CyberWire Daily — “A softer touch on cyber.”
Date: February 4, 2026
Host: Dave Bittner, N2K Networks
Featured Guest: Zach Edwards, Senior Threat Researcher at Silent Push
Episode Overview
This episode focuses on evolving approaches in U.S. cybersecurity policy, high-profile cyber threats against telecoms and critical infrastructure, and a deep-dive interview with researcher Zach Edwards on bulletproof hosting and its continued challenge for law enforcement globally. Other major stories include new zero-day exploitations, campaigns against Citrix Netscaler, critical risks in SolarWinds, and a data breach “encore” for the Police Service of Northern Ireland.
Key Discussion Points & Insights
1. White House Prepares Overhaul of U.S. Cybersecurity Policy
- Main Theme: The Trump administration, under National Cyber Director Harry Coker Jr., signals a move toward private sector collaboration over strict mandates.
- Focus on eliminating overlapping federal requirements.
- Enhanced legal protections for companies sharing threat intelligence.
- Prioritizing cross-sector coordination and building the cyber workforce.
- Insightful Quote:
“Coker has signaled a shift away from top down mandates toward a more bottom up approach, actively soliciting industry input on which rules create friction without improving outcomes.” (02:33)
- Timestamps:
- [00:57] — Policy overhaul framing.
- [01:18] — Focus on private sector collaboration.
2. Federal Regulatory Rollbacks and Security Risks
- Story: Removal of officials from Commerce’s Bureau of Industry and Security (ICTS office).
- Linked to weakening of national technology supply chain defenses.
- ICTS originally created to block high-risk foreign tech (e.g., Kaspersky, foreign vehicles).
- Critics worry about lasting negative consequences.
- Notable Quote:
“Critics argue that recent personnel moves, combined with cuts across agencies like CISA and regulatory reversals collectively undermine U.S. efforts to counter escalating cyber and supply chain threats with damage that may be difficult to reverse.” (03:45)
- Timestamps:
- [03:10] — Personnel changes context.
- [04:00] — Broader implications.
3. Congress Scrutinizes Telecoms After Salt Typhoon Breach
- Summary: Senator Maria Cantwell urges hearings with AT&T and Verizon after Chinese APT ‘Salt Typhoon’ breached U.S. telecom networks.
- Calls for transparency, accountability, and answers about public safety for Americans’ data.
- DHS review board investigation was dropped; Trump administration rescinded new FCC rules.
- Memorable Quote:
“Cantwell argues telecoms have taken minimal action due to cost concerns and says executives must testify to restore public confidence.” (05:47)
- Timestamps:
- [04:55] — Lawmaker actions.
4. Active Exploitation of React Native Metro’s ‘Metro for Shell’ Vulnerability
- Story: Attackers actively exploiting a vulnerability allowing remote code execution on exposed developer servers.
- Discovered by JFrog, observed in the wild by VulnCheck.
- Persisting with ~3,500 exposed servers even after patches released.
- Timestamps:
- [06:43] — Vulnerability description and risk.
5. Amaranth Dragon Espionage: Advanced Chinese APT Tactics
- Highlights: Check Point researchers identify ‘Amaranth Dragon’ (linked to APT41) exploiting a WinRAR flaw, heavily targeting Southeast Asian governments.
- Uses custom malware loaders, geofenced lures, and Telegram-based RAT.
- Urgent need for WinRAR patching.
- Timestamps:
- [07:42] — Threat actor and tradecraft.
- [08:40] — Implications and recommended defenses.
6. Citrix Netscaler Under Coordinated Reconnaissance
- Findings: GreyNoise reports 63,000+ residential proxies scanning for login panels and software versions, a likely prelude to exploitation of known Citrix flaws.
- Timestamps:
- [09:20] — Pattern and risks.
7. Critical SolarWinds Web Help Desk Flaw
- Update: CISA adds SolarWinds remote code execution bug to its High Exploitation List; agencies must remediate within three days.
- Timestamps:
- [10:07] — Official response and urgency.
In-Depth Interview: Zach Edwards on Bulletproof Hosting
(13:02 – 25:29)
Who is Zach Edwards?
- Senior Threat Researcher at Silent Push.
- Focused on Internet infrastructure, mapping malicious networks, and threat feeds.
What is Bulletproof Hosting (BPH)?
- Definition: Hosting providers that intentionally ignore abuse complaints about malicious activity (phishing, malware, fraud, CSAM, etc.).
- Originated with the Russian Business Network in mid-2000s.
- Now operates in numerous geopolitical “safe havens” worldwide (Russia, HK, UK, Wyoming, etc.).
- Quote:
“A bulletproof hosting company... ignores legitimate abuse complaints. So when a cybersecurity company identifies a domain that's promoting malware or phishing infrastructure, they may send in abuse complaints...and try and get that infrastructure taken offline. When you do that with a Cloudflare or Google...they take action. But a bulletproof hosting company...that complaint just goes right into the dumpster.” —Zach Edwards, (14:23)
Why Do BPHs Persist?
- Geography: Operate in places where international cyber laws are weak or unenforced.
- In Russia: US DMCA takedown requests have no authority.
- Increasingly global (over 100 Autonomous System Numbers (ASNs) tracked as BPH).
- Quote: “They're everywhere. We're tracking over a hundred ASNs that are operating as bulletproof hosts...legally registered in the UK, some are legally registered in Wyoming.” —Zach Edwards, (16:55)
How Do BPHs Stay Online?
- Peering Relationships:
- BPHs “peer” with other networks to achieve Internet connectivity.
- Often only demonstrate a handful of peering agreements, sometimes with other shady or low-quality hosts.
- Tactic: Law enforcement targets peering partners in more robust jurisdictions for sanctions rather than the unreachable BPH.
- Example:
“It was a really savvy way to try and disconnect that BPH from the Internet.” —Edwards on sanctions against BPHs via their UK peering partners (20:59)
Are Law Enforcement Actions Effective?
- “Whack a Mole” Problem:
- When a BPH is disrupted, clients quickly move to another provider.
- Success stories: Dutch raid on Crazy RDP was “gold standard” for direct action.
- Financial sanctions increasingly used for indirect disruption—e.g., against Medialand, Hypercore, Funnel CDN (linked to $200M in fraudulent investments/losses).
- Quote:
“But the second-best option really is still those financial sanctions... All of those clients immediately lose their infrastructure and it really creates chaos for them.” —Edwards, (22:24)
What Can Defenders Do?
- Top-5 Threat Priority:
- Over 100 known BPH ASNs; almost everything hosted on them is malicious.
- Defenders should at least alert on, if not outright block, traffic to and from these ASNs.
- Knowledge and visibility are key to not becoming a victim of “threat actors’ favorite tools.”
- Quote:
“We urge people to know what the BPHs are, to have a defense strategy, and at the very least be alerting on connections from those BPH hosts.” —Edwards, (24:08)
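The defensive recommendation above (alert on, or block, connections to and from known BPH ASNs) reduces to a simple flow-log check once you have an ASN list and an IP-to-ASN mapping. The following is an added example written for this summary; it is not code from the episode, from Silent Push, or from any BPH feed. The ASNs (private-use range), the prefix table (RFC 5737 documentation networks), the internal address space and the flow records are all constructed placeholders; a real deployment would substitute a curated BPH ASN list and a prefix-to-origin mapping from routing data.

```python
import ipaddress

# Constructed placeholder data, not a real indicator feed: the ASNs below are
# from the private-use range and the prefixes are RFC 5737 documentation
# networks. A real deployment loads a curated BPH ASN list and an
# IP-to-ASN (prefix-to-origin) mapping from routing data.
BPH_ASNS = {64500, 64501}
PREFIX_TO_ASN = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500),  # stands in for a BPH ASN
    (ipaddress.ip_network("203.0.113.0/24"), 64501),   # stands in for a BPH ASN
    (ipaddress.ip_network("192.0.2.0/24"), 64496),     # ordinary, non-BPH ASN
]
# The organization's own address space (assumed). Membership is checked
# explicitly rather than via ip_address.is_private, because Python also
# treats the RFC 5737 documentation ranges used above as "private".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2026-02-04T10:00:01Z 10.0.0.5 51234 198.51.100.20 443 tcp
2026-02-04T10:00:02Z 203.0.113.7 40000 10.0.0.5 22 tcp
2026-02-04T10:00:03Z 10.0.0.9 51235 192.0.2.10 443 tcp
2026-02-04T10:00:04Z 10.0.0.5 51236 100.64.0.1 53 udp
"""


def asn_for_ip(ip):
    """Longest-prefix match of an address against the prefix table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def evaluate_flows(text, mode="alert"):
    """Return one finding per flow whose external side sits in a BPH ASN.

    mode="alert" records the match for the SOC; mode="block" marks it for
    enforcement. Both directions are checked, matching the advice to watch
    connections to and from those ASNs.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_internal(flow["src"]) and not is_internal(flow["dst"]):
            direction, remote = "outbound", flow["dst"]
        elif is_internal(flow["dst"]) and not is_internal(flow["src"]):
            direction, remote = "inbound", flow["src"]
        else:
            continue  # internal-to-internal or external-to-external: out of scope here
        asn = asn_for_ip(remote)
        if asn in BPH_ASNS:
            findings.append({"ts": flow["ts"], "direction": direction,
                             "remote_ip": remote, "asn": asn,
                             "port": flow["dport"], "action": mode})
    return findings


if __name__ == "__main__":
    for f in evaluate_flows(SAMPLE_FLOWS):
        print(f"{f['action'].upper()} {f['direction']} {f['remote_ip']} "
              f"AS{f['asn']} port {f['port']}")
```

Run as-is, the sample flags two of the four flows: the outbound HTTPS connection to the first placeholder BPH ASN and the inbound SSH attempt from the second; the flow to an unmapped address yields no ASN and is left alone rather than guessed at. Starting in alert mode and moving to block mode once the feed's false-positive rate is understood is the usual progression.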
Data Privacy Fumble: Police Service of Northern Ireland
- Incident: Officers’ names re-disclosed briefly on court website after a major breach in 2023.
- Reactions:
- Described as “avoidable and embarrassing.”
- Politicians warn of heightened anxiety; officers considering further compensation, likening it to a bad “subscription service.”
- Quote:
“In Northern Ireland's data handling saga, even mistakes appear to be compounding and possibly accruing interest.” (26:46)
- Timestamps:
- [26:46] — Data breach update and commentary.
Notable Quotes & Memorable Moments
- On the interconnectedness of the Internet:
“The Internet is a series of tubes.” —Zach Edwards, referencing Sen. Ted Stevens, (18:21)
- On BPH global expansion:
“Now, two decades or so since the start of this problem, they're everywhere.” —Zach Edwards, (16:37)
- On law enforcement effectiveness:
“It is absolutely true that whack a mole would be the simplest way to describe them...” —Zach Edwards, (21:35)
- On evidence-based threat defense:
“If we aren't approaching [BPH] as though it's a threat that every threat actor loves to use…you’re going to be attacked by a lot of stuff you don’t have defenses for.” —Zach Edwards, (24:05)
Important Segment Timestamps
- White House cyber policy analysis: [00:57]–[03:10]
- Commerce/ICTS regulatory rollback: [03:10]–[04:00]
- Telecom APT breach Congressional inquiry: [04:55]–[05:47]
- Metro for Shell exploit: [06:43]–[07:41]
- Amaranth Dragon threat actor: [07:42]–[09:17]
- Citrix Netscaler reconnaissance: [09:20]–[10:06]
- SolarWinds exploitation update: [10:07]–[11:13]
- Interview: Zach Edwards (start): [13:02]
- Defining bulletproof hosting: [13:31]–[14:23]
- Law enforcement and sanctions discussion: [17:50]–[22:24]
- Defensive recommendations: [23:59]–[25:29]
- Police Service of Northern Ireland breach: [26:46]–[28:10]
Summary
This episode delivers a nuanced snapshot of today’s cybersecurity landscape: federal policy is shifting to foster more collaboration and less counterproductive regulation, even as some security agencies face cuts that worry industry experts. Meanwhile, major infrastructure and platforms face ongoing threats from advanced attackers, and the law enforcement “whack a mole” with bulletproof hosting remains a global challenge. The expert interview with Zach Edwards provides a practical lens on how defenders can proactively counter one of the most persistent enablers of cybercrime: bulletproof hosting providers and their web of complicit networks.
Listeners come away with both a big-picture understanding of evolving cybersecurity policy and ground-level details about current threats and pragmatic defenses.
