in June
2023, basically explaining, you know,
a path to mitigate this, right?
So they're like, if you are vulnerable to this,
here's how to go, like, fix your SaaS app,
so it's not vulnerable to this.
And they also said at the time, you know,
that they contacted some app owners
that they believe are vulnerable, you know,
and help them work that out.
And that's all great.
You know, the problem is they still sort of point the finger
back at developers, right?
And I guess I'll say from Microsoft's perspective, just because you have the email address as a claim doesn't mean that the app itself is vulnerable, right?
And I think that's sort of how they say, like, right, they don't even know or they can't really tell, right?
If all these apps are vulnerable, and that's why they tend to push it back on the app devs.
And, you know, I get it, but I think the problem is, right, it's one of those things like where if you don't know, you don't know, right?
So all the devs that don't know their app is vulnerable probably isn't out there, you know,
consuming this information from MSRC, you know, about mitigating it.
Right.
It needs to be a detection tool.
Yeah.
How severe do you rate this?
How serious should we consider it?
So we rate it severe.
So I'll say again, so recently we opened another case with Microsoft
because we have a bit of a new finding where one of the applications that we've tested this round
had integrations with Office 365 or Microsoft 365.
And so in our testing, what we basically did is we went into the SaaS app, right, that was vulnerable as the attacker.
And it allowed us to, you know, send email, read contacts, do other things as this user in Microsoft 365.
And again, we sent emails out to other, you know, of our own test users, right,
basically prove that you can almost pivot right from a vulnerable SaaS app back into Microsoft
365, again, relative to whatever permissions that app might have there.
So we decided to open a case with MSRC, and they came back saying that they find this to be
a moderate severity, and they gave us a blurb that, you know, they've notified sort of like
downstream service owners. They don't specify, I'm assuming they're talking about, like, the exchange
and SharePoint online teams, right, and things like that.
And, you know, they might put additional defense-in-depth things in place down the road,
and then the case was closed.
So Microsoft is saying it's moderate, but, you know, we still stand by it being severe, right?
Because in the HR example, right, it's going to be PII, it's going to be a whole ton of sensitive data
that nobody's going to want out there.
In these examples, right, it's whatever the data is in the SaaS app, right?
however critical that data is to you, effectively is, you know, how severe this vulnerability would be, right, if your application was vulnerable.
So that's Eric Woodruff from Semperis.
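The lookup mistake Woodruff describes (matching an Entra-issued token to a local user by its mutable email claim instead of the immutable tenant and object identifiers), as an added Python illustration that is not part of the podcast or of Semperis' research. The tenant IDs, object IDs, claim sets and user table are constructed for the demo, and the tokens are assumed to have been signature-verified already.

```python
"""Added illustration of the nOAuth bug class: a SaaS app that maps an
Entra ID OIDC token to a local user by the mutable `email` claim instead
of the immutable tenant id (`tid`) + object id (`oid`) pair.  All tenant
ids, object ids, claim sets and the user table are constructed; the
claims are assumed to come from an already signature-verified token."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed tenant ids: the customer's tenant and one the attacker controls.
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"

# Decoded claims of a legitimate sign-in by the customer's HR admin.
LEGIT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{CUSTOMER_TENANT}/v2.0",
    "tid": CUSTOMER_TENANT,
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "hr-admin@customer.example",
    "name": "HR Admin",
}

# Decoded claims of a dummy user in the attacker's own tenant whose email
# attribute was set to the victim's address; tid and oid are set by Entra
# for that tenant and cannot be chosen to match the customer's.
ATTACKER_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
    "tid": ATTACKER_TENANT,
    "oid": "bbbbbbbb-0000-0000-0000-000000000009",
    "email": "hr-admin@customer.example",
    "name": "dummy",
}


@dataclass(frozen=True)
class AppUser:
    user_id: str
    email: str
    tenant_id: str
    object_id: str
    role: str


# The SaaS app's user table (constructed), provisioned on the first legit sign-in.
USERS = [
    AppUser("u-100", "hr-admin@customer.example", CUSTOMER_TENANT,
            "aaaaaaaa-0000-0000-0000-000000000001", "hr_admin"),
]


def vulnerable_lookup(claims: dict) -> Optional[AppUser]:
    """The nOAuth pattern: whoever presents the victim's email *is* the victim."""
    email = claims.get("email", "").lower()
    return next((u for u in USERS if u.email.lower() == email), None)


def hardened_lookup(claims: dict, allowed_tenants: Iterable[str]) -> Optional[AppUser]:
    """Pin the issuing tenant to the customer's onboarded tenant(s) and key on
    the immutable (tid, oid) pair; email is treated as display data only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if tid is None or oid is None or tid not in set(allowed_tenants):
        return None
    return next((u for u in USERS if u.tenant_id == tid and u.object_id == oid), None)


def rejection_reason(claims: dict, allowed_tenants: Iterable[str]) -> str:
    """Explain a rejected token in terms the app's audit log can record;
    returns "" when the token maps cleanly to a local user."""
    tid = claims.get("tid")
    if tid not in set(allowed_tenants):
        return f"token issued by unexpected tenant {tid}"
    if hardened_lookup(claims, allowed_tenants) is None:
        return "no user matches (tid, oid); refusing to fall back to email"
    return ""


if __name__ == "__main__":
    allowed = {CUSTOMER_TENANT}
    print("vulnerable:", vulnerable_lookup(ATTACKER_CLAIMS))          # HR admin: takeover
    print("hardened:  ", hardened_lookup(ATTACKER_CLAIMS, allowed))   # None
    print("reason:    ", rejection_reason(ATTACKER_CLAIMS, allowed))
```

The cross-tenant blind spot Woodruff describes shows up in `rejection_reason`: the only place the foreign `tid` is visible is the application's own logging, which is why the fix has to live in the app rather than in the customer's tenant.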
And finally, a power outage near Boulder, Colorado
briefly put the USA's National Institute of Standards and Technology
in the awkward position of having very precise clocks
and slightly unreliable electricity.
According to NIST physicist Jeffrey Sherman,
who is cheerfully paid to watch the clocks all
day, the outage disrupted the atomic time scale that underpins NIST's network time
protocol services, a quiet but critical backbone of the internet. The problem was not just losing
power. Backup generators kept systems running, meaning inaccurate time could still be broadcast.
Sherman even considered disabling the generators, a sentence that probably does not appear
often in federal incident reports.
Severe storms prevented access to the site,
adding weather to the list of adversaries of atomic precision.
The good news is the clock drift stayed within a few microseconds,
an eternity for physicists, but negligible for most internet users.
Services were fully restored within a day right on time, more or less.
And that's the Cyberwire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating
and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester
with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
