CyberWire Daily - New sheriff in cyber town.
Episode Date: August 4, 2025
The Senate confirms a new national cyber director. A new commission explores the establishment of a separate Cyber Force. Cybercriminals exploit link wrapping to launch sophisticated phishing attacks. AI agents are hijacked, cameras cracked, and devs phished. Gene sequencers and period trackers settle allegations of oversharing personal data and inadequate security. Today we are joined by Tim Starks from CyberScoop discussing how China accuses the US of exploiting Microsoft zero-day in a cyberattack. OpenAI scrambles after a chat leak fiasco.
Selected Reading
Sean Cairncross confirmed as national cyber director (The Record)
Panel to create roadmap for establishing US Cyber Force (The Record)
Microsoft 365: Attackers Weaponize Proofpoint and Intermedia Link Wrapping to Steal Logins (WinBuzzer)
When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start (Aim Security)
LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code (Hackread)
Bitdefender Warns Users to Update Dahua Cameras Over Critical Flaws (Hackread)
Mozilla warns of phishing attacks targeting add-on developers (Bleeping Computer)
Gene Sequencing Giant Illumina Settles for $9.8M Over Product Vulnerabilities (SecurityWeek)
Flo settles class action lawsuit alleging improper data sharing (The Record)
ChatGPT users shocked to learn their chats were in Google search results (Ars Technica)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution
that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application
control simple and fast. Ring fencing is an application containment strategy
ensuring apps can only access the files, registry keys, network resources, and
other applications they truly need to function. Shut out cyber criminals with
world-class endpoint protection from ThreatLocker.
The Senate confirms a new national cyber director. A new commission explores the establishment of a separate cyber force.
Cyber criminals exploit link wrapping to launch sophisticated phishing attacks.
AI agents are hijacked, cameras cracked, and devs phished.
Gene sequencers and period trackers settle allegations of oversharing personal data and
inadequate security.
Our guest today is Tim Starks discussing China's allegations of the US exploiting a Microsoft Zero Day in a cyber attack,
and OpenAI scrambles after a chat leak fiasco.
It's Monday, August 4th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us.
Happy Monday.
It's great to have you with us.
Sean Cairncross, a former Republican National Committee official and Trump advisor, was
confirmed by the Senate as the new National Cyber Director in a 59-35 vote.
Despite having no background in cybersecurity, Cairncross gained bipartisan support and endorsements
from senior cyber experts.
He now leads the office of the National Cyber Director, which shapes federal cybersecurity
policy.
At his Senate hearing, he admitted limited cyber knowledge, but emphasized his management
experience.
He voiced strong support for collaboration and offensive cyber efforts.
Cairncross backed two key bipartisan bills, the Cybersecurity Information Sharing Extension
Act and the Rural Hospital Cybersecurity Enhancement Act.
He succeeds Harry Coker, a former NSA official, and follows Chris Inglis, the ONCD's first
director.
Cairncross pledged to deliver results for national security.
A new commission has launched to design how the US could establish a
separate cyber force aiming to influence next year's defense bill. Formed by the
Center for Strategic and International Studies and the Cyberspace Solarium
Commission 2.0, the 17-member group includes top former military and civilian
cyber leaders. Co-chaired by retired Lieutenant General Ed Cardon and Josh Stiefel, the panel assumes
presidential support for a cyber force and is focused on how to build it.
This comes amid delays in reforming U.S. Cyber Command and growing frustration over unprepared
cyber troops.
Critics, including retired Lieutenant General Charles Moore,
argue the Commission may undercut a separate, congressionally mandated feasibility study.
Still, the Commission says it's ready with a detailed blueprint should the President
demand a new cyber service.
Cyber criminals are exploiting email security tools like Proofpoint and Intermedia's link wrapping to launch sophisticated phishing attacks, according to Cloudflare.
By compromising protected accounts, attackers send emails containing malicious links.
These links are automatically rewritten by the security provider's trusted domains, making them appear safe. Victims are then lured to fake Microsoft 365 login pages to steal credentials.
Attackers use URL shorteners and multiple redirects to evade detection,
with phishing emails disguised as voicemails or shared documents.
This tactic reflects a broader trend of misusing trusted tech tools,
like AI and security platforms, for cybercrime.
Researchers at Aim Labs discovered a critical vulnerability dubbed
CurXecute in the Cursor IDE developer environment, allowing full remote code
execution via prompt injection. The flaw, with a severity score of 8.6, affects all versions before 1.3.
Exploiting it requires only a poisoned prompt delivered through an external service like
Slack, which rewrites a key file and executes attacker commands without user consent.
Because Cursor runs with developer-level privileges, attackers could steal data, deploy ransomware,
or manipulate AI behavior.
This mirrors past threats like EchoLeak, which showed how untrusted content can hack AI workflows.
The core issue lies in AI agents' reliance on external data, making runtime guardrails
essential.
Cursor patched the bug on July 8, but the attack pattern signals a wider, persistent
threat across developer AI tools.
Elsewhere, researchers at Pangea Labs have uncovered a new cyberattack method called
LegalPwn, which manipulates generative AI models into misclassifying malware as safe
code.
The technique hides malicious code inside fake legal disclaimers, exploiting AI's tendency
to respect legal-sounding language.
Tested across 12 major AI models, including ChatGPT, Gemini, and Llama, most were vulnerable, while only a few, like Claude 3.5 and Microsoft's
Phi-4, resisted.
In real-world tools like GitHub Copilot and Gemini CLI, the attack tricked systems into
recommending dangerous commands like reverse shells.
LegalPwn is a form of prompt injection similar to person-in-the-prompt attacks.
The research emphasizes the need for human oversight in AI security decisions
and recommends guardrails and manual review to prevent such manipulations from compromising systems.
Bitdefender has identified two critical security flaws in Dahua's Hero C1 and other security
camera models.
These bugs allow unauthenticated attackers to remotely execute code via buffer overflows
in the ONVIF protocol and file upload handler.
The flaws give full control over the device and affect widely deployed cameras in homes
and businesses.
Dahua patched the issue on July 7.
Users should immediately update firmware or secure devices by disabling UPnP and isolating
them from public networks.
Mozilla has issued a warning about a phishing campaign targeting developer accounts on its AMO platform, that's
addons.mozilla.org, which hosts over 60,000 extensions.
Attackers are sending fake emails impersonating the AMO team, urging developers to update
their accounts to retain access to development features.
Developers are advised to avoid clicking suspicious links, verify sender domains and email authentication,
and log in only via official Mozilla websites.
At least one developer reported falling victim.
Mozilla is monitoring the situation and promises updates.
Gene sequencing firm Illumina will pay $9.8 million to settle allegations it sold genomic systems
with known cybersecurity flaws to U.S. federal agencies from 2016 through 2023.
The DOJ claims Illumina lacked a proper security program, failed to patch vulnerabilities,
and falsely claimed its software met cybersecurity standards. CISA and the FDA had previously issued alerts about critical flaws in Illumina's products
that could allow remote takeovers.
A whistleblower lawsuit triggered the case,
with the informant receiving $1.9 million from the settlement.
Developers of the period-tracking app Flo have settled a class action lawsuit alleging
it shared sensitive reproductive data from millions of users with Meta and others, despite
promises of privacy.
The terms weren't disclosed, but the case involved up to 38 million women and could
have led to billions in damages.
The lawsuit claims Flo let Meta access menstruation data via an SDK for ad
targeting. Meta denies receiving such data. Flo previously settled with the FTC in 2021,
agreeing to obtain user consent for future data sharing.
Coming up after the break, Tim Starks from CyberScoop discusses how China accuses the
US of exploiting Microsoft Zero Days in a cyberattack, and OpenAI scrambles after a
chat leak fiasco.
Stay with us.
New adversary tactics and emerging tech to meet these threats is developing all the time.
On Threat Vector, we keep you a step ahead.
We dig deep into the threats that matter and the strategies that work.
How do they help that customer know
that what they just created is safe?
The future is now and our expectations are wrong.
Join me, David Moulton, Senior Director of Thought Leadership
for Unit 42 at Palo Alto Networks
and our guest who live this work every day.
We're not just talking about some encryption
and paying multimillion dollar ransom.
We're talking about fundamentally being unable to operate.
Automated eradication and containment.
So being able to very rapidly ID what's going on
in an environment and contain that immediately.
Is there a hiding in plain sight?
So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your front line for security insights.
CSOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform purpose-built to secure every
machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents.
Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises
secure their machine future.
Visit cyberark.com slash machines to see how.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots,
and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving
revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting
out of your GRC program.
Their trust management platform
automates those key areas – compliance, internal and third-party risk, and even customer
trust – so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta
are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's vanta.com slash cyber.
It is always my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, welcome back.
Hey, how are you?
I'm doing well, thanks.
So I'm looking at this article that you recently published.
This is about some accusations coming from China that the US may be
exploiting a Microsoft zero day. What's going on here, Tim?
Yeah, we've seen in the last few years China step up the
allegations against the United States about hacking.
You know, I wrote a story a couple years back about them increasingly doing this and the reaction
from the United States being like, well, yeah, of course the United States is hacking China.
And also, who are they trying to trick by kind of sort of turning the attention to us?
In this case, the thing that made this particular one interesting was that it would involve,
if it is to be believed, that the US used a zero day
in a Microsoft product specifically,
a US based company and exploited that zero day
to go after a couple of different Chinese military
enterprises that they don't name.
Specifically, they use the zero day in the first one
dating back to 2022, going through 2023.
The other hack didn't necessarily involve the zero day,
so I'm just going to amend what I said. But what's interesting about this is you don't see them
get this specific in some of their allegations. It also kind of makes you scratch your head about
the idea of a government exploiting a zero day of a US company. I mean, you can get into the idea of
how much the United States government maybe makes use of US companies
in some way, shape or form,
but the idea that they might be doing this
without Microsoft knowing is a kind of interesting idea
that I don't think I've heard talked about much before.
Yeah.
And then there's always this element
of essentially burning the zero day, right?
When you use it, then the cat's out of the bag for that one.
Exactly.
And the other thing of course,
is that Microsoft has had its share of zero days.
It's the biggest player in the field.
It's the most attacked.
It's the one that gives you the most access
to the most things.
So it's fascinating to hear,
whatever you think of whether China is believable on
this or not.
It's an interesting allegation because there's a certain part of my brain
that can't get around the idea that they think that the United States would not have
the help of the companies or that they would do this against US companies.
That's just a little less discussed in sort of the sphere of other things that are happening
outside of the United States borders.
What level of credibility can we realistically assign
to this Cybersecurity Association of China?
You know, I think what we can do is keep in mind
that anything that's coming out of China is propaganda.
Does that mean it's not true? It could be true. I just think you have to view it skeptically. At the same
time, you have to, of course, I think it was just in June that the president himself was
asked on Fox News about how much China is hacking us. And he said, you think we're not
doing it to them? Come on, get real. And you know, that's not the kind of thing you hear public officials say in the United
States very often.
They kind of dance around it.
They're like, we maintain offensive operations against our adversaries, but they won't get
into specifics and they won't treat it like, oh, it's so obvious that we're doing this.
And Trump was like, yeah, it's so obvious that we're doing this.
So I think it's possible for both those things to be true at the same time, right?
One is that we're definitely doing it.
Can you believe this specific allegation?
I think there's reason to be skeptical of it.
Yeah, it is interesting to me how little talk there is
in the press about US offensive operations.
We talk about spiders and snakes and bears,
but not so much about eagles.
I like it.
There have been times where companies have,
companies, independent companies,
meaning companies that are believed to be separate
from any sort of foreign government.
So Kaspersky has outed some US operations in the past.
Some people say, oh, Kaspersky is a Russia-based company, so are they really that independent? But I think
for the most part, even if you question what they would do if they were forced by Russia
to do something, these were things that they were doing in the routine course of their
business when they were having US clients. You will see the occasional other company
expose these things, but it's one of the only
people who are really calling out alleged US hacking is the Chinese government on a
routine basis.
They're the ones who seem to be really making a policy of it really.
And the number of companies who are outside the US who are calling out US operations is
pretty small.
I don't know if it's because we're better.
I don't know if it's because they're scared of the ramifications of going after the United States
compared to going after China.
It is a thing that I've always been fascinated by
that you often don't hear about US operations
unless a reporter breaks a story about it.
You look back at Stuxnet,
you look back at things that the Post reported,
Ellen Nakashima reported about cyber command
during the elections.
You don't get a
lot, we don't get a lot of information about what's going on on our offensive piece. And maybe there's
a good reason for that, right? It's classified. Maybe, you know, you would be extra careful if
you're a news outlet or a threat intelligence organization about, you know, going after that
kind of thing that is done by the country in which you reside.
Maybe there's a reason to be cautious about that,
but at the same time, it's definitely newsworthy
and it's definitely interesting,
and we are widely considered the best
and biggest player in this field.
So it's fascinating that we don't hear about it
as much as we hear about other things.
It's also possible, if I didn't say this already,
it's also possible we're just better
and we're better at hiding it.
Right, right.
To me, it is conspicuous in its absence. Yeah, I agree with you. And when given
the opportunity to interview, you know, practitioners, offensive operators, or
defenders too, you know, I've said does it ever happen that you're in the course
of your business, you're poking around inside of things and you come across something and you think to yourself,
oh, this looks to me like us.
And I don't really get satisfying answers
from that question, at least not so far.
Well, if I were you,
I think some of the earliest times anybody was trying
to crack this particular nut,
before I was at CyberScoop,
so I can't take credit for it,
but there was some reporting that the CyberScoop team did
about companies, you know,
they went to some of the biggest companies and said,
what happens if you happen across a US operation?
And most of the companies were like,
we're not going to talk about it.
So they basically have acknowledged that for the most part,
if you're a US company,
the US company isn't going to out a US operation.
It's just, if that thing, if that line from a few years ago holds true,
um, that would make a certain amount of sense to me.
Yeah, to me too. Before I let you go, I want to switch gears with another article you wrote.
This is about some, uh, legislation here that could, uh, try to protect the federal government
against quantum computing threats. Can you unpack this one for us?
Yeah.
I mean, this actually relates to China to a certain extent because we've seen US policymakers,
both in Congress and in the executive branch, worrying and also outside experts worrying
that China is getting a little ahead of us in the quantum computing game.
And if they do that, obviously that means our encryption regimes are no longer as protected
as we thought they would be.
So there was some legislation that
was bipartisan Senate legislation from Senator
Peters, Democrat of Michigan, and Senator Blackburn,
a Republican of Tennessee, introducing a legislation
to say, let's put together a strategy on quantum safe
cryptography, quantum safe computing.
And let's also, in addition to that,
because I think a strategy is a kind of thing
that a bill can call for, and it's just not that interesting.
But I think the most interesting part of the bill
is actually that it says, part of this
is that every agency that has a responsibility
for critical infrastructure protection must develop
a pilot program to protect at least one of your major,
most high value computing systems or networks.
So I think if this bill happens and, you know,
the Senate Homeland Security and Governmental Affairs
Committee has been a little bit of a dead zone
for legislative activity this year.
They did, though, on Wednesday, actually
move their first rule of legislation. And the bipartisan part of this maybe gives it a little
bit of life that I could see a bill like this moving forward, especially if, because Senator
Rand Paul, who's the chair of that committee from Kentucky, Republican, doesn't like anything
that costs any money. If he sees that this bill doesn't really cost much of anything
for the federal government, I could see this bill being a reality. It could actually happen.
So it's related to what we're talking about and it's an interesting kind of way to approach the
issue is to say, you know, a lot of the quantum legislation we've seen out there is about U.S.
research or things like that. This is about protecting U.S. federal government networks.
So that's a little different in terms of what we've seen from other quantum related legislation.
Yeah.
We will have links to both of Tim's stories
in our show notes.
Again, Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.
And finally, OpenAI quietly pulled a ChatGPT feature that left some users' deeply personal
chats like family drama, mental health confessions, and even sexcapades,
floating around in Google's search results.
Fast Company rang the alarm, revealing that users who clicked Share and ticked a vaguely
labeled box had unintentionally made their chats searchable.
OpenAI initially claimed the warning text was clear-ish, but soon admitted the
make-this-chat-discoverable setup was ripe for accidental oversharing.
Their chief InfoSec officer called it a short-lived experiment,
which, as Oxford ethicist Carissa Veliz puts it,
sounds a lot like, we tested this on you and hope no one noticed.
Now OpenAI is working to vanish the indexed content and clean up the mess.
There's a bit of a kicker that this comes just as the company is fighting a court order
to keep all deleted chats.
Even the mortWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There's a link in the show notes. Please do check it out.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.