CyberWire Daily - Message in the malware.
Episode Date: November 25, 2025
CISA warns of spyware targeting messaging apps. CodeRED, this is not a test. Infostealer campaign spreads via malicious Blender files. Shai-Hulud's second coming. Real estate finance firm SitusAMC investigates breach. Dartmouth College discloses Oracle EBS breach. Dave Bittner is joined by Tim Starks, Senior reporter from CyberScoop, to discuss the Trump administration's upcoming cyber strategy. And 'tis the season for deals — and digital deception.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Dave Bittner is joined by Tim Starks, Senior reporter from CyberScoop, to discuss the Trump administration's upcoming cyber strategy. Read Tim's piece on the topic, "Completed draft of cyber strategy emphasizes imposing costs, industry partnership".
Selected Reading
Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications (CISA)
CodeRED cyber attack leaves emergency notification system down, exposes user data (First Alert 4)
Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files (Morphisec)
Shai-Hulud's Second Coming: NPM Malware Attack Evolved (Checkmarx)
SitusAMC confirms breach of client data after cyberattack (The Register)
Clop's Oracle EBS rampage reaches Dartmouth College (The Register)
2025 Retail Holiday Threat Report: Scams and Impersonation Attacks Targeting Retailers (BforeAI)
The data privacy costs of Black Friday bargains: 100 Black Friday apps analyzed (Comparitech)
2025 Ransomware Holiday Risk Report (Semperis)
Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI agents are now reading sensitive data, executing actions, and making decisions across our environments.
But are we managing their access safely? Join Dave Bittner and Barack Shalef from Oasis Security on Wednesday, December 3rd, at 1 p.m.
Eastern for a live discussion on agentic access management and how to secure non-human identities
without slowing innovation. Can't make it live? Register now to get on-demand access after the event.
Visit events.thecyberwire.com. That's events with an s.thecyberwire.com to save your spot.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes
your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster,
scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A-com slash cyber.
CISA warns of spyware targeting messaging apps.
CodeRED, this is not a test.
Infostealer campaign spreads via malicious Blender files.
Shai-Hulud's second coming.
Real estate finance firm SitusAMC investigates breach.
Dartmouth College discloses Oracle EBS breach.
Dave Bittner is joined by Tim Starks, senior reporter from CyberScoop,
to discuss the Trump administration's upcoming cyber strategy.
And 'tis the season for deals and digital deception.
Today is Tuesday, November 25th, 2025.
I'm Maria Varmazis, host of N2K's T-minus Space Daily,
in for Dave Bittner today.
And this is your CyberWire Intel briefing.
Thank you for joining me, everyone.
Let's get started.
The U.S. Cybersecurity and Infrastructure Security Agency, better known as CISA,
issued an advisory yesterday warning of multiple cyber threat actors
actively leveraging commercial spyware to target users of mobile messaging applications.
The spyware is delivered via phishing, zero-click exploits, and app impersonation.
CISA notes that, quote, while current targeting remains opportunistic,
evidence suggests the cyber actors focus on high-value individuals,
such as current and former high-ranking government, military, and political officials,
as well as civil society organizations and individuals across the United States, the Middle East, and Europe.
A sophisticated cyber attack on the CodeRED Emergency Notification System managed by OnSolve
has forced its nationwide decommissioning and migration to a new platform due to service-disabling
infrastructure compromise. The breach exposed thousands of users' names, phone numbers, email addresses,
and passwords previously used to register for alerts, although no payment card or financial data
was stored. Localities across Missouri and Colorado, among others, remain unable to send
targeted voice, text, or email alerts for water main breaks, severe weather, and other emergencies,
leaving public safety communications vulnerable. Municipal officials are urging all affected users
to change reused passwords immediately, while emergency management agencies scramble to deploy
alternative alerting channels and prepare communities for a protracted system recovery timeline.
The supply chain malware campaign dubbed Shai-Hulud's Second Coming has resurfaced in the NPM ecosystem
using malicious packages with a two-stage loader that can propagate across 100 packages per execution
and wipe a compromised developer's home directory if authentication fails.
The threat now leverages randomly named GitHub repos
to reduce detection, abuses credential access to packages in CI pipelines, and has prompted
security firms to rapidly add affected versions to their malicious package databases.
Checkmarx: developers and organizations are urged to temporarily block access to public NPM
registries, review NPM token permissions, and configure endpoint protections to flag the
loader file names and malicious behavior.
Real estate finance technology vendor SitusAMC has confirmed that it discovered a breach on November 12th that resulted in the theft of client information, according to a report from The Register.
The company said in a statement, corporate data associated with certain of our clients' relationships with SitusAMC, such as accounting records and legal agreements, has been impacted.
Certain data relating to some of our clients' customers may also have been impacted.
The scope, nature, and extent of such impact
remain under investigation by the company
and its third-party advisors.
The New York Times cites sources
as saying that the company has notified
J.P. Morgan Chase, Citi, and Morgan Stanley
that their client data may have been affected.
The FBI is investigating the breach.
Dartmouth College has disclosed
that it was among the victims of a wave of zero-day attacks
targeting Oracle E-Business Suite, or EBS, instances,
according to a report from BleepingComputer.
The university hasn't disclosed the total number of impacted individuals,
but said in a breach notification with the Maine Attorney General's office
that just under 1,500 Maine residents were affected.
The breach occurred in August 2025 and involved names and social security numbers.
The Clop ransomware gang has posted the alleged stolen data to its leak site.
The other confirmed victims of Clop's Oracle EBS campaign include Logitech, Harvard University,
The Washington Post, Envoy Air, and Mazda.
John Hultquist, chief analyst at Google's Threat Intelligence Group,
told BleepingComputer that dozens of additional organizations were likely breached.
Coming up after the break, we have
Dave Bittner sitting down with Tim Starks, senior reporter from CyberScoop, to discuss the Trump
administration's upcoming cyber strategy. And 'tis the season for deals and digital deception.
your defense can be too.
NordLayer brings together secure access
and advanced threat protection
in a single, seamless platform.
It helps your team spot suspicious activity
before it becomes a problem
by blocking malicious links
and scanning downloads in real time,
preventing malware from reaching your network.
It's quick to deploy,
easy to scale, and built on zero-trust principles,
so only the right people get access
to the right resources.
Get 28% off on a yearly plan
at NordLayer.com slash Cyberwire Daily with code Cyberwire-28.
That's NordLayer.com slash Cyberwire Daily, code Cyberwire-28.
That's valid through December 10th, 2025.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by
enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop
unknown executables cold. With Ringfencing, you control how trusted applications behave, and with
ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free
of misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's
powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at ThreatLocker.com slash N2K today.
Joining me once again is Tim Starks.
He is a senior reporter at CyberScoop.
Tim, welcome back.
Thanks for having me back.
So very interested to read your coverage of some comments from National Cyber Director
Sean Cairncross about some upcoming plans from the Trump administration when it comes to cyber.
What do we got here, Tim?
Yeah, it feels like
they're moving pretty early on, compared to the Biden administration, certainly, on putting
out a national cybersecurity strategy under this second Trump administration. A draft is complete,
according to Brett Leatherman, who's a top FBI official. He says that's been circulated to him.
Sean Cairncross said it's been circulated in the interagency, so it's not just the FBI.
From here to when the actual strategy is released is vague. You know, this is where it got
hung up in the Biden administration, this interagency process. But he's talked about there's six
pillars. He didn't say what all six pillars were. He did say what two of them were,
and he hinted at two more. Okay, go on. So two of them
are, you know, what the administration, I think, is trying to put out there as sort of
its signature cyber difference maker, which is we're going to impose costs on
adversaries in a way that we haven't seen before. We're going to make it so that
the signal is sent: you're not allowed to do some of these things you've been doing
to us in cyberspace.
I think that's the big one.
Yeah.
The second one is public-private partnership.
We've heard this before, but to get a little bit more specific.
And before, I mean, my entire life,
I've been hearing about the public-private partnership.
But tweaking it, you'll recall the Biden administration,
their sort of big signature thing was let's shift the burden on who's responsible for protecting
people in cyberspace.
In their case, it was the private sector was a big part of that. This administration is saying too many regulations,
you know, we need to do something about that. There's some bipartisan sentiment
that the regulations have been a little too hasty and that they've been conflicted. They're going to say
we're going to spell out what we expect for each critical infrastructure sector, sector by sector, of the private
sector. And then the ones that were hinted at were enhancing the cyber workforce,
that's something that's going to be interesting to see,
considering how much this administration has done
to essentially get rid of a significant portion of the cyber workforce
with all the changes they've been making.
And then the other is modernizing federal government security,
modernizing the technologies that government uses to protect itself,
launching some pilot programs for new technologies, speeding up procurement,
testing technologies at the national labs,
a little bit more skin on the bone than we've seen from Sean Cairncross
on this to date. There have been a little bit of hints that he's trickled out about this,
and now they've trickled out even more.
It feels like it's starting to get a little bit more concrete.
I always feel like those modernizing programs are kind of like painting the Golden Gate Bridge.
You know, like when you start on one end and by the time you get to the other,
it's time to go back to the other end and start all over again, you know?
Yeah, sure.
And I, you know, to Sean's credit, I think he seems aware of that.
You know, the idea of trying to speed up procurement, I mean, certainly one of the issues with modernizing federal government infrastructure is that, yeah, it's by the time you put it in place, it's already obsolete.
So how do you get around that?
So it seems like he's at least trying to tackle that question that you're raising.
Yeah.
And speaking of deterrence or imposing cost, I mean, I think it's fair to say that that very much tracks with sort of broader policy trends within the,
the Trump White House?
Yeah, you know, this is something that we've heard from more than just Sean Cairncross,
and we've heard it from Alexei Bulazel, who is the top NSC official.
We've heard this from CISA officials.
We've heard it from basically the entire administration, except for, and this is something
going back to a story I wrote a couple weeks ago, except for the president himself.
Interestingly, you know, there's been a lot of talk about deterrence, talking about
Salt Typhoon and that espionage campaign.
When the president himself gets asked about cyber attacks, and again, let's be careful about how we use that word, because a lot of people would say, Salt Typhoon, what they were doing was not a cyber attack.
It was espionage, and that's different.
We can go back and forth round and round.
This is an age-old debate in the cyber world.
But the president's response, when he's heard, when he's been brought up about Salt Typhoon or like the Russian campaign, the alleged Russian campaign against the U.S. courts that we've been hearing about in recent
months, his response has been, yeah, you think we don't do that? Yeah, we do that too. We're better at it.
So the idea of deterring cyber espionage is one that we've been hearing from administration officials under Trump,
but Trump himself has been kind of shrugging his shoulders at the idea that that's even something worth
noting. Yeah. The other thing that you alluded to that interests me is this notion of building up the
cyber workforce amongst the feds.
And we've seen folks from CISA talking about 2026 being a year of building up.
And, you know, in the past year, everything we've seen with DOGE and the ongoing kind of
adversarial attitude towards certain CISA tasks.
Is that a fair way to say it?
Like, it's just, I'm sitting back and waiting to see how this is going to play out in
26. How about you? I am too. I mean, I've been talking to some folk in that area, let's say,
without revealing too much. And, you know, morale is terrible at the agencies, from what I've heard,
that are working on cyber issues. I mean, Nick Andersen, who's at CISA, has talked about how great
morale is, but that's not a lot of what I'm hearing. You know, if you're a federal government
employee in general right now.
You know, the people who I know who work in federal government, who still have their
jobs, are really just kind of hanging on until they can find something different or until
they hit retirement age.
We had a story that we wrote about people who might want to work for the federal government
in the future under the CyberCorps program.
Those people are dispirited about the idea of going to work for the federal government now.
There are not a lot of openings.
You know, we've heard more about the administration wanting to cut personnel even more
across the federal government.
It starts to get difficult to imagine
who would want to take these jobs
who don't already have them,
because not only is there
a shrinking availability,
but there's the shutdowns that happen
that are morale crushing.
Why would you want to go work for the federal government,
especially in cyber,
where you could have a really good paying job
in the private sector?
So the public service element of it
has been weakened. That's always been an appeal for the workforce. Let's go work for the government.
Let's go help people. But if you're treated like an adversary, is that something you want to do?
And those are some big questions. How do you incentivize these things? I mean, Sean talked about
the idea of reaching out to vocational schools. That's something we actually heard from the prior
national cyber director. That's a very different situation in terms of the idea of federal
government service right now than it was under that administration.
Yeah. How are you going to incentivize the best of the best who, even if they have a true interest in public service, you know, my recollection and understanding is that, you know, a federal job, a government job, you might not have been paid as much. It might not have been as, you know, glamorous or as exciting as in the private sector. But part of it was security, you know, the fact that you knew you'd have a job and get a paycheck. And that's not so certain anymore.
Yeah, I think that that then starts to narrow the pool of people.
One pool of them is the highly desperate, sadly to say, and the other pool is the true believers of the MAGA cause.
And how much do we know, and I don't know the answer to this question, I'm not raising it because I'm implying anything, but how much overlap do you have between people who have cyber skills and are desperate and cyber skills and who are
right-wing true believers? I don't know what that nexus is. And that raises open questions about
who would want to come to it. And those are the two pools. And I don't know that we know what
the level of cyber skill is in those communities. Well, your reporting here closes with a quote
from Sean Cairncross about his desire to kind of shop this around before just dropping it on people.
generally good response from other folks in government of that approach?
I think people are impressed by his overall approach.
In terms of what he's actually, using the word he used, socialized,
I don't know that. It's a very close hold. Naturally, I've been asking people
about what they've seen.
But one thing I think is surprising, and it seems like
I'm being very skeptical of what's going on here.
That's my job partially, but also
So you and I talked long ago when Sean Cairncross was picked for this job.
And there were a lot of people who were shrugging their shoulders and wondering what kind of job he was going to be able to do as someone who didn't have virtually any cyber experience.
He's impressed a lot of people on both the left and the right with his approach.
He seems like he's done his homework.
He seems like someone who is approaching these things carefully and thoughtfully is what a lot of the feedback is about his role.
And so I think people are impressed by how he's going about this.
I think that the questions come in about even if he approaches it well,
how good a job can he do under the circumstances of this administration.
Yeah.
All right.
Well, Tim Starks is senior reporter at CyberScoop.
We will have a link to his reporting in our show notes.
Tim, thanks so much for joining us.
Thanks for having.
At Thales, they secure what matters most. The most trusted companies and organizations utilize Thales cybersecurity products to protect critical applications, sensitive data, and identities anywhere at scale. Through their innovative services and integrated platforms, Thales provides customers a greater visibility of risks, the ability to defend against cyber
threats, close compliance gaps, and deliver trusted digital experiences for billions of consumers
every day. That's Thales. T-H-A-L-E-S. Learn more at cpl.thalesgroup.com.
At Desjardins, we speak business. We speak startup funding and comprehensive game plans. We've mastered
made to measure growth and expansion advice,
and we can talk your ear off
about transferring your business
when the time comes.
Because at Desjardins Business,
we speak the same language you do,
business.
So join the more than 400,000 Canadian entrepreneurs
who already count on us
and contact Desjardins today.
We'd love to talk, business.
And for our last story
today. Well, if you thought the holiday season was only stressful for shoppers, think again.
It turns out that cyber criminals are also making their lists and checking them twice.
According to the latest Semperis Ransomware Risk Report, attackers love striking when we're
distracted: weekends, holidays, mergers and acquisitions, basically any time your SOC is running on
half hour. With 78% of companies slashing SOC staffing during off hours, attackers basically get the
run of the house. And while organizations are distracted, shoppers aren't doing much better. PreCrime
Labs says that threat actors are rolling out holiday-themed phishing domains like their wrapping paper.
More than 1,700 suspicious sites popped up before December even started, with Halloween and
Black Friday scams spiking into the triple digits. Fake luxury stores, crypto-seasonal tokens,
travel deals to zombie festivals. Well, if it sounds festive,
if zombies can be festive,
someone is weaponizing it.
And if you are bargain hunting on your phone,
there's one more stocking stuffer for you.
Privacy risk.
Yep.
An analysis of top Black Friday apps
found that they request an average of 29 permissions.
Eight of them are considered dangerous, by the way.
And dozens were not exactly truthful
in their privacy policies, big surprise.
Some apps said that they don't access your location
while absolutely accessing your location.
So whether you are in the boardroom or in the checkout line,
remember that the holidays may slow us down,
but they speed cybercriminals up.
So stay merry and just stay alert too.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at theCyberwire.com.
We'd love to know what you think of our podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like this show,
please share a rating and review in your podcast app.
Please also fill out the survey in the show notes
or send an email to
cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our producer is Liz Stokes.
We are mixed by Elliot Peltzman and Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Maria Varmazis, in for host Dave Bittner.
Thank you for listening.
We'll see you tomorrow.
