Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Thursday, February 5, 2026. I'm Sarah Lane.

Ukraine tightens controls on Starlink terminals
Ukraine introduced a mandatory whitelist for Starlink terminals, disconnecting any unverified devices after confirming Russian forces are using Starlink-equipped drones for real-time control. Officials say the move, implemented with SpaceX, is meant to stop Russian UAVs that are harder to jam or intercept, with added restrictions limiting terminal use to stationary or low-speed operation. More than 50,000 Starlink terminals are active in Ukraine, and authorities say the measure is currently the only way to prevent Russian exploitation of the network.

VMware ESXi flaw now exploited
CISA said Wednesday that ransomware groups are now exploiting a high-severity VMware ESXi sandbox escape flaw, which Broadcom patched back in March of 2025 after it was used as a zero-day. The bug lets attackers with VMX-level privileges write to the kernel and escape a virtual machine, and has been linked to earlier sophisticated attacks attributed to Chinese-speaking threat actors. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and is urging immediate patching.

SolarWinds Web Help Desk bug under attack
Attackers are actively exploiting a critical SolarWinds Web Help Desk flaw just days after it was patched, prompting CISA to give federal agencies a three-day deadline to apply fixes. The 9.8-rated untrusted deserialization bug allows unauthenticated remote code execution and affects SolarWinds Web Help Desk versions prior to 2026.1, which was released on January 28th. SolarWinds says it hasn't seen widespread exploitation, but is urging customers to patch immediately.
US used cyber weapons to disrupt Iranian air defenses
Recorded Future News sources say the US used cyber weapons to disable Iranian air defense systems during 2025 airstrikes on nuclear sites at Fordo, Natanz and Isfahan, preventing Iran from launching surface-to-air missiles at US aircraft. Officials claim Cyber Command, backed by NSA intelligence, targeted upstream network nodes rather than hardened facilities, marking one of the most sophisticated cyber operations against Iran to date.

Huge thanks to our sponsor, Strike48. Strike48 is the agentic log intelligence platform that actually puts AI agents to work, maximizing log visibility without blowing your budget. Find threats your siloed tools miss. Get started today with pre-built AI agents and workflows that investigate, detect and respond 24/7, or build your own at strike48.com security. That's strike48.com security.

Eyet Galo back to run cybersecurity at Microsoft
Microsoft is bringing back former executive Eyet Galo to run cybersecurity, while current security chief Charlie Bell moves into a new role focused on engineering quality. Galo returns after a stint at Google Cloud and will serve as an executive VP reporting to CEO Satya Nadella. Charlie Bell joined Microsoft from AWS back in 2021.

Microsoft develops scanner to detect backdoors
In other Microsoft news, the company says it's developed a lightweight scanner to detect backdoors in open-weight large language models, using three behavioral signals to flag poisoned models with a low false positive rate. The tool can identify trigger-based sleeper agent behavior without retraining the model or knowing the backdoor in advance. It needs access to model files, and it doesn't work on proprietary systems. Microsoft says this is part of a broader push to integrate AI-specific threats like data poisoning into its secure development processes.
Epstein files leak sensitive data, victim info and credentials
US authorities have retracted thousands of records tied to the Jeffrey Epstein files after inadequate redactions exposed sensitive data, affecting around 100 victims. This was first noted by AP News on February 2nd. The leaks included photos, names, emails, banking details, Social Security numbers and, in some cases, full credit card information. Cybernews now reports the release exposed multiple passwords, some reportedly still valid, for accounts including Outlook, Gmail, Yahoo, LinkedIn and Apple ID.

SystemBC found active across infected systems
Researchers at Silent Push say the SystemBC botnet is still active and linked to more than 10,000 infected IP addresses worldwide, often appearing early in intrusion chains that later lead to ransomware attacks. The proxy malware was first seen back in 2019, turns compromised systems into SOCKS5 relays, and has been found lingering for weeks or even months, largely on data center infrastructure, with infections concentrated in the U.S. Researchers also identified a previously undocumented Linux-focused variant with no antivirus detections and found compromised systems tied to government websites in Burkina Faso and Vietnam.

If you have some thoughts on the news from today or about the show in general, and we know you do, be sure to reach out to us at Feedback. We would love to hear from you. I'm Sarah Lane reporting for the CISO Series. Stay classy out there, Planet Earth and beyond.
