CyberWire Daily - White House reboots cybersecurity priorities.
Episode Date: June 9, 2025
A new White House executive order overhauls U.S. cybersecurity policy. The EU updates its “cybersecurity blueprint”. The Pentagon’s inspector general investigates Defense Secretary Hegseth’s... Signal messages. Chinese hackers target U.S. smartphones. A new Mirai botnet variant drops malware on vulnerable DVRs. 17 popular Gluestack packages on NPM have been compromised. Attackers exploit vulnerabilities in Fortigate security appliances to deploy Qilin ransomware. A Nigerian man gets five years in prison for a hacking and fraud scheme. Our guest is Tim Starks from CyberScoop, discussing Sean Cairncross’ journey toward confirmation as the next National Cyber Director. Fire Stick flicks spark a full-on legal blitz.
CyberWire Guest
Today we are joined by Tim Starks from CyberScoop, to discuss Sean Cairncross, who’s bringing a focus on policy coordination if confirmed as the next National Cyber Director.
Selected Reading
Trump Administration Revises Cybersecurity Rules, Replaces Biden Order (Infosecurity Magazine)
Europe arms itself against cyber catastrophe (Politico)
Pentagon watchdog investigates if staffers were asked to delete Hegseth’s Signal messages (Associated Press)
Chinese hackers and user lapses turn smartphones into a 'mobile security crisis' (Associated Press)
iMessage Zero-Click Attacks Suspected in Targeting of High-Value EU, US Individuals (SecurityWeek)
New Mirai botnet infect TBK DVR devices via command injection flaw (Bleeping Computer)
Malware found in NPM packages with 1 million weekly downloads (Bleeping Computer)
Hackers Actively Exploiting Fortigate Vulnerabilities to Deploy Qilin Ransomware (Cyber Security News)
Nigerian Involved in Hacking US Tax Preparation Firms Sentenced to Prison (SecurityWeek)
Hacked Fire Sticks now come with more than just malware – a possible jail sentence (Cybernews)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
A new White House executive order overhauls U.S. cybersecurity policy.
The EU updates its cybersecurity blueprint.
The Pentagon's inspector general investigates Defense Secretary Hegseth's Signal messages.
Chinese hackers target U.S. smartphones.
A new Mirai botnet variant drops malware on vulnerable DVRs.
Seventeen popular Gluestack packages on NPM have been compromised. Attackers exploit
vulnerabilities in FortiGate security appliances to deploy Qilin ransomware. A Nigerian man
gets five years in prison for a hacking and fraud scheme. Our guest is Tim Starks from
CyberScoop discussing Sean Cairncross's journey toward confirmation as the next National Cyber Director.
And Fire Stick flicks spark a full-on legal blitz.
It's Monday, June 9th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It's great to have you with us.
President Trump has issued a new executive order that overhauls U.S. cybersecurity policy,
replacing earlier directives from Presidents Obama and Biden.
Announced on June 6, the order narrows cyber sanctions to target only foreign malicious
actors, reversing broader authorities that critics feared
could be misused domestically. The order also scraps several Biden-era initiatives,
including requirements for software vendors to meet federal security
standards, AI research for cyber defense, and post-quantum encryption readiness.
Trump's directive eliminates the IoT security labeling program, eases supply chain restrictions,
revises AI security rules, and removes mandates for phishing-resistant authentication in federal
agencies.
Instead, the new policy prioritizes secure software development, stronger network protections,
and AI use focused on vulnerability detection.
The White House framed the shift as a move toward more focused, professional cybersecurity
practices while removing what it called distracting issues introduced by the Biden administration
shortly before Trump took office.
The European Union has updated its cybersecurity blueprint to better coordinate responses to
large-scale cyber attacks, strengthening ties with national militaries and NATO.
Approved by ministers meeting in Luxembourg, the plan clarifies which institutions will
act during cyber crises across technical, operational, and political levels.
Poland, which reports about 700 daily cyber incidents,
highlighted the need for collective preparedness.
The new strategy includes establishing NATO contact points
and launching joint cyber exercises starting in June of 2026,
involving private sector players and countries like Ukraine and Moldova.
The blueprint stresses the growing threat
from geopolitical tensions and hybrid attacks
that could disrupt the EU's security, economy, and society.
It also urges the EU to enhance secure communications,
calling on the European Commission
to propose crisis communication solutions by the end of 2026, and for governments to develop
contingency plans for disrupted networks.
The Pentagon's Inspector General is
investigating whether Defense Secretary Pete Hegseth's aides were told to delete
Signal messages possibly containing sensitive information about U.S.
airstrikes in Yemen.
The inquiry focuses on March 15 communications and whether they compromised military operations.
One Signal chat reportedly included Hegseth's family.
Another included top officials and, inadvertently, a journalist.
Hegseth denies sharing classified data, saying messages were informal and unclassified.
The probe also examines access to Hegseth's phone and who posted strike details.
Critics argue the posts risked pilot safety and would have led to disciplinary action
if done by lower-ranking personnel.
Hegseth is also under scrutiny for installing an unsecured internet line in his office.
Amid the fallout, Hegseth has limited press engagements and faces congressional testimony
next week.
The investigation, requested by Senate Armed Services leaders, could release unclassified
findings to the public.
A recent cyber attack targeting smartphones of U.S. officials and professionals in politics,
tech, and journalism has raised alarms among cybersecurity experts.
Investigators at iVerify linked the unusual crashes to a zero-click hack,
likely by Chinese hackers, that allowed access to phones without user
interaction.
Victims had ties to fields of interest to China's government.
Experts say smartphones, often less protected than other systems, are becoming key targets
for espionage.
Devices belonging to Donald Trump's campaign and top aides were also reportedly targeted.
Lawmakers fear Chinese state-owned firms could exploit their tech presence in global networks.
The U.S. is responding with new initiatives like a cyber trust mark for secure connected
devices.
Still, officials warn that even the most secure device is vulnerable if users ignore basic
precautions. Cyber lapses
like misconfigured apps or unsecured connections remain a serious national
security risk.
A new Mirai botnet variant is exploiting a command injection flaw
in TBK DVR models to hijack them for cyberattacks.
Discovered by researcher netsecfish in April 2024, the vulnerability allows shell command
execution via a crafted POST request.
Kaspersky has confirmed active exploitation using this method, with the botnet dropping
ARM32 malware to connect infected DVRs to a command and control server.
These compromised devices are then used for DDoS attacks and malicious traffic routing.
Around 50,000 DVRs remain exposed, primarily in China, India, and several other countries.
The devices have been rebranded under multiple names, complicating patch management. It's unclear if TBK Vision has issued a fix.
A major supply chain attack has compromised
17 popular Gluestack @react-native-aria packages
on NPM, affecting over one million weekly downloads.
NPM, short for Node Package Manager,
is the default package manager for Node.js,
a popular JavaScript runtime.
The attack began on June 6th,
inserting obfuscated remote access Trojan code.
The malware connects to a command and control server
and can execute shell commands, upload files,
and hijack Python paths to silently run malicious
binaries.
Cybersecurity firm Aikido discovered the attack and linked it to the same group behind recent
NPM compromises.
Affected packages span across UI components used in React Native apps.
Despite attempts to contact Gluestack, there was initially no response. Gluestack
has now revoked the access token used in the attack and deprecated the compromised packages,
redirecting users to safe versions.
A new wave of cyberattacks is exploiting vulnerabilities in FortiGate security appliances
to deploy Qilin ransomware across critical infrastructure.
The campaign marks a shift in ransomware tactics targeting network security devices rather
than traditional phishing methods.
Threat actors are exploiting vulnerabilities to gain initial access and maintain persistence
inside enterprise networks.
Qilin, also known as Agenda ransomware,
is a sophisticated ransomware-as-a-service operation
featuring strong encryption and evasion capabilities.
The malware uses advanced obfuscation
and anti-analysis techniques to avoid detection.
Security researchers warn that these attacks
bypass perimeter defenses,
giving attackers privileged
access to internal systems.
This evolution highlights the growing threat to network infrastructure, increasing the
risk of operational disruption, regulatory penalties, and reputational damage.
Analysts stress the urgent need for organizations to patch vulnerabilities and strengthen defenses
against infrastructure-based
ransomware attacks.
A U.S. court has sentenced Nigerian national Kingsley Uchelue Utulu to over five years in
prison for his role in a hacking and fraud scheme targeting U.S. tax preparation companies.
Since at least 2019, Utulu and co-conspirators stole personal data from tax firms in Texas
and New York to file fraudulent tax returns, seeking $8.4 million and successfully obtaining
$2.5 million.
They also used stolen identities to fraudulently claim $819,000 through the Small Business Administration's
Disaster Loan Program.
Utulu was extradited from the UK and must pay over $3.6 million in restitution and forfeit
$290,000.
The case is linked to others who face similar charges for participating in the same cybercrime
ring.
U.S. authorities continue to pursue justice against international cybercriminals exploiting
financial and government systems.
Coming up after the break, my conversation with Tim Starks from CyberScoop discussing
Sean Cairncross's journey toward confirmation as the next National Cyber Director.
And Fire Stick flicks spark a full-on legal blitz.
Stay with us.
It is my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
Tim, welcome back.
Hi there, Dave.
There are two of your articles that I want to highlight in our time together here today. The first I want to touch on, you were there when
Sean Cairncross was getting grilled, his aspirations to be National Cyber
Director. Tell us about that.
I think he was grilled in some, I know you use that phrase loosely, but there was one topic that I think he got grilled on.
The rest of the questioning was relatively friendly, relatively open to the idea of Sean
Cairncross.
The subject he got grilled on was the cuts at CISA.
He's obviously coming there and talking about how important cybersecurity is, and he's touting
himself for the job.
And lawmakers naturally ask, well, OK,
if cyber is so important, how are you
going to be ultimately presiding over these gigantic $495
million cuts to CISA?
In one sense, it's a fair question to ask him.
In another sense, it's not, because he's obviously not
directly responsible for CISA's budget.
But he specifically mentioned the authority
he has with OMB to set budget guidance.
That's something that is an authority that has been used by past people who have run
this office.
So he does have some say in that budget.
And he more or less sidestepped the question.
There were a couple different ways he kind of answered around the edges of it, saying,
you know, well, we're going to look at the most efficient way to do things.
Form follows function. A lot of cyber defense is in the private sector.
He never directly said, "This is okay because," or he never said, "This is wrong because."
So I think that's a topic he got grilled on, and they touched on the sort of things that you might expect.
Bigger picture vision, the threats that he's most worried about, that kind of thing.
Yeah. What about his, I guess, comparative lack of cyber experience?
How much did he get questioned about that?
He got one question on that, but he answered it rather extensively.
I don't get the impression it was an answer that the lawmakers found unsatisfactory.
He pointed out that he has management experience, which I think is true.
He does have...
He said he talked about running operations
with thousands of people and billions of dollars.
He talked about surrounding himself with smart people.
I think the answer that was maybe a little less credible
is that he's been, he said,
I've dealt with cyber on the user end of things.
Well, haven't we all?
Exactly, probably not.
I mean, you can't rightly say, oh, you know, I've dealt with the FBI and intelligence community
on attacks against organizations I was part of.
Obviously he was part of the RNC and that was an organization that probably dealt with
a fair share of cyber attacks.
But I don't know if that answer was a little less, that was a little weaker answer.
If you look at the people who endorsed him in a letter earlier this week, industry
officials include a lot of past intelligence and cyber folk from administrations, mostly
GOP administrations, but not entirely. They talk up his management piece. And I think
that's an argument that he can point to and say, this is why I deserve the job. Those
were people who were very cyber experts, were still endorsing him on the job, didn't mention his lack of cyber experience. They seemed to think
the other parts of his resume were more important. And he came off as a serious guy. It seemed
like he'd done his homework. He didn't fumble any answers. At the same hearing, there was
a person who was at FEMA and even though there was the recent kerfuffle with the story about
the FEMA director not knowing when hurricane season was, this person failed the answer.
So if you're looking at his credibility from that standpoint, he really did seem to me
like someone who was taking this very seriously and has studied up on the subject.
Whatever information he lacked before, he came off as someone who had a grasp, if not command, of the issues.
Yeah, was your sense that the folks who were doing the questioning came along satisfied
that he's up for the job?
Unclear. Gary Peters,
who's the top Democrat on that committee, you know, a couple reporters tried to ask him,
"How are you gonna vote?" And he said, basically, "You'll find out when I vote."
There's probably a little bit of snake-bitten quality
to Democrats having voted for some of these Republican
nominees who they've later turned out to just really think
are doing a terrible job.
So I don't know if he gets much of a benefit
of the doubt from Democrats.
Obviously, he can get confirmed as long
as he has Republicans on his side in the Senate.
So it may not matter that much. But the answers that he gave on CISA's budget were not satisfactory
to the senators who asked about it, is what I would say.
So we'll see how it goes.
A little unclear if he won over anyone, but I don't think he hurt himself per se in
the sense that he needs Republicans and there was no sign that Republicans were dumping
ship.
Yeah. I want to shift here to another story you wrote. You had a scoop here.
This was a letter that Representative Garbarino wrote about CISA's mobile app
security program and he's taking issue with that program coming to an end. Yes?
It's like I say, CyberScoop, it's in the name.
So we shouldn't be surprised when these scoops come
one after the other, right?
That's one way to look at it.
Yeah, yeah.
So when the legislators are thinking to themselves,
who should I give this scoop to?
Wait, what publication has scoop in their name?
Right, yes.
It's very smart of you all.
Good marketing.
So yes, this is an example of where
Republicans and the administration are not
necessarily seeing eye to eye.
There's been a lot of lockstep.
I think one of the issues where there hasn't been lockstep
is on cyber.
The Republicans have, in a number of positions of power,
have been raising some doubts about what the administration
wants to do on cyber.
In this case, Andrew Garbarino, who's the top Republican on the cybersecurity subcommittee
of House Homeland, had sent a letter to Kristi Noem saying, hey, you're ending this so-called
mobile app vetting program in June.
I think that's maybe a bad idea.
The program is used to help agencies in the federal civilian executive branch
test out apps that they either create or third party apps.
There was a clever bit of craftsmanship on this letter
that I'll talk about in one second.
But the gist is, Garbarino thinks this is a good program.
It's very helpful, especially in a time when Salt Typhoon
affected the telecommunications sector,
and it was discovered in the executive branch first,
if accounts were to be believed.
So the craftsmanship part that I found entertaining
and interesting was it pointed to ICE,
the Immigrations and Customs Enforcement Agency,
having made use of this program.
I think we all know how near and dear ICE is to the administration.
They're talking about plussing it up.
They're obviously making thousands of arrests.
I think it was smart to say, hey, look, ICE had some problems with some untrustworthy,
risky apps.
They turned to this program as part of the solution to that.
And he requested a briefing here. He's on a bit of a timeline.
Yeah, he asked for one by June 13th. We will see if they get that. As I pointed out,
Garbarino and others on the House Homeland Security Committee have said, hey, we're waiting
for answers and briefings
on CISA personnel cuts.
That was a few weeks ago.
They may have gotten an answer since then,
but I have not heard that they have.
So yeah, he's asked for that.
He also did bring up something that we,
you and I talked recently about the Salt Typhoon series
that we did at CyberScoop,
where one of the points that people made,
it wasn't unanimous, but that some people brought up was,
hey, CISA
has so many sector risk management agency responsibilities. They're the lead coordinator,
essentially, for certain critical infrastructure sectors and working with the private sector
on all sorts of security issues. CISA has eight of those out of the 16 sectors, I believe.
And I think DHS broadly has, I think, part of at least 10.
So one of the things people have suggested to me for my story
was, hey, look, these agencies, the telecom sector
doesn't seem to be getting the kind of attention it needs.
The relationship is not as strong as it should be.
And maybe one of the reasons is that CISA
has too much going on on its plate.
Maybe they gave short shrift to the telecom sector at a time when they shouldn't have.
So as part of this letter, he also said,
hey, you need to prioritize your review,
Kristi Noem, of the idea of whether CISA should have
these kinds of SRMA roles,
and that would be something he wants
as part of the briefing as well.
It's interesting to me.
Well, my take, and I'm very curious to see if you agree with me, is that
my impression is that with the answers I've seen Kristi Noem give when questioned about
CISA and the funding and the future of the organization, they all come back to the beef that the Trump administration
has with CISA going back to the 2016 election.
And it just seems to me like that's this bump in the road
that they just can't get past.
Like it doesn't seem to me an objective argument,
it's an emotional one.
Am I on base there?
I think you are potentially on base.
I think if you look at,
let me suggest an alternative hypothesis here.
If you look at the proposal
that the Trump administration has for fiscal 2026 for CISA,
and you look at some reporting in Axios
that others have confirmed,
that not only are they proposing in the budget cutting more than 1,000 people,
we're talking about approximately a third of the agency,
that if you look at it, they've actually already cut those numbers.
And if you look at the numbers, they're not all coming out of the election security piece of things,
where the administration, where the
conservatives have been very fired up about this.
That's 14 people. 14, right?
Well, a count of 1,083. And if you look at who they're proposing cutting or who they actually already cut,
it's every kind of person, and it's been, they're not filling vacancies.
Naturally, those jobs are cyber jobs. They're not just jobs where you're like,
oh, these people incidentally worked on misinformation.
They didn't. So it might be more a justification for doing something.
That the argument they're making is,
look at how dangerous this so-called censorship was.
When in fact, they're just looking for a reason to cut the size of government overall.
And this is sort of the face of that.
This is the tip of the spear toward getting rid of a vast amount of the federal government.
Yeah.
I mean, it could be my own failure in that, you know, Kristi Noem, when speaking about
this, that is the thing I think she is most passionate about.
So maybe I'm, you know, in my own mind, I'm taking great measure of that because with the determination that she speaks with it
and maybe that's not justified.
No, I think, I think, I think that's the thing that, yeah, the things when you bring up CISA,
the first words out of her mouth is we're getting back on mission. We're not going to
have this censorship that we had in the past. So I think that's definitely what she's most interested in CISA about.
But I think it's possible that both hypotheses are true here, right?
That it's this idea that this agency is bad because it did something bad ever in their
minds and or it's also an excuse to cut down the size of government.
Yeah.
All right.
Well, Tim Starks is senior reporter at CyberScoop.
We will have a link to both of these stories in our show notes.
Tim, thank you so much for taking the time for us.
Thank you, Dave.
And finally, our Jolly Roger desk tells us millions of Brits are reportedly risking prison
time for using hacked Amazon Fire Sticks to stream their favorite shows on the cheap.
According to The Mirror, this national pastime of streaming Netflix, HBO, and Disney Plus
for the price of a takeaway coffee may now come with a side of malware or a court date.
These jailbroken devices, which disable Amazon's restrictions to allow third-party apps, can
expose users to shady software and hackers eager to swipe your personal information. Worse still, the money saved might be lining the pockets of a 21 billion pound black market
empire.
Sellers promote pirated bundles on Facebook and close deals via WhatsApp, that favored
tool of modern pirates and high school group chats alike.
Authorities aren't amused. Kieran Sharp of the Federation Against Copyright Theft warns users are breaking the law, and
yes, some sellers have already done time.
Because nothing ruins movie night like malware and a court date.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights until the end of August this year.
There's a link in the show notes and we do hope you will check it out.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow.