CyberWire Daily - The UN’s big push for global cybercrime rules.
Episode Date: October 27, 2025

The UN launches the world’s first global treaty to combat cybercrime. A House Democrats’ job portal left security clearance data exposed online. A new data leak exposes 183 million email addresses... and passwords. Threat actors target Discord users with an open-source red-team toolkit. A new campaign targets unpatched WordPress plugins. The City of Gloversville, New York, suffers a ransomware attack. Jen Easterly hopes AI could eliminate the buggy software that fuels cybercrime. A Connecticut health system agrees to an $18 million settlement following a ransomware attack. Monday business brief. Tim Starks from CyberScoop is discussing concerns over budget cuts and visibility. Meta’s privacy safeguard goes dark.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Tim Starks from CyberScoop who is discussing concerns over budget cuts and visibility. You can read the articles Tim references here:
US ‘slipping’ on cybersecurity, annual Cyberspace Solarium Commission report concludes (CyberScoop)
F5 vulnerability highlights weak points in DHS’s CDM program (CyberScoop)

Selected Reading
UN Cybercrime Treaty wins dozens of signatories (The Register)
Hundreds of People With ‘Top Secret’ Clearance Exposed by House Democrats’ Website (WIRED)
Gmail passwords confirmed in 183 million account data breach (Tribune Online)
Hackers steal Discord accounts with RedTiger-based infostealer (Bleeping Computer)
Year-Old WordPress Plugin Flaws Exploited to Hack Websites (SecurityWeek)
Gloversville hit by ransomware attack (WNYT.com NewsChannel 13)
Ex-CISA chief says AI could mean the end of cybersecurity (The Register)
Yale New Haven Health Will Pay $18M to Settle Hack Lawsuit (GovInfo Security)
Veeam to acquire Securiti AI for $1.7 billion. (N2K Pro)
A $60 Mod to Meta’s Ray-Bans Disables Its Privacy-Protecting Recording Light (404 Media)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Risk and compliance shouldn't slow your business down.
Hyperproof helps you automate controls, integrate real-time risk workflows,
and build a centralized system of trust so your teams can focus on growth, not spreadsheets.
From faster audits to stronger stakeholder confidence,
hyperproof gives you the business advantage of smarter compliance.
Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and
identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the
world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
The UN launches the world's first global treaty to combat cybercrime.
A House Democrats' job portal left security clearance data exposed online.
A new data leak exposes 183 million email addresses and passwords,
threat actors target Discord users with an open-source red-team toolkit,
a new campaign targets unpatched WordPress plug-ins,
the city of Gloversville, New York, suffers a ransomware attack.
Jen Easterly hopes AI could eliminate the buggy software that fuels cybercrime.
A Connecticut health system agrees to an $18 million settlement following a ransomware attack.
We've got Monday's business brief.
Tim Starks from CyberScoop discusses concerns over budget cuts and visibility,
and Meta's privacy safeguard goes dark.
It's Monday, October 27, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great to have you with us. The United Nations has launched
the world's first global treaty to combat cybercrime, with 72 nations signing the new
Convention Against Cybercrime at a ceremony on Saturday. The agreement, five years in the making,
aims to improve prevention, cooperation, and capacity building to fight online crime, particularly
in developing countries.
However, critics warn the treaty could undermine human rights.
Groups including the Electronic Frontier Foundation,
Human Rights Watch, and Privacy International argue
it grants overly broad surveillance powers without sufficient safeguards.
Even Cisco has voiced concerns
that the Convention risks eroding the rule of law.
Despite these objections,
UN Secretary-General António Guterres called the signing
an important milestone towards safer digital spaces, highlighting the treaty's mechanisms for cross-border
sharing of digital evidence. Still, the agreement won't take effect until countries ratify it,
and the UN has yet to publish a full list of signatories.
An unsecured database connected to DomeWatch, a website managed by U.S. House Democrats,
exposed the personal details of more than 450 individuals holding top-secret security clearances,
according to research shared with Wired.
The database contained data on about 7,000 job applicants, including names, contact details,
military service, clearance levels, and political affiliations.
It was discovered in late September by an independent security researcher
and secured within hours after being reported.
While resumes were not included, experts warned the data set could be a gold mine for foreign intelligence or cybercriminals seeking to target government personnel.
House officials say an outside vendor was responsible and a full investigation is underway.
The incident highlights ongoing risks from poorly secured online databases and their potential use in espionage or social engineering.
A new data leak has exposed 183 million email addresses and passwords just months after another massive breach.
Security researcher Troy Hunt, founder of Have I Been Pwned, says the data, about 3.5 terabytes and 23 billion rows, came from threat intelligence firm Synthient and included stolen Gmail logins and website credentials.
Hunt found 8% of the entries were new, adding 16 million previously unseen addresses.
Have I Been Pwned verified some records with affected users.
Experts urge password changes and avoiding reuse across accounts.
Threat actors are abusing the open-source RedTiger red-team toolkit
to deploy an infostealer targeting Discord users, primarily in France,
according to Netskope.
Originally built for penetration testing,
RedTiger includes network scanning,
password cracking, and malware building features.
Attackers compiled it into standalone executables
disguised as gaming or Discord apps.
Once installed, the malware steals Discord credentials,
payment details, browser passwords,
crypto wallets, and game data
while capturing screenshots and webcam images.
Stolen data is uploaded to GoFile and sent to attackers via Discord webhooks.
The malware uses anti-sandbox features and floods systems with fake processes to hinder analysis.
Security experts urge users to avoid unofficial downloads,
revoke Discord tokens, and enable multi-factor authentication if compromise is suspected.
A new campaign is exploiting three critical vulnerabilities in the GutenKit
and Hunk Companion WordPress plugins, according to Defiant.
Since October 8th, over 9 million exploit attempts have been blocked.
The flaws allow unauthenticated attackers to upload malicious files,
install rogue plugins, and achieve remote code execution.
Attackers are distributing a fake plugin via GitHub containing backdoors and persistence scripts.
Despite patches released over a year ago,
the campaign highlights ongoing risks for outdated WordPress sites.
The city of Gloversville, New York,
suffered a ransomware attack in March that exposed personal and payroll information
of current and former employees.
Officials say the attackers, believed to be from Eastern Europe,
demanded $300,000 for the stolen data.
After hiring consultants, the city negotiated a $150,000 payment for its return.
The incident was reported to the FBI, state police, and DHS.
Federal investigators are now working to identify the attackers and recover the ransom funds.
Former CISA director Jen Easterly says artificial intelligence could eventually make cybersecurity obsolete
by eliminating the buggy software that fuels cybercrime.
Speaking at AuditBoard's user conference in San Diego,
Easterly argued that the real issue isn't cyber attacks themselves, but poor software quality
driven by vendors prioritizing speed and cost over safety. She said AI is already improving
attackers' tools, creating stealthier malware and targeted phishing, but can also help defenders
rapidly identify and fix vulnerabilities. Easterly believes a secure-by-design approach,
supported by the White House's AI action plan
could tip the balance toward defenders
and make breaches rare exceptions
rather than expected events.
She criticized the glamorization of hackers
and stressed that most attacks
still exploit long-known flaws
like SQL injection and memory unsafe code.
Her core message,
the industry must demand accountability
from software vendors
to fix systemic weaknesses at their source.
Yale New Haven Health System will pay $18 million to settle a class action lawsuit over a March 2025 ransomware attack
that compromised data from nearly 5.6 million individuals, the largest reported U.S. health care breach so far this year.
The attack exposed patient information such as names, birth dates, and social security numbers,
but did not affect medical records or payment data.
The settlement, preliminarily approved by a federal court, offers victims up to $5,000 for documented losses or an alternative $100 payment plus two years of medical data monitoring.
Class counsel will receive one-third of the fund in legal fees.
The health system also agreed to strengthen its cybersecurity controls.
The breach was discovered March 8th and reported to regulators a month later.
A final settlement hearing is scheduled for March 3, 2026.
In our Monday business brief, the cybersecurity and data resilience sector saw major merger and
investment activity last week.
Veeam announced a $1.7 billion acquisition of Securiti AI, integrating data security posture
management into its resilience platform.
Dataminr will acquire ThreatConnect for $290 million, combining internal and external
threat data for real-time intelligence.
Other notable deals include AuditBoard acquiring FairNow to expand AI governance,
Imprivata buying Verosint for healthcare identity threat detection,
and Panther acquiring datable to enhance its AI SOC platform.
Meanwhile, Riveron, Early Health Group, and Main Capital Partners also completed strategic acquisitions.
On the investment front, CoreStack raised $50 million
to fuel cloud governance growth.
Keycard emerged from stealth with $38 million,
and Basis Theory, Defakto, and OneLayer
raised over $25 million each.
Startups, including Conceal,
Gravwell, LuxQuanta, and Cyberverse
also secured new funding,
signaling continued momentum
in AI-driven cybersecurity innovation.
Be sure to check out our complete business brief
on our website,
part of CyberWire Pro.
Coming up after the break, Tim Starks from CyberScoop discusses concerns over budget cuts and visibility, and Meta's privacy safeguard goes dark.
Stay with us.
And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution
that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes
application control simple and fast. Ringfencing is an application containment strategy ensuring
apps can only access the files, registry keys, network resources, and other applications they
truly need to function. Shut out cybercriminals with world-class endpoint protection from
ThreatLocker.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my
vendors secure? Or the one that really keeps you up at night, how do I get out from under
these old tools and manual processes? That's where Vanta comes in. Vanta automates
the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and
filling out endless questionnaires. Their trust management platform continuously monitors your
systems, centralizes your data, and simplifies your security at scale. And it fits right into
your workflows, using AI to streamline evidence collection, flag risks, and keep your program
audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently,
and finally get back to sleep.
Get started at vanta.com slash cyber.
That's v-a-n-ta.com slash cyber.
Once again, it is my pleasure to welcome to the show
Tim Starks, he is a senior reporter at CyberScoop.
Tim, you had a couple of stories over on CyberScoop
I want to discuss today.
The first was some information from the Cyberspace Solarium Commission.
They're saying that perhaps the U.S. needs to up our game a little bit.
What's going on here, Tim?
Yeah, I'd say they went even a little further than that in what they said.
So the Cyberspace Solarium Commission was a big deal.
We have a bipartisan commission created by Congress that recommended a lot of things that have become policy and structures in our government these days.
And one of them is the creation of the National Cyber Director.
So there were a few things that were noteworthy about this.
The CSC 2.0, which has kind of been the organization keeping track of how the
Solarium Commission recommendations are going, for the first time ever, in the five years they've
been doing these reports, said, actually, we're getting worse on cyber.
Every other thing they'd looked at, they said, you know, looking at the implementation
of the recommendations, all of them had ticked upward for the most part or stayed level
at worst.
So this is the first time they backtracked.
And one of the reasons was Trump administration budget cuts.
Another was a sort of a vague mention of technology
just getting more complicated.
That there was a transition at all,
they said that maybe there wasn't that surprising,
that there was some change
that could be negative,
but that was the surprising part of the report.
And the part where they talked about upping the game,
which was what your question was,
they had a series of recommendations.
One of them was to increase
the power of the Office of the National Cyber Director,
restore some of the cuts that had been happening
in this administration
to CISA, the way they've broken up some State Department offices that were focused on
cyber. A few recommendations of note that stood out to me. Yeah, it's hard to imagine the cuts
to CISA and other agencies, but really to CISA primarily, is not playing a part of this.
I mean, it's just been so deeply cut there. Yeah, they've cut it, you know, by all credible
estimates, at least a third. That was one thing they proposed in their budget, but it turns out
they'd already done most of it. And every, every, it feels like almost every day, every week,
there are more stories about more things they're cutting. So it doesn't even seem like they're done
getting rid of massive parts of the agency. Yeah. Another story you posted, this is about the recent
vulnerability with F5 and highlighting some weaknesses in DHS's CDM program. Can you describe that for us?
Yeah, this one was a little bit of a deeper dive. What happened was my editor said,
this F5 vulnerability, the cybersecurity vendor F5
that announced that they'd been infiltrated
by nation state hackers
for a lengthy period of time, there was an emergency directive
that CISA put out last week,
the week before, and said, hey, if you're a federal agency,
you need to shore this up now. And one of the things that stood out to my editor
was like, they were saying, as part of this emergency directive,
they were going to find out where F5 was.
Well, he was like, isn't that what continuous diagnostics
and mitigation is supposed to be doing? Isn't that the thing
we've spent billions of dollars on, isn't that the point of that program? And I poked around and
started hearing that, yeah, it is part of the point of the program, but this is a part of the
program that it's not very good at. That CDM is not very good at detecting the areas where
F5 products live. You know, one person, Matt Hartman, who was a former CISA official, who
is now in the private sector, said there's stuff that kind of lives in these DMZs, these demilitarized
zones, that CDM is good at identifying. I mean,
identifying the cybersecurity posture of federal agencies is one of its main four goals.
So the fact that CDM is good at keeping track of actual hardware, computers, servers,
that's a good news story for CDM, but the fact that it's not capable of doing these kinds of things is a knock on the program, I think.
And to their credit, they're aware that this is a problem and they're trying to fix it.
But there's the speed at which government moves and there's a speed at which technology moves.
and I don't think people were envisioning
that CDM would have a big role doing this
keeping track of these edge devices
back when CDM was created
more than a decade ago.
Is there any reaction to this?
Are folks saying, again,
more attention needs to be paid here?
Or are people saying,
hey, this is the pace at which we operate at
and given the budget we have,
this is where we are?
I think that there's a certain amount of understanding
from the people I spoke to
that this could take some time.
That doesn't mean they weren't ... of it. It means, you know, this is a problem. They say it's a problem and they say they're
glad CISA's aware it's a problem. The one kind of voice of concern that we got, and this ties
back to, you know, the earlier story that we were talking about, was from Congresswoman
Shontel Brown, who's the top Democrat on the House Oversight Cybersecurity Subcommittee.
She said, I'm a supporter of CDM, but I'm worried that CDM, like other parts of CISA that are
seeing their budget cut, that's going to be bad news for this program. So she's going to be
watching that closely.
Is there a general sense among folks in government?
I mean, well, we're in the middle of a government shutdown.
People are getting cuts.
Shocker that, you know, things might not be going as well as perhaps people had hoped for.
But like you said, I mean, the Solarium Commission had had us heading in the right direction
for many years, and now by their account, we're not.
How are people reacting to that on the Hill?
There is some concern on the Hill about the shutdown and its impact on cyber operations.
I do think one of the areas where the government is on a little safer ground
because a lot of the IT teams are considered essential workers
that maybe an emergency directive like this isn't going to be as much of a concern.
And certainly CISA's viewpoint was, no, we'll be fine.
We'll be able to take care of this.
The shutdown isn't going to impact this.
It's hard to imagine not having any impact at all, though.
I mean, there are people who are furloughed who work on these things,
even if the majority of them are not.
And the Hill, you know, what I was hearing from not just the people I quoted in the story,
but other people, is that the shutdown is not great for, it's not great for CISA.
You know, during this time, they've been apparently cutting more people.
You know, some significant percentage of the agency is furloughed.
So there is concern about the work that they should be doing,
not being able to get it done for two reasons, the shutdown and the cuts.
Yeah.
I have to think about some of the other implications here.
My son has a friend who works at the Starbucks on base at NSA,
and she has not gone into work for a couple weeks now.
I don't want our defenders to be under-caffeinated, Tim.
No. God, no.
Right.
I think they're running on that and Adderall and all sorts of things,
so we need to get all their supplies to keep them.
That's right. That's right. Keep them properly dosed.
Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Great space.
an ex-con who ran this place for years.
And now, now you can't do that.
And BAFTA award winner Lenny James.
You're about to have a plague of outsiders descend on your town.
Let me tell you this.
It's going to be consequences.
Mayor of Kingstown, new season now streaming on Paramount Plus.
And finally, Meta's Ray-Ban smart glasses were supposed to make recording your surroundings less creepy.
A goal achieved, at least in theory, by adding a little LED that lights up whenever you're filming.
Unfortunately, some enterprising hobbyists have decided that privacy lights are for amateurs.
As 404 Media reports, one modder has been selling $60 stealth editions of the glasses,
no LED, no warning, just effortless covert recording.
The craftsmanship is impressive if you overlook the whole ethics thing.
Meta, for its part, sternly reminded everyone that disabling the light violates its
terms of service, a terrifying deterrent, surely. Still, for those who'd rather not risk an eBay purchase,
Amazon now sells sticker packs for covering the light entirely. So, if Zuckerberg's ideal
social experience involves quietly filming your friends, the future has never looked brighter or dimmer.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at the Cyberwire.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week.
You can find grumpy old geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms
building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration,
and funding. The Innovation Expo runs all day connecting founders, investors, and researchers around
breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the
startups building the future of cyber. Learn more at c.d.d.d.tribe.com.
