CyberWire Daily - TikTok lives to scroll another day.
Episode Date: January 23, 2026

At long last, a TikTok deal. Officials urge lawmakers to keep an eye on the quantum ball. Fortinet confirms active exploitation of a critical authentication bypass flaw. Ireland plans to authorize spyware for law enforcement. Okta warns customers of sophisticated vishing kits. Under Armour investigates data breach claims. CISA adds a Zimbra Collaboration Suite flaw to the known exploited vulnerabilities list. Poor OpSec enables recovery of data stolen by the INC ransomware gang. The DOJ deports a pair of Venezuelans convicted of ATM jackpotting. Our guest is Chris Nyhuis, Founder and CEO of Vigilant, sharing practical steps to protect money, identity, and devices. Curl pulls the plug on bug bounties after drowning in AI slop.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Chris Nyhuis, Founder and CEO of Vigilant, sharing "practical steps consumers can take in 2026 to protect their money, identity, and devices."

Selected Reading
TikTok Strikes Deal to Create New U.S. Entity and Loosen App's Ties to China (New York Times)
US Officials Urge Congress to Reauthorize Key Quantum Law (BankInfo Security)
Fortinet confirms critical FortiCloud auth bypass not fully patched (Bleeping Computer)
Ireland plans law allowing law enforcement to use spyware (The Record)
Okta SSO accounts targeted in vishing-based data theft attacks (Bleeping Computer)
Under Armour Investigates Data Breach (Infosecurity Magazine)
Organizations Warned of Exploited Zimbra Collaboration Vulnerability (SecurityWeek)
INC ransomware opsec fail allowed data recovery for 12 US orgs (Bleeping Computer)
2 Venezuelans Convicted in US for Using Malware to Hack ATMs (SecurityWeek)
Curl ending bug bounty program after flood of AI slop reports (Bleeping Computer)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most security conferences talk about Zero Trust.
Zero Trust World puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation.
Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away.
Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero-trust strategy from theory to execution.
At long last, a TikTok deal. Officials urge lawmakers to keep an eye on the quantum ball.
Fortinet confirms active exploitation of a critical authentication bypass.
Ireland plans to authorize spyware for law enforcement.
Okta warns customers of sophisticated vishing kits.
Under Armour investigates data breach claims.
CISA adds a Zimbra Collaboration Suite flaw to the known exploited vulnerabilities list.
Poor OpSec enables recovery of data stolen by the INC ransomware gang.
The DOJ deports a pair of Venezuelans convicted of ATM jackpotting.
Our guest is Chris Nyhuis, founder and CEO of Vigilant,
sharing practical steps to protect money, identity, and devices.
And curl pulls the plug on bug bounties after drowning in AI slop.
It's Friday, January 23rd, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. It's great to have you with us.
TikTok announced it has reached a deal for its U.S. operations to be majority owned by non-Chinese
investors, ending a six-year political and legal battle over national security concerns.
Under the agreement, investors including Oracle, MGX, Silver Lake, and Michael Dell's investment office
will now own more than 80 percent of a new U.S.-based TikTok entity, while ByteDance will retain just under
20 percent. Former TikTok executive Adam Presser will lead the new company. The deal aims to address
U.S. fears that China could exploit TikTok to surveil or influence American users, a concern that led
Congress to pass a 2024 law threatening a ban if ByteDance did not divest. While the agreement
allows TikTok to remain in the U.S. market, critics note that ByteDance will still license its algorithm
to the new company, raising questions about whether security concerns are fully resolved.
President Trump praised the deal, calling it a decisive conclusion to the long-running dispute.
Federal officials warned lawmakers that the lapse of the National Quantum
Initiative Act risks undermining U.S. leadership in quantum computing, despite the law's success
in strengthening coordination across government, academia, and industry. Testifying before the House
Science Committee, leaders from the Department of Energy, NIST, NASA, and the National Science Foundation
said the 2018 law created a unified national framework, aligned federal investments, and
accelerated progress from lab research toward early-stage quantum systems
with scientific and security relevance.
The Act expired in 2023, creating uncertainty for funding and workforce pipelines.
Lawmakers have introduced a bipartisan reauthorization bill that would authorize nearly
$1.5 billion to expand research, commercialization, and workforce development.
Witnesses cautioned that without sustained investment and stable authorization, the U.S. could
fall behind global competitors, particularly China,
in the accelerating race to quantum capabilities.
Fortinet confirmed active exploitation of a critical FortiCloud SSO authentication bypass
after customers reported compromises of fully patched firewalls.
Researchers at Arctic Wolf say automated attacks began January 15th, with attackers rapidly
creating admin and VPN accounts and exfiltrating configurations.
Fortinet acknowledged the activity mirroring
December exploitation and is working on a complete fix.
Until then, Fortinet urges customers to restrict admin access,
disable FortiCloud SSO, and treat affected systems as compromised.
CISA has listed the flaw as actively exploited.
Ireland plans to draft legislation that would explicitly authorize law enforcement to use spyware,
according to Justice Minister Jim O'Callaghan.
The proposal would create a legal basis for covert surveillance software and expand lawful
interception powers to combat serious crime and security threats.
Use of spyware would require court authorization and include safeguards to ensure necessity and
proportionality.
The bill would also allow electronic scanning tools to collect mobile device identifiers for
location tracking.
Ireland's Department of Justice will develop the framework with other state agencies.
Okta is warning customers about sophisticated phishing kits designed specifically for voice-based
social engineering, or vishing, attacks that steal single sign-on credentials in real time.
According to Okta, and as reported by BleepingComputer, the kits are sold as a service and actively
used by multiple threat groups. During phone calls impersonating IT staff, attackers guide victims
through fake login pages that dynamically mirror real authentication and multi-factor prompts,
allowing credentials and one-time passcodes to be intercepted and immediately abused.
The attacks can bypass push-based MFA and have been used for large-scale data theft and extortion,
with some activity linked to ShinyHunters.
Okta urges customers to adopt phishing-resistant MFA such as FIDO2 keys or passkeys.
Under Armour is investigating claims of a major data breach after hackers allegedly posted 72 million customer records online.
The incident was flagged by Have I Been Pwned, which linked it to a November 2025 attack attributed to the Everest ransomware group.
Exposed data reportedly includes emails, names, demographics, locations, and purchase details, but not payment card data.
Under Armour says it's investigating and disputes claims that sensitive systems or passwords were compromised.
CISA is urging federal agencies to immediately patch a Zimbra Collaboration Suite flaw that is being actively exploited.
The vulnerability is a local file inclusion issue in Zimbra's webmail interface that allows unauthenticated attackers to access arbitrary files by manipulating request routing.
Exploitation could expose sensitive information and enable further compromise if combined with other weaknesses.
Although Zimbra released patches in November of last year, CISA added the bug to its Known Exploited Vulnerabilities catalog this week.
Researchers at CrowdSec reported targeted, intelligence-driven attacks and rising exploitation.
CISA also flagged three additional actively exploited vulnerabilities and reminded organizations
to prioritize KEV-listed flaws.
Researchers uncovered a major operational security lapse by the INC ransomware gang
that allowed full recovery of data stolen from a dozen U.S. organizations.
The work was conducted by CyberCentars, which shared full findings with BleepingComputer.
While investigating an INC ransomware attack on a client,
analysts discovered remnants of the backup tool restic
that exposed long-lived attacker infrastructure.
Scripts with hard-coded credentials pointed to cloud repositories
storing encrypted data from multiple victims.
Controlled analysis confirmed data from 12 unrelated U.S. organizations
across healthcare, manufacturing, technology, and service sectors.
Researchers decrypted and preserved the data, contacted law enforcement,
and released detection rules to help defenders spot restic abuse
tied to INC ransomware activity.
The U.S. Justice Department has announced the deportation of two Venezuelan nationals
convicted of ATM jackpotting using malware.
The U.S. Department of Justice said Luz Granados and Johann Gonzalez Jimenez installed malware
on ATMs to force the machines to dispense cash.
Granados received time served and restitution orders,
while Gonzalez Jimenez was sentenced to 18 months in prison before deportation.
The cases follow broader prosecutions tied to Venezuelan crime groups
using the Ploutus malware, which authorities say remains active.
Coming up after the break,
my conversation with Chris Nyhuis,
founder and CEO of Vigilant,
we're discussing practical steps
to protect your money,
your identity, and your devices,
and curl pulls the plug on bug bounties
after drowning in AI slop.
Stick around.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters:
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
What's your 2am security worry?
Is it, do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night,
how do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual
work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out
endless questionnaires. Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale. And it fits right into your
workflows, using AI to streamline evidence collection, flag risks, and keep your program audit
ready all the time. With Vanta, you get everything you need to move faster, scale confidently,
and finally get back to sleep.
Get started at vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
Chris Nyhuis is founder and CEO of Vigilant.
I recently caught up with him
to discuss some practical steps
to protect money, identity, and devices.
So, Chris, as we are heading into the early part of this year,
I'd love to get kind of a reality check from you
where you estimate most organizations stand in terms of being prepared for the challenges that face them when it comes to cybersecurity this year?
I would actually tell you from experience, I would say most organizations are not prepared for what's coming their way.
It is a combination of two things.
The cyber industry isn't prepared, but then the organizations out there that are purchasing technology or implementing it,
they either don't have the resources on their staff to man some of the technology they're purchasing in the way that they need to to fight the threat actor of today.
Or they are buying things that just really can't hit the mark at defending them.
And it's going to be a big problem this year, especially as we accelerate with a lot more nation state activity from China and Iran and Russia.
Can you give us some examples of some of the things that are top of mind for you in terms of concerns?
Sure. You know, over, I would say, the last 10 years of evolution, what you see is, you know, cybersecurity used to fit across, I'm sure your audience is familiar with this, but the OSI model, the TCP model, where you have this full-stack detection within an organization.
And as we've started moving things out to the cloud,
or we start using things like virtualized firewalls,
or we're implementing detection more at the endpoint
because our users are remote and we're not really,
we're starting to disregard the network.
What we're seeing is a lot of attackers are taking advantage of that.
And so they're going downstack in terms of their attacks,
and you're seeing a lot of detections
go upstack. And where that benefits a lot of the cyber companies out there is it's a lot less
expensive to do security upstack than it is to do full stack. But the issue to the consumer is that
now you have a technology that's only seen a portion of your environment. And when you
then go and look at how a lot of these things are deployed, the very means by which they
collect data is diminished or flawed.
So you're making cyber decisions with a lot less information and data than you had before.
Is your sense that folks out there are aware that they're not seeing the whole picture, or is there sort of a blissful ignorance?
I think there's a – I wouldn't say blissful ignorance. I think there's a desire.
You know, I think the consumer is saying, look, we want cyber at this level. We need these things.
But I think a lot of the approach, a lot of the education even at, you know, inside cyber programs,
And I would even say most of the marketing that's out there really markets heavy towards this upstack, you know, approach.
And so, you know, when you're looking at the things that are, you know, best practices, those best practices, you really have to question them sometimes because they're really
driven in a lot of cases by who's marketing the best. And who's marketing the best is not always
the best at cyber warfare. And so a lot of the decision making now at the consumer level,
from what I see is they're driven by those top 10 lists or the best practices or the bright
vendors. And those are not always the vendors or the technologies that actually work.
It reminds me, you know, that old chestnut about how, from decades ago, how nobody ever got fired for choosing IBM.
Right.
You heard that.
Yeah.
I mean, is it a similar type thing.
Right.
Until they did.
And, you know, the thing, it is a very similar thing.
You know, it is the way in which these organizations have driven.
And I'll even say this, you know, a lot of our, and this is a controversial topic, but a lot of cyber is driven by private equity.
And that's not always a good thing.
You know, the decision-making inside those rooms is a lot different than, you know, does this work on the ground.
And when you deal with something like cybersecurity, you know, I'm a big believer that cyber should be a standard of care industry.
And, but I'm also a capitalist. I'm a big fan of high-growth organizations. I own a company as well.
And you have to balance that as a decision-maker and organization. You have to look at this and go, you know,
We're fighting cyber warfare.
This applies to the organizations that trust us to secure them.
Those organizations are primarily, you know, a large chunk of the financial stability of the United States.
And you have to make decisions to say, okay, will we allow ourselves to reduce our margin but make the right decision to fight against the threat actor, right?
Because the threat actor out there isn't, they're not making a
capability decision, right? But that does happen across the cyber industry. And organizations that
purchase these things, they don't really know that a capability has been diminished, you know,
especially as you look at AI coming into play, AI is a hyperscaler in some sense to help assist
cyber detection and cyber professionals. But it isn't even close to being in a place where it can be
replaced, but a lot of consumers are buying AI technology. But if you look at why a cyber
company would want to deploy AI first, a lot of cases it's to replace the very costly human
analyst and increase their margins. So I would just say that this year is going to be a very
interesting year where consumers are going to have to ask some really hard
questions of the people they're buying technology from.
What sorts of questions do you recommend they ask?
It depends on where you're applying, what you're applying.
You know, if you're looking at things like endpoint technology,
I would be very concerned as a consumer of asking the cyber providers that you're purchasing from
on how they are precisely curating detection to your organization.
You know, because when you look at things, like take marketing, for instance,
You know, we're told that aggregation is good, right?
And that taking technology from all of these organizations and doing an aggregation
across what's being attacked, and then using those aggregated
detections and intel within your environment to detect.
Well, when you start to ask questions of, well, how does that company actually create those aggregations,
you know, and how do those averages come around?
And you start to see that a lot of that comes from some of the larger customers that they have
because that's where that average is coming from.
And so most of their organizations that they protect are a lot of the smaller companies that are out there,
they're not getting any curation to the detection of their environment.
And in fact, the smaller companies, the mid-sized organizations are the primary targets for these hackers
because they're going through them to get to the larger companies.
And so, you know, when it comes to endpoint technology or even just Intel in general, that Intel is nowhere near curated to what you actually need to protect your organization.
So unless you have people on your staff that are going to, you know, curate or modify that intel, it's not going to detect what you needed to in your environment.
When you look at things like the network, for instance, it poses the same problem.
Most people do detection in their firewalls,
or they do detection with appliances that use span ports or mirror ports.
And when you look into the way that these technologies work,
a mirror port just by itself running on a daily basis
loses 30% of the packets going across your network.
And the reason for that is a couplefold.
One, the primary function of a firewall or switch is not to collect security data.
It's to be a firewall or a switch.
And so the processing priority for a span port and mirror port is lower.
And as those devices start to use more bandwidth or more of their backplane, they just start
dropping packets to things that have less priority, which is your span ports and mirror ports.
And the other factor there is that a lot of these technologies like firewalls, for instance,
you know, you have detection systems.
They're all using an ASIC chip set, you know, mostly in these.
And ASIC chipsets can't do deep packet inspection the way you need it to.
They're really meant to store and forward traffic.
And so when you're purchasing a network detection technology,
you really have to get into the architecture,
saying, hey, do you have Intel processors with enough cores, you know, or, you know, show me,
show me deep packet inspection. You know, a lot of these companies even have reduced the storage
on these devices. And so you can't do continuous PCAP anymore. And so they marketed things like
smart PCAP, right? Where, you know, it's smart because it turns on when an event happens. Well,
that doesn't help you because, frankly, when an event happens, you need to know what happened
before it, right? So, you know, the questions when it comes to these things are more around, you know,
architecture now. And you have to ask, you know, how are you doing what you're doing? Because
there's a lot of corners being cut in this industry, and you can see that by how many companies
are getting hacked.
So what are your recommendations then? I mean, for folks who are responsible for
turning these dials and figuring out how to get the most for their security budget.
Any words of wisdom?
Yeah, I'd speak first to CEOs.
I think that you have to put yourself, and if you're a professional listening to this
in cyber and your CEO isn't listening to this podcast,
I would strongly suggest that you sit down with them and really challenge them to become
the cyber leader at the organization.
Now, they're going to say, hey, I don't have the skill set to do that.
And really, what I would say is become their coach, you know, because they have to be able to
understand how to wield cyber warfare at their company.
They have to.
The CEO has to get to that point.
And I would say it's one of the reasons why cybersecurity does not get the budget at most
organizations.
And because the C-level, they just don't understand it.
And so I would say as you're purchasing, do not purchase the cheapest solution.
You have to purchase the things that work and the best in class.
I would 100% do side-by-side comparisons.
And I would ask them hard questions.
Like, can you forensically prove this?
And I would ask them to show you the real data behind the reporting that they give you.
Because there's a lot of reports that just frankly are just skewed to be false.
As a consumer of these technologies, I would highly and very strongly from a cyber standpoint,
really challenge yourself to work with U.S.-based companies that have U.S. citizens protecting your infrastructure.
We're going to see over the next few years, I think, significant change in the boundaries of cybersecurity,
and they're going to start looking more like nation lines.
We're already seeing that in Europe, et cetera.
And when you work with organizations that have more foreign presence, things like that, as we're starting to do incidents,
you're going to start seeing a lot of compliance requirements that restrict them from even doing analysis
within your environment.
That's Chris Nyhuis from Vigilant.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application
security incident last year, and 92% of responders reported threat levels have increased in
the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising
performance, time to market, or user experience.
Discover how Guardsquare provides industry-leading security for your Android and iOS apps at
www.guardsquare.com.
Security works best in layers, and when those layers actually work together, that's when
things get interesting.
NordLayer is a network security platform designed for modern teams.
It secures connections, controls access, and helps stop threats, all without
hardware or long deployment cycles.
Now, NordLayer has partnered with CrowdStrike to bring Falcon endpoint protection into the mix,
giving small and mid-sized businesses a multi-layered security approach that's practical to deploy and easy to manage.
NordLayer handles secure access and zero-trust networking.
CrowdStrike Falcon adds endpoint visibility and protection.
Together, they cover more ground than either could alone without requiring a large IT staff.
For business leaders, that means clearer control and easier compliance.
For IT teams, it means granular access policies, faster onboarding and protection that scales.
If you're looking for enterprise-grade security without enterprise-grade complexity,
take a look at NordLayer.
Get up to 22% off yearly plans, plus an additional 10% with code Cyberwire-10.
There's even a 14-day money-back guarantee.
Check out NordLayer.com slash Cyberwire Daily to learn more.
And finally, the curl project is an open-source effort that builds and maintains
curl, a command line tool and software library used to transfer data over networks.
The curl project has decided it has had quite enough of being told, repeatedly and creatively,
that it might be vulnerable.
Its maintainer, Daniel Stenberg, announced that curl will shut down its HackerOne bug bounty
program at the end of January after being swamped by low-quality, often AI-generated vulnerability
reports. Since 2019, curl and its sibling library libcurl have offered cash rewards through
HackerOne. Recently, however, the signal-to-noise ratio collapsed. Stenberg says the security team has
been buried under reports that sound impressive, require hours to triage, and ultimately describe
non-issues. The fix is blunt: remove the bounty, remove the incentive, and restore sanity. Starting
February 1st, curl will accept reports directly via GitHub, offer no money, and reserve the right
to publicly mock especially bad submissions. A blog post, presumably more polite, is promised.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at
thecyberwire.com.
Be sure to check out this weekend's research Saturday.
My conversation with Andrew Northern,
principal security researcher at Censys.
The research we're discussing is titled "From Evasion to Evidence:
Exploiting the Funneling Behavior of Injects."
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
If you only attend one cybersecurity conference this year, make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco, bringing together the global
security community for four days of expert insights, hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference. The ideas and conversations stay with me
all year. Join thousands of practitioners and leaders tackling today's toughest challenges
and shaping what comes next. Register today at rsaconference.com slash
cyberwire26. I'll see you in San Francisco.
Attackers don't go through your tools, they go around them.
In our interview with Jared Atkinson, CTO at SpecterOps,
he reveals how attackers look to exploit our identities, steal tokens,
and quietly snowball their access across Active Directory, cloud apps, and GitHub.
We talk through attack paths, why least privilege keeps failing,
and how one misconfiguration can hand over the keys
to your organization.
Want to see risk as attackers do?
Then check out the full interview now
at thecyberwire.com slash specterops.
