CyberWire Daily - When politics break the firewall.
Episode Date: October 1, 2025
Major federal cybersecurity programs expire amidst the government shutdown. Global leaders and experts convene in Riyadh for the Global Cybersecurity Forum. NIST tackles removable media. ICE buys vast troves of smartphone location data. Researchers claim a newly patched VMware vulnerability has been a zero-day for nearly a year. ClickFix-style attacks surge and spread across platforms. Battering RAM defeats memory encryption and boot-time defenses. A new phishing toolkit converts ordinary PDFs into interactive lures. A trio of breaches exposes data of 3.7 million across North America. Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE. The Lone Star State proves even the internet isn’t bulletproof.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Tim Starks, Senior Reporter from CyberScoop, is back and joins Dave to discuss a report from Senate Democrats on the Department of Government Efficiency (DOGE). You can read Tim’s article on the subject here.
Selected Reading
Cyber information-sharing law and state grants set to go dark as Congress stalls over funding (The Record)
Live - Global Cybersecurity Forum in Riyadh tackles how technology can shape future of cyberspace (Euronews)
NIST Publishes Guide for Protecting ICS Against USB-Borne Threats (SecurityWeek)
ICE to Buy Tool that Tracks Locations of Hundreds of Millions of Phones Every Day (404 Media)
Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability (SecurityWeek)
Don’t Sweat the ClickFix Techniques: Variants & Detection Evolution (Huntress)
Battering RAM Attack Breaks Intel and AMD Security Tech With $50 Device (SecurityWeek)
New MatrixPDF toolkit turns PDFs into phishing and malware lures (Bleeping Computer)
3.7M breach notification letters set to flood North America's mailboxes (The Register)
A Bullet Crashed the Internet in Texas (404 Media)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications,
data and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
Major federal cybersecurity programs expire amidst the government shutdown.
Global leaders and experts convene in Riyadh for the Global Cybersecurity Forum.
NIST tackles removable media.
ICE buys vast troves of smartphone location data.
Researchers claim a newly patched VMware vulnerability has been a zero-day for nearly a year.
ClickFix-style attacks surge and spread across platforms.
Battering RAM defeats memory encryption and boot-time defenses.
A new phishing toolkit converts ordinary PDFs into interactive lures.
A trio of breaches exposes data of 3.7 million across North America.
Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE.
And the Lone Star State proves even the internet isn't bulletproof.
It's Wednesday, October 1st, 2025. I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. Welcome to October. It's great to have you with us.
Two major federal cybersecurity programs are set to expire this morning as Congress remains deadlocked over government funding.
The Cybersecurity Information Sharing Act of 2015, which shields companies that share threat
intelligence, and the $1 billion state and local cybersecurity grant program will both lapse
without reauthorization.
The House advanced renewal bills earlier this month, but Senate gridlock has left the programs
tied to a stalled stopgap spending measure.
Tensions boiled over Tuesday, with Senator Gary Peters, a Democrat from Michigan,
warning the lapse would weaken U.S. defenses,
while Senator Rand Paul, a Republican from Kentucky, blocked an extension,
citing concerns about alleged free speech abuses by CISA.
Former CISA Deputy Director Nitin Natarajan said
both efforts are critical for resilience,
particularly for smaller jurisdictions.
Without them, he warned,
threat sharing and cyber defenses will diminish,
raising risks for everyday Americans.
Global leaders and experts convened in Riyadh
for the Global Cybersecurity Forum,
focusing on scaling cohesive advancements in cyberspace.
Discussions centered on artificial intelligence,
quantum computing,
and the urgent need for global cooperation
to counter rapidly evolving cyber threats.
Speakers highlighted AI's dual role as both a defensive tool and attack enabler,
stressing the importance of resilience over purely preventive strategies.
ITU Secretary-General Doreen Bogdan-Martin underscored the value of standards for trust in communications,
while Interpol officials compared personal cyber defense to securing one's home.
Other panelists warned that cyber attacks target people
as much as machines, with rising risks from disinformation and low-cost AI-driven exploits.
Saudi Arabia and the UN announced a new global capacity-building initiative
to strengthen training, research, and policy development worldwide.
NIST has released Special Publication 1334,
a concise guide to managing cybersecurity risks from removable media in operational technology environments.
The document highlights USB flash drives as common tools for firmware updates and diagnostics,
but also major malware vectors threatening industrial control systems.
The two-page guide outlines procedural, physical, technical, and transportation controls,
urging strict policies, secure storage, malware scanning, and data sanitization.
NIST warns infected devices can disrupt operations or compromise safety,
underscoring the growing sophistication of OT-targeted threats.
Immigration and Customs Enforcement has resumed purchasing access to vast troves of
smartphone location data, according to documents reviewed by 404 Media.
ICE selected surveillance tools from Penlink, whose products Tangles and Webloc
aggregate billions of daily signals from hundreds of millions of devices
and link them with social media data for analysis.
The decision reverses earlier assurances
that ICE had ended such practices
after a Department of Homeland Security Inspector General report found
the agency violated the law
by using location data without adequate safeguards.
Critics, including Senator Ron Wyden,
warn the program enables warrantless tracking
of Americans' movements in sensitive areas,
such as abortion clinics or houses of worship.
ICE maintains the data is necessary to support investigative missions.
A newly patched VMware vulnerability has been exploited as a zero-day since October 2024, according to NVISO Labs.
The flaw, rated high severity with a CVSS score of 7.8, impacts VMware Aria Operations and VMware Tools,
allowing attackers to escalate privileges to root on virtual machines.
While Broadcom released patches this week, its advisory did not acknowledge in-the-wild
exploitation. NVISO attributes the activity to Chinese state-sponsored group UNC5174, which has
used the bug for at least a year. The issue also affects the open-source variant open-vm-tools
included in major Linux distributions. NVISO warns attackers can exploit weak regex logic to
elevate malicious binaries staged in writable directories.
Broadcom has patched affected products, with Linux vendors to deliver updates for open-vm-tools.
ClickFix style attacks are surging and spreading across platforms.
Huntress reports a 631% rise in incidents over six months, with techniques now abusing
native macOS and Linux functions, not just Windows.
Adversaries weaponize user helpfulness.
Fake verifications and interstitials copy attacker commands to the clipboard,
then prompt execution via Run, File Explorer, or a shell, or stage downloads.
Variants include FileFix, TerminalFix, and DownloadFix.
Observed payload flows show explorer.exe or a browser spawning scripting interpreters
and making outbound connections, with registry and file artifacts that aid detection.
This matters because these lures bypass technical controls and target behavior.
Detection choke points focus on interpreters,
suspicious parent processes, and network egress,
plus behavioral analytics and process relationship monitoring
to cover future iterations and payload swaps, including scams and phishing.
Researchers representing KU Leuven in Belgium
and the University of Birmingham and Durham University in the UK
disclosed Battering RAM, a hardware attack that uses a $50 interposer
placed between CPU and DRAM to gain plaintext access to protected memory
on Intel and AMD systems.
The technique can bypass Intel SGX and AMD SEV-SNP,
defeating memory encryption and boot-time defenses by redirecting protected
addresses to attacker-controlled locations.
The proof-of-concept targets DDR4, requires brief physical access, and cannot be patched in software.
Intel and AMD say physical access attacks fall outside their threat models.
Full technical details were published by the researchers.
A new phishing and malware toolkit called MatrixPDF converts ordinary PDFs into interactive lures
that bypass email defenses and redirect victims to credential theft pages or malware,
Varonis researchers told BleepingComputer.
First seen on cybercrime forums and promoted via Telegram,
the builder, marketed as a phishing simulation and red teaming product,
lets attackers import legitimate PDFs, add blurred content and fake secure document prompts,
and embed JavaScript and clickable overlays that open external payload URLs.
Because the PDFs carry no malicious binaries, Gmail's viewer does not execute PDF JavaScript
and treats subsequent fetches as user-initiated clicks, enabling a filter bypass.
MatrixPDF is sold by subscription.
Varonis urges AI-driven email defenses that analyze PDF structure, detect overlays, and detonate
embedded URLs in sandboxes.
Three companies disclosed breaches this week impacting about 3.7 million people across North America.
Allianz Life confirmed nearly 1.5 million customers, staff, and financial professionals
were exposed in a third-party CRM break-in with social security numbers among the data stolen.
Canadian airline WestJet reported 1.2 million Americans' information compromised in a June attack linked to Scattered Spider,
though no payment data was taken.
Meanwhile, Ohio-based Motility Software Solutions
said ransomware affected 766,000 people,
potentially exposing personal and license data.
All firms offered credit monitoring.
Coming up after the break,
Tim Starks from CyberScoop unpacks a report from Senate Democrats on DOGE,
and the Lone Star State proves even the Internet isn't bulletproof.
Stay with us.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters,
like strengthening your security posture and scaling your business.
Vanta GRC. Just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's V-A-N-T-A dot com slash cyber.
AI adoption is exploding, and security teams are under pressure to keep up.
That's why the industry is coming together at the DataSec AI conference,
the premier event for cybersecurity, data, and AI leaders, hosted by data security leader
Cyera. Built for the industry, by the industry, this two-day conference is where real-world insights and bold solutions take center stage.
DataSec AI 25 is happening November 12th and 13th in Dallas.
There's no cost to attend.
Just bring your perspective and join the conversation.
Register now at DataSecAI2025.com slash CyberWire.
Joining me once again is Tim Starks, senior reporter at CyberScoop. Tim, it's great to have you back.
Always my pleasure.
So we've got a group of Senate Homeland Security and Governmental Affairs Committee members,
Democrats, we should note, who put out a new report recently that you've chronicled over on
CyberScoop. What's going on with this report, Tim?
Yeah, so the committee Democrats said we're going to take a look at what DOGE was doing, the Department of Government Efficiency.
What they were doing at a few agencies: Social Security Administration, General Services Administration, and the Office of Personnel Management.
And what they found and concluded in the report that they released was that essentially they're operating outside of privacy and cybersecurity laws.
Some of these things are things we've heard before.
Some of these things have been reported.
Some of these things have been alleged in court disclosures.
But they do get into the weeds a little bit more on those specific agencies, a couple specific things that are happening at those.
And they detail the way in which they've been rebuffed as, you know, overseers, the check on the federal government.
The oversight role, they say, was being squashed here.
Before we dig into the details, reading through this report, what is your take on the seriousness of it versus the partisan nature of it?
Obviously, this is all Dems.
What's your take?
It's a really good question.
I mean, I think if Republicans were doing this report, it wouldn't exist.
They just wouldn't do it.
Certainly for a Republican administration, they just wouldn't pursue it with the state of the party today.
I'm sure the Democrats don't mind sticking it to the Trump administration.
But the person leading the committee is Gary Peters on the Democrat side.
And Gary Peters is one of the more bipartisan senators in the entire body.
If you just look at his track record and look at the way he's worked on cyber issues particularly.
You know, before the current chairman, Rand Paul, he worked with the predecessor there to pass a lot of legislation.
So I can't say that there's no partisan motive, but I can say that the history of the person who's leading it would suggest that at least a significant amount of it is coming from a legitimate desire to have oversight in the face of a Republican leadership that doesn't seem to be interested in saying anything negative whatsoever about this administration.
Well, let's dig into some of the details here.
What are some of the things that you think should have the attention of our audience?
You know, there were some sections in there about the GSA and them having a Starlink link, or network, that potentially puts information security at that agency in jeopardy.
They already have a secure internet connection, was what the report said.
Starlink just gives opportunities, certainly for, you know, what they think it was about, which was people from the Department of Government Efficiency
being able to communicate outside of official channels,
but gives a way in for attackers.
The other thing that struck me as new and noteworthy was
that after the uploading of a big file of personal information
at the Social Security Administration known as NUMIDENT,
there was a risk assessment done by the SSA,
and they looked at it and said,
as a result of this and not having additional protections against unauthorized access,
the risk of a catastrophic cyber attack or breach is at 35 to 65%.
They said that sensitive personal information could be exposed.
They talked in the report about some things we've heard about before,
which is that some of these things,
some of these kind of changing of environments and moving things around,
is giving an opportunity to foreign adversaries.
They talked about good old Big Balls,
the somewhat infamous DOGE employee.
You know, there's been some reporting about his past,
working at a cybersecurity firm and getting fired allegedly for sharing sensitive information
with a competitor.
So there's a lot of stuff that's familiar.
There's a lot of stuff that is new.
And there's a lot of stuff that's about, okay, these people were blocked at basically
every turn, they say.
They were invited to come in and do some touring.
They would say, no, but you can't go into that office.
And then when they said, can we go into this off, you know, we can't go in today?
Can we go in another day?
They say, sure, come on back X day.
And then when they go to follow up, suddenly they're not getting responses about returning that day.
So there's a few things that jumped out at me.
You've reached out to some of the agencies here.
What's their response been?
Yeah, the response has been, you know, there's a certain kind of Trumpian response to any negative feedback that is, these people are partisan hacks.
You know, this is the fake news.
They didn't quite go there.
But they did reject the gist of it.
They pointed to past responses that they've made to allegations
about the NUMIDENT database being insecure.
They just essentially said that those people aren't here.
Maybe that's the case now, but was that the case?
That's interesting.
The way they phrased it was very specific to make you wonder,
oh, well, there aren't people here now,
to what degree were they doing some of these things?
So they pushed back, but they didn't push back quite
as hard as we've seen from time to time
what this administration has done
when somebody says something they don't like.
So what happens next here?
Is this report at all actionable?
Interesting question.
Yeah.
I mean, I think if you're looking at the things
that would normally be levers
of an attempt to get these organizations
into the law,
to be doing things that are legal,
because one of the things this report says
is they operated in violation
of existing cybersecurity laws.
You start looking at the fact that those laws exist.
You're not obviously going to see Congress pass new laws about the FISMA law that we all know governs security of federal agencies.
They could maybe tweak that law.
But I think the other thing is that's when, if you see a switch over in power with Republicans getting out of power in the Senate or House or both, then you get into a situation where appropriators can start putting conditions on funding, saying, hey, we need evidence that you've
trained these people or else we're going to cut funding to your agency. I wonder how much that
would be something that the Trump administration would be sad about, because in a lot of cases,
they're wanting to cut these agencies down in size. There are a few avenues, but I think
they're of questionable effectiveness, even if they do happen. I don't think it's impossible that
something could happen if there was a changeover in Congress, but I just wouldn't put a lot of
money on it if it were me.
Yeah. So in the end, how valuable is this report?
I think if you're a person who has any of their information in the federal government, which is all of us,
you know, things like our Social Security numbers, that's cause for concern. Does that mean
you can do anything about it? I think that's what you're getting at in a certain way, Dave.
It is, as a private individual, there's not much you can do other than voting, you know,
or getting involved in the campaign process. Well, I guess I should back up. I mean, there are
ways you could maybe take court action. If you were able to say,
my privacy rights have been violated,
maybe you have a way to pursue
any kind of redress in court.
So it's another one where there's a few
different maybes,
but also that I wouldn't put a lot of money on.
It is, I think, just from the standpoint of
being a little bit of a nerd about the Constitution
and being excited about the fact that I,
a reporter, am in the very First Amendment,
I think an informed nation
is better off, so I hope that
in a way reporting on something like this contributes
to that information.
And then I guess it starts to get a little bit more amorphous out of there
about who could do what about it.
But I'm going to do my job
and then let the people figure out what they're going to do in response.
Yeah, it's so strange to be in this place
operating outside of history's norms.
Yeah, I mean, it's, you know,
I think what we've seen happen in past administrations
with something like this might have come out
is you might have seen an administration jump to
and say,
ah, yes, we'll fix this. We want to be responsive to Congress. We want to be responsive to the voters.
This administration has exposed a lot of ways in which, unless there's something that really actually makes you do something,
and there's somebody from the outside who can actually force you to do something, how much the weaknesses in our system have been exposed in that way.
Tim Starks is a senior reporter at CyberScoop. We will have a link to his coverage in our show notes.
Tim, thanks so much for joining us.
Happy to do it.
Think your certificate security is covered?
By March 26, TLS certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times
the renewal volume. That's exponential complexity, operational workload, and risk, unless you modernize
your strategy. CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies lifecycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com slash 47-day.
That's cyberark.com slash the numbers 47-D-A-Y.
And now a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only
access the files, registry keys, network resources, and other applications they truly need to
function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
And finally, the internet, it turns out, is just as fragile as the squirrels and snakes that
occasionally gnaw or slither their way into service outages.
Last week in Texas, though, the culprit wasn't wildlife, but a bullet.
A stray round pierced a fiber optic cable, cutting off Spectrum service for 20,000
people across Dallas, Austin, San Antonio, and beyond. Customers lost internet, phones,
and TV, mid-meeting, mid-binge, mid-life. Spectrum confirmed the gunshot damage but offered no
clues about who fired the shot or how they figured it out. In sprawling Texas, with its
abundance of firearms and jurisdictions, tracing one stray bullet is like hunting tumbleweeds. America has
seen wildlife take out the internet before, but only here do bullets sometimes join the food
chain of digital disruption.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing
at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben,
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the
premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's
digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's
technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite
startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting
founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.
