Maria Varmazes
You're listening to the CyberWire Network, powered
Dave Bittner
by N2K.
Sponsor/Advertisement Voice
Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit hyperproof.io to see how leading teams are transforming their GRC programs. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Maria Varmazes
CISA says cooperation between federal agencies and the private sector remains steady. A long-standing Linux kernel vulnerability in active ransomware campaigns is confirmed. A Chinese-linked group targets diplomatic organizations in Hungary, Belgium and other European nations. A government contractor breach exposes data of over 10 million Americans. Luxury fashion brands fall victim to impersonation scams. Phishing shifts from email to LinkedIn. Advocacy groups urge the FTC to block Meta from using chatbot interactions to target ads. A man pleads guilty to selling zero-days to the Russians. Emily Austin, principal security researcher at Censys, discusses why nation-state attackers continue targeting critical infrastructure. And when M&S went offline, shoppers hit Next.

Today is Friday, October 31, 2025. Happy Halloween, Maria. I'm Maria Varmazes, host of T-Minus Space Daily here on the N2K CyberWire network, filling in today for Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining me today, everyone. Let's get into it.

First up, despite the recent expiration of the 2015 Cybersecurity Information Sharing Act, according to Nick Anderson of the Cybersecurity and Infrastructure Security Agency, AKA CISA, cooperation between federal agencies and the private sector on cyber threat data sharing remains steady. Anderson credited the sustained collaboration to CISA's strong reputation and established long-term partnerships, but emphasized that the lapsed authority is core and critical to managing national cyber risk. Lawmakers are seeking a 10-year renewal, though efforts have been repeatedly stalled in the Senate amid the ongoing US government shutdown. National Cyber Director Sean Cairncross also called the statute vital, urging swift reauthorization to preserve the trust and information exchange that underpins US cybersecurity.

Elsewhere, CISA and the NSA, joined by cyber agencies in Australia and Canada, released new guidance to help organizations secure Microsoft Exchange servers from attack. The advisory urges IT administrators to harden authentication, limit administrative access, enforce strong encryption and adopt zero trust principles. It strongly recommends decommissioning outdated or hybrid Exchange servers after migrating to Microsoft 365, warning that unsupported systems pose major breach risks. The agencies outlined over a dozen key steps, including enabling multi-factor authentication, keeping servers patched, using Kerberos instead of NTLM, enforcing transport layer security, and applying role-based access controls. This guidance follows CISA's August emergency directive requiring federal agencies to rapidly address a critical Exchange vulnerability.

CISA has also confirmed that a high-severity Linux kernel flaw is now being exploited in ransomware attacks. The vulnerability is a use-after-free bug in the netfilter nf_tables component, and it allows attackers to gain root-level privileges. It affects major Linux distributions including Debian, Ubuntu, Fedora and Red Hat. This escalation flaw enables system takeover, lateral movement and data theft once root access is achieved. Organizations that are unable to patch are urged to block nf_tables, restrict user namespaces, or load the Linux Kernel Runtime Guard module.

Arctic Wolf Labs has uncovered an active cyber espionage campaign by Chinese-linked group UNC6384 targeting diplomatic organizations in Hungary, Belgium and other European nations in September and October 2025. The operation exploits a Windows shortcut vulnerability that was disclosed earlier this year. Combined with convincing phishing lures themed around European Commission and NATO events, the multi-stage attack delivers PlugX remote access malware via DLL sideloading of legitimate Canon printer utilities. Researchers say that the campaign shows rapid adoption of newly disclosed flaws, advanced social engineering aligned with diplomatic calendars, and expansion beyond UNC6384's usual Southeast Asia focus. Arctic Wolf attributes the campaign with high confidence based on tooling, tactics and infrastructure overlaps with prior operations.

Government contractor Conduent has disclosed that a January cyber attack exposed personal data belonging to more than 10 million people across multiple US states. The breach investigation found that attackers had access to Conduent systems from October 21 to January 13, stealing files that are tied to its government service contracts. Impacted states include Texas, Washington, South Carolina and others, with compromised data such as Social Security numbers and health information. The SafePay ransomware gang claimed responsibility, saying that it stole eight and a half terabytes of data. Conduent says no stolen data has surfaced publicly, systems have been restored and law enforcement is investigating. That said, the company provides technology services for Medicaid, child support and EBT programs serving about 100 million U.S. residents.

Researchers at PreCrime Labs, which is part of BforeAI, uncovered a surge in malicious domains impersonating luxury fashion brands ahead of the 2025 holiday season. Between mid-August and late September they identified 1,330 domains, with over 1,200 mimicking 23 major brands. These fraudulent sites exploit brand prestige to lure customers into scams and phishing attacks, causing both financial and reputational harm. Coordinated domain registrations, recurring email operators and exploitation of current events suggest an organized criminal network preparing large-scale fraud campaigns.

Hackers are exploiting LinkedIn to phish finance executives with fake invitations to join a Commonwealth Investment Funds executive board, aiming to steal Microsoft credentials. According to Push Security, victims receive LinkedIn messages containing malicious links that redirect through Google and Firebase to a fake LinkedIn CloudShare site. The page ultimately displays a spoofed Microsoft login to harvest credentials and session cookies. Push warns that phishing now frequently occurs outside of email, with LinkedIn-based attacks rapidly increasing in sophistication and volume.

A coalition of more than 30 consumer and children's advocacy groups is urging the Federal Trade Commission to block Meta from using users' chatbot interactions to target ads or personalize content. Meta plans to begin this practice on December 16th without opt-in consent. The groups, including EPIC and the Center for Digital Democracy, argue that the move violates Section 5 of the FTC Act on unfair practices. They call it an industrial-scale privacy abuse, pressing the FTC to act decisively.

Former L3Harris executive Peter Williams, aged 39, pleaded guilty to two counts of theft of trade secrets for selling eight US government-developed zero-day exploits to a Russian broker in exchange for millions in cryptocurrency. Prosecutors said that Williams stole the tools while working at Trenchant, which is an L3Harris subsidiary, and then sold them to a firm believed to be Operation Zero, which is a Russian platform advertising exploits for non-NATO clients. This scheme, running from 2022 to 2025, caused approximately $35 million in losses and risked arming adversaries with advanced cyber capabilities. Williams faces up to 20 years in prison, fines exceeding $300,000 and $1.3 million. Sentencing is scheduled for January.

Stick around after the break, when Dave Bittner is joined by Emily Austin, principal security researcher at Censys, as they discuss why nation-state attackers continue targeting critical infrastructure. And when M&S went offline, shoppers hit Next.
Sponsor/Advertisement Voice
At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Maria Varmazes
Dave Bittner recently sat down with Emily Austin, principal security researcher at Censys, to discuss why nation-state attackers continue targeting critical infrastructure. Here's their conversation.
Emily Austin
The biggest summary statement I could give around this is that critical infrastructure is, it's still exposed on the Internet. This is not a new problem. This is a problem the security community has been talking about for years. But unfortunately there are still interesting and enticing targets for nation-state actors, for hacktivists, you name it. They're quite enticing as far as that goes.
Dave Bittner
Well, let's dig into some of the details of the research you and your colleagues have done here recently. You were looking at things going on with Iranian devices.
Emily Austin
Yeah, so devices that were actually being targeted by Iran in the past. So over the summer, you know, there was this uptick in kinetic activity in that region, and the U.S. Department of Homeland Security actually issued an advisory in June warning against a heightened threat environment in the US, and then a few days later, CISA came out with an alert as well, telling critical infrastructure operators in the US to stay vigilant for targeted activity by Iranian threat actors. And at Censys for the last, I'd say, two years or so, we've really focused in different ways on understanding the industrial control systems exposure landscape. And one of the questions that I had was, well, okay, we know that Iranian threat actors have gone after particular types of critical infrastructure before. What do we see in terms of things that we know that they've targeted before or been interested in before? And that's really kind of where this research started, was wanting to kind of measure. So what do we see? What is the potential blast radius of industrial control systems that they might be interested in?
Dave Bittner
Well, let's get into some of the details together here. What did you discover?
Emily Austin
Yeah, so we whittled down the list. There is quite a long list, but I ended up going with four different device types that, you know, again, have been previously targeted or known to be of interest. And that included things like Unitronics Vision PLCs, Orpak SiteOmat fuel automation systems, any kind of Red Lion equipment, or things running the Tridium Niagara framework. And the way we chose that one was actually kind of interesting, I think. So it was based on a 2024 report from OpenAI where they were reporting on influence and cyber operations that they identified on their platform. And in this report they actually were addressing activity that they'd attributed to an Iranian-linked hacktivist group called the Cyber Avengers. This group apparently had used OpenAI models to conduct research on different types of ICS devices, asking about different types of industrial routers, PLCs, utility companies in certain regions, and also looking for default passwords for different types of devices. And that included Tridium Niagara devices. So we wanted to look at that as well. We thought that was kind of an interesting perspective.
Dave Bittner
Well, can you put that in perspective for us as to what those devices are used for and the potential impact here?
Emily Austin
Yeah, so just kind of at a high level. So Unitronics makes PLCs and HMIs and things like that. Most of these are software that you can find on the Internet through a browser, through VNC, through RDP. And they're essentially used to manage or monitor industrial control processes. You know, in the case of Unitronics, a few years ago, there was an attack, I think it was in late 2023, where Iranian actors were targeting these devices and defacing them. And there were a couple of water plants in the United States that were affected. So they control a variety of processes that relate to energy, water, power, things like that. Things that we do consider very critical. You know, the Orpak SiteOmat things, those are fuel station automation types of software, fleet management. Tridium Niagara is used often in building automation and for, like, HVAC and alarms and security systems and things like that. So kind of a variety of different types of uses, purposes of these types of software. So lots of different ways to potentially have an impact, unfortunately.
Dave Bittner
And what sort of access do the Iranians seem to be gaining here?
Emily Austin
So in the cases that we looked at, right, and what we are aware of from previous research, because again, we can't really see attack traffic, we just, we see exposures, we see exposure numbers. But from what we've seen, a lot of these things are accessed through default credentials. So these interfaces will be available through your browser, available through an RDP session, and they'll use default credentials. And so maybe you can go in and toggle on or off an alarm, or you can maybe change levels of chemicals added to wastewater treatment or water treatment things. Lots of different opportunities to affect processes. Fortunately, it doesn't seem like any of these, the attacks that we've seen reported on in sort of a TLP:CLEAR sense, have been catastrophic in nature, at least in this realm. But it certainly does raise questions around the security of these devices, the management of these devices, and kind of the onus on the manufacturers to make sure that they're not shipping with really insecure default settings.
Dave Bittner
Do you have any sense for how broad the Iranians' interest might be here? In other words, do they seem to have specific interests in specific types of critical infrastructure, or do they just go where they have access?
Emily Austin
So I think it sort of depends, at least in the cases that we've looked at. And again, I'm not an expert necessarily in Iranian threat operations, but based on reporting that I've read and have come to understand, I think it really sort of depends on the group behind it, whether we're talking about, like, actual nation-state affiliation or sort of hacktivism in some ways. And so I think that starts to be where things diverge a little bit. Whereas, you know, the hacktivist groups will want to deface things, they'll want to say, you know, look at us, here's what we're doing, you know, down with this country, down with this government, down with these people. Whereas an actual nation state might be more motivated to be a little more stealthy, a little bit more quiet, and potentially a little more disruptive.
Dave Bittner
Well, based on the information you've gathered here, what are your recommendations, then, for organizations to best protect themselves?
Emily Austin
Yeah, so I think this is boring, you know, and I feel like anytime that someone's asked about this, it's the same thing. It's, you know, these systems really shouldn't be exposed directly to the Internet. This is just not a good practice. So if you are a critical infrastructure operator, regardless of your sector, try not to put these things online. Put them behind a VPN, put them behind a firewall, use some kind of protection so that they aren't just sitting out on the Internet. But I also think there's a burden on the manufacturers as well that I don't think we talk about quite as much, because at least two of the four systems that we studied in this particular research shipped or used to ship with default credentials, which is just, I mean, it's 2025. Like, we can't do that anymore. We never should have done it, but we really can't do it now. And I will say one of the manufacturers, Unitronics, who used to ship with default credentials, they actually, after that 2023 campaign I mentioned with their HMIs being defaced, about a month later, they actually pushed a patch that removed the default admin username and password. So there's effort. But I think we need to see it maybe a little bit more widespread from these manufacturers.
Maria Varmazes
That was Dave Bittner sitting down with Emily Austin from Censys, discussing why nation-state attackers continue targeting critical infrastructure. And finally, British retailer Next has discovered that one company's cyber misfortune can be another's sales strategy. In a trading update on Wednesday, Next credited favorable weather and competitor disruption, translation: Marks and Spencer's cyber meltdown, for a tidy 7.6% sales jump and a 30 million pound profit boost. M&S, while still nursing its digital hangover after months of outages, is expected to lose around £300 million this year. And while Next, Zara and H&M cashed in, retailers without robust online stores didn't see the same windfall. Meanwhile, Jaguar Land Rover's separate cyber incident wiped 1.9 billion pounds off of the British economy, a very sobering reminder that not all disruptions come with silver linings. Lawmakers say that stronger cybersecurity laws can't come soon enough.
Maria Varmazes
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com, and be sure to join us for a new Research Saturday, where Dave Bittner sits down with Dario Pasquini, principal researcher at RSAC, discussing the team's work on When AI Ops Become AI Oops: Subverting LLM-Driven IT Operations via Telemetry Manipulation. That is Research Saturday, folks. Definitely check it out. And that's the CyberWire Daily, brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazes, in for host Dave Bittner. Thank you for listening. Have a lovely weekend.
Sponsor/Advertisement Voice
Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Host: Maria Varmazes (filling in for Dave Bittner)
Date: October 31, 2025
Podcast Network: N2K Networks
In this episode, Maria Varmazes covers the latest cybersecurity news, focusing on CISA’s ongoing stability in federal-private sector cooperation despite congressional gridlock, major vulnerabilities, and breaches across critical infrastructure and the private sector. The episode features an in-depth interview with Emily Austin, Principal Security Researcher at Censys, discussing why nation-state attackers consistently target critical infrastructure.
Maria Varmazes (01:50):
“Anderson credited the sustained collaboration to CISA's strong reputation and established long term partnerships, but emphasized that the lapsed authority is core and critical to managing national cyber risk.”
Emily Austin (13:21):
“Critical infrastructure… is still exposed on the Internet. This is not a new problem…”
Emily Austin (17:41):
“A lot of these things are accessed through default credentials... maybe you can go in and toggle on or off an alarm, or change levels of chemicals added to wastewater treatment...”
Emily Austin (20:01):
“At least two of the four systems... shipped or used to ship with default credentials, which is just—I mean it's 2025. Like, we can't do that anymore. We never should have done it, but we really can't do it now.”
This episode underscores the persistent vulnerabilities and the human and economic consequences of cyber-attacks—from government and critical infrastructure to global retail. Even as federal-level cooperation endures, experts like Emily Austin stress both organizational and vendor responsibility in stamping out basic but dangerous weaknesses, such as devices exposed with default credentials. The episode also illustrates evolving attacker tactics (e.g., phishing via LinkedIn and luxury brand scams) and the dire need for continual vigilance and regulatory modernization.