CyberWire Daily - The oversized file that stalled the internet.

Episode Date: November 19, 2025

Cloudflare’s outage is rooted in an internal configuration error. The Trump administration is preparing a new national cyber strategy. CISA gives federal agencies a week to secure a new Fortinet flaw. MI5 warns that China is using LinkedIn headhunters and covert operatives to target lawmakers. Experts question the national security risks of TP-Link routers. The China-aligned PlushDaemon threat group hijacks software updates. Researchers discover WhatsApp’s entire global member directory accessible online without protection. LG Energy Solution confirms a ransomware attack. ShinySp1d3r makes its debut. Rotem Tsadok, Director of Security Operations and Forensics at Varonis, is sharing lessons learned from thousands of forensics investigations. A judge says Google’s claims to water use secrecy are all wet.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment, we are joined by Rotem Tsadok, Director of Security Operations and Forensics at Varonis, sharing lessons learned from thousands of forensics investigations. Listen to Rotem's full conversation here.

Selected Reading
Cloudflare blames this week's massive outage on database issues (Bleeping Computer)
National cyber strategy will include focus on ‘shaping adversary behavior,’ White House official says (The Record)
CISA gives govt agencies 7 days to patch new Fortinet flaw (Bleeping Computer)
Chinese Spies Are Using LinkedIn to Target U.K. Lawmakers, MI5 Warns (The New York Times)
No evidence that TP-Link routers are a Chinese security threat (CSO Online)
PlushDaemon compromises network devices for adversary-in-the-middle attacks (welivesecurity)
3.5 Billion Accounts: Complete WhatsApp Directory Retrieved and Evaluated (heise online)
LG Energy Solution reports ransomware attack, hackers claim theft of 1.7 terabytes of data (beyondmachines)
Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters (Bleeping Computer)
Google Strives To Keep Data Center Water Use Secret After Judge Orders Records Released (Roanoke Rambler)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?
N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. From phishing to ransomware, cyber threats are constant, but with NordLayer, your defense can be too. NordLayer brings together secure access and advanced threat protection in a single, seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero-trust principles, so only the right people get access to the right resources.
Starting point is 00:00:46 Get 28% off on a yearly plan at NordLayer.com slash CyberWire Daily with code CyberWire-28. That's NordLayer.com slash CyberWire Daily, code CyberWire dash 28. That's valid through December 10th, 2025. Cloudflare's outage was rooted in an internal configuration error. The Trump administration prepares a new national cyber strategy. CISA gives federal agencies a week to secure a new Fortinet flaw. MI5 warns that China is using LinkedIn headhunters and
Starting point is 00:01:34 covert operatives to target lawmakers. Experts question the national security risks of TP-Link routers. The China-aligned PlushDaemon threat group hijacked software updates. Researchers discover WhatsApp's entire global member directory accessible online without any protection. LG Energy Solution confirms a ransomware attack. ShinySp1d3r makes its debut. We've got Rotem Tsadok, Director of Security Ops and Forensics at Varonis, sharing lessons learned from thousands of forensics investigations. And a judge says Google's claims to water use secrecy are all wet. It's Wednesday, November 19, 2025.
Starting point is 00:02:23 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. It's great as always to have you with us here today. Yesterday, Cloudflare suffered its worst outage in six years after a routine database permissions change triggered a cascading failure across its global network. The issue began when the update caused the bot management system to generate an oversized configuration file that exceeded built-in limits and crashed critical traffic routing software. The faulty file contained duplicate metadata
Starting point is 00:03:11 that pushed the system past its 200-feature cap. Clusters alternated between healthy and broken states as machines produced conflicting configuration files every five minutes. The oversized file then propagated across the network, causing system panics and widespread errors. Engineers restored core traffic by replacing the file with an earlier version. The Trump administration is preparing to release a new national cyber strategy, according to National Cyber Director Sean Cairncross, who said the effort is moving quickly and aims to provide a single coordinated approach, unlike previous attempts. Speaking at the Aspen Cyber Summit, Cairncross outlined six planned pillars, including a focus on shaping adversary behavior and improving public-private partnerships.
Starting point is 00:04:06 He argued the United States has not effectively signaled consequences to cyber adversaries, noting that ransomware responses remain fragmented and lack a long-term government-wide plan. Cairncross said the forthcoming strategy will be concise and paired with immediate action items, and that his office is modernizing federal processes, including technology procurement and collaboration with national labs. Officials across government have already contributed input, according to FBI Assistant Director Brett Leatherman. Former Acting National Cyber Director Kemba Walden emphasized that clear deliverables and aligned budgets are essential to make the strategy effective. CISA has ordered U.S. federal agencies to secure Fortinet FortiWeb devices within a week after discovering active exploitation of an OS command injection flaw.
Starting point is 00:05:01 The vulnerability allows unauthenticated attackers to execute unauthorized code through crafted HTTP requests or CLI commands. Added to CISA's Known Exploited Vulnerabilities catalog, the flaw must be remediated by November 25th. CISA warned that such vulnerabilities are common attack vectors and pose significant risks to federal networks. Britain's MI5 warned that China's Ministry of State Security is using LinkedIn headhunters and covert operatives to target lawmakers, parliamentary staff, consultants, economists, and think-tank researchers. The alert follows a collapsed espionage case involving two men accused of aiding Beijing. MI5 identified two China-based headhunters as recruiters who approached targets under corporate
Starting point is 00:05:53 cover to solicit geopolitical reports that feed wider intelligence efforts. China denied the allegations as fabrication. Security Minister Dan Jarvis called the activity a calculated attempt to interfere with UK affairs and announced new countermeasures, including 170,000, billion pounds to upgrade government networks, expanded election security efforts, and steps to protect universities from covert influence. Experts say the U.S. House Select Committee on the Chinese Communist Party's request to investigate TP-Link for national security risks is built on weak evidence and selectively targets one
Starting point is 00:06:35 Chinese manufacturer. The lawmakers cite open-source reports, including work from former FCC Commissioner Michael O'Rielly at the Hudson Institute and research from Check Point's Itay Cohen, with neither showing TP-Link acting maliciously. O'Rielly notes past TP-Link vulnerabilities were patched, and Cohen's findings show Chinese APT malware could just as easily infect routers from Cisco or Netgear. Additional claims about Volt Typhoon overlook that DOJ removals involved Cisco and Netgear devices, not TP-Link. Researchers, including Cohen and KnowBe4's Roger Grimes, stress that all routers are broadly vulnerable
Starting point is 00:07:19 because users rarely patch them. Critics argue focusing on TP-Link distracts from larger risks tied to widespread dependence on China-made technology. Researchers from ESET detail how the China-aligned PlushDaemon threat group uses its previously undocumented EdgeStepper network implant to hijack software updates through adversary-in-the-middle attacks. EdgeStepper redirects all DNS queries on compromised network devices to a malicious DNS node, which reroutes legitimate update traffic to attacker-controlled servers. From there, victims
Starting point is 00:07:58 receive LittleDaemon, followed by the DaemonicLogistics downloader, which ultimately deploys the group's SlowStepper backdoor. Active since at least 2018, PlushDaemon has targeted individuals and organizations across China, Taiwan, Hong Kong, Cambodia, South Korea, the United States, and New Zealand. ESET's analysis shows the group compromising routers or servers, exploiting weak credentials or vulnerabilities, and hijacking updates for software to deliver malware. Austrian researchers discovered that WhatsApp's entire global member directory, more than 3.5 billion accounts, was accessible online without protection, allowing them to download phone numbers,
Starting point is 00:08:45 profile data, public keys, and profile photos at scale. Meta ignored their warnings for a year before responding, ultimately calling the issue a scraping problem and saying no private messages or non-public data were exposed. The data set revealed sensitive information such as workplace details, political or sexual orientation, links to social profiles and device usage patterns. Researchers also identified millions of active accounts in countries where WhatsApp was banned, creating potential safety risks for users. Roughly 57% of users had publicly visible profile photos, enabling large-scale facial recognition mapping between faces and phone numbers.
Starting point is 00:09:32 LG Energy Solution confirmed a ransomware attack on one of its overseas facilities after the Akira gang listed the company on its leak site. The group claims to have stolen 1.7 terabytes of data, including corporate documents, financial records, SQL databases with employee information, confidential projects, and partner data. LG says the affected site has been restored and that headquarters and other facilities were impacted. The company has not disclosed how many individuals were affected and has launched an investigation. ShinySp1d3r, a new ransomware-as-a-service platform developed by threat actors
Starting point is 00:10:15 tied to ShinyHunters, Scattered Spider, and Lapsus$, has surfaced through early builds uploaded to VirusTotal. Researchers found the group is shifting from using others' encryptors to building its own from scratch. Analysis by Coveware shows the Windows encryptor includes event logging evasion, process killing, network propagation, anti-analysis features, shadow copy deletion, and ChaCha20 encryption with RSA-2048 protected keys. Each file receives a unique extension and metadata-rich header. Victims get hard-coded ransom notes and a warning wallpaper. ShinyHunters says Linux, ESXi, and a faster lightning version
Starting point is 00:11:02 are in development with the operation to run under the Scattered Lapsus$ Hunters brand. Coming up after the break, Rotem Tsadok from Varonis shares lessons learned from thousands of forensic investigations, and a judge says
Starting point is 00:11:26 Google's claims to water use secrecy are all wet. Stay with us. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most. Applications, data, and identity.
Starting point is 00:12:14 That's Thales. T-H-A-L-E-S. Learn more at ThalesGroup.com slash cyber. Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform.
Starting point is 00:13:09 And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter dot com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire. Rotem Tsadok is Director of Security Operations and Forensics at Varonis. In today's sponsored Industry Voices segment, he shares lessons learned from thousands of forensic investigations. A rather small oversight that has kept us very busy for a few months. Microsoft Direct Send is a feature in Exchange Online that allows devices or applications like
Starting point is 00:14:17 printers or scanners to send emails directly to recipients inside your organization without authenticating through a mailbox. And I repeat, without requiring any authentication at all. So what happens is once an attacker abuses this feature, the victim receives an email that appears to come from themselves. To create the urgency, like typical phishing attacks and so on, the attackers frame the message as a missed call or fax and include a QR code as the attachment, asking the user to scan or to retrieve the message in some way or another. Basically, boom, credentials are stolen, right?
Starting point is 00:14:58 So in the past few months, we've been swamped with cases where this Direct Send feature was enabled without anyone realizing what that really means. Essentially, it's like, you know, leaving the front door wide open for attackers. So the threat actors actually figured out they can use the setup to send spoofed emails to bypass security controls without ever logging or touching the tenant. And the impact in multiple incidents was sometimes even scary. Like we had to contain compromises of dozens of accounts. Attackers in some cases managed to log on to some customers' Entra ID and pivoted into administrative apps, expanding their reach and then sending it and then really stealing sensitive data.
Starting point is 00:15:39 What's the rationale for the functionality itself? What's the good side of this? The good side of it, I think, it's basically to allow devices that cannot authenticate to send you messages within the organization. But I think if you think this through, you should allow that only from internal endpoints and not necessarily from anyone over the internet, right? So the idea was just for devices that cannot support different authentication mechanisms. Well, when you're out and about and you have to explain what the current cyber threat landscape looks like
Starting point is 00:16:17 and you're talking to non-technical people, how do you describe it? I'd say the cyber threat landscape today is even more hyper-focused than ever before on humans as the weakest link. Look, like it's dominated by AI-powered phishing and identity takeovers, like attackers have dozens of ways
Starting point is 00:16:37 to succeed using just these two vectors, right? And you can add ransomware as a service and supply chain compromises. And I think this is what really gets you threats, all laser focused on one thing, which is the data, the most expensive digital asset there is. And what has you most concerned? What are the things that you're seeing emerging that are on your radar? So without a doubt, the threats against AI and those emerging,
Starting point is 00:17:07 because of its extensive use, right? Now, I'm going to try to break this down to explain why this is more complex than we imagine. Not long ago, before AI took the center stage, we were in a relatively comfortable position. We understood the core principles of security and how to apply them across different technologies. We train an entire generation of developers
Starting point is 00:17:32 on secure coding practices. We quote unquote mastered software and hardware risk modeling, and most importantly, we understood those technologies as an attack surface, inside out, right? But with AI, that's no longer the case. Right now, as far as I see it, at least, there are two, let's say, concerning trends that are happening simultaneously. On one side, we are witnessing a wave of developers pushing products of all kinds to market at incredible speed, thanks to AI-driven development, but what they lack is the deep understanding of secure coding principles. And this might create a regression in security knowledge compared to the pre-AI
Starting point is 00:18:16 era. And then there is the other side of it, which is the world is adopting AI across almost every domain at a pace far faster than our ability to understand AI as an attack surface. And yes, research exists, vulnerabilities are documented, but we're barely scratching the surface. So then comes my biggest concern, how do we investigate an incident that occurs entirely within an AI ecosystem? What investigation artifacts will matter beyond just the prompts and attacker-to-model interactions? And then what happens when there will come a day, and I think it's just a matter of time, when an LLM trained on the most sensitive business data of my organization is stolen. And I have extremely limited ability to trace the full chain of events.
Starting point is 00:19:09 So in my eyes, I think this is one of the major topics to be concerned about. Help me understand how you as a practitioner separate the hype from the reality when it comes to AI. Because we see we're being bombarded with marketing. messages about AI, about the power of AI, about the vulnerabilities of AI. But you're in the middle of this doing the actual work. How do you separate the signal from the noise? Right. So first of all, you've got to have a lot of hands-on experience with AI to really understand what it can and can't do. And from our research and from general experience within the operation, we also utilize AI to some extent. And we understand that AI by itself,
Starting point is 00:19:57 is not really a plug-and-play product that you can simply provide a prompt to, and things will happen. Things will, the magic will happen, right? With AI, you have to provide sometimes even a lot of context, right? You have to set clear boundaries as to what you want the AI to do and what you don't want the AI to do, and even really limit the kind of roles you want the AI to play in your operation. It could be anything, could be a product, could be just automation, pure automation you would like to orchestrate and turn to a fully automatic flow, right?
Starting point is 00:20:35 So we have to set the boundaries and we have to understand that AI is not always consistent and deterministic when it comes to vague or ambiguous prompts and roles that we give it. Do you have any examples and any real-world use cases where AI has either prevented or maybe mitigated a major incident? It happens more than we think, let's say, right? A lot of security products nowadays use AI for various use cases,
Starting point is 00:21:04 such as threat detection, classification, enrichment, and so on. These are like the most common ones that we typically see in our domain, the cybersecurity domain. And from my experience, AI has already proven its value many times. I've seen AI-driven systems block compromised domain accounts or attempting password resets for lateral movement. I've also seen AI classifying ransomware threats based on known and unknown file extensions and file system activity, essentially containing the encryption in a relatively short time.
Starting point is 00:21:36 So this is magic, you know? Some people with less experience could call this magic. But I think it's also worth talking about what it takes to make it so good and precise. Because like I said before, AI is far from being just pure plug and play. As of today, and especially in cybersecurity domain, like I said, therefore, AI and LLMs, on their own, are still neither fully autonomous nor deterministic enough to inspire a complete trust that we would justify relying solely on AI as a defense mechanism.
Starting point is 00:22:07 And this raises the question about how to shape an AI-driven defense strategy. Like, we have to somewhat consider using AI and try to prepare for the tomorrow because the threat landscape is evolving very quickly, also thanks to AI. So first and foremost, even for AI, the context really matters. Sometimes we really have to provide heavy context to AI to understand what is the role and what we want to do here. So it's critical for these models because they need to understand, for example, in detection engineering, what is more significant and what is less? There are multiple ways to do that.
Starting point is 00:22:44 But while some might call the context bias, it's actually necessary to reduce the hallucination and poor decisions, those that in the hindsight we would consider to be pretty bad. So because the model lacked sufficient context or knowledge to make the best decision for whatever the situation, I think this begs the question, where does AI truly shine as a critical security function, either within my operation or within my security stack? So at this stage at least, AI primarily acts as a force multiplier for human teams monitoring the infrastructure. And in some cases, even takes on decision-making roles,
Starting point is 00:23:28 such as whether to respond to a threat or how to respond to that threat. And we know that when you provide AI with enough context and clear rules and very specific responsibility boundaries, that's where it really outperforms human operators. And for example, predictive threat detection platforms typically use some form of machine learning model, which often really helps with the explainability. This explainability introduces a kind of healthy bias for this AI model, allowing it to really whether a certain anomaly is malicious or not in a more deterministic way
Starting point is 00:24:02 and even choose from a predefined set of actions on how to respond. So you're really confident here that these tools are useful and there's a positive future for them. Absolutely. Yeah. You know, looking at the big picture, what do you think is the low-hanging fruit? What are some of the easier things that an organization can do to improve their security posture?
Starting point is 00:24:31 So you're not going to be surprised at all, but you can start because easy wins, I think it has to be common and known to everyone. It's just a decision whether to do that or not. But I would say you can start by protecting your identities, apply multifactor authentication wherever possible, and enforce a strict off-boarding process, which means to really disable and remove stale accounts quickly to reduce the risk. And the next relatively quick win is to patch aggressively, because if you don't really protect your identity well, the second, I would say, most, the easiest attack vector would be to just get in through unpatched systems.
Starting point is 00:25:14 What's your advice for the security leaders out there who are preparing for this AI-driven future, these AI-driven threats. What are your words of wisdom? There's a saying by our CEO, Yaki Faitelson, that I really like. AI security, this is what he says all the time, AI security is data security. What that means is simple.
Starting point is 00:25:36 AI systems eventually are inseparable from data. They consume the data they process and generate. So AI runs on data and really learns massive data set during the training process, and it continues to handle sensitive inputs in production, it's always about data, right? So what makes data an integral part of the attack surface is the fact that AI is based on this sole parameter. So my advice to security leaders is just put your data in order.
Starting point is 00:26:09 Know where your data lives, what's sensitive, and what your AI models can access. Because if data is not secure, your AI isn't secure either. That's Rotem Tsadok, Director of Security Operations and Forensics at Varonis. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night, how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets,
Starting point is 00:27:00 chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Starting point is 00:27:40 At Desjardins, we speak business. We speak startup funding and comprehensive game plans. We've mastered made-to-measure growth and expansion advice, and we can talk your ear off about transferring your business when the time comes. Because at Desjardins Business, we speak the same language you do, business. So join the more than 400,000 Canadian entrepreneurs who already count on us, and contact Desjardins today. We'd love to talk, business.
Starting point is 00:28:16 And finally, for months, local governments guarded Google's projected data center water use in Botetourt County, Virginia, as though the numbers were national security secrets rather than estimates about H2O. Each agency redacted the figures, insisting they were proprietary because Google said so. The founder of local newspaper The Roanoke Rambler disagreed, and, armed with an $86 filing fee and a stubborn streak, took the Western Virginia Water Authority to court. Judge Lisa Chafone sided with transparency, ruling that water usage estimates are not corporate property
Starting point is 00:28:58 and that the public has a right to know what its government plans to pump into billion-dollar data center projects. She noted that disclosing consumption only after Google signs on the dotted line is effectively useless. The victory may be temporary. Google, worried competitors might reverse-engineer its data center strategy from water totals, is urging an appeal. The water authority now appears ready to fight on, sending the case toward the Virginia Court of Appeals,
Starting point is 00:29:29 where judges may soon decide whether mere gallons can truly be treated as trade secrets. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com. N2K's senior producer is Alice Carruth.
Starting point is 00:30:21 Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Thank you.