Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T H A L E S. Learn more at.
The House passes a defense policy bill that includes new provisions on cybersecurity and AI. Senator Wyden accuses Microsoft of gross cybersecurity negligence after a 2024 ransomware attack crippled health care giant Ascension. The White House shelves plans to split U.S. Cyber Command and the NSA. The Pentagon finalizes its long-awaited Cybersecurity Maturity Model Certification rule. Akira ransomware group targets SonicWall devices. Officials warn solar-powered highway infrastructure should be checked for hidden radios. The Atlantic Council maps the global spyware market. Researchers uncover serious flaws in Apple's AirPlay. A European DDoS mitigation provider thwarts a record-breaking attack. My Caveat co-hosts Ethan Cook and Ben Yelin unpack the cyber elements of the Big Beautiful Bill. And who fixes the vibe code?
It's Thursday, September 11th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Thanks for joining us here today. It's great to have you with us.
The US House of Representatives has passed an $848 billion defense policy bill that includes new provisions on cybersecurity and artificial intelligence. The National Defense Authorization Act was approved in a 231 to 196 vote and sets Pentagon policy for the year. While less sweeping than past cyber debates, the bill still carries weighty digital measures. It directs the NSA to brief lawmakers on plans for its Cybersecurity Coordination Center and requires combatant commands to report on Cyber Command's support. The Pentagon would also build a software bill of materials for AI-enabled tools and pursue up to 12 initiatives using generative AI for cybersecurity and intelligence. Amendments adopted allow threat sharing between the NSA and the private sector and task the DoD with studying the National Guard's cyber response role. The Senate will take up its version next week.
Senator Ron Wyden is urging the Federal Trade Commission to investigate Microsoft after a 2024 ransomware attack crippled Catholic healthcare giant Ascension. Wyden accuses Microsoft of gross cybersecurity negligence, citing its default support for RC4 encryption, a 1980s-era standard vulnerable to a hacking method called Kerberoasting. Attackers allegedly exploited this weakness in Ascension's Microsoft Active Directory, spreading ransomware that disrupted 140 hospitals across 19 states and exposed data on nearly 6 million patients. Wyden argues Microsoft failed to warn customers clearly, instead burying guidance in obscure blog posts. Microsoft acknowledges RC4's risks but said abruptly disabling it would break systems, pledging instead to phase it out by 2026. Wyden likened Microsoft to an arsonist selling firefighting services, given its market dominance in enterprise IT.
The Trump administration has decided to keep US Cyber Command and the NSA under dual-hat leadership, shelving plans to split the roles due to the complexity and risks of restructuring. Officials concluded a separation could take six years, slowing national security priorities. Army Lt. Gen. William Hartman, currently acting leader, is Trump's choice to head both agencies permanently, reinforcing the arrangement's benefit for speed, coordination and unified direction. Lawmakers largely support the move, warning a split could weaken US cyber and intelligence capabilities.
The Pentagon has finalized its long-awaited Cybersecurity Maturity Model Certification rule, requiring stricter cyber standards for defense contractors. The framework, first proposed in 2019, aims to safeguard sensitive but unclassified information across the defense industrial base, which includes over 300,000 companies. Rolled out in three phases over three years starting November 10th, CMMC sets three security levels. Contractors handling federal contract information may self-attest, while those with more sensitive data must undergo third-party or Defense Industrial Base Cybersecurity Assessment Center certification. The program reduces the original five levels to three, easing compliance concerns for small businesses. Still, experts warn, most contractors lack strong governance and encryption practices. Ultimately, nearly all defense vendors will need to adjust operations to meet the new requirements.
In August 2024, SonicWall disclosed an SSL VPN flaw affecting their Gen 5 through Gen 7 firewalls. Though patches were released, incomplete remediation left devices exposed. The Akira ransomware group has since exploited this, combining the CVE with two additional over-provisioned access from SSL VPN default groups and public exposure of the Virtual Office Portal, which attackers use to hijack MFA setups.
Rapid7 has observed rising intrusions and urges organizations to patch, enforce MFA restrictions, restrict portal access, rotate local accounts and monitor SSL VPN activity closely.
The U.S. Department of Transportation has issued a security advisory warning that solar-powered highway infrastructure such as EV chargers, traffic cameras and weather stations should be checked for hidden devices like undocumented radios, Reuters reports. Officials say foreign-made inverters and battery management systems have been found with rogue components often linked to Chinese suppliers. These devices could enable remote tampering, triggering outages or data theft. Experts warn they might also sabotage roadside systems or autonomous vehicle networks. The advisory urges transportation operators to inventory inverters, use spectrum analysis to detect unauthorized signals, remove rogue radios and ensure network segmentation. The warning comes amid wider US efforts to limit Chinese technology and critical infrastructure, including restrictions on Chinese-made cars set to take effect by 2026.
Spyware, the commercial intrusion software enabling covert access to devices, poses acute human rights and national security risks. The Atlantic Council's updated Mythical Beasts project maps the market through 2024, expanding its data set to 561 entities across 46 countries. Notably, US-based investors now make up the largest share despite US sanctions, visa restrictions and diplomacy aimed at curbing proliferation. Resellers and brokers have also emerged as critical, under-researched intermediaries that obscure vendor-buyer links and expand regional reach. Recent events underscore the stakes. NSO Group was fined $168 million in the US over Pegasus targeting WhatsApp. The report highlights persistent patterns like jurisdiction hopping, serial entrepreneurship and hardware partnerships, and major transparency gaps in corporate registries.
Policy recommendations center on tightening oversight of outbound US investment, boosting disclosure and due diligence, scrutinizing intermediaries and improving public registries to increase accountability and slow the spread of abusive malware.
Researchers at Oligo uncovered serious flaws in Apple's AirPlay protocol and SDK, dubbed AirBorne, that could enable remote code execution, data theft and man-in-the-middle attacks. One bug allows wormable zero-click exploits. Oligo demonstrated attacks on Apple CarPlay, showing hackers could connect via USB, Wi-Fi or Bluetooth due to weak authentication. In CarPlay's iAP2 protocol, attackers can impersonate iPhones, steal Wi-Fi credentials and hack systems. Apple patched back in April, but most automakers have yet to deploy fixes, leaving millions of vehicles exposed.
A European DDoS mitigation provider was hit by a record-breaking attack, peaking at 1.5 billion packets per second. The assault, launched from thousands of compromised IoT devices and MikroTik routers across 11,000 networks, was mitigated by FastNetMon using the customer's scrubbing facilities and ACLs on edge routers. Though the target wasn't named, the attack highlights the growing weaponization of consumer hardware. FastNetMon's founder warned that without proactive ISP-level filtering, such massive UDP floods could overwhelm defenses and cause widespread service disruptions.
Coming up after the break, my Caveat co-hosts Ethan Cook and Ben Yelin unpack the cyber elements of the Big Beautiful Bill. And who fixes the vibe code? Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V A N T A dot com cyber.
This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again.
