CyberWire Daily — "Everything old is new again."
Date: December 22, 2025
Host: Dave Bittner (N2K Networks)
Guest: Eric Woodruff, Chief Identity Architect at Semperis
Episode Overview
This episode delivers a packed roundup of the latest cybersecurity news, exploring both new and recurring threats across the global landscape. Key stories include the development of anti-satellite weapons, CISA leadership turmoil, analysis of shifting US cyber policies, evolving malware and insider threats, and a notable interview with Eric Woodruff about the widespread vulnerability of SaaS applications to "No Auth" account takeover attacks. Industry funding news and a quirky tale of atomic clocks under storm duress add context and levity to a wide-ranging episode.
Key News and Analysis
1. Russia Suspected of Developing Anti-Starlink Space Weapon
- [00:45] Two NATO intelligence services believe Russia is prototyping an anti-satellite device ("Zone Effect weapon") that would disrupt Elon Musk’s Starlink network by dispersing dense clouds of pellets in orbit.
- Experts question its feasibility, warning about uncontrollable debris and collateral damage—including to Russia’s own satellites.
- “Some experts argue the concept may be experimental, exaggerated, or intended as a deterrent rather than a deployable weapon.” — Host [01:22]
- Historical parallel: The 1970s US "Project Westford," which put needles in orbit.
2. DHS Polygraph Fiasco Escalates CISA Instability
- [02:03] Acting CISA Director Madhu Gottumukkala failed a polygraph required for access to highly sensitive intelligence, resulting in a DHS probe and at least six career staffers being placed on leave.
- Conflicting accounts between DHS leadership and career officials have "intensified instability at CISA," already challenged by staffing and budget cuts.
- “The episode has intensified instability at CISA, which is already grappling with staffing losses, budget cuts and the absence of a Senate-confirmed director.” — Host [03:05]
3. Trump’s Cyber Policy Shifts Scrutinized
- [03:24] A Krebs on Security report details sweeping cyber policy changes under the Trump administration, including:
- Reduced enforcement and oversight
- Cutbacks in anti-corruption and cryptocurrency regulation
- Purged federal cybersecurity leadership, disbanded advisory boards
- Intensified press and data access pressures
- “...unprecedented data access under the now defunct DOGE initiative, raising long-term national security concerns.” — Host [04:13]
4. Malware and Software Abuse Trends
- [04:27] Jamf researchers report MacSync Stealer malware now uses notarized Swift apps as install droppers, reflecting a trend of abusing trusted macOS mechanisms.
- [05:00] Ontinue raises alarms over Nezha, a trusted open-source server monitoring tool, being abused as a cross-platform remote access trojan (RAT).
- “Experts say the abuse reflects a growing trend of attackers weaponizing legitimate software, forcing defenders to focus on behavior and context rather than labels alone.” — Host [05:30]
5. Insider Threats Rise via Cybercriminal Recruitment
- [06:03] Check Point reports that cybercriminals are increasingly recruiting insiders via darknet forums to sell credentials or provide backdoor access.
- “Ransomware groups have also expanded recruitment through encrypted platforms offering profit sharing schemes.” — Host [06:43]
- Industries affected: finance, crypto, tech, telecom, logistics.
- Defenses: Awareness, strict access, insider threat monitoring.
6. Scripted Sparrow BEC Group & Global Fake ID Operation
- [07:15] Fortra tracks "Scripted Sparrow," which pushes 4–6 million BEC emails per month, posing as executive coaching firms.
- [08:08] DOJ charges Zahid Hassan of Bangladesh for running a fake ID marketplace, netting $2.5M from over 1,400 global customers.
7. Cybersecurity Business Brief
- [09:12] Robust funding and M&A activity in security:
- Adaptive Security raises $81M (Series B)
- Additional investments: Echo ($35M), Kasada ($20M), Resemble AI ($13M), EverTrust (€10M)
- Acquisitions: Outpost24, Silent Push, MetaCompliance, Arterys, Spy, Sideras
Featured Interview: "No Auth" Account Takeover with Eric Woodruff (Semperis)
Segment Start: [13:35]
What is No Auth Abuse?
- Attackers can sign into vulnerable SaaS apps as their target, simply by knowing the victim's email address—no phishing or direct user interaction required.
- Eric Woodruff [13:47]: "If you know the victim or target's email address, you can essentially sign into the vulnerable SaaS application as that person."
Prevalence of the Vulnerability
- Out of 104 tested apps, 9 (~9%) were vulnerable in the first round; in a subsequent test of 38 apps, 2 (~5%) were found vulnerable.
- Woodruff [14:18]: "5% might not seem like a lot, but if you think of the number of applications out there… the number would certainly grow."
The Technical Roots
- The vulnerability typically arises when developers use the email address as the user's unique identifier instead of a stable, immutable claim (the sub subject identifier that OpenID Connect defines for that purpose, or in Entra the object id); in Entra, email is a mutable attribute that a tenant's own administrator can set to any value.
- Woodruff [15:23]: "Developers… might not understand OpenID Connect or the consequences… they'll say, 'oh well, we're just going to key off of email.'… But in the Entra world, email is not an immutable attribute."
How the Attack Works
- The attacker stands up their own Entra tenant, creates a dummy user there, and sets that user's email attribute to the victim's address; on signing into the application, the app matches on email and admits the attacker as the victim.
- Woodruff [16:39]: "You go stand up an Entra tenant, you create…some dummy user…and then you just set the email address to whoever your target is.…The application is just comparing email addresses, it's going to think I'm the HR administrator and give me access…"
Cross-Tenant Attack Complexity
- The sign-in originates from the attacker's tenant rather than the customer's, so the customer's conditional access policies are never evaluated and the customer sees nothing in their own tenant, making detection difficult.
- Woodruff [17:48]: "Because the attack is originating from a different tenant…all the conditional access…is essentially rendered useless because the authentication is happening up in the attacker tenant that you have no control over."
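The lookup flaw described in the two sections above, as an added example that is not code from the podcast, Semperis, or Microsoft. It assumes an application federated with Entra ID over OpenID Connect whose ID token has already passed signature, audience and expiry checks, so only the claims dictionary is shown; tid and oid are real Entra claim names, while the tenant ids, object ids, addresses and the AppUser table are constructed. The vulnerable resolver keys off email; the hardened one keys off (tid, oid) and refuses tokens from tenants the customer never onboarded.

```python
"""Vulnerable vs. hardened user resolution for an app federated with Entra ID via OpenID Connect."""
from dataclasses import dataclass
from typing import Optional, Set

CUSTOMER_TID = "c0ffee00-0000-4000-8000-000000000001"  # constructed: the customer's home tenant
ATTACKER_TID = "bad00000-0000-4000-8000-000000000002"  # constructed: a tenant the attacker owns


def entra_issuer(tid: str) -> str:
    """Entra v2.0 tokens carry a per-tenant issuer URL, so iss must agree with tid."""
    return f"https://login.microsoftonline.com/{tid}/v2.0"


@dataclass(frozen=True)
class AppUser:
    email: str
    role: str
    tid: str  # tenant the account was provisioned from
    oid: str  # Entra object id: immutable for the life of the user object


# Constructed user table: the HR administrator was provisioned on first sign-in from the customer tenant.
USERS = [
    AppUser("hr.admin@customer.example", "hr_admin", CUSTOMER_TID, "11111111-1111-4111-8111-111111111111"),
]

# Claims the real HR admin receives from the customer tenant (constructed).
VICTIM_CLAIMS = {
    "iss": entra_issuer(CUSTOMER_TID), "tid": CUSTOMER_TID,
    "oid": "11111111-1111-4111-8111-111111111111",
    "email": "hr.admin@customer.example",
}

# Claims the attacker receives from their own tenant after setting the dummy user's
# mail attribute to the victim's address. It is a valid, correctly signed token;
# nothing in it is forged, only the email claim is attacker-chosen (constructed).
ATTACKER_CLAIMS = {
    "iss": entra_issuer(ATTACKER_TID), "tid": ATTACKER_TID,
    "oid": "22222222-2222-4222-8222-222222222222",
    "email": "hr.admin@customer.example",
}


def resolve_vulnerable(claims: dict) -> Optional[AppUser]:
    """Keys the account off the email claim alone, the pattern the interview describes."""
    email = claims.get("email", "").lower()
    return next((u for u in USERS if u.email.lower() == email), None)


def resolve_hardened(claims: dict, allowed_tids: Set[str]) -> Optional[AppUser]:
    """Keys the account off (tid, oid) and only accepts tokens from onboarded tenants.

    Two independent controls:
      1. tenant allow-list: a token from a tenant the customer never onboarded is refused,
         so sign-ins flow through the customer's own tenant and its conditional access;
      2. immutable identifier: even a token from an allowed tenant only reaches the account
         whose (tid, oid) it carries; the email claim is never used for lookup.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or tid not in allowed_tids:
        return None
    if claims.get("iss") != entra_issuer(tid):
        return None  # iss and tid disagree: do not trust the tenant claim
    return next((u for u in USERS if u.tid == tid and u.oid == oid), None)


if __name__ == "__main__":
    print("vulnerable, attacker token:", resolve_vulnerable(ATTACKER_CLAIMS))
    print("hardened, attacker token:", resolve_hardened(ATTACKER_CLAIMS, {CUSTOMER_TID}))
    print("hardened, victim token:", resolve_hardened(VICTIM_CLAIMS, {CUSTOMER_TID}))
```

The last case worth running is resolve_hardened(ATTACKER_CLAIMS, {CUSTOMER_TID, ATTACKER_TID}): even when the attacker's tenant is itself a legitimate customer of a multi-tenant app, keying off (tid, oid) lands them in their own (non-existent) account, not the victim's. The same rule has to apply at first sign-in: auto-linking a new token to an existing account by email reintroduces the flaw.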
Testing Methodology & Ethics
- Researchers selected apps from Microsoft Entra Gallery that allowed for self-service, non-production testing accounts.
- Woodruff [19:01]: "We wanted things that we could sign up for…so that way we're making sure that we're only really attacking ourselves and not doing anything with real people or data."
Why It's Hard to Detect
- Nothing shows up in the customer's own Entra sign-in logs, because the sign-in happens in the attacker's tenant; only the application's own logs could reveal it, and most apps lack the sophistication to spot the pattern. Customers are “stuck in the middle,” with no practical detection of their own.
- Woodruff [21:20]: "The customer is kind of stuck in the middle here."
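What the app-side detection Woodruff alludes to could look like, as an added example that is not from the podcast or from Semperis. It assumes a hypothetical JSON-lines sign-in log in which the application records the email claim together with the Entra tid and oid claims for every sign-in; the log lines, tenant ids and object ids are constructed. The check flags a successful sign-in whose email was first bound to a different (tid, oid), and any token issued by a tenant other than the customer's home tenant.

```python
"""Detecting No Auth style takeovers from an application's own sign-in log (constructed example)."""
import json
from typing import Dict, List, Tuple

HOME_TID = "c0ffee00-0000-4000-8000-000000000001"  # constructed: the customer's home tenant

# Constructed log lines in a hypothetical JSON-lines format. The third line is the attacker:
# the HR admin's email, but issued by a different tenant for a different object id.
LOG_LINES = """\
{"ts": "2025-12-19T09:02:11Z", "email": "hr.admin@customer.example", "tid": "c0ffee00-0000-4000-8000-000000000001", "oid": "11111111-1111-4111-8111-111111111111", "result": "success"}
{"ts": "2025-12-19T14:40:03Z", "email": "HR.Admin@customer.example", "tid": "c0ffee00-0000-4000-8000-000000000001", "oid": "11111111-1111-4111-8111-111111111111", "result": "success"}
{"ts": "2025-12-20T02:17:55Z", "email": "hr.admin@customer.example", "tid": "bad00000-0000-4000-8000-000000000002", "oid": "22222222-2222-4222-8222-222222222222", "result": "success"}
{"ts": "2025-12-20T08:00:00Z", "email": "dev@customer.example", "tid": "c0ffee00-0000-4000-8000-000000000001", "oid": "33333333-3333-4333-8333-333333333333", "result": "success"}
{"ts": "2025-12-20T08:05:00Z", "email": "dev@customer.example", "tid": "bad00000-0000-4000-8000-000000000002", "oid": "44444444-4444-4444-8444-444444444444", "result": "failure"}
""".splitlines()


def parse_log(lines: List[str]) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_no_auth(events: List[Dict], home_tid: str) -> List[Dict]:
    """Return one alert per successful sign-in that is suspicious for either reason below."""
    bound: Dict[str, Tuple[str, str]] = {}  # email -> (tid, oid) seen on its first successful sign-in
    alerts: List[Dict] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("result") != "success":
            continue  # a failed sign-in never reached the app's account lookup
        email = e["email"].lower()
        ident = (e["tid"], e["oid"])
        reasons = []
        if e["tid"] != home_tid:
            reasons.append("issued by a foreign tenant")
        if email in bound and bound[email] != ident:
            reasons.append("email already bound to a different tid/oid")
        bound.setdefault(email, ident)  # never rebinds an email once it has been seen
        if reasons:
            alerts.append({"ts": e["ts"], "email": email, "tid": e["tid"], "oid": e["oid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_no_auth(parse_log(LOG_LINES), HOME_TID):
        print(alert)
```

Two caveats follow directly from the interview. The binding check only helps if the victim signed in before the attacker did, which is why the foreign-tenant check matters for single-tenant customers. And an application that keys off email may not record tid or oid at all, in which case the customer has nothing to feed into a check like this, however sophisticated their own monitoring.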
Accountability: Vendors, Customers, and Microsoft
- Vendors: Customers could ask SaaS vendors whether their applications are affected, but that is a tall order for most buyers.
- Woodruff [22:55]: "It's also not feasible for customers…to test every application."
- Microsoft: Offers mitigation guidance but pushes responsibility to app developers. Microsoft rates it "moderate" severity; Semperis considers it "severe."
- Woodruff [25:31]: "Microsoft is saying it’s moderate but…we still stand by it being severe…It's going to be a whole ton of sensitive data that nobody's going to want out there."
Memorable Quotes and Highlights
- On space warfare escalation risks: "While Russia denies plans to weaponize space, officials have warned that commercial satellites aiding Ukraine could be legitimate targets, keeping concerns about escalation and orbital chaos alive." — Host [01:55]
- On No Auth attack detection: "You're not going to have any visibility in your Entra. And then really it's only on the app developer side of things where they're going to have, you know, whatever logs they're keeping." — Woodruff [21:20]
- On vulnerability prevalence: "Nine of 104 tested; two of 38 tested.... You know, 5% might not seem like a lot, but... the number would certainly grow." — Woodruff [14:18]
- On the classification disagreement: "Microsoft is saying it's moderate but you know, we still stand by it being severe." — Woodruff [25:31]
Other Notable Segments
Atomic Precision vs. Colorado Weather
- [28:38] NIST’s Internet time service (NTP) briefly ran on backup generators after a storm-related power outage in Colorado; the atomic clocks themselves kept time, but the accuracy of the time broadcasts was at risk.
- “The good news is the clock drift stayed within a few microseconds, an eternity for physicists but negligible for most Internet users.” — Host [29:10]
Timestamps for Major Segments
- Intro & news rundown: [00:11]
- Russian anti-satellite weapon: [00:45]
- CISA/DHS turmoil: [02:03]
- Trump cyber policy analysis: [03:24]
- Malware/software abuse trends: [04:27]
- Insider recruitment threat: [06:03]
- BEC and fake ID cases: [07:15]/[08:08]
- Business brief: [09:12]
- Interview: No Auth Abuse (Eric Woodruff): [13:35]
- Atomic clock story: [28:38]
Takeaways
- New and recycled cybersecurity threats continue apace; attackers evolve by abusing trust, whether through software design, insider recruitment, or social engineering.
- The "No Auth" vulnerability is surprisingly prevalent, highlights a disconnect between vendor/developer responsibility and customer risk, and remains under-recognized by major platforms.
- Sustained funding and consolidation suggest continued market growth and opportunity for innovation (and specialization).
- Even atomic clocks are vulnerable—to Colorado weather, if nothing else.
