CyberWire Daily - The day the cloud got foggy.
Episode Date: October 20, 2025

An AWS outage sparks speculation. An F5 exposure and breach raise patching and supply-chain concerns. Salt Typhoon breaches a European telecom via a NetScaler flaw. A judge bans NSO Group from WhatsApp. China alleges “irrefutable evidence” of NSA hacking. ConnectWise patches adversary-in-the-middle risks. A Dolby decoder flaw enables zero-click remote code execution on Android. A cyber M&A and funding surge signals a busy consolidation cycle. Our guest Jeff Collins, CEO of WanAware, shares how hospital consolidations are reshaping IT asset visibility and what it takes to close these gaps. One man’s quest to make AI art legit.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Jeff Collins, CEO of WanAware, sharing how hospital consolidations are reshaping IT asset visibility and what it takes to close these gaps.

Selected Reading
Cyberattack: Did China just bring Amazon down, along with Robinhood, Snapchat - what happened? Here's what experts are saying (The Economic Times)
F5 breach exposes 262,000 BIG-IP systems worldwide (Security Affairs)
Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack (Infosecurity Magazine)
Israeli spyware company blocked from WhatsApp (Courthouse News Service)
China Says It Found Evidence of US Cyber Attack on State Agency (Bloomberg)
ConnectWise Patches Critical Flaw in Automate RMM Tool (SecurityWeek)
Vulnerability in Dolby Decoder Can Allow Zero-Click Attacks (SecurityWeek)
NSO Group acquired by American investors. LevelBlue to acquire Cybereason. (N2K Pro Business Briefing)
Creator of Infamous AI Painting Tells Court He's a Real Artist (404 Media)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first-ever AI certification focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI+ practice exam is coming out this year to help you prepare for this certification's release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net/blog. And thanks.
At Thales, they know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
An AWS outage sparks speculation. An F5 exposure and breach raise patching and supply-chain concerns. Salt Typhoon breaches a European telecom via a NetScaler flaw. A judge bans NSO Group from WhatsApp. China alleges irrefutable evidence of NSA hacking. ConnectWise patches adversary-in-the-middle risks. A Dolby decoder flaw enables zero-click remote code execution on Android. We've got a cyber M&A and funding surge that signals a busy consolidation cycle. Our guest is Jeff Collins, CEO of WanAware, sharing how hospital consolidations are reshaping IT asset visibility and what it takes to close those gaps. And one man's quest to make AI art legit.

It's Monday, October 20th, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. It's great to have you with us, and good to be back from a lovely week-long vacation last week. My thanks to Maria Varmazis for filling in on the mic.

A widespread Amazon Web Services outage disrupted major apps worldwide, fueling attack rumors that sources say lack evidence. Amazon's status page reported increased error rates and latency in the US-EAST-1 region, cascading across services like Snapchat, Robinhood, Roblox, and Fortnite. Downdetector logged thousands of reports in the United States, Canada, and Europe. AWS said engineers were mitigating the issues and services were gradually recovering Monday morning. It's noteworthy that a single cloud region's failure can interrupt trading, communications, and gaming at scale. Security teams should stress-test multi-region failover and vendor resilience. The speculation shows how routine outages can trigger geopolitical anxiety, so clear, timely incident communication remains essential.
The Shadowserver Foundation found over 262,000 F5 BIG-IP systems exposed online, while F5 disclosed a nation-state breach with stolen BIG-IP source code. Over 130,000 exposed systems are in the United States. Patch status remains unclear. F5 says attackers accessed BIG-IP development and engineering systems in August. The company reports containment, no tampering with source code or supply chain, and limited customer configuration data stolen. F5 is notifying clients. They filed a Form 8-K and delayed disclosure at the U.S. government's request. F5 privately links the activity to China-nexus group UNC5221 and warns about the BRICKSTORM backdoor. Broad exposure plus uncertain patching increases exploitation risk. NCSC and CISA urge customers to locate F5 assets, secure management interfaces, assess for compromise, and apply current updates.
China-based group Salt Typhoon is exploiting a Citrix NetScaler Gateway flaw to infiltrate a European telecom, Darktrace reports. In July, attackers moved from the gateway to Citrix Virtual Delivery Agent hosts. Attackers hid behind SoftEther VPN infrastructure. They deployed Snappybee, also called Deed RAT, via DLL side-loading with antivirus executables from Norton, Bkav, and IObit. Command and control used HTTP and an unidentified TCP protocol, with Internet Explorer headers observed. The case underscores persistent, stealthy tradecraft that blends into trusted software. It highlights the need for anomaly-based detection and proactive defense across critical sectors. Organizations should harden exposed appliances and monitor lateral movement from remote access gateways.
A federal judge barred NSO Group from targeting WhatsApp and cut Meta's jury award to just over $4 million. U.S. District Judge Phyllis Hamilton found evidence Pegasus spyware could still infiltrate WhatsApp, granted a permanent injunction, and capped punitive damages at 9 to 1. Meta's 2019 suit alleged violations of the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, plus terms of service. The injunction covers WhatsApp only. Hamilton wrote that NSO continued trying to bypass WhatsApp security and that the unauthorized access harms users' informational privacy. This matters because the order blocks data collection and addresses zero-click techniques while signaling consequences for commercial spyware targeting encrypted communications.
China accused the U.S. NSA of hacking its National Time Service Center, citing irrefutable evidence and a detailed timeline. The Ministry of State Security said NSA exploited mobile phone vulnerabilities of center employees since March 25, 2022, and used stolen credentials from April of 2023 to access computers. Private servers masked origins. The facility supports high-precision time services and international time calculations. The claims point to risks for critical infrastructure that supports government, civil society, and industry. They also come amid escalating U.S.-China tensions and mutual cyber accusations. Defenders should review protections for time sources and monitor for credential abuse and mobile exploitation.
ConnectWise has patched two adversary in the middle flaws, urging on-prem customers to update and enforce
TLS 1.2.
The first vulnerability with a CVSS of 9.6 exposed clear-text transmissions.
The second lacked integrity checks on downloads.
Agents configured for HTTP or weak encryption risked intercepted communications
or malicious update replacement.
The patch enforces HTTPS for all agent traffic.
The vulnerabilities meant local network attackers could view, modify, and tamper with Automate operations.
Users should patch immediately and validate secure configurations.
A Dolby Unified Decoder flaw enables remote code execution, including zero-click exploitation on Android, researchers from Google report. The decoder processes Dolby Digital Plus, AC-4, and other formats. Project Zero found an out-of-bounds write triggered by evolution data handling. An integer wrap caused an undersized buffer and a bounds-check failure, enabling overwrite of struct members, including a pointer used on a following sync frame. Audio messages can trigger the flaw. Android decodes audio automatically, enabling zero-click code execution in the MediaCodec context. Microsoft addressed the issue in October updates, with user interaction required on Windows, and Google included patches in ChromeOS releases.
In this week's Business Roundup, cyber dealmaking accelerated across spyware, managed security, email, and identity, as NSO confirmed a sale and major roll-ups advanced. NSO said a U.S. investment group acquired the firm for tens of millions, while keeping Israeli regulatory and operational control. Calcalist reported a Robert Simonds-led investor group, not confirmed by NSO. LevelBlue agreed to acquire Cybereason, adding SoftBank Corp., SoftBank Vision Fund 2, and Liberty Strategic Capital as LevelBlue investors, and aligning with prior Trustwave and Stroz Friedberg deals. Kaseya acquired INKY, which remains standalone and joins Kaseya 365 User. Pentera bought DevOcean to extend from adversarial testing to remediation. French MSSP Nomios acquired Intragen, targeting 650 million euros in revenue in 2026. Capital flowed to core security segments. Resistant AI raised a $25 million Series B. Pantheron secured $12 million in a Series A. Authenticate obtained $12 million in debt financing. SightHop raised 7.5 million pounds. Arcjet announced $8.3 million in a Series A. Mind the Hack closed a $2.8 million seed. Nymis raised $2 million. Talion secured $2 million, while Hyperbunker raised 800,000 euros. The pattern points to bundling XDR, MDR, DFIR, email security, and IAM at scale.
Coming up after the break, Jeff Collins from WanAware shares how hospital consolidations reshape IT asset visibility and what it takes to close those gaps.
And one man's quest to make AI art legit.
Stay with us.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's v-a-n-t-a.com/cyber.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research, and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/msi.
Jeff Collins is CEO of WanAware. I recently sat down with him to learn how hospital consolidations are reshaping IT asset visibility and what it takes to close the gaps.
When we think about hospitals, especially health care institutions holistically over the last, let's call it, five years definitely, this even occurred prior to that, but there's a lot of consolidation going on. Lots of mergers, lots of acquisitions, lots of large institutions buying up smaller hospitals, buying up smaller clinics, ambulatory surgery centers, etc. One of the things that we found is, as those acquisitions happen, a lot of risk is happening within those organizations, specifically within the realm of assets that they just don't know about, which creates security and operational concerns and constraints, whether those assets are laptops or desktops. Maybe they're a machine that is used by a doctor or a nurse. IoT devices. You know, smart healthcare systems, smart EKG, smart patient monitors. All those types of things, we see large amounts of these gaps within the healthcare space.

Yeah, I mean, I can imagine just anybody who's visited a hospital lately, there's just so many devices. And of course, you know, they're all connected in one way or another these days. To what degree is this a matter of devices that are in active use or devices that are sitting in a storeroom somewhere, or is it a combo of both?
Well, where we see the gap is really, you know, certainly active devices become problematic. The devices that are even more problematic, though, are those devices that are technically active, but nobody knows about them. They're connected to the hospital Wi-Fi network. They're connected to an Ethernet jack plugged into a wall somewhere. Those are the ones that become even more problematic because nobody knows they exist. They're not patched. They're not maintained. They're not controlled. Sometimes they have, you know, ubiquitous access outbound or ubiquitous access inbound, where, you know, if we're thinking about it from a security perspective, you know, a bad actor outside of the four walls, or even inside of the four walls of a hospital or a health care facility, can leverage those. When we think about operational risk, oftentimes those devices have risks. They can generate DDoS attacks. They can be leveraged to perform a whole multitude of attack vectors inside of a health care institution. Sometimes those devices are unknown, but they're part of something that is known. Maybe it's a back-end system that's required for an MRI or for a CAT scan. That device goes down. Nobody has any idea that a device exists, and that becomes problematic across the board within that health care institution, regardless of if they're a hospital or a physician's office or a surgery center or whatever it may be.
So what is the typical fallout when a merger happens between a couple of medical facilities and they suddenly find they have to blend all of these devices?

Yeah. So what we've seen, certainly within our surveys that we've sent out, and we do lots of surveys each year to try to understand what is the scope of this. You know, when we look at those surveys, certainly high percentages of organizations don't know everything that they have. When we think about fallout, fallout is somewhat harder to measure. We can look at fallout in the realm of publicly disclosed breaches. Certainly, there's, you know, those keep continuing upward in trajectory. We see more and more of those every single year. As we see those breaches, those give us a good insight into what's going on, primarily because generally those breaches are disclosed where they started, and oftentimes they're started from a machine that's either known or unknown, or a machine that has some level of compromise that could be leveraged by an attacker. Operational risks become harder, because oftentimes those don't get disclosed to the general public, because there's not really a regulatory constraint unless something happens and a patient outcome is affected directly, which is extremely problematic, but, you know, the reporting within that and the reporting of such is certainly noticeably less.
Well, I mean, obviously this is your area of expertise, being able to inventory what's on someone's network. Can you help us understand, like, where do we stand today? What is the state of the art when it comes to best practices for trying to get a handle on what exactly you've got on your network?

Yeah. So certainly best practice today is to leverage technologies that allow organizations to, number one, understand what assets they have without creating operational or security risk to the organization. There's lots of technologies out there that will do scanning, that you can deploy agents, you can deploy all those things. The risk is that anytime you do a scan, and anytime, especially if it's an authenticated scan, and anytime you deploy agents, that creates additional risk for the organization. As we talk to health care institutions, whether those are hospitals or all the way down the line, we find that, generally speaking, they have technologies already that they could leverage to get this information. They just historically haven't had a great capability of correlating that data, tying it all collectively together, and being able to action on it. And so, as we talk to organizations, that's really the big piece that we push on is, you know, don't go buy and deploy new scanners, or don't go and deploy new agents. That creates additional risk, but rather leverage the technologies you have, whether they're endpoint protection technologies, whether they're existing firewalls, and all those individual components, and then how you can take all of that and collectively understand the scope of what you have organizationally, and you can now quantify your risk, understand that, and then ultimately over time minimize and mitigate that risk, both from a cybersecurity as well as an operational perspective.
What happens once you've gotten past that initial evaluation period, and now you've got, let's call it, ongoing monitoring of the situation? Because an organization like a hospital is practically a living, breathing organism of its own, right? Things are constantly changing when you're running a place at that scale.

Yeah. Yeah. So once you've actually got those assets ingested, once you understand the relationships, really the reality is it's twofold. Number one, you have to make sure that quickly you can understand new assets. That living and breathing organism, which is a health care organization, whether it's a hospital or even a physician's office, the reality is they're constantly getting new technologies, deploying new technologies, changing older technologies out. That is a constant change that's happening. The reality is you have to be able to keep up with that. Getting an understanding of everything we have today, certainly that's a benefit, and we should applaud that. But when the world changes tomorrow, there's only so much that we can rest on our laurels. And so the reality is that we have to continuously be able to understand new things coming in. We have to have flexible systems that allow changes in technology, that allow innovation, which is drastically happening inside of the health care environment. All of us hear about AI, and we hear about how AI is changing all of this and how AI is changing patient outcomes and technology stacks, and we have machine learning going on, and we have massive-scale data lakes and data warehouses happening. All those things occur, but really that first big piece is you have to be able to adapt and change as your environment evolves. The second major piece is, once you've had that capability of evolving and understanding and being able to change with the business, the second thing you really have to do is to be able to act upon that. So just because you have things and just because you have knowledge, if there's an outage, you know, you have to have the ability to resolve that quicker. Outages are operational. If there's a breach, you have to be able to get to the source, understanding what we call the blast radius. You know, when something happens, whether that's operational or cybersecurity related, that happens generally in one device or in one application. But that expands and grows oftentimes across an organization. If it's a breach, maybe it's one machine that was originally breached, and then that grew to a hundred or a thousand or sometimes even more than a thousand machines. If it's an operational risk, that may have been one machine that went down, but that was crucial in, let's say, the entire EHR system or the entire EMR system. That one individual machine became something that problematically took out the entire health care organization. And really that resolution time, of being able to leverage this, provide benefit to the business itself, is crucially important.
What's your advice for that security professional who's looking at their own situation and is feeling intimidated by the potential for what they're going to find out? They're afraid that they might be overwhelmed with the information that's going to be presented to them.

Well, what I would say is every health care cybersecurity professional should be concerned. The reason why is because what's happened historically, any time they've heard, I can get more information, what that has equated to is more non-actionable alerts, more non-actionable events. That's the reality of what has happened. You know, if I go back in my history, 25 years in technology, all of us that have been in the space a long time, that's what we've heard for 25 years. You can get this brand new technology and it will give you all the insight in the world. And the reality is it was a whole bunch of alerts and a whole bunch of events that just wasted time. It's what cybersecurity people call the false positive. False positives are what break everything. That's what creates the work effort that can't be resolved. The key is, you have to do this without getting false positives. Now, how do we do that? You do it by understanding context. Cybersecurity professionals understand that things are false positives because they understand the context around that alert. They can look at that alert. They can see it's associated with this device. They understand if they have a compensating control that might be mitigating that. They understand if it's siloed, maybe it's in a zero-trust model where it's only that machine. Sure, that machine is breached. It's very low priority and very low risk to the organization. And while it came across as a critical event, it's really something that can be dealt with tomorrow or in a week or whatever it may be. It has no patient data on it. It really just has no priority to the organization. That's where cybersecurity professionals have historically provided that context. The key going forward is that technologies as well as processes and procedures have to be able to do that more systematically. Our cybersecurity professionals have to be able to focus on the risks that really matter to the organization, those which require people, and the rest of this stuff, mitigating false positives, mitigating operational risk, doing all these types of things, those all need to be done by systems, and they need to be done in a manner where we're not getting more and more alerts and metrics and all of this log information that's really just false positives that waste people's time.
That's Jeff Collins, CEO of WanAware.
access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply.
Learn more at amex.ca.
This episode is brought to you by Peloton.
A new era of fitness is here.
Introducing the new Peloton Cross Training Tread Plus, powered by Peloton IQ,
built for breakthroughs with personalized workout plans,
real-time insights and endless ways
to move. Lift with confidence.
While Peloton IQ counts reps,
corrects form, and tracks your progress.
Let yourself run,
lift, flow, and go.
Explore the new Peloton Cross Training Tread Plus
at OnePeloton.ca.
And finally, Jason Allen is still fighting to prove that a robot-assisted masterpiece can, in fact, belong to its human co-pilot. In 2022, Allen stunned and infuriated the art world by winning the Colorado State Fair's fine arts competition with an image spun up by Midjourney, the then-new AI art generator. Since then, he's spent three years in legal limbo, trying to convince the U.S. Copyright Office that his digital muse didn't steal his thunder. In August, he filed yet another brief, hoping to claim authorship over Théâtre D'opéra Spatial, and, conveniently, to sell limited-edition oil prints of it that promise the gravitas of a 19th-century masterwork, minus the hand cramps. He insists the creative act lies in the hundreds of prompts he typed to coax the machine into beauty. Whether the courts will agree is anyone's guess. Whether it's art or algorithm, Allen's work has definitely sparked some creative debate.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
