CyberWire Daily - The spy who sold out.
Episode Date: October 24, 2025

A former defense contractor is charged with attempting to sell trade secrets to Russia. Researchers uncover critical vulnerabilities in TP-Link routers. Microsoft patches a critical Windows Server Update Services flaw. CISA issues eight new ICS advisories. “Shadow Escape” targets LLMs’ database connections. Halloween-themed scams spike. Our guest is Chris Inglis, first National Cyber Director, speaking on cybercrime and the upcoming documentary on cyber war, "Midnight in the War Room". WhatsApp’s missing million-dollar exploit.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Chris Inglis, first National Cyber Director, speaking on cybercrime and the upcoming documentary on cyber war, "Midnight in the War Room" presented by Semperis. Learn more and check out the trailer.

Selected Reading
Hacking Lab Boss Charged with Seeking to Sell Secrets (Bloomberg)
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals (Recorded Future)
New TP-Link Router Vulnerabilities: A Primer on Rooting Routers (Forescout)
Windows Server emergency patches fix WSUS bug with PoC exploit (Bleeping Computer)
CISA Releases Eight Industrial Control Systems Advisories (CISA)
Cyberattack on Russia’s food safety agency reportedly disrupts product shipments (The Record)
Shadow Escape 0-Click Attack in AI Assistants Puts Trillions of Records at Risk (Hackread)
Trick or Treat: Bitdefender Labs Uncovers Halloween Scams Flooding Inboxes and Feeds (Bitdefender)
Pwn2Own WhatsApp Hacker Says Exploit Privately Disclosed to Meta (SecurityWeek)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.

Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first-ever AI certification focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI+ practice exam is coming out this year to help you prepare for this certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net slash blog. And thanks.
At Thales, they know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
A former defense contractor is charged with attempting to sell trade secrets to Russia. Researchers uncover critical vulnerabilities in TP-Link routers. Microsoft patches a critical Windows Server Update Services flaw. CISA issues eight new ICS advisories. Shadow Escape targets LLMs' database connections. Halloween-themed scams spike. Our guest is Chris Inglis, first National Cyber Director, speaking on cybercrime and the upcoming documentary on cyber war, Midnight in the War Room. And WhatsApp's missing million-dollar exploit.

It's Friday, October 24th, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today, and happy Friday.
It is great as always to have you with us.
We begin today with several stories related to Russia.
Peter Williams, a former director at the Trenchant division of defense contractor L3Harris Technologies, has been charged with stealing and attempting to sell trade secrets to a buyer in Russia, according to the U.S. Justice Department. Prosecutors allege Williams, a 39-year-old Australian, took seven trade secrets from two unidentified companies between April 2022 and August 2025. He resigned from L3Harris in August and is scheduled for arraignment and plea proceedings on October 29th in Washington federal court. Authorities are seeking $1.3 million in forfeiture, along with luxury goods and cryptocurrency accounts allegedly tied to the theft. L3Harris and Trenchant are not accused of wrongdoing. Trenchant, known for zero-day vulnerability research, supports national security and defense cyber operations.
Elsewhere, Russia's cybercriminal ecosystem
is undergoing a major upheaval, as law enforcement pressure, political control, and international
crackdowns reshape long-standing dynamics. Operation Endgame in 2024 disrupted ransomware and
money laundering networks, prompting Russia to make rare domestic arrests, signaling a shift from
tolerance to selective enforcement. Leaked communications reveal coordination between cybercriminals
and Russian intelligence, blurring the line between crime and statecraft. Within underground forums,
mistrust is rising amid scams, infiltration fears, and decentralized operations. At the same time,
Western nations are escalating counter-ransomware measures, from payment bans to preemptive cyber strikes.
Recorded Future's Insikt Group
concludes that Russia now actively manages cybercriminals, using them as geopolitical tools
while balancing external pressure, internal control, and strategic utility.
And wrapping up Russia, a major cyber attack on Russia's agricultural watchdog, Rosselkhoznadzor, this week disrupted food shipments nationwide.
The agency said a large-scale DDoS attack hit its VETIS and Saturn tracking systems,
paralyzing product certification and logistics for several hours.
The Mercury Platform, required for electronic veterinary documents, was unavailable, halting
deliveries of dairy and baby food products.
Authorities deny data compromise and say systems have resumed normal operation, though
it's unclear if full restoration occurred.
Forescout Research's Vedere Labs discovered two critical vulnerabilities in TP-Link Omada and Festa VPN routers that enable root access and remote code execution. The first vulnerability is a WireGuard private key sanitization flaw permitting authenticated OS command injection. The second flaw exposes hidden CLI debug functionality that allows root SSH logins. Researchers rooted one of the devices by chaining the web UI injection to create a missing debug file, then escalated via the debug backdoor. By analyzing bytecode variations and protocol implementations, they found additional, potentially remote, vulnerabilities across TP-Link families. Fixes are under coordinated disclosure and expected by the first quarter of next year. Forescout urges immediate patching, perimeter controls, hardened admin access, and monitoring, and warns that recurring firmware patterns and support features routinely enable rooting across network devices.
Microsoft issued out-of-band updates to fix a critical Windows Server Update Services remote code execution flaw and warned customers to apply patches immediately. The vulnerability affects only Windows servers with the WSUS server role enabled, can be exploited remotely without user interaction, and allows attackers to run code with SYSTEM privileges, making it potentially wormable between WSUS servers. Administrators should install the cumulative OOB update and reboot, or temporarily disable WSUS or block inbound ports 8530 and 8531 if patches cannot be applied right away.
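As an added, defensive illustration of the interim mitigation just described (this is editor-supplied example code, not from the episode, Microsoft, or Bleeping Computer): a PowerShell snippet an administrator can run on a Windows Server to check whether the WSUS role is installed and, if it is, add inbound Windows Firewall rules blocking TCP 8530 and 8531 until the out-of-band update can be installed. The firewall rule display names are arbitrary choices; the cmdlets used are standard ServerManager and NetSecurity module cmdlets.

```powershell
# Added example (not from the episode): interim WSUS mitigation on a Windows Server.
# Assumes an elevated PowerShell session on Windows Server with the ServerManager
# and NetSecurity modules available. Rule display names below are assumptions.
Import-Module ServerManager
Import-Module NetSecurity

# 1. Only servers with the WSUS server role installed are in scope for this flaw.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host "WSUS role is not installed on this host; no firewall change needed."
    return
}

# 2. Interim mitigation: block inbound TCP 8530 (HTTP) and 8531 (HTTPS), the WSUS
#    listener ports. Clients cannot reach this WSUS server while the rules exist,
#    so this is a stopgap until the OOB update is installed and the host rebooted.
foreach ($port in 8530, 8531) {
    $name = "Temp block inbound WSUS TCP $port"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $name"
    } else {
        Write-Host "Firewall rule already present: $name"
    }
}

# 3. List the temporary rules so the change is auditable.
Get-NetFirewallRule -DisplayName "Temp block inbound WSUS TCP *" |
    Select-Object DisplayName, Enabled, Direction, Action

# Rollback after patching and rebooting:
#   Get-NetFirewallRule -DisplayName "Temp block inbound WSUS TCP *" | Remove-NetFirewallRule
```

The block rules are host-level; if WSUS sits behind a network firewall, the equivalent block there covers the same ports. The rollback line at the end matters: leaving the rules in place after patching silently stops clients from receiving updates.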
CISA has issued eight new industrial control systems advisories. These cover vulnerabilities affecting control system products from major vendors, including Schneider Electric, Hitachi Energy, Siemens, and Delta Electronics. The notices emphasize that operators should review affected devices, apply patches, and follow the vendor-recommended mitigations. CISA urges organizations to prioritize these updates, given the critical role of ICS in infrastructure security.
Researchers at Operant AI have uncovered a new zero-click attack, dubbed Shadow Escape, that exploits the Model Context Protocol, or MCP, used to connect large language models like ChatGPT and Gemini to company databases. The flaw allows attackers to hide malicious instructions in ordinary documents, triggering AI assistants to exfiltrate sensitive records, such as Social Security numbers, financial data, and medical files, without user interaction or detection. Because the data theft occurs through legitimate MCP access inside corporate networks, traditional defenses can't see or stop it. Operant AI warns that trillions of records may already be at risk and urges organizations to audit AI integrations immediately to prevent silent data leaks from trusted internal systems.
We are a week away from Halloween, and Bitdefender Labs reports a worldwide spike in Halloween-themed scams, combining fake retail sales, giveaways, crypto offers, and dating lures to trick users. Sixty-three percent of these campaigns were phishing schemes impersonating major brands like Walmart, Amazon, and Home Depot. Most originated from U.S. servers and targeted American consumers. On social media, scammers purchased Meta ads to spread malware disguised as crypto rewards or brand deals. Bitdefender urges caution, advising users to verify links, avoid ad downloads, and treat seasonal free gifts with skepticism.
Coming up after the break, my conversation with former National Cyber Director Chris Inglis. We're talking cybercrime and the upcoming documentary Midnight in the War Room, and WhatsApp's missing million-dollar exploit. Stay with us.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research, and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu slash MSSI.
The folks at Semperis have produced a new documentary titled Midnight in the War Room. Chris Inglis, the first National Cyber Director, plays a key role in the documentary. Here's a preview.
It was clear that at that moment in time, the Chinese government was a fan of big data. They were after all of it. And we suddenly realized that no one was safe. The Chinese were burrowing deep into some of our most sensitive critical infrastructure. Water unavailable, trains derailed, comms severed, power going down. Every single day, there's a war going on in cyberspace. Cyber attacks aren't just taking computers offline. You can take out power grids, poison water, food supply chains. This war's been going on a long time. Countries like North Korea, that are so poor they have to feed their people with grass, can build a nuclear weapons program based on stolen Bitcoin infrastructure. Russia and China, their goal is to stay just below the threshold of kinetic war. In a dictatorship, you target the dictator; in a democracy, you target the people. Because you don't know anymore who is calling you, you don't know who's emailing you, because all of these things can be spoofed or faked. When you think you're the safest, that's usually when something is going to go wrong. People are going to die, and they'll do it without ever firing a shot. You're in the war room at midnight, something's gone wrong. But we're not going to stop fighting.

Chris Inglis was the first National Cyber Director here in the U.S. I recently caught up with him to discuss cybercrime and the upcoming documentary on cyber war, Midnight in the War Room, presented by Semperis.
So today we're talking about the new documentary, Midnight in the War Room. I'd love to start off with some high-level stuff. What originally attracted you to this documentary and made you want to participate?

Well, when the documentary's producers came to me and said that they wanted to tell the story about what was going on in digital infrastructure, what we all call cyberspace, and to address the complacency that the society and others has about what's going on, I thought it was a wonderful opportunity to actually shed some light into that space. Because I think that while there are many threats that are coursing through cyberspace, from criminals to the nation states, the greatest threat is complacency, either a lack of understanding or a willful ignorance of what's going on.
Can we dig into that? I mean, in this current moment, where do you suppose we find ourselves as a society?

I think we're on our back foot. We're massively dependent on digital infrastructure for all the right reasons. It delivers efficiency, effectiveness in so many things that we couldn't otherwise accomplish in a physical day. But at the same time, that dependence is something that criminals and rogue nation states are taking advantage of, holding us at risk because of that dependence. We can have our cake and eat it too if we make the necessary investments in digital infrastructure, cyberspace, but we haven't. We've not made those investments in terms of the inherent resilience of the technology, in the skills of the people, not just IT and cyber specialists but everybody who uses that space, and in the doctrine, or the allocation of roles, responsibilities, understanding who's responsible for what.

What do you suppose is holding us back now from the proper investment in those areas?

Several things hold us back, not least of which is the technology is moving so fast. It's hard enough to figure out what the next innovation is, to then deploy that at scale so that it has some efficiency in the marketplace, without worrying about the third layer underneath, which is inherent resilience and robustness.
For 50 years of the Internet, we've always promised ourselves that once we innovate the next iteration of the technology and deploy it, we'll then put an overlay on it that makes it safe, that makes it resilient and robust. But we never come back, because we keep going forward. The second thing that makes it hard to get our arms around this is that the weaknesses are insidious. I don't mean by that that they're always malevolent, but they come on so slowly, or they're so subtle, that we just don't recognize them for what they are. It's not the kind of physical reality of the automobile crash or a bomb sitting at your street corner; however fantastic that may seem, if you saw it, you'd immediately react to it. And the sorts of things that are hazards in cyberspace are hard to see until you experience them, and even then they emerge so slowly. But perhaps the third and most pernicious issue is that there's a broad expectation that people who have IT or cyber in their job title are going to take care of this for us, that they will remove the risk before we encounter it. Many of the risks are established by the people who use the technology. Clicking on links in emails is still a very popular form of ransomware attack. And that's not something that an IT or cyber specialist can step in and manage by restricting you from doing that at the moment you touch the keyboard. And so the skills and the complacency on the part of the ordinary garden-variety users, of which I'm one, is oftentimes the biggest weakness in this space.
Well, how do we balance the necessity to educate and empower people with the technical backdrop that they need to protect them as well?

I think first we need to meet the people who need to make the changes where they are. We should no longer kind of bang on about "we need to get serious about cyber or cybersecurity"; we should talk more plainly about what they already care about. I care about following my grandchildren on social media. I care about banking online. I care about, in my business, accessing markets that I can't get to in a physical day. All of that then motivates me to understand and to make the necessary investments in the assets that make that possible. Digital infrastructure, cyberspace, the internet, that's a very critical asset to all of that. So we need to flip the script. There's a great question that's often asked at this moment. It's a little bit off the line of flow of our discussion, but it's, why do race cars have bigger brakes? They have bigger brakes so they can go faster. It's about the performance of the car. We shouldn't focus on the brakes. We should focus on the performance of the car. That's what motivates us to then keep the car in good condition, to put the right brakes on it, maybe to put seat belts in it, other safety values in it. But let's focus for a change on what it is people already care about, and then help them understand what they can do to actually ensure that digital infrastructure meets their expectations. We talk about password management. We talk about understanding what happens when we click on a link in email. But we need to make that more personal, more real to them, by never talking about cybersecurity for its own sake, but rather for the conduct of the things I want to do in cyberspace, for the reasons they already care.
In your estimation, how vulnerable is our critical national infrastructure?

In a word, very. I would just take something called Volt Typhoon. It's a term that's been applied to a Chinese government initiative that has inserted malware into our critical infrastructure. And that malware has one purpose, in the case of Volt Typhoon, that particular actor within the Chinese government, and that is to hold that critical infrastructure at risk. There's a great dependence of critical infrastructure, the water flows, the electrical flows, telecommunications; there's a great dependence of that on digital infrastructure. If the software, the hardware, and the data stores work well, then critical infrastructure meets our expectations. If they don't, then critical infrastructure doesn't meet our expectations. We're recording this just a couple of days after Amazon Web Services had a global kind of problem, where massive numbers of customers who use that were without access to it. Now, I don't think that that's going to be found to be attributable to a particular actor, a malicious actor. But it shows the kind of dependence we have on critical infrastructure, that when it works, you know, it's out of sight, out of mind. We never complain about it. And when it doesn't work, we'll suddenly wonder, you know, what is the nature of our dependence on that, and what made that fail? We need to think about that beforehand. So I think that our critical infrastructure being so dependent upon digital infrastructure, the Internet Plus, is something that we need to think through and get into the right place.
Now, I would offer that we've done this before. If you think about the automobile transportation system, which is not without its risks, we've done a lot of investment to make sure that the cars, the devices that we use, have safety features built in. We've done a lot of work to make sure that the road systems have safety features built in, in terms of the width of the road, the signage on the road, even the surface of that road. We've done a lot of work to govern those spaces by making sure that we find and pull off speeders or drunk drivers or people who text while they drive. And we've levied some degree of responsibility on the drivers themselves so that they understand what their role is to get safely from place A to place B. And it's possible to do that, except that you don't obsess about what the risks are as you drive your car down the highway. You think about what your role is alongside all the other roles that have been accounted for, so that you can have every expectation that if you do the right thing, you've got a very, very high probability of getting there safely. We don't have that same competence in cyberspace. We've done none of that foundational work.
We're seeing significant cuts to cybersecurity-related agencies in the federal government these days. What's your reaction to that?

I think it's an own goal. It's an unfortunate issue at the moment. I would give the administration credit for this, which is that it has recognized that cyber, cybersecurity, again, if I would have flipped that script, it has recognized that our dependence on digital infrastructure means that we have to have serious people in the roles that are applying government efforts to help make that a better thing. So when you look at the U.S. National Cyber Director, the nominee, and the director of the Cybersecurity and Infrastructure Security Agency, the serving director of the FBI component, all of those are serious people who, when I listen to them, understand the nature of this and fully intend to apply the resources they do have to helping the private sector get this right. So give the administration credit in that regard. But the downsizing, which is not focused on downsizing cyber or cybersecurity, it's focused on a broad range of other issues, has the collateral effect, the unfortunate collateral effect, of taking some of these resources out at the very moment that we should be investing in them and upsizing them. So it's a mixed bag, I would say. In the main, with the resources that are there, I have every confidence that they will make a difference that matters, but we need more.
Getting back to the documentary, Midnight in the War Room, what do you hope viewers take away from it?

A sense that this matters to them, not because we're getting them to care about a problem that belongs to somebody else, but we're getting them to care about an issue of a strategic resource that they already value but just didn't know that it was tucked inside things that they care about. So if there's one issue that I worry about more than any other at this moment in time, from the perspective of our reliance, U.S. and nations of like mind, it's that our reliance on critical functions, which are in turn reliant on digital infrastructure, that reliance is not well understood, and it's not well defended. And so my hope in this picture, this full-length motion picture, which is a documentary, is that we shed some light on this such that people begin to realize what hangs in the balance and what they might do to make a difference to it, kind of on the far side of that. One of my favorite quotes is from a guy named Edmund Burke, from two centuries ago. He was a British, or an Irish, statesman in the British Parliament. One of the great tragedies in life is doing nothing when we can only do a little. Each of us can do a little. Some of us might do more than a little, but each of us can do a little. And that can, in sum, add up to each of us making a contribution to the defense of all of us. Because we're not all addressing similar challenges with similar issues in our use of digital infrastructure; we're all addressing the exact same challenge, often challenged by the exact same adversary, whether that's a criminal or a nation. And so my hope is that this picture can help people understand what the nature of that is and mobilize them to make that small contribution, however small, that will make a positive difference in the collective defense of something valuable to all of us.
Our thanks to Chris Inglis for joining us. The documentary is titled Midnight in the War Room; it's presented by Semperis. We'll have a link in the show notes.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside. So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex. Presale tickets for future events subject to availability and vary by race. Terms and conditions apply. Learn more at mx.ca.
This episode is brought to you by Peloton. A new era of fitness is here. Introducing the new Peloton Cross Training Tread Plus, powered by Peloton IQ, built for breakthroughs with personalized workout plans, real-time insights, and endless ways to move. Lift with confidence, while Peloton IQ counts reps, corrects form, and tracks your progress. Let yourself run, lift, flow, and go. Explore the new Peloton Cross Training Tread Plus at OnePeloton.CA.
And finally, Pwn2Own Ireland 2025 had everything: record payouts, routers laid bare, and printers brought to their digital knees. But what really got the crowd talking was what didn't happen. A researcher known only as Eugene, poised to unveil a million-dollar zero-click WhatsApp exploit, pulled out at the last minute. Officially, it was due to travel complications. Unofficially, folks wonder if the exploit just wasn't ready for its close-up. Trend Micro's Zero Day Initiative said Meta will still get a private peek, while everyone else is left with only 73 other zero-days, a million dollars in payouts, and a lingering sense of what might have been. Sometimes in cybersecurity, as in show business, the biggest headline is the one that never hits the stage.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at cyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Noam Moshe, Claroty's Vulnerability Research Team Lead. We're discussing their work turning camera surveillance on its axis. That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
