CyberWire Daily: "CISA’s steady hand in a stalled senate."

Host: Maria Varmazes (filling in for Dave Bittner)
Date: October 31, 2025
Podcast Network: N2K Networks

Episode Overview

In this episode, Maria Varmazes covers the latest cybersecurity news, focusing on CISA’s ongoing stability in federal-private sector cooperation despite congressional gridlock, major vulnerabilities, and breaches across critical infrastructure and the private sector. The episode features an in-depth interview with Emily Austin, Principal Security Researcher at Censys, discussing why nation-state attackers consistently target critical infrastructure.

Key Discussion Points & Insights

1. CISA’s Steady Collaboration Amid Legislative Stalemate (01:34)

• Main Point: Despite the expiry of the 2015 Cybersecurity Information Sharing Act, CISA maintains strong cooperation with the private sector.
• Quote (Maria Varmazes, 01:50):
  “Anderson credited the sustained collaboration to CISA's strong reputation and established long-term partnerships, but emphasized that the lapsed authority is core and critical to managing national cyber risk.”
• Legislative Focus: Lawmakers are pushing for a 10-year renewal, but efforts stall due to a continuing government shutdown.
• Broader Significance: US National Cyber Director Shawn Cairncross stresses the statute is “vital” for preserving trust and effective threat data exchange.

2. Joint Guidance on Securing Exchange Servers (03:20)

• Agencies Involved: CISA, NSA, Australia, and Canada’s cyber authorities.
• Key Recommendations:
  • Harden authentication
  • Limit admin access
  • Enforce strong encryption
  • Adopt Zero Trust principles
  • Decommission outdated/hybrid Exchange servers
• Urgency: Guidance follows CISA’s August emergency directive after a critical Exchange vulnerability.
• Technical Steps: Enable MFA, patch servers, prefer Kerberos to NTLM, enforce TLS, use RBAC.

3. Active Ransomware Exploiting Linux Kernel Flaw (04:30)

• Vulnerability: Use-after-free bug in ‘netfilter/nftables’, enabling root-level access across various Linux distributions.
• Attack Impact: “Enables system takeover, lateral movement and data theft once root access is achieved.”
• Mitigation Advice:
  • Block NF tables
  • Restrict user namespaces
  • Load Linux kernel runtime guard

4. Chinese Cyber-Espionage Campaigns in Europe (05:10)

• Actor: UNC6384 (China-linked group)
• Targets: Diplomatic organizations in Hungary, Belgium, other European states (Sep–Oct 2025)
• Tactics:
  • Exploiting Windows shortcut vulnerability
  • Phishing tied to European Commission/NATO events
  • Delivered PlugX malware via DLL sideloading
• Trend: Rapid adoption of new vulnerabilities, expansion beyond previous Southeast Asia focus.

5. Conduent Data Breach: 10+ Million Americans Exposed (06:20)

• Details:
  • Attackers accessed Conduent systems (Oct 21–Jan 13)
  • Stolen data includes SSNs, health information
  • SafePay ransomware gang claims 8.5TB stolen
• Corporate Impact: Conduent serves tech for Medicaid, child support, EBT, affecting ~100M Americans.
• Current Status:
  • No data seen publicly
  • Law enforcement investigating

6. Surge in Luxury Brand Phishing Scams (07:20)

• Findings (Pre Crime Labs):
  • 1,330 malicious domains since August, 1,200 mimic 23 major brands
  • Tactics: Exploiting holiday shopping, organized registration patterns
• Outcome: Both financial and reputational harm to brands, indicating large-scale fraud campaigns.

7. LinkedIn as a Phishing Platform (08:00)

• Target: Finance execs lured with invitations to join a fake “Commonwealth Investment Funds Executive Board”
• Technique:
  • Links redirect via Google/Firebase to spoofed LinkedIn/Microsoft login
  • Harvests credentials and session cookies
• Trend: Phishing is moving beyond email—LinkedIn-based attacks are more sophisticated, rapidly increasing.

8. Advocacy Groups Challenge Meta’s Data Practices (08:50)

• Issue: Meta plans to use chatbot interactions for ad targeting (from December 16, without opt-in).
• Response: 30+ organizations urge FTC intervention, citing privacy abuse and FTC Act (Section 5) violations.

9. Former L3Harris Executive Pleads Guilty to Selling Zero-Days (09:30)

• Details:
  • Peter Williams sold 8 zero-day exploits to Russian broker for millions in crypto.
  • Exploits stolen while at L3Harris/Trenchant.
• Impact: Approx. $35 million in losses, adversaries equipped with advanced cyber capabilities.
• Consequence: Faces up to 20 years in prison, over $300k in fines, $1.3M restitution.

Expert Interview: Emily Austin, Censys — Why Nation-State Attackers Target Critical Infrastructure (13:07–21:17)

Exposure and Ongoing Risks

• Emily Austin (13:21): “Critical infrastructure... is still exposed on the Internet. This is not a new problem. This is a problem the security community has been talking about for years.”
• Key insight: Exposure increases attractiveness to a spectrum of threat actors: “They're quite enticing as far as that goes.” (13:35)

Research Focus: Iranian Threat Activity

• Recent Trends: Increased Iranian interest amid Middle East tensions and DHS/CISA advisories (Summer 2025).
• Approach: Censys studied devices previously targeted by Iranian groups (PLCs, fuel automation, building control software).

Notable Devices Researched

• Types Analyzed:
  • Unitronics Vision PLCs
  • ORPAC SiteOmat (fuel automation)
  • Red Lion equipment
  • Devices using Tritium Niagara Framework
• Source of Interest: OpenAI 2024 report highlighted an Iranian-linked group (“Cyber Avengers”) using generative AI to research device vulnerabilities and default passwords.

Threat Impact & Device Roles (16:25)

• Use Cases:
  • Unitronics: Water, energy, chemical processing
  • ORPAC: Fuel stations, fleet management
  • Tritium Niagara: Building automation/HVAC, alarms
• Historical Context: 2023 U.S. water plant defacements via exposed Unitronics devices.

Attacker Access Methods

• Common Flaw: Default credentials commonly left unchanged, granting attackers operational access (toggle alarms, alter chemical levels).
• Emily Austin (17:41):
  “A lot of these things are accessed through default credentials... so maybe you can go in and toggle on or off an alarm, or you can maybe change levels of chemicals added to wastewater treatment.”

Motivations: Hacktivism vs. Nation-State (19:07)

• Differences:
  • Hacktivists seek publicity (“deface things... look at us”)
  • Nation-states act stealthily with potential for disruption

Protective Recommendations

• Standard, but Crucial:
  • “These systems really shouldn't be exposed directly to the Internet.”
  • Use VPNs/firewalls, restrict public access.
• Vendor Accountability: Manufacturers must stop shipping with default credentials.
  • Positive example: Unitronics removed default admin credentials after 2023 campaign.
• Emily Austin (20:01):
  “I also think there's a burden on the manufacturers... at least two of the four systems... shipped or used to ship with default credentials, which is just—I mean it's 2025. Like, we can't do that anymore. We never should have done it, but we really can't do it now.”

Market Fallout: Retailers & Cyber Disruption (21:17)

• UK Retailer Next: Credits a 7.6% sales jump and £30 million profit boost to competitor M&S’s ongoing cyber-driven outages.
• Wider Impact: M&S suffers expected losses of £300 million; retailers with robust online operations (Next, Zara, H&M) capitalize, while those without lag behind.
• Automotive Sector: Jaguar Land Rover’s cyber incident cost the British economy £1.9 billion.
• Policy Takeaway: Lawmakers push for stronger cybersecurity laws, underlining the broad economic stakes.

Notable Quotes & Timestamps

• Maria Varmazes (01:50):
  “Anderson credited the sustained collaboration to CISA's strong reputation and established long term partnerships, but emphasized that the lapsed authority is core and critical to managing national cyber risk.”

• Emily Austin (13:21):
  “Critical infrastructure… is still exposed on the Internet. This is not a new problem…”

• Emily Austin (17:41):
  “A lot of these things are accessed through default credentials... maybe you can go in and toggle on or off an alarm, or change levels of chemicals added to wastewater treatment...”

• Emily Austin (20:01):
  “At least two of the four systems... shipped or used to ship with default credentials, which is just—I mean it's 2025. Like, we can't do that anymore. We never should have done it, but we really can't do it now.”

Important Timestamps

• CISA’s Steady Hand & Senate Stalemate: 01:34–03:10
• Exchange Server Security Guidance: 03:20–04:25
• Active Linux Kernel Ransomware: 04:30
• Chinese Cyber-Espionage in Europe: 05:10–06:10
• Conduent Breach – 10 Million Exposed: 06:20–07:10
• Luxury Brand Phishing Campaigns: 07:20–08:00
• Phishing on LinkedIn: 08:00–08:45
• Advocacy Groups vs. Meta: 08:50–09:20
• L3Harris Exec Sells Zero-Days: 09:30–10:10
• Emily Austin Interview: 13:07–21:17
• Retailer Fallout & Cyber Market Impact: 21:17–22:43

Takeaway

This episode underscores the persistent vulnerabilities and the human and economic consequences of cyber-attacks—from government and critical infrastructure to global retail. Even as federal-level cooperation endures, experts like Emily Austin stress both organizational and vendor responsibility in stamping out basic but dangerous weaknesses, such as devices exposed with default credentials. The episode also illustrates evolving attacker tactics (e.g., phishing via LinkedIn and luxury brand scams) and the dire need for continual vigilance and regulatory modernization.