CyberWire Daily - When the Director uses the wrong chat window.

Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patients for complex setups. That's where Nordlayer comes in. Nordlayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration, you can deploy it in minutes and be up and running in less than 10. It's built on zero-trust principles, so only the right people can get access to the right resources.

Starting point is 00:00:50 It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now, Nordlayer goes even further through its partnership with CrowdStrike, combining Nordlayer's network security with Falcon endpoint protection for small, and mid-sized businesses. Enterprise-grade security made manageable. Try Nordlayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code Cyberwire10. Visit Nordlayer.com slash Cyberwire Daily to learn more.

Starting point is 00:01:42 SISA's interim director uploaded sensitive government material into the public version of ChatGPT. The cyber attack on Poland's power grid compromised roughly 30 energy facilities, The EU and India sign a new partnership that includes expanded cyber cooperation. Meta rolls out enhanced WhatsApp security features. Researchers uncover a campaign targeting LLM service endpoints. Kordonet and OpenSSSL patch multiple vulnerabilities. A high-severity WynRAR vulnerability continues to see widespread exploitation six months after it was patched.

Starting point is 00:02:17 The SoundCloud data breach affected nearly 30 million users. Ben Yellen explains the council. California lawsuit accusing social media platforms of harming kids, and a Spanish resort town gets hit with low-rent ransomware. It's Wednesday, January 28, 2026. I'm Dave Bittner, and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Politico reports, the interim director of the Cybersecurity and Infrastructure Security Agency, Madhu Garamukala, triggered in... internal cybersecurity alarms after uploading sensitive government material into the public version of chat GPT,

Starting point is 00:03:19 according to multiple officials. SISA's monitoring systems detected the activity in early August, prompting a Department of Homeland Security-level review to assess potential damage to government security. The outcome of that review has not been disclosed. Sisa said Gadamukala had temporary authorization to use chat GPT under DHS controls and that the use was limited and short-term disputing parts of the reported timeline. However, unlike DHS-approved internal AI tools, the public chat GPT platform shares uploaded data with open AI, raising concerns about exposure beyond federal networks. The incident led to meetings with senior DHS legal and IT leadership and could

Starting point is 00:04:12 carry administrative consequences under federal document handling rules. The episode adds to broader scrutiny of Gada Mukala's leadership, which has included prior internal disputes and security-related controversies. A coordinated cyber attack on Poland's power grid in late December, compromised control and communication systems at roughly 30 energy facilities, according to a new report from cybersecurity firm Dregos. While Polish officials said the attack was stopped before causing outages, researchers found attackers accessed operational technology systems

Starting point is 00:04:51 and permanently disabled some equipment. The electricity transmission backbone remained unaffected and power was not interrupted. The attack targeted distributed energy resources, including combined heat and power plants and systems managing wind, and solar dispatch. Loss of communications limited operators' ability to remotely monitor and control equipment, though it remains unclear whether attackers issued operational commands or focused on disruption. Dregos attributed the incident to the Russian-linked sandworm group with moderate confidence, reinforcing concerns that distributed energy systems, often less protected than centralized infrastructure,

Starting point is 00:05:35 are now a serious target for sophisticated cyber adversaries. The European Union and India signed a new security and defense partnership that includes expanded cyber cooperation, pledging to deepen their existing cyber dialogue and increase exchanges on cybersecurity threats. Behind the public agreement, however, European cyber diplomats, including officials linked to the EU Agency for Cybersecurity,

Starting point is 00:06:05 have privately raised concerns about India's growing hackers-for-hire ecosystem. During closed-door discussions, Indian officials rejected those claims, denying such an ecosystem exists, and arguing that if it did, it would be a private sector matter beyond government control. Meta has begun rolling out strict account settings, a new WhatsApp security feature aimed at journalists, public figures, and other high-risk users facing sophisticated threats like spyware. The opt-in setting applies the platform's most restrictive privacy controls,

Starting point is 00:06:44 including mandatory two-step verification, blocking unknown senders, silencing unknown callers, limiting profile visibility, and disabling features that could be exploited. WhatsApp says the feature is intended for a small subset of users and will roll out gradually, following past spyware campaigns that targeted WhatsApp users through zero-click exploits. Researchers at Pillar Security have uncovered an active cybercrime campaign targeting exposed or weekly protected large language model service endpoints.

Starting point is 00:07:21 Over 40 days, more than 35,000 attack sessions were observed, revealing an operation dubbed bizarre Bazaar. one of the first documented cases of LLM jacking attributed to a specific threat actor. The attackers exploited misconfigured AI infrastructure to steal compute resources, resell API access, exfiltrate prompt data, and attempt lateral movement into internal systems. The campaign targets self-hosted LLMs, exposed AI APIs, and publicly accessible model context protocol servers, often within hours of appearing in Internet scans.

Starting point is 00:08:04 Pillar Security describes a coordinated supply chain involving scanning, validation, and resale of access through an online service. The activity remains ongoing. Fortinette has released emergency patches for a Forta Cloud single sign-on authentication bypass that was actively exploited as a zero-day against Fortigate devices. The flaw with a CVS score of NARDAQAWROWS score of NAPS, score of 9.4 allowed attackers with a FortaCloud account to access other customers registered devices when Fortecloud SSO was enabled. Exploitation was detected after attackers created administrator accounts and exfiltrated configuration files, even on fully patched systems.

Starting point is 00:08:51 Fortinette blocked malicious accounts, briefly disabled ForteCloud SSO, and now requires patching to restore the feature. Sessa added the flaw to its known exploited vulnerabilities catalog. Separately, OpenSSL released updates fixing 12 vulnerabilities, including a high-severity remote code execution risk. Google's threat intelligence group warned that a high-severity WynRAR path traversal vulnerability continues to see widespread exploitation six months after it was patched.

Starting point is 00:09:26 The flaw was exploited in the wild before RAR Lab released a fix in late July and has since attracted a growing mix of attackers. Google attributes activity to at least three financially motivated groups, four Russia-state sponsors, and one China-based attacker. Nation-state groups have used the bug for espionage, including campaigns against Ukrainian military and government targets, while cybercriminals have deployed malware such as remote access trojans and info-stealers across multiple regions. All attackers use a shared technique involving malicious RAR archives that silently drop payloads without user interaction, making detection difficult. Google urged organizations to update WNRRR and hunt for indicators of compromise. The SoundCloud data breach disclosed in December of last year,

Starting point is 00:10:24 year has now been added to have I been poned confirming that nearly 30 million user accounts were affected attackers exploited unauthorized access to an internal service dashboard allowing them to link users email addresses normally private to public profile information exposed data included usernames display names avatars follower counts and sometimes country information but not passwords financial data or private content. SoundCloud detected the activity through internal monitoring, isolated the affected systems, and brought in external security experts stating the breach was contained. Afterward, the company faced denial of service attacks and temporary access issues caused by misconfigured security controls. The attackers allegedly attempted extortion

Starting point is 00:11:17 before leaking the data online in January of this year, after which it was widely. redistributed. Coming up after the break, Ben Yellen explains the California lawsuit accusing social media platforms of harming kids. And a Spanish resort town gets hit with low-rent ransomware. Stick around. What's your 2 a.m. security worry? Is it, do I have the right controls in place?

Starting point is 00:12:04 Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.

Starting point is 00:12:22 Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready,

Starting point is 00:12:39 all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at vanta.com slash cyber. That's v-a-n-ta.com slash cyber. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased to the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guard Square

Starting point is 00:13:29 provides industry-leading security for your Android and iOS apps at www.gardesquare.com. And joining me once again is Ben Yellen. He is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on the caveat podcast. Ben, welcome back. Good to be with you again, Dave. So we've got a trial kicking off here in California, your home state. Go Cali. Yeah, in Los Angeles.

Starting point is 00:14:08 And not to be breathless here, but some of the folks involved with this case are saying that they're putting the internet on trial. What's going on here, Ben? Yeah, so this is a big one. A plaintiff who is not named in the suit because it's somebody who's underage has filed suit in California. Superior Court against basically all of the big tech players. So meta, TikTok, and YouTube through Google. And we're going to have a jury trial here. So this is really the first time that social media companies will have to go in front of a jury

Starting point is 00:14:43 and defend some of their practices and consider claims that their algorithms and their way of doing business is harming the mental health of young people. So the allegation is that in the way these products are designed, they produce these sort of addictive features. So infinite scroll, auto play, persistent notifications, et cetera. They've pointed to some literature saying that these tools in social media have caused or worsened depression, eating disorders, self-harm. In the most extreme case is suicide. And they're going to go through the discovery process to try and prove that these companies knew or should have known about harms to, minors, but fail to act.

Starting point is 00:15:27 This is going to be a very difficult lawsuit for the plaintiff. It's going to be very difficult for them to prevail on the merits here. This is being considered under a products liability framework. Most products liability framework, there's some design defect, and it's very clear how and when a person was injured by that design defect. So there's a law professor in this article who's like, they're trying to analogize this to the Coke bottle that explodes in your face. And if that doesn't make sense to you, that shows you why using this sort of products liability theory is going to be problematic here.

Starting point is 00:16:02 But I think the trial itself, even if the plaintiff ultimately doesn't prevail, is going to be eye-opening. For a couple of reasons. One, you're going to have some high-profile people who are going to be forced to take the stand to testify, including Mark Zuckerberg, who, I don't know about you, Dave, but I've seen him testify in front of Congress. And it has not gone well. No, no, he's not at his best in those situations, it seems to me. That is not his strength, and I wonder if that will have some impact on the jury or just kind of on the public's view of this trial. And then the other big deal here is the discovery process. For the first time, the plaintiffs and their attorneys are going to be able to look through decades' worth of documents on how they've developed some of these tools and algorithms.

Starting point is 00:16:49 And that could be really eye-opening. That's where people are drawing these parallels to the lawsuits against big tobacco companies in the 1990s, where they looked back at this 50-year horizon on strategies these companies used to get young people addicted to their products. And we could certainly see the same thing here. I think from the company's perspective, they're saying that this lawsuit just mispertrays their work, that they have taken steps to improve online safety for young people with things like parental controls, and other safety features. But it's certainly, there's the potential

Starting point is 00:17:26 if the plaintiff prevails that we could see major industry-wide changes that rival some of the changes that came to the tobacco industry after those big lawsuits in the 90s. I'm looking at some of the reporting here from NPR on this story, and they note that the judge in this case

Starting point is 00:17:45 has already struck some of the plaintiff's claims on the grounds that, their third-party content and they're covered by Section 230 of the Communications Decency Act. What do you make of that, Ben? Right. So Section 230 says that the platforms themselves are not liable for content posted on their platforms. Very controversial, but I think that does cover a lot of the claims here. If you're making a direct allegation of injury based on a particular post or a particular series of posts,

Starting point is 00:18:19 I do think that Section 230 is going to immunize these companies, at least the way the law is structured now. They can always change the law, and there have been discussions about doing that. But really, you can only be liable in terms of the products that they themselves have created, not the users. So what are those products that they themselves have created these big tech companies? It is the algorithms. It is the scrolling features, that sort of thing. So when you start to base allegations on particular content, that's where, the plaintiffs are going to run into these 230 issues where parts of the case are going to be dismissed.

Starting point is 00:18:56 Do you suppose this could head in a direction or maybe bolster the arguments of folks who say that these social media platforms should be treated like pornography in that, you know, under a certain age, you're not permitted to interact with them? Yeah, I mean, I think there's the chance that we go down a path like that. they're asserting a First Amendment interest, which they definitely have. I mean, they have the right to freedom of expression, and that includes the way they build out these platforms. They do have a protected First Amendment interest, as do pornographers, by the way.

Starting point is 00:19:32 But I think the law understands things differently when we're talking about non-consenting, or young people who are just not capable of consenting to seeing this type of content. I see. Or for understanding how these algorithms work and how they're being driven. driven to certain pieces of information. Again, I'm not sure that this case is going to be the vehicle to do that, but it might start a long process that ends up with some sort of resolution as to whether these companies can be held responsible for psychological harm,

Starting point is 00:20:03 which would force them to make major design changes, to further enhance protections for the safety of children in ways that they've been reluctant to do in the past, both for cost reasons and also they don't want to restrict access for adults to certain content. So, yeah. You know, I got to ask, Ben, what kind of timeline does this put us on to actually get any results? It's never one of those things, Dave, where it's like, yeah, well, we'll know in a couple of weeks. Yeah, I mean, this is going to be a long trial.

Starting point is 00:20:38 Luckily, we're getting close to the actual trial itself, which is good, because we've gone through months and years of dueling motions and, you know, as you mentioned, the petition to narrow the case based on issues that the plaintiff's not going to win. So things that are protected by Section 230. But I think the litigation itself could take a long time, potentially up to a month, and then several more months after that for a decision from this judge. And then you have to consider the appeals process through the California court system, which could take a long time. And it's unlikely that this case, because it's a state-based case, would be on a direct path to the Supreme Court.

Starting point is 00:21:19 But you never know. It could happen. Ben Yellen is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host on the Caviot podcast. Ben, thanks so much for joining us. Good to be with you, Dave. And finally, in the beautiful coastal town

Starting point is 00:21:53 of San Shenzhou in northwestern Spain, the city council has learned that ransomware does not respect coastal charm. Hackers broke into the town hall's systems on January 26th, encrypting thousands of administrative documents and knocking internal operations offline. The attackers then made their pitch. $5,000 in Bitcoin, a ransom so small it raised questions about whether this was cybercrime or a clearance sale, or maybe a practical joke. City officials were unimpressed. They refused to pay, notified Spain's Civil Guard and began restoring systems from daily backups.

Starting point is 00:22:36 Some services never went down at all, including the online citizen portal and two municipal companies operating on separate networks. Recovery is ongoing, though slower than initially hoped. The attack is part of a wider surge in ransomware hitting Spanish municipalities, but San Shenzhou's case stands out for its unusually low ransom demand. more of a nuisance than anything else. Too small to negotiate, too annoying to ignore. And that's the Cyberwire.

Starting point is 00:23:24 For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review

Starting point is 00:23:41 in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com. A tip of the hat to our T-minus Space Daily team who are on site in Florida covering Space Week. I had the pleasure of filling in for Maria Vermazes

Starting point is 00:23:59 yesterday on T-minus. So if you want to check that out, we've got a link in the show notes. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibn.

Starting point is 00:24:16 Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RASAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference.

Starting point is 00:25:07 The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsacconference.com slash cyberwire 26. I'll see you in San Francisco.

CyberWire Daily - When the Director uses the wrong chat window.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.