CyberWire Daily - Is Interim The New Permanent

Episode Date: January 11, 2026

The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE’s latest surveillance system. CISA marks a milestone by retiring ten Emergency Directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes, a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware ESXi hypervisor exploit. European law enforcement arrest dozens of suspects linked to the international cybercriminal group Black Axe. Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. After firing the experts, DOGE hangs a help wanted sign.

CyberWire Guest
Today on our Industry Voices, we are joined by Sonali Shah, CEO of Cobalt, talking about why 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity.
Selected Reading
NSA cyber directorate gets new acting leadership (The Record)
Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods (404 Media)
CISA Retires Ten Emergency Directives, Marking an Era in Federal Cybersecurity (CISA.gov)
Trend Micro warns of critical Apex Central RCE vulnerability (Bleeping Computer)
X pulls Grok images after UK ban threat over undress tool (The Register)
Alleged cyber scam kingpin arrested, extradited to China (The Record)
Chinese Hackers Use NFC-Enabled Android Malware to Steal Payment Information (GB Hackers)
The Great VM Escape: ESXi Exploitation in the Wild (Huntress)
Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrest (Infosecurity Magazine)
US DOGE Service is hiring following mass workforce losses across the government (Gov Exec)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs.
Starting point is 00:00:40 From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire.
Starting point is 00:01:17 That's METER.com slash cyberwire. The NSA reshuffles its cybersecurity leadership. A new report unmasks ICE's latest surveillance system. CISA marks a milestone by retiring 10 emergency directives. Trend Micro patches a critical vulnerability. Grok dials back the nudes a bit. Cambodia extradites a cybercrime kingpin to China. Ghost Tap malware intercepts payment card data. Researchers disrupt a highly sophisticated VMware hypervisor exploit. European law enforcement arrests dozens of suspects linked to the international cybercrime group Black Axe.
Starting point is 00:02:13 Our guest is Sonali Shah, CEO of Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. And after firing the experts, DOGE hangs a help-wanted sign. It's Friday, January 9th, 2026. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. Happy Friday. It's great to have you with us. The National Security Agency is reshuffling leadership within its Cybersecurity Directorate, as it continues to wait for a Senate-confirmed chief, a vacancy that has stretched more than nine months.
Starting point is 00:03:17 David Mbordino, currently the Directorate's Deputy Chief, is expected to step in as acting head at the end of the month. Holly Baroudi, now serving in the United Kingdom, is slated to return this summer as acting deputy. The NSA declined to confirm personnel changes. The Directorate has lacked permanent leadership since early last year, following the departure of its top officials. Greg Smithberger, who has been leading in an acting role, will retire soon.
Starting point is 00:03:50 Established in 2019 to improve intelligence sharing and collaboration on cyber threats, the Directorate has played a visible role in election security and public advisories, including a recent malware warning with U.S. and Canadian partners. Leadership uncertainty remains across the agency, pending confirmations for senior roles at NSA and U.S. Cyber Command. U.S. Immigration and Customs Enforcement, that's ICE, has purchased access to a powerful surveillance system that allows agents to monitor neighborhoods, track individual mobile phones over time, and infer where people live and work, according to documents obtained by 404
Starting point is 00:04:34 Media. The system, built by data broker Penlink, relies on commercially sourced location data from hundreds of millions of phones and, under ICE's internal legal analysis, can be queried without a warrant. The tool allows users to draw geographic perimeters, identify devices present, and trace their movements across cities or the country. Civil liberties advocates warn this creates a sweeping surveillance dragnet with few safeguards, particularly amid ICE's mass deportation efforts. Critics argue the agency is exploiting legal loopholes to bypass Fourth Amendment protections, despite Supreme Court limits on telecom-based location tracking.
Starting point is 00:05:19 ICE and DHS declined to address detailed questions, while Penlink says its products use lawful data to support criminal investigations. CISA announced it has formally retired 10 emergency directives issued between 2019 and 2024, the largest number closed at one time. The move reflects that the directives have fulfilled their purpose of addressing urgent cyber risks facing the federal civilian executive branch agencies. CISA determined that required remediation actions are complete, or that the risks are now covered under Binding Operational Directive 22-01, which focuses on known exploited vulnerabilities. Several directives tied to specific vulnerabilities
Starting point is 00:06:06 were retired because those issues are now tracked through CISA's Known Exploited Vulnerabilities catalog. Others were closed because their objectives were met and the threat landscape has changed. Acting Director Madhu Gottumukkala said the milestone highlights strong collaboration across federal agencies and CISA's ongoing focus on rapid risk reduction and secure-by-design principles to strengthen federal cybersecurity. Trend Micro has patched a critical vulnerability in its Apex Central on-premises management console that could allow unauthenticated attackers to execute code with system privileges.
Starting point is 00:06:46 The flaw enables low-complexity remote code execution through malicious DLL injection without user interaction. The issue was reported by Tenable and affects systems exposed to the Internet. Trend Micro urges customers to apply critical patch build 7190 immediately, which also fixes two denial of service flaws, and to review access controls and perimeter security. Grok, the AI chatbot developed by xAI, has restricted its image generation feature to paying customers after mounting backlash in the UK over its misuse on X (Twitter). Previously, any user could prompt Grok to generate images, which led to widespread abuse, including the creation of sexualized and non-consensual images of real people, sometimes minors. UK ministers and regulators warned that the feature may violate the Online Safety Act, prompting threats of bans or boycotts if X failed to act.
Starting point is 00:07:51 Safeguarding Minister Jess Phillips called the tool's use an absolute disgrace, while Prime Minister Keir Starmer said the situation was completely unacceptable and warned that all options remain on the table. Regulators, including Ofcom and the Information Commissioner's Office, are now examining potential legal and data protection violations. Cambodian authorities have arrested and extradited Chen Zhi, head of the Prince Group conglomerate, to China, marking a major blow to Southeast Asia's sprawling online scam
Starting point is 00:08:26 industry. Chen, once a prominent Cambodian businessman with interests spanning banking, real estate, and aviation, is accused by U.S. and U.K. authorities of masterminding a multi-billion-dollar scam empire linked to online fraud, money laundering, and human trafficking. In October, Chen and dozens of Prince Group linked entities were sanctioned, while the U.S. Department of Justice seized roughly $15 billion in Bitcoin tied to his accounts and the UK confiscated high-value London properties. Experts say the arrest represents Cambodia's most significant action yet against elite scam operators, but note that extraditing Chen to China likely prevents wider scrutiny of alleged political and business complicity
Starting point is 00:09:16 that could have emerged in Western courts. Security researchers report that Chinese-linked threat actors are running an aggressive campaign distributing NFC-enabled Android malware dubbed Ghost Tap, designed to intercept and remotely relay payment card data. According to researchers at Group-IB, the malware is tied to groups including TXNFC and NFU Pay, and is spread through social engineering that tricks victims into installing malicious APKs disguised as legitimate financial apps.
Starting point is 00:09:52 Once installed, the malware relays NFC card data from a victim's phone to attacker-controlled devices, enabling contactless fraud worldwide. Distribution and sales are handled through subscription-based channels on Telegram, complete with tiered pricing and customer support. Researchers say the campaign reflects a highly professionalized criminal operation, highlighting growing risks to mobile payment systems, and the need for stronger endpoint security and user awareness. Huntress reports disrupting a highly sophisticated
Starting point is 00:10:28 intrusion in December of last year that leveraged VMware ESXi hypervisor exploits, likely following initial access through a compromised SonicWall VPN. According to the Huntress Tactical Response Team, the attackers used a stolen domain admin account to move laterally, deploy a custom ESXi VM escape toolkit, and attempt full hypervisor compromise, activity often associated with ransomware campaigns. The exploit chain abused multiple ESXi vulnerabilities later disclosed by VMware in March of last year,
Starting point is 00:11:07 enabling attackers to break out of a guest virtual machine and install a stealthy backdoor on the host. The toolkit supported 155 ESXi builds, suggesting long-term development, possibly a zero-day, and contained simplified Chinese artifacts pointing to a well-resourced developer in a Chinese-speaking region. Huntress and its SOC stopped the attack before impact, underscoring that basic controls like VPN security and aggressive ESXi patching remain critical despite advanced attacker tradecraft.
Starting point is 00:11:44 European law enforcement agencies have arrested nearly three dozen suspects linked to the international cybercriminal group Black Axe in a coordinated multinational operation. With support from Europol, Spanish National Police and German authorities detained 34 people across Spain, seizing cash and freezing bank accounts tied to the group's activities. Investigators say the Spain-based network caused nearly 6 million euros in fraud losses and was involved in business email compromise, romance scams, phishing, extortion, and related cyber-enabled crimes. Black Axe originated in West Africa and has evolved into a global operation, generating billions annually, according to law enforcement estimates.
Starting point is 00:12:31 Authorities say the group recruited money mules in high unemployment areas to launder proceeds. Europol says the arrests significantly disrupted operations and highlighted the value of cross-border cooperation against fragmented transnational cybercrime networks. Coming up after the break, my conversation with Sonali Shah from Cobalt, who says 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. And after firing the experts, DOGE hangs a help-wanted sign. Stay with us. What's your 2 a.m. security worry? Is it, do I have the right controls in place?
Starting point is 00:13:35 Maybe are my vendors secure? Or the one that really keeps you up at night, how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at vanta.com slash cyber.
Starting point is 00:14:22 That's v-a-n-t-a dot com slash cyber. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave,
Starting point is 00:14:49 And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero-trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at ThreatLocker.com slash N2K today. Sonali Shah is CEO of Cobalt, and in today's sponsored Industry Voices segment,
Starting point is 00:15:50 we discuss why 2026 is the year AI stops being a concept and becomes the central battleground of cybersecurity. You know, Dave, in 2025, a lot of companies, including Cobalt, experimented with AI. We experimented with AI in sales, in marketing, in engineering, right, in operations. And what I see happening in '26 is a lot of companies, including Cobalt, we're moving from experimentation to widespread usage of AI across the organization. In fact, we do this annual State of Pentesting survey, and this year we learned that nearly all of the survey respondents said they are currently integrating GenAI into their products and services, but only two-thirds said that they're actively conducting regular security assessments. So I think that with this sort of now increased adoption of AI, you know, forget AI, even just web apps, we still have so many, we still have such
Starting point is 00:16:54 an issue with vulnerabilities, I think, you know, AI is going to be the next battlefield for cybersecurity. You know, we're not just facing last year's battles. We're facing an entirely new class of machine speed threats that demand an autonomous defense and continuous offensive security mindset. Do you think it's fair to say that a lot of today's AI-driven security failures look a lot like the same old problems we've been dealing with for years? Actually, absolutely. There's a lot of stuff that's old. There are a few things that are new as well. I mean, if you think about identity, right, that's an issue we've, you know, had with humans and now it's the same thing with AI, right? So, you know, the AI agents now have their own identities. And so they'll have the exact same issues like excess privilege, you know, lack of life cycle management, static keys that are not rotated. So that'll be the same with prompt injection is, if you look at the OWASP Top 10 API threats, a lot of them are the same as we saw with web and API.
Starting point is 00:18:06 Now, there's a twist on some of them. So, for example, SQL injection, right? Now there's sort of a twist and it's called indirect prompt injection, where malicious instructions are embedded in external content that an AI model processes. So the attacker is never directly interacting with the AI prompt. Instead, they are poisoning data or files that they know the AI will ingest. And the AI can't tell the difference between legitimate data and malicious commands. So that's an example of where there's a twist on a well-known security vulnerability that we've seen for a long time.
Starting point is 00:18:58 And I know you've said that you consider that to be a serious blind spot here. Absolutely. You know, as I mentioned just in my opening, so many organizations are adopting these, you know, AI models and using AI models in their workflow. And they're just, they don't have the security in place to really protect against it. So I think this is something that we need to really focus on. It's not just about looking for people that are trying to steal our data. We also have to learn how to block intent, not just code. Right. So with some of these AI threats, you know, like the indirect attack, or even things like getting the AI to say responses that are not politically correct or not
Starting point is 00:19:45 accurate. That's really going beyond just stealing data. It's about manipulating the truth and manipulating how people are learning from AI systems. So we need to learn to block malicious intent, not just malicious code. Can we talk about authentication and identity? I mean, it seems to me like there's been a bit of a shift in the not, you know, recently that that identity and authentication are really becoming a common point of failure in a lot of security programs. Yeah, I think there's two sides to that. One is that, you know, the legacy controls, like, you know, biometrics, they're not, they were built for human attackers, not AI attacks.
Starting point is 00:20:30 So today, AI can, like this podcast, right, there's a lot of my voice recordings on the internet. An attacker could pretend to be me, have the same, you know, voice, speak the same way I do, have the face, same facial expressions, and pretend to be me. And we don't have the right protections for that. That's really, really hard for, you know, for humans to identify. So you've got these deep, fake, synthetic identities that are being created by AI. Then you also have AI getting really, really good at social engineering and phishing. So that's, again, Phishing is something that's been around forever,
Starting point is 00:21:13 but now it's just gone to another extreme where you have AI, I think, can get really specific information about a human and, you know, and phish them and get, you know, passwords. You know, then the other side of it is that agents, as we just talked about, have their own identities. And we need to make sure that we are restricting what they have access to.
Starting point is 00:21:36 We're making sure that we're rotating the keys. We're making sure that we're giving them access to only the things that they need and properly managing that life cycle. Is this a matter of adding on to our existing controls or do we need to take a fundamentally fresh look at authentication? I think it's both. I think the fresh look comes from like,
Starting point is 00:22:01 I don't know how with these deep fakes, right, what we have in place today is not working, right? So we absolutely, We absolutely do need to think about new ways of doing it. But there are something. So this is actually a funny example. I was having a conversation with my executive team. And one of our new hires said within the day of joining,
Starting point is 00:22:27 he got a text message from me asking for me to buy gift cards, for him to buy gift cards. Now, we're a cybersecurity company. Luckily, this employee knew it's not me, right? but sometimes you just need to think of like old school ways of getting around it. So I'm starting my executive team. Maybe we need to have a code word. So if you think it's me, ask me for my code word. So there's some things that are just kind of going back to the basics that we need to do,
Starting point is 00:22:58 some things that are working that we can continue doing. And then in other cases we need completely new solutions. What about the talent pipeline itself? I mean, to what degree is AI changing the way that we're developing our security talent here? How concerned should organizations be about that? I think AI is really reshaping the talent in every industry. You know, whether it's in cybersecurity, in engineering, in finance, in consulting, AI is automating the lower level jobs. Right.
Starting point is 00:23:33 So even finance, you know, I was talking to a P.E. firm recently, a partner there. And he was saying, we don't need a first year analyst. We can get AI to go research all the companies for us and suggest which companies we should look at investing in. So this is not just in cybersecurity. I think it's a problem across the board. But what happens then is that if you are using AI for the entry level roles, you still need the senior level roles. So after a while, where are your senior people going to come from if you have no junior people? Yeah. I think it's an issue where we need to figure out how we're going to, it's, it's not, maybe not an issue today, but five years from now it will be, because we just won't have enough people with the knowledge
Starting point is 00:24:19 and the experience, right? So there's just something that comes with making mistakes and learning from them. And if you're not doing those, you know, entry level jobs, learning, making mistakes, and seeing real world scenarios, right? There's just so much training you can do
Starting point is 00:24:53 it's very hard to learn in books. So I don't have a solution, but I do think it's a problem. Well, how do you envision that AI could be used for good in this sort of scenario? I mean, is this a matter of, still having junior people, but we always talk about AI freeing up people's times to focus on the important things. Is that a legitimate approach? So I think it depends on the industry. But, you know, for example, our, my head of engineering says he doesn't even want incoming, you know,
Starting point is 00:25:30 fresh out of school engineers to use AI. So maybe, you know, he's like, until you are an experienced developer. He doesn't want them to use AI because you don't even know if the AI is making mistakes because you yourself haven't made the mistakes. And then there's also a case where AI can be used to help train junior level people. So I think in, in there is a role for AI. I think we just have to be careful how we use it. I think there's also a big role AI is playing in defending against threats. Right. So we talked about so far the threats that AI poses, AI can also really help identify threats. And we've seen just in the last year there's been so much investment in, you know, the AI SOCs and AI, you know,
Starting point is 00:26:20 every type, every subsegment of cybersecurity now has an AI solution. So I think AI is also going to help in the defense as well. To what degree do you believe that we're in an AI bubble here? We're absolutely in an AI bubble when you think about funding and marketing. The amount of money going into AI security companies. It just absolutely baffles me, blows my mind, and the amount of noise in the market. And there's a lot of good coming out of it, right? There's a lot of interesting things. I think, though, the burst is going to come from unmet expectations, right? So you've got there are tools out there saying you don't need humans at all. AI can do everything, you know, the AI can do a lot of the low-level stuff. You still need humans in the loop.
Starting point is 00:27:10 And I know even just that, you know, at Cobalt in our roadmap, we're focusing on leveraging the best of humans, the best of data and the best of AI and automation to create the best offensive security. So I think that there will be a burst in the bubble and people will realize that, okay, there's a lot of stuff AI is good for. But still, especially in cybersecurity, a lot of things that really you need the human in the loop. Some of these business logic vulnerabilities are chained together, really novel type attacks where you need the human to really identify the threat. And AI can assist but won't be enough.
Starting point is 00:27:50 What's your advice for the folks in our audience, to the defenders out there to help them properly calibrate their approach to how they're going to integrate AI into their own organizations? Yeah, I would say, you know, with, with, there's so many tools out there today, and every existing cybersecurity tool is adding AI, then there's the AI native tools. I would say, don't get, don't get too caught up in all the marketing. For the most part, your existing tools are just fine. But I would look for your vendor to add AI capabilities.
Starting point is 00:28:26 And it's, it's, you know, be careful about adding AI just for the sake of adding AI sort of marketing versus adding AI that creates new functionality. So I think you should absolutely be asking your vendors how they're using AI, but think about what is the problem that you have and is AI solving that, you know? So for example, right, can AI help you with speed or with scale or does it give you a unique insight into how to remediate something, right? So really look for those proof points, but don't get caught up in all the hype. That's Sonali Shah from Cobalt. And finally, after shedding hundreds of thousands of federal workers, including many technologists, the Trump administration is back on the job market, cheerfully asking what could possibly go wrong. The newly minted U.S. DOGE Service,
Starting point is 00:29:42 born from the rebranding of the U.S. Digital Service under Donald Trump, is recruiting again, pitching massive impact and civic duty after a year of mass firings and agency shutdowns. DOGE's short-term operatives became infamous for cutting contracts, accessing sensitive systems and dismantling agencies, while the quieter permanent USDS staff kept working on things like passport renewals and veterans' benefits. Meanwhile, other administration-backed teams, including a White House design studio, and a new U.S. Tech Force are also hiring, despite earlier tech corps already existing. DOGE's legacy remains unsettled, promised savings never materialized, spending rose,
Starting point is 00:30:31 and many operatives departed after Elon Musk stepped back. Still, the help-wanted signs are up, optimism included. And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday, and my conversation with Martin Zugec, technical solutions director from Bitdefender. The research we're discussing is titled
Starting point is 00:31:13 EggStreme Malware, unpacking a new APT framework targeting a Philippine military company. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating
Starting point is 00:31:34 and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben.
Starting point is 00:31:54 Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference. The ideas and
Starting point is 00:32:53 conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today, at RSAconference.com slash cyberwire 26. I'll see you in San Francisco.
