CyberWire Daily - Your phone works for them now.
Episode Date: February 9, 2026

Ivanti zero-days trigger emergency warnings around the globe. Singapore blames a China-linked spy crew for hitting all four major telcos. DHS opens a privacy probe into ICE surveillance. Researchers flag a zero-click RCE lurking in LLM workflows. Ransomware knocks local government payment systems offline in Florida and Texas. Chrome extensions get nosy with your URLs. BeyondTrust scrambles to patch a critical RCE. A Polish data breach suspect is caught eight years later. It's the Monday Business Breakdown. Ben Yelin gives us the 101 on subpoenas. And federal prosecutors say two Connecticut men bet big on fraud, and lost.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Ben Yelin, Program Director for Public Policy & External Affairs at the University of Maryland Center for Cyber Health and Hazard Strategies, talking about weaponized administrative subpoenas.

Selected Reading
EU, Dutch government announce hacks following Ivanti zero-days (The Record)
Singapore says China-linked hackers targeted telecom providers in major spying campaign (The Record)
Inspector General Investigating Whether ICE's Surveillance Tech Breaks the Law (404 Media)
Critical 0-Click RCE Vulnerability in Claude Desktop Extensions Exposes 10,000+ Users to Remote Attacks (Cyber Security News)
Payment tech provider for Texas, Florida governments working with FBI to resolve ransomware attack (The Record)
Chrome extensions can use unfixable time-channel to leak tab URLs (CyberInsider)
BeyondTrust warns of critical RCE flaw in remote support software (Bleeping Computer)
Hacker behind Poland's largest data leaks arrested (TVP World)
LevelBlue will acquire MDR provider Alert Logic from Fortra (N2K Pro Business Briefing)
Men charged in FanDuel scheme fueled by thousands of stolen identities (Bleeping Computer)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Identity is a top attack vector.
In our interview with Kavitha Mariappan from Rubrik,
she breaks down why 90% of security leaders believe
that identity-based attacks are their biggest threat.
Throughout this conversation, we explore why recovery times are getting longer,
not shorter, and what resiliency will look like in this AI-driven world.
If you're struggling to get a handle on identity risk,
this is something you should tune into.
Check out the full interview at
thecyberwire.com/rubrik.
Maybe that's an urgent message from your CEO,
or maybe it's a deep fake trying to target your business.
Doppel is the AI-native social engineering defense platform
fighting back against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated,
Doppel uses it to fight back,
from automatically dismantling cross-channel attacks to building team resilience and more.
Doppel. Outpacing what's next in social engineering.
Learn more at doppel.com.
That's D-O-P-P-E-L.com.
Ivanti zero-days trigger emergency warnings around the globe.
Singapore blames a China-linked spy crew for hitting all four major telcos.
DHS opens a privacy probe into ICE surveillance.
Researchers flag a zero-click RCE lurking in LLM workflows.
Ransomware knocks global government payment systems offline in Florida and Texas.
Chrome extensions get nosy with your URLs.
BeyondTrust scrambles to patch a critical RCE.
A Polish data breach suspect is caught eight years later.
We've got our Monday business breakdown.
Ben Yelin gives us the 101 on subpoenas.
And federal prosecutors say two Connecticut men bet big on fraud, and lost.
It's Monday, February 9th, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
A wave of cyber attacks exploiting critical zero-day vulnerabilities
in Ivanti Endpoint Manager Mobile
has prompted emergency warnings from governments
and cyber agencies worldwide.
The flaws allow attackers to take control
of managed mobile devices without authentication.
Ivanti patched the issues in late January and warned customers to treat exposed systems as potentially
compromised. The Dutch Data Protection Authority and Judicial Council confirmed breaches with work-related
staff data accessed. The European Commission also reported an attack on its mobile device
management infrastructure, though it said the incident was contained quickly. CISA added one
flaw to its Known Exploited Vulnerabilities catalog, while agencies in Canada, Singapore, and the
UK warned of active exploitation. No public attribution has been made, and investigations continue.
Singapore says a China-linked cyber espionage group targeted all four of the country's major
telecommunications providers in a sustained spying campaign. The Cybersecurity Agency of Singapore said,
the threat actor UNC3886 carried out a deliberate, targeted, and well-planned operation,
using advanced tools to gain covert long-term access.
The activity was first disclosed in July, with details withheld pending national security review.
Singapore later launched Cyber Guardian, its largest-ever cyber-incident response effort,
involving more than 100 defenders over 11 months.
Authorities said attackers accessed parts of telecom networks and in one case limited critical systems
but found no evidence of service disruption or customer data theft.
Officials warned telecom infrastructure remains a prime target for state-backed actors.
The Department of Homeland Security Inspector General has launched an investigation into potential privacy abuses
tied to Immigration and Customs Enforcement surveillance and biometric data programs.
In a letter to Senators Mark Warner and Tim Kaine, Inspector General Joseph Cuffari said his office
has begun an audit examining how DHS collects, shares, and secures personally identifiable
information and biometric data used in immigration enforcement. The audit will assess
compliance with federal law and whether these practices may have resulted in unlawful searches or privacy violations.
The Senators' request highlights concerns raised by reporting on DHS technologies,
including contracts with Palantir, Clearview AI, license plate data access,
social media monitoring tools, and biometric databases.
Lawmakers argue DHS has shown disregard for civil liberties,
raising questions about the responsible use of powerful surveillance tools.
Security firm LayerX has disclosed a critical zero-click remote code execution vulnerability
that exposes a fundamental trust boundary failure in large-language model workflows.
The flaw affects Claude Desktop extensions and allows full system compromise
through a malicious Google Calendar event without user interaction or confirmation.
LayerX rated the issue a maximum 10 out of 10, citing more than 10,000 affected users and over 50 extensions.
The problem is architectural rather than a traditional software bug.
Claude's extensions run with full system privileges
and can autonomously chain low-trust data sources like calendars
to high-privileged execution tools.
Researchers warned this creates unsafe trust violations in AI-driven automation.
LayerX disclosed the issue to Anthropic, which reportedly chose not to remediate it for now.
A ransomware attack on BridgePay Network Solutions has disrupted payment systems used by
local governments and businesses in Florida and Texas. The Florida-based company said it's working
with the FBI and the United States Secret Service to investigate and recover from the incident,
which caused system-wide outages. BridgePay has not provided a restoration timeline, but said it
does not believe payment card data was stolen.
The outages forced cities, including Palm Bay and Frisco,
to take online payment portals offline, directing residents to pay in person.
BridgePay processes about 40 million transactions monthly.
No ransomware group has claimed responsibility,
and restoration efforts remain ongoing.
A newly disclosed vulnerability in Google Chrome allows browser extensions
to infer the full URL of any open tab without requesting traditional tab or host permissions.
Security researcher Luan Herrera reported the issue in January, showing that extensions
using only the declarativeNetRequest API can exploit timing differences between blocked
and allowed network requests. By dynamically injecting blocking rules and measuring page reload
times, a malicious extension can reconstruct URLs character by character, leaking sensitive
data such as OAuth tokens, password reset links, and private queries.
The flaw affects current stable and development versions of Chrome and appears to stem from
longstanding architectural behavior in Chromium. Chromium developers have labeled the issue
"won't fix," citing infeasible mitigation. Herrera has urged clearer
permission disclosures, warning users that minimal permissions can still expose browsing history.
BeyondTrust has warned customers to urgently patch a critical pre-authentication remote code
execution flaw affecting its Remote Support and Privileged Remote Access products.
The vulnerability stems from an OS command injection issue discovered by researchers at Hacktron
AI. The flaw allows unauthenticated attackers to execute arbitrary commands without user interaction.
BeyondTrust has secured its cloud systems and urged on-premises
customers to upgrade, noting thousands of exposed instances remain at risk if unpatched.
Polish authorities have charged a suspect nearly eight years after a major data breach at
Morele.net, one of the largest in the country's history. The 2018 breach exposed data for more
than two million customers, including names, contact details, addresses, and hashed passwords.
Investigators initially failed to identify the attacker, but renewed efforts led to the arrest
of a 29-year-old suspect in January. According to the Central Bureau for Combating Cybercrime,
the suspect has admitted the offenses and now faces up to two years in prison.
Turning to our Monday business breakdown, cybersecurity funding and
deal activity remained strong, with multiple companies announcing sizable raises and acquisitions
across the sector. Florida-based CyberFOX secured a nine-figure growth investment led by Level
Equity, marking its first external funding and signaling plans for product expansion,
AI development, and acquisitions. Blockchain intelligence firm TRM Labs raised $70 million
at a valuation above $1 billion, while supply chain security firm RapidFort and agentic AI
startup Outtake raised $42 million and $40 million, respectively.
Additional funding went to startups, including Orion, Radical, Cassada, and several early-stage
AI security firms.
On the M&A front, LevelBlue agreed to acquire Alert Logic, while Varonis, Semperis, and
Westcon-Comstor each announced acquisitions to expand their security portfolios.
Be sure to keep up on the latest business news by subscribing to our Cyberwire Pro
business briefing. You can find out more about that on our website.
Coming up after the break, Ben Yelin gives us the 101 on subpoenas, and federal prosecutors
say two Connecticut men bet big on fraud and lost. Stay with us.
What's your 2am security worry?
Is it do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night,
how do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence,
and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster,
scale confidently, and finally get back to sleep.
Get started at vanta.com/cyber.
That's V-A-N-T-A.com/cyber.
Local news is in decline across Canada, and this is bad news for all of us.
With less local news, noise, rumors, and misinformation fill the void, and it gets harder to separate truth from fiction.
That's why CBC News is putting more journalists in more places across Canada, reporting on the ground from where you live, telling the stories that matter to all of us, because local news is big news.
Choose news, not noise.
CBC News.
It is always my pleasure to welcome back to the show Ben Yelin.
He is from the University of Maryland Center for Cyber Health and Hazard Strategies and also my co-host over on the Caveat podcast.
Ben, welcome back.
Good to be with you again, Dave.
This story caught my eye from the Washington Post.
This is written by John Woodrow Cox with a provocative title Homeland Security is targeting Americans with this secretive legal weapon.
We're talking about administrative subpoenas here.
What's going on, Ben?
So this article has a really interesting hook.
So it's the story of a 67-year-old Pennsylvania man
who decided to email a prosecutor
from the Department of Homeland Security
actually in response to a separate Washington Post article
on the government's attempt to deport an Afghan individual
who was seeking asylum in the United States
because they feared Taliban retribution or retaliation.
Okay.
So it's a very brief message.
He just said like,
common sense and decency indicates that we should grant this person asylum.
Cut to a couple hours later, this individual receives a notice from Google saying that
DHS had issued an administrative subpoena requiring Google to provide John's account information.
For his Google account?
Exactly.
Okay.
And after that, as kind of the fruits of that tree, agents from the Department of Homeland Security
joined with the local police department
and appeared at this guy's house
to question him about the message.
So this is an administrative subpoena.
The standard of obtaining that subpoena
is far lower than most other,
what we would normally call in the legal world,
searches or seizures.
So you do not have to have probable cause
for an administrative subpoena in any context.
You just have to have reasonable suspicion,
which is a lower standard.
And administrative subpoenas are used for all different types of things.
We see them frequently in the national security context.
There's a specific administrative subpoena tool called National Security Letters.
Those are even more severe than the type of subpoena we're talking about here
because those orders usually go to individuals who work for big tech companies.
You know, you need to hand over this data.
And it comes with a gag order.
So it says, not only do you need to hand this over, you are forbidden from discussing the fact that you receive this national security letter, and if you talk about it, you're going to get arrested and prosecuted.
So this is not something that's unique to the Trump administration. DHS and all different types of federal agencies have used administrative subpoenas.
There have always been complaints from civil liberties organizations that these are overbroad.
They have the potential to chill free speech and expression.
This is a way to have kind of a chilling effect on potential critics of an administration's policy.
If you think that you can never go directly to a government official
and express your opinion on a public issue because you think you're going to be harassed by DHS agents,
then that's really going to chill somebody's speech and therefore somebody's First Amendment rights.
So we've seen this type of search proliferate even more over the past several years.
And in response, we've seen some of these civil liberties groups call for not only quashing the subpoena in this case, saying that it was retaliatory and unconstitutional, but also a facial challenge against DHS's statutory authority to conduct these types of searches in the first place.
So just a really, really interesting and kind of disturbing story.
Well, help me understand here because in the news these days, we hear about stories about ICE,
and their authority and so on and so forth.
And what I hear bandied about is these administrative subpoenas
versus judicial subpoenas.
Can you just give us the 101 on the difference?
Sure.
So you can obtain a subpoena just through your own federal agency
if it is an administrative subpoena.
The difference between that and, say, a warrant
is that it doesn't have to go in front of any type of neutral magistrate.
It's just a much more insular proceeding.
If it's within the purview of the agency
to obtain that administrative subpoena,
everything can be done internal to that agency.
So it can be all DHS staff and employees
who are the judge, jury, and executioner
of these administrative subpoenas,
which kind of goes against the spirit of the Constitution,
which, you know, in order to search our papers,
which in this modern day and age includes
our electronic communications,
you need to come with a warrant, come back with a warrant.
But that's not the case here.
I think what the legal argument that federal agencies would make is once this individual emailed
an employee of the Department of Homeland Security, he forfeited his reasonable expectation
of privacy in that information.
And therefore, this isn't a search at all in the first place.
And since it's not a search, you don't have to go through the rest of the Fourth Amendment process.
Like, is this unreasonable?
Does this require probable cause?
I think that's why DHS could use an administrative subpoena here is they are the ones who
received the email.
If he had emailed this to his friend who didn't work for DHS and they had some type of suspicion,
it might be a little bit more difficult to go that administrative subpoena route,
still be kosher legally.
But because this was an email he sent to somebody at the agency, I think their argument
it would be that he forfeited his reasonable expectation of privacy.
Is the very existence of this type of subpoena a practical one,
that it would be overly burdensome to have to present or have to get judicial oversight on everything?
Right, especially when you're talking about large volumes of records, which agencies do.
I mean, we've seen it with the National Security Agency.
They've made use of certain types of administrative subpoenas to try and access information.
And yeah, it would be far more burdensome
if you had to go through the process of convincing a judge.
Now, for a lot of these things,
like the judicial branch has been a rubber stamp,
especially when it relates to national security matters.
But yeah, this is a way where you don't have to establish probable cause
that a crime is being committed
in order to receive the information you want to receive.
There just has to be a policy interest on behalf of the agency.
And so that really does change the calculus,
and that's why this is such a popular tool among federal agents.
So is there any recourse for the gentleman named in this story?
If he feels as though his email account was unjustly accessed,
that was an unreasonable search.
Is there anything he can do?
No.
He can complain to the Washington Post and their technology page,
and they can put it as an article.
No, I mean, there isn't much recourse.
These types of subpoenas have been upheld as constitutional.
You know, the type of legal recourse he does have is what the ACLU is doing on his behalf,
which is trying to quash the subpoena in the first place,
which is going to be difficult because there are also issues of mootness.
Like, this has already happened.
He presumably the Department of Homeland Security has already obtained the information they need to obtain,
so it's not really a live case or controversy anymore.
But there might be future cases where the ACLU can challenge DHS's statutory authority
and the person who received this administrative subpoena could be part of that lawsuit in one way or another.
So if you have some type of live controversy in the future,
if a company who receives the subpoena, if Google decided that like,
hey, we're going to stand up for our customer base and we're going to refuse to comply,
then you get litigation and the ACLU could join and argue with Google or whomever the company is
that this statutory authority is overbroad and is unconstitutional facially.
I see.
But until we get to that point, there is very little recourse for somebody who's suffered an indignity like this one.
I see.
All right.
Well, Ben Yelin is from the University of Maryland Center for Cyber Health and Hazard Strategies
and also my co-host over on the Caveat podcast. Ben, thank you for helping us understand all this stuff.
Always happy to do it, Dave.
All right.
With Amex Platinum, you have access to over 1,400 airport lounges worldwide.
So your experience before takeoff is a taste of what's to come.
That's the powerful backing of Amex.
Conditions apply.
Welcome aboard VIA Rail.
Please sit and enjoy.
Please sit and sip, play, post, taste, view, and enjoy. VIA Rail. Love the way.
And finally, federal prosecutors say two Connecticut men turned online gambling promotions into a long-running side hustle,
allegedly defrauding FanDuel and rival betting sites of roughly $3 million.
According to a 45-count indictment, Amitaj Kapoor and Sidarth Lilani are accused of buying
stolen personal data for about 3,000 victims and using it to create thousands of fake accounts on platforms,
including DraftKings and BetMGM, all in pursuit of new user bonuses.
Prosecutors say the operation was methodical. Kapoor allegedly kept the stolen identities neatly organized in a
spreadsheet, while background check services helped answer verification questions. Winning bets were
cashed out through virtual cards, then funneled into accounts they controlled. Authorities say the
scheme ran for years, right up until it didn't. Both men now face charges ranging from wire fraud
to money laundering, with decades of potential prison time on the line.
And that's the Cyberwire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey
in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Kaltzman.
Our executive producer is Jennifer Eben.
Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year,
make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation. I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year. Join thousands of practitioners and leaders
tackling today's toughest challenges and shaping what comes next. Register today at
rsaconference.com/cyberwire26. I'll see you in San Francisco.
