CyberWire Daily - When encryption meets enforcement.
Episode Date: January 26, 2026
Microsoft granted the FBI access to laptops encrypted with BitLocker. The EU opens an investigation into Grok’s creation of sexually explicit images. Glimmers of access pierce Iran’s internet blackout. Koi Security warns npm fixes fall short against PackageGate exploits. Some Windows 11 devices fail to boot after installing the January Patch Tuesday updates. CISA warns of active exploitation of multiple vulnerabilities across widely used enterprise and developer software. ESET researchers have attributed the cyberattack on Poland’s energy sector to Russia’s Sandworm. This week's business breakdown. Brandon Karpf joins us to talk space and cyber. CISA sits out RSAC.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Our guest today is cybersecurity executive and friend of the show Brandon Karpf with Dave Bittner and T-Minus Space Daily host Maria Varmazis, for our monthly space and cyber segment. Brandon, Maria and Dave discuss “No more free rides: it’s time to pay for space safety.”
Selected Reading
FBI Accessed Windows Laptops After Microsoft Shared BitLocker Recovery Keys (Hackread)
European Commission opens new investigation into X's Grok (The Register)
Amid Two-Week Internet Blackout, Some Iranians Are Getting Back Online (New York Times)
Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies (Bleeping Computer)
Microsoft investigates Windows 11 boot failures after January updates (Bleeping Computer)
CISA says critical VMware RCE flaw now actively exploited (Bleeping Computer)
CISA confirms active exploitation of four enterprise software bugs (Bleeping Computer)
ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 (ESET)
Aikido secures $60 million in Series B funding. (N2K Pro Business Briefing)
CISA won't attend infosec industry's biggest conference (The Register)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
If securing your network feels harder than it should be, you're not imagining it.
Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups.
That's where NordLayer comes in.
NordLayer is a toggle-ready network security platform built for businesses.
It brings VPN, access control, and threat protection together in one place.
No hardware, no complicated configuration: you can deploy it in minutes and be up and running in less than 10.
It's built on zero-trust principles, so only the right people can get access to the right resources.
It works across all major platforms, scales easily as your teams grow, and integrates with what you already use.
And now, NordLayer goes even further through its partnership with CrowdStrike,
combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses.
Enterprise-grade security made manageable.
Try NordLayer risk-free and get up to 22% off yearly plans,
plus an extra 10% with the code Cyberwire10.
Visit NordLayer.com slash CyberWire Daily to learn more.
Microsoft granted the FBI access to laptops encrypted with BitLocker.
The EU opens an investigation into Grok's creation of sexually explicit images.
Glimmers of access pierce Iran's internet blackout.
Koi Security warns npm fixes fall short against PackageGate exploits.
Some Windows 11 devices fail to boot after installing the January Patch Tuesday updates.
CISA warns of active exploitation of multiple vulnerabilities across widely used enterprise and developer software.
ESET researchers have attributed the attack on Poland's energy sector to Russia's Sandworm.
We got your business brief.
Brandon Karpf joins us to talk space and cyber, and CISA sits out RSAC.
It's Monday, January 26, 2026. I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. It's great as always to have you with us.
A recent court case in Guam highlights a little-known privacy trade-off in Windows security during a federal investigation into alleged COVID-19
relief fraud. The Federal Bureau of Investigation accessed encrypted laptops protected by BitLocker without
breaking the encryption. Instead, investigators obtained the recovery keys directly from Microsoft
after securing a warrant. The reason this was possible is that many Windows users choose to
back up their BitLocker recovery keys to their Microsoft accounts for convenience. When those keys
are stored in the cloud, Microsoft can legally provide them to authorities. Microsoft says it fulfills
about 20 such requests a year. The case underscores a familiar trade-off between convenience and
control. Users who want maximum privacy can store recovery keys offline rather than in the cloud,
ensuring only they can unlock their data. The European Commission has opened a new investigation
into X over concerns that its generative AI model, Grok, enabled the creation of sexually explicit
images, including sexualized images of children. The probe is being conducted under the Digital
Services Act, which requires platforms to assess and mitigate systemic risks, such as illegal content
and serious harm to users. The Commission says Grok may have exposed EU citizens to significant
harm and will assess whether X met its legal obligations.
X says it has zero tolerance for child sexual exploitation and has taken steps to restrict
image generation, including limiting it to paying users.
The investigation could lead to fines of up to 6% of X's global turnover and expands
existing DSA proceedings already underway.
After more than 17 days of a near-total internet blackout,
some Iranians are gaining brief, sporadic online access
amid a violent crackdown on nationwide protests.
These short windows have allowed people to reassure families
and share videos and testimony with journalists and rights groups,
offering new insight into the scale of repression.
Human rights organizations now believe deaths may far exceed earlier estimates of about 5,200.
The shutdown imposed as protests escalated and calls to overthrow the Islamic Republic
has severely limited reporting by outlets such as the New York Times.
Experts at NetBlocks and the digital rights group Miaan say the fleeting access
likely reflects government experiments with tightly controlled, tiered internet access.
The blackout remains the longest and most extensive Iran has imposed.
Security researchers have identified weaknesses in defenses introduced after the Shai-Hulud supply chain attacks
that allowed attackers to bypass protections in JavaScript package managers using Git-based dependencies.
The issues, dubbed PackageGate, were discovered by researchers at Koi Security and affect multiple tools.
The findings stem from mitigations added after Shai-Hulud compromised hundreds of packages and exposed hundreds of thousands of developer secrets.
While measures such as disabling lifecycle scripts with ignore-scripts were recommended,
Koi found that npm installs from Git repositories can be abused via malicious configuration files to achieve full code execution even when scripts are disabled.
The researchers say this technique has already been used in proof-of-concept attacks.
Other package managers patched similar flaws.
npm rejected the report, saying the behavior works as expected.
Parent company GitHub said it is scanning for malware
and urged stronger supply chain security practices,
according to reporting by BleepingComputer.
Microsoft is investigating reports that some Windows 11 devices
failed to boot after installing the January 2026 Patch Tuesday updates. The issue triggers an
unmountable boot volume stop error during startup. Affected physical devices cannot boot into
Windows and require manual recovery, while virtual machines appear unaffected. Microsoft has asked users to
submit reports via Feedback Hub and says it is still determining whether the problem is update-related,
according to reporting first noted by AskWoody.
CISA has warned that attackers are actively exploiting multiple vulnerabilities
across widely used enterprise and developer software,
adding them to its known exploited vulnerabilities catalog.
The flaws affect products from Versa, Zimbra, the Vite JavaScript framework,
and the Prettier code formatter.
Exploitation includes authentication bypasses, improper access controls,
and supply chain attacks involving malicious npm packages.
CISA also flagged a separate critical heap overflow vulnerability
in VMware vCenter Server that enables remote code execution
and has no workaround beyond patching.
Federal civilian agencies are required to apply fixes or mitigations by mid-February.
CISA has not disclosed details about the attacks or their connection to ransomware.
Researchers at ESET have attributed a major late-2025 cyber attack on Poland's energy sector to the Russia-aligned
advanced persistent threat group Sandworm. The incident, described as Poland's largest cyber
attack in years, involved data-wiping malware that ESET has dubbed DinoWiper, detected as
Win32/KillFiles.NMO. Based on malware analysis and overlapping tactics, techniques, and procedures,
ESET says it made the attribution with medium confidence,
though it found no evidence the attack caused a successful disruption.
The timing is notable, coming during the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid,
the first malware-induced blackout.
ESET says Sandworm continues to regularly target critical infrastructure,
particularly in Ukraine, using destructive wiper attacks.
Looking at our business brief, last week the global cybersecurity sector saw a wave of funding and consolidation,
with multiple startups raising capital and a surge of mergers and acquisitions across five countries.
Belgium-based developer security firm Aikido led funding with a $60 million Series B,
while post-quantum security startup Project 11 raised $20 million.
Additional funding rounds supported firms focused on human risk management, cyber intelligence, software security, and digital forensics across
Europe, the U.S. and India. M&A activity was equally strong with 10 announced deals. Notable transactions
include Infoblox acquiring exposure management firm Axor, Delinea buying StrongDM, and
Thinkst Canary acquiring Decept IQ. The deals reflect continued investment in identity security, managed services,
governance and proactive threat detection as the market matures.
Be sure to check out our weekly business briefing on our website.
It's all part of CyberWire Pro.
Coming up after the break, Brandon Karpf joins us to talk space and cyber,
and CISA sits out RSAC.
Stick around.
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe are my vendors secure?
or the one that really keeps you up at night,
how do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence,
and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data,
and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have
increased in the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising
performance, time to market, or user experience.
Discover how Guardsquare provides industry-leading security for your Android and iOS apps
at www.guardsquare.com.
Brandon Karpf is leader of international public-private partnerships at NTT,
and before that, he was one of our colleagues here at the CyberWire.
I recently sat down with him and Maria Varmazis from the T-Minus Space Daily podcast
to talk space and cyber.
So I want to talk about space safety and who's keeping track of what's where in orbit.
Maria, is it fair for me to start with you to give us the little
TL;DR on how we track things in orbit and where to begin with this?
I'm going to do my best.
It is confusing.
So I'm sure a listener out there who knows this world inside and out is going to go,
I got half of this wrong.
But I'm going to try.
Our view of what's going on in space is not as complete as I think most people would
think it is.
We know very well, for the most part, what geostationary satellites are in orbit.
Because from our perspective, they don't really go very fast.
We see them and they're up in the sky and they're like, okay,
they're there. Low Earth orbit, we have a somewhat patchwork understanding of what's on orbit,
and there's a lot that we miss. And essentially, there's no one entity that's in charge of
tracking all this. I think that's the thing that surprises a lot of people. There's no central traffic
control. There are a lot of private companies that are tracking space satellites, space debris,
of different sizes, things like that. There are several different governments that are tracking
satellites. The United States government certainly is doing its business on that part.
And then there's the U.S. Department of Commerce that is sort of seen as like the best that
we have at a central repository for understanding what's on orbit.
But again, there is no complete knowledge of everything that's up there.
So when people are saying how many satellites are in orbit, it's always an estimate
because we can't know at one time.
Like, you think of a sci-fi movie.
Oh, we can see all the satellites up there and we know exactly where they are.
No, we don't.
It's just not that complete.
We have a good sense of it.
And there are different ways to patch the information together,
to get it, but it's not like a complete accurate picture of like our asset management system
or our network. We just don't know entirely.
So this article talks about a system. Do I have it right, referred to as TraCSS?
TraCSS, yeah. And what is that?
TraCSS is a system that is currently in beta, that is coming out of beta, that is headed by the U.S.
Department of Commerce, that is supposed to be the best that we can get at a central understanding
of what's going on in space.
And this is a project that's been in the works for some years.
And in the middle of 2025, there actually was a White House budget thing to kill it entirely,
which was very alarming for people in the space industry because a lot of people had been banking on this coming out.
So thankfully, it sounds like that didn't happen because the industry rallied to save it.
But it did start this larger conversation of we seriously do not have a great understanding of all of the assets in space.
TraCSS was seen as our best bet, but it's still not the best.
And again, there's a lot of confusion about it.
I'm confused as trying to explain it because there really isn't a great clear picture of this.
And every time I try to learn more about it, it's like there's a bazillion small companies that are trying to add to this.
And are they all talking to each other?
No.
It's not great.
It's not great.
Kind of like a disaggregated air traffic control system, right?
Yeah.
And it doesn't exactly engender confidence in this whole thing.
We're talking about space debris, you know, collision avoidance, that kind of thing.
It's like, do we have that one single pane of glass of knowledge?
And the answer is no.
And that's terrifying to me, to be honest.
So what this article gets to, Brandon, is we closed out last year with an executive order from President Trump,
which was titled Ensuring American Space Superiority, which talks about
these traffic management services, and there was a subtle shift in the language used here.
Can you unpack that for us?
Yeah, I'll start with kind of like a why this is so important right now.
Years ago, when I was an undergrad in college, I somehow got myself accepted into an internship
program at the National Reconnaissance Office, so NRO in Chantilly, Virginia.
And so as an intern at this place, I got to tour their watch floor in their operations center,
and this kind of really cool dark room
with all of these computer screens
and these big screens on the wall
with abstractions of orbits
and things like that.
This massive floor,
there was about five people there.
And there were mostly like 20-year-old
Air Force enlisted
airmen.
This was way before the Space Force.
When I was asking this one,
what he was doing,
he was looking at all these conjunction
warnings. Yeah. And really,
conjunction warning is when a piece of
debris or two satellites get within
100 miles or something like that
of each other, there's a warning based
on what we're actually tracking.
And so I was asking, cool, like how many
satellites are there? And he's
like, well, probably about 1,000 that we're tracking.
And cool, how many pieces of debris are we tracking?
That's, oh, another couple thousand.
And that's awesome. So, you know, how many
conjunctions are you addressing? And this
explains why there was only five people
on the watch floor. He goes,
we get one, like one a day, maybe.
So that was a little bit ago with a thousand satellites.
This was a while ago.
Today we have 14,000 satellites up there.
Approximately.
Approximately, right?
With plans of growing potentially to like 100,000 in the next four years, satellites.
In different orbits.
On top of that, all the space debris continues to increase.
So now conjunction messages have increased from one a day, a couple a day, maybe a few dozen a day, to over 600,000 every single
day.
Yeah.
Wow.
Right.
And who's the central authority for, hey, there's a conjunction event happening?
Who do you talk?
Who coordinates with whom on that?
How do you, how does that, how does it work?
And it's definitely not NRO because they're focused on the few exquisite military and
intelligence community satellites.
It's not NASA because that's not NASA's mission.
It's not really the FAA because the FAA does some stuff with space traffic,
but mostly with launch and recovery.
For some reason, this TraCSS system is with the Department of Commerce.
So really what we're getting to is, as Maria pointed out,
there is no central authority to, as the White House has released,
ensure American space supremacy over the coming decade,
especially when it comes to traffic management.
And so what's interesting here in the change is this policy put out by the White House,
I think, I mean, what was it, like December 18th?
It was right before the holidays, is that the U.S. government is going to make this system
available for free, make the data within the traffic management system, this TraCSS system.
And I assume others, although it's still kind of unclear exactly what data and from where and to
whom and how to get access to it.
but supposedly making it accessible to the whole industry.
Which would be a good thing because more information is good.
Is there a downside to this?
No, I mean, it's a budget item.
The Government Funding Act, the one big beautiful Bill Act that was passed over the summer,
did increase the FAA's ability to charge commercial space companies
in terms of how much payload by mass they're putting into orbit.
And so there are increased revenue lines for the government to potentially fund things like this.
But I think to me right now, especially this being totally new, without a lot of analysis being put forward,
it's a little unclear where the data is coming from, how people get access to it,
whether TraCSS is going to be the system of record.
If Department of Commerce is going to continue to manage that, which is a little bit odd.
It's not like, at least I'm not aware that they do traffic management for shipping or for air traffic or things like that.
So why would they do space traffic?
A little bit unclear.
So this article points out that space situational awareness is no longer just a safety function but a strategic one.
And so Brandon, putting on your former military hat, is there a case to be made strategically
to limiting the availability of this information?
Oh, interesting question.
So certainly within these feeds,
and there will probably be information
on the location that position the vectors
of more exquisite space capabilities.
But then again, that stuff is up there.
It's not like it's a secret, right?
What it does is potentially a secret,
but it's pretty obvious to see the thing
because if you have a clear, unobstructed view of the night sky,
you can pretty much track anything that's up there
with some relatively inexpensive equipment,
whether through radio frequency collection
or from actually measuring
and doing kind of like radar-type telemetry off of satellites.
So I think the analogy here is probably similar to Earth observation,
where all these commercial providers of Earth observation assets,
Now you can go and buy, you know, down to the 10-centimeter level Earth observation data, right?
Pictures of Earth down to that level of granularity of anywhere on Earth.
You can go and buy this of, you know, views of war zones like Ukraine and see that data yourself.
You know, historically, that's just been nation states who have access to that information,
but now private companies are providing that.
Similarly, not just with Earth observation, but also signals intelligence, right?
There's some companies like HawkEye 360
who are providing site surveys
and signals around different areas of the world.
Again, typically an exquisite capability
that was reserved to nation states.
So this is kind of democratization of exquisite data
is nothing new to this industry.
I think the more we see the space industry grow and accelerate,
the more we're going to see exquisite sources of data
being broadly accessible to anyone
who wants to write a check to these companies.
What's unique here, I think as you pointed out,
is this is being provided by the government.
And it's not just government data.
It looks like it's some commercial data as well.
Again, who's paying for unknown?
Adding on as a corollary, the space industry overall,
especially in the U.S.,
is at this very interesting point
where a lot of capabilities that have been grandfathered in
are like with the DOC owning TraCSS.
It doesn't, at least to my mind,
make a whole lot of sense why it's there.
There's this element of maturity that's happening very quickly right now by necessity.
And it's going to be very interesting to see if we get any transparency about some of this data.
As you said, we don't know where some of the commercial stuff is going from or going to.
And if that's, do we even need to know that?
But I mean, there are some capabilities that TraCSS can't do, and the commercial sector is trying to fill in those gaps.
Like for space debris, for example, there are certain sizes of space debris that are so tiny but still extremely dangerous that a lot of people in the private sector are trying to make their niche of detecting that space debris.
Is that information going to make it into TraCSS?
And if it is, I imagine it's going to come on a very premium price.
But it's still extremely important to avoid not just collisions,
but eventually even the Kessler effect, God forbid.
Yeah, I wonder how quickly does this problem or this challenge become hard to manage
or impossible to manage?
Brandon, you talked about going from one a day to 600,000 alerts.
So it doesn't strike me as being linear, right?
The more objects we put up there, the more potential for interactions and debris and collisions
and all that kind of stuff.
So when does this become unmanageable and who's in the best position to manage it?
Yeah, the rules of the road here are kind of interesting.
And pick your analogy.
If we looked at the FAA's air traffic control system, right, the number of flights per day
are still pretty limited and regionally so
and controllable with proper staffing.
That's a separate issue entirely
in terms of the air traffic controllers of the FAA.
But it's a tractable problem at human speeds, right?
And human analysis,
especially with airplanes all having their transponders
and transcoders and sending their location information
and moving relatively slowly.
whereas in low Earth orbit, things are moving much faster.
Of course, the distances are greater, but you're having a lot more and a lot more potential
conjunctions.
This quickly, to your point, grows exponentially to a stage where I don't think human intervention
is going to be the proper approach.
So now a different analogy would be like the Security Operations Center, who's looking
at intrusion alerts and things like that, where we're now getting potentially billions
of alerts per day at the largest security operations centers, and no staff, no human staff can review all those alerts. So you have to implement a layer
of automation and automatic analysis on top of that to elevate the most critical alerts or to
respond automatically, which is what we're seeing in the security world, right? And, you know,
the initial response is happening autonomously without human intervention. And that's just not a
human tractable problem. It's amazing to me that when you mentioned the security operations center,
when I was at one of the space conferences,
I saw something about alert fatigue
and cutting through the noise
and I'm going, oh my gosh,
that language is now in the space world.
And I was just thinking of, you know,
all the things about cutting through the noise
and, you know, how to make sense
of what's in your logs
and I'm going, this is the exact same problem.
But talk about an opportunity
for the folks in the cybersecurity industry,
potentially kind of diversifying,
you know, SOAR, security orchestration,
automation, and response
can now mean space operations,
automation, and response, right?
Oh, nice.
I mean, the same kind of tools that the cybersecurity industry has been forced to
innovate around and develop over the last decade could be incredibly helpful.
And the lessons learned of how to build proper operations floors and teams and manage the
human element like alert fatigue, et cetera.
Time will tell.
It strikes me that we're playing a bit of catch up when it comes to this stuff.
But that's just my sense.
All right, Maria Varmazis is host of the T-Minus Space Daily podcast, and Brandon Karpf is the leader of international public-private
partnerships at NTT.
Thanks for joining us, friends.
Thank you.
Thank you.
Our thanks to Brandon Karpf for joining us.
Be sure to check out the T-Minus Space Daily podcast wherever you get your favorite podcasts.
And finally, the Cybersecurity and Infrastructure Security Agency has decided it will not attend
the RSA Conference this March,
a move that leaves much of the cybersecurity world blinking in confusion.
This is, after all, the industry's largest annual gathering,
a week-long exercise in talking about threats, resilience, and coordination,
exactly the sort of thing a national cyber defense agency might be expected to show up for.
CISA says the decision reflects a renewed focus on core statutory duties
and alignment with President Donald Trump's security priorities,
along with careful use of taxpayer dollars.
Fair enough, except RSAC has long been
where CISA delivered its message,
rallied vendors, and talked directly to defenders.
The absence lands days after former CISA director Jen Easterly
became RSAC's CEO,
her latest stop after a politically turbulent exit from government
and a rescinded role at the United States Military Academy at West Point.
Once, CISA officials headlined RSA; now they're skipping it.
for an agency tasked with national cyber coordination,
opting out of the one place everyone coordinates,
feels less strategic and more baffling.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders.
tackling today's toughest challenges and shaping what comes next.
Register today at rsaconference.com slash cyberwire26.
I'll see you in San Francisco.
Attackers don't go through your tools, they go around them.
In our interview with Jared Atkinson, CTO at SpecterOps,
he reveals how attackers look to exploit our identities, steal tokens,
and quietly snowball their access across Active Directory,
cloud apps and GitHub.
We talk through attack paths, why least privilege keeps failing,
and how one misconfiguration can hand over the keys to your organization.
Want to see risk as attackers do?
Then check out the full interview now on thecyberwire.com slash specterops.
