A
You're listening to the Cyberwire Network powered by N2K.
B
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com today.

NATO suspects Russia is developing a new anti-satellite weapon to disrupt the Starlink network. A failed polygraph sparks a DHS probe and deepens turmoil at CISA. A look back at Trump's cyber policy shifts. MacSync Stealer adopts a stealthy new delivery method. Researchers warn a popular open source server monitoring tool is being abused. Cybercriminals are increasingly bypassing technical defenses by recruiting insiders. Scripted Sparrow sends millions of BEC emails every month. Federal prosecutors take down a global fake ID marketplace. We've got our Monday business brief. Our guest is Eric Woodruff, Chief Identity Architect at Semperis, discussing nOAuth Abuse Alert: Full Account Takeover. And atomic precision meets Colorado weather. It's Monday, December 22, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us.
Two NATO intelligence services suspect Russia is developing a new anti-satellite weapon designed to disrupt Elon Musk's Starlink network by releasing clouds of high-density pellets into orbit. According to intelligence findings seen by the Associated Press, the so-called Zone Effect weapon could disable many satellites at once, potentially undermining Western space advantages that have supported Ukraine. Analysts not briefed on the findings question whether such a system could be used without causing uncontrollable debris and widespread damage, including to Russia's own satellites. Some experts argue the concept may be experimental, exaggerated or intended as a deterrent rather than a deployable weapon. While Russia denies plans to weaponize space, officials have warned that commercial satellites aiding Ukraine could be legitimate targets, keeping concerns about escalation and orbital chaos alive. Our History Repeats Itself desk sent us a link to the Wikipedia page on Project West Ford, a US experiment from the 70s which involved putting needles in orbit. We'll have a link in the show notes.

Acting Cybersecurity and Infrastructure Security Agency Director Madhu Gottumukkala failed a polygraph exam in July after seeking access to a highly sensitive intelligence program, according to multiple current and former officials. That access required a counterintelligence polygraph, which senior career staff had questioned, arguing Gottumukkala lacked a clear need to know and could rely on less classified material. He nevertheless pushed forward and took the test. After the failed exam, the Department of Homeland Security launched an investigation alleging that career staff misled Gottumukkala into taking an unsanctioned test. At least six employees were placed on paid administrative leave, a move that angered staff and raised concerns about leadership accountability. DHS disputes that Gottumukkala failed an authorized test, while career officials contest that characterization.
The episode has intensified instability at CISA, which is already grappling with staffing losses, budget cuts and the absence of a Senate-confirmed director. A sweeping report by Krebs on Security details how the Trump administration has pursued rapid policy shifts that critics say are undermining U.S. capacity to manage cybersecurity, corruption, privacy, disinformation and press freedom. The changes span nearly every corner of government and emphasize reduced enforcement, dismantled oversight and tighter political control. According to the report, the administration expanded ideological screening and surveillance through new executive orders affecting speech, immigration and travel. At the same time, it scaled back anti-corruption efforts by halting enforcement of bribery laws, dissolving kleptocracy and foreign influence task forces, retreating from crypto regulation and issuing controversial pardons. Federal cybersecurity suffered acute damage. Leadership was purged, advisory boards disbanded, budgets slashed and staff reassigned, leaving agencies like CISA severely weakened. The report also describes intensified pressures on the press, erosion of consumer and privacy protections, and unprecedented data access under the now defunct DOGE initiative, raising long-term national security concerns.

Researchers at Jamf report that the macOS malware MacSync Stealer has adopted a new delivery method that no longer requires users to run commands in the terminal. Originally a rebrand of the low cost Mac.c infostealer, MacSync Stealer now uses a code-signed, notarized Swift app disguised as a legitimate installer. The dropper quietly fetches and executes malicious scripts, adding stealth, persistence and Gatekeeper evasion. Jamf says this shift reflects a broader trend toward abusing trusted macOS app mechanisms. Researchers at Ontinue warn that Nezha, a legitimate open source server monitoring tool, is being abused by attackers as a remote access Trojan.
Because Nezha is widely trusted and rarely flagged by security tools, hackers can use it to gain persistent system-level access across Windows, Linux, macOS and even routers. Its normal-looking network traffic helps it blend in. Experts say the abuse reflects a growing trend of attackers weaponizing legitimate software, forcing defenders to focus on behavior and context rather than labels alone.

Researchers at Check Point say cybercriminals are increasingly bypassing technical defenses by recruiting insiders to provide access to corporate networks, devices and cloud environments. On Darknet forums, employees are solicited or sometimes volunteer to sell credentials, disable security controls or share sensitive data in exchange for cash, often paid in cryptocurrency. These insider actions create major blind spots for security teams and make attacks far harder to prevent. Financial services, cryptocurrency platforms, banks, technology firms, telecoms and logistics companies are frequent targets, with payouts ranging from a few thousand dollars to six figures for high-value access or datasets. Ransomware groups have also expanded recruitment through encrypted platforms offering profit-sharing schemes. The trend highlights a growing insider threat that combines financial incentives with anonymity. Defending against it requires employee education, strict access controls, behavioral monitoring and proactive surveillance of Darknet activity alongside traditional cybersecurity tools.

Researchers at Fortra have identified a prolific business email compromise group dubbed Scripted Sparrow, which sends an estimated 4 to 6 million targeted emails each month. Active since mid-2024, the group poses as executive coaching firms and targets accounts payable teams with fake invoices and W-9 forms. Fortra says the loose collective operates across multiple continents, uses hundreds of domains and bank accounts and relies on spoofed reply chains to boost credibility.
US prosecutors have charged Zahid Hassan, a 29-year-old resident of Bangladesh, with running a global fake ID marketplace that fueled identity theft worldwide. According to the US Department of Justice, Hassan sold digital templates for forged passports, driver's licenses and Social Security cards through multiple websites from 2021 to 2025. Investigators say the scheme generated more than $2.5 million from over 1,400 customers. The operation was dismantled by the FBI with international partners, and Hassan now faces multiple federal fraud charges.

Turning to our Monday business brief, a wave of global cybersecurity funding and deal making highlights sustained investor interest across fraud prevention, AI security, identity and infrastructure protection. New York-based Adaptive Security led the week with an $81 million Series B, bringing its total funding to $146.5 million since launching in early 2025. Other notable raises include Echo at $35 million, Kasada at $20 million, Resemble AI at $13 million and EverTrust at 10 million euros. Early stage funding went to startups including Dux, Verisol, Cyflens, Soverli and Realm Security. Mergers were equally active, with acquisitions by Outpost24, Silent Push, MetaCompliance, Arterys, Spy and Sideras, underscoring continued consolidation across the security market. Be sure to check out our weekly business brief on our website; it's part of Cyberwire Pro. Coming up after the break, my conversation with Eric Woodruff from Semperis. We're discussing nOAuth Abuse Alert: Full Account Takeover. And atomic precision meets Colorado weather. Stay with us.
A
This message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on Depop: low-rise jeans, halter top, velour tracksuit, puka shell necklace, disc belt. You likely placed these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop, where taste recognizes taste.
C
So good, so good, so good.
A
Give big, save big with Rack Friday deals at Nordstrom Rack. For a limited time, take an extra 40% off red tag clearance for a total savings of up to 75% off. Save on gifts for everyone on your list from brands like Vince, Cole Haan, Sam Edelman and more. All sales final and restrictions apply. The best stuff goes fast, so bring your gift list and your wish list to your nearest Nordstrom Rack today.
B
Eric Woodruff is Chief Identity Architect at Semperis. In today's sponsored Industry Voices segment, we discuss their report, nOAuth Abuse Alert: Full Account Takeover.
C
If an application is vulnerable to nOAuth, like a SaaS application, if you know the victim or target's email address, you can essentially sign in to the vulnerable SaaS application as that person. And you don't have to phish them or have any interaction. You just need to know what their email address is.
B
And you found that a sizable percentage of applications are vulnerable to this?
C
Yeah, I mean, the testing of it is, I'd say, tough, right? So when we're going through applications, you really have to sort of understand the context of the application, right, to determine if it's vulnerable. But yes, out of the initial round we had, which was, I think, 117 apps that we were looking at, we found we could test 104 of them, and there were nine that were vulnerable. Right. And that comes out to roughly 9% ish that were vulnerable. We also have done more research since we first published that, which is going to be coming out soon, where we tested another 38 applications and again found two that were vulnerable there. Right. So that's roughly 5%. So, you know, 5% might not seem like a lot, but if you think of the number of applications out there, right, the number would certainly grow.
B
Yeah, I guess at the core of this is the notion that using an email address as a unique identifier has a certain amount of risk associated with it.
C
Yeah, I mean, so with nOAuth, at the core of it, it's developers, no offense to developers, not following the spec for OpenID Connect. And so again, without getting too nerdy, with OpenID Connect there are certain attributes about a user account that in Microsoft's implementation are immutable. Right. So it guarantees that nobody could forge or mimic this attribute that identifies you or me in the app. But developers might take a shortcut, or they might not understand OpenID Connect or understand the consequences around it, and they'll say, oh well, we're just going to key off of email. Right. So if I see Dave Bittner, Eric Woodruff come in with our email addresses, then, yep, that's gotta be this person. But the problem is, in the Entra world, email is not an immutable attribute. There's valid reasons why someone might have an email address that is different than their actual username.
B
So walk me through this then. If I'm an attacker and I have access to an Entra tenant and I've got the target's email address, what happens next?
C
Yeah, so, right, so you've found an application that's vulnerable to this. And so as an attacker, you go stand up an Entra tenant, you create some dummy user, it doesn't really matter what the user is, and then you just set the email address to whoever your target is. Right. So in our research before, we found there was an HR platform that was vulnerable. Right. So, you know, if I'm putting my hacker hat on, I know the platform is vulnerable. These days it's easy to go on LinkedIn and try to find who's customers of this platform, and then I find their customers and then it's easy to figure out probably who their HR admin is. Right. So knowing an HR admin is going to have access to a lot of, you know, juicy data in the system, I'll put their email address in and then essentially I just browse to the application and sign in. But again, because the application is just comparing email addresses, it's going to think I'm the HR administrator and give me access to whatever they have access to.
B
Help me understand the cross tenant angle here. Exactly what's going on?
C
If you think of it in the sense that the application is just looking at a token that comes from Entra. Right. And so again, in these scenarios, it's just looking at the token, it's looking for an email address attribute in it. Right. So when we're talking cross tenant, it's an abuse that can happen outside of the legitimate customer's tenant, because it's the application that's sort of the problem here. Right. So whether it's coming from a legitimate tenant or the attacker tenant, this token, which is just sort of encoded data that will have your first name, your last name, email address, it's just looking for email and it's like, oh, this address matches this user. So, yep, you're allowed in as that user, if that makes sense.
B
Yeah, as you say, I mean, there's a lot of technical details here, but can we talk a little bit about the story of the testing that you did? You all looked at just over 100 apps and as you mentioned, you found nine of them were vulnerable. Was there a particular methodology for selecting the apps? And I guess question B is how do you go about testing this ethically?
C
Yeah, no, those are good questions. So to the first point. So the initial round of testing, we basically went through the Microsoft Entra gallery, which is just a listing of applications that vendors, software vendors, can put their app in to sort of make it more visible for use. So from that list, we were basically looking for anything that had a trial, some sort of self service sign up that didn't require credit cards or having to pay money or something, and this system would let you trial it. So that kind of whittled it down to like the hundred, and then of the hundred, right, basically what we would do is, so we have our attacker tenant that we control and our quote, legitimate user tenant that we control. So we would sign up, right, with like a legitimate user that we control in just some lab tenant, get the trial set up for whatever it is. And again, if the system would allow you to place some bit of data or do something, right, so that we could sort of mark, so to speak, that we've done something in this demo, because you can't always tell from just looking at the user interface. Then we'd sort of go over to the attacker tenant. We'd go to sign into the same application again with the email address set to our quote, victim. And if we get in, we would just sort of poke around at the interface. Again, if we had data in there, we could easily see, oh, right, like this is the same thing. Like in the HR scenario, when we signed in as the attacker, we saw the dummy users that we added. In other times it wasn't as simple, and maybe you'd have to poke around the interface a little bit for the application to determine if the accounts are sort of one and the same in the app. And I'll just say to your other question about testing ethically, actually maybe I've answered it in there. Right.
So we have no intention of trying to get into anything we're not supposed to have access to. So that's where we also wanted things that we could sign up for, trials for. Right. So that way we're making sure that we're only really attacking ourselves and we're not doing anything with, you know, real people or data.
B
Yeah. Your research points out that this is particularly hard to spot. Why is that? What makes it so hard?
C
Well, I mean, I'll say, and when I've spoken about this at conferences, the customer is kind of stuck in the middle here. Right. Because the attack is originating from a different tenant than theirs, right, all the conditional access, any security things that you might do in your Entra ID or your Microsoft 365 is essentially rendered useless, because the authentication is happening up in the attacker tenant that you have no control over. You're not going to have any visibility in your Entra. And then really it's only on the app developer side of things where they're going to have, you know, whatever logs they're keeping. Right. But again, applications aren't, you know, it's not the greatest strength, right, in having log data in there, and even then. But if an app developer, many times we were asked, well, what could the app developer do to, like, check for this? And we're like, well, they should just fix their application. And not to get on a tangent, right, but the thing is, an app developer isn't going to be looking for if they're vulnerable to this in the sense that if they knew they were vulnerable to this, I mean, hopefully, right, they would go change their code. So it is something they can fix in the app. Sorry for getting.
B
I think you're making a really good point here. I mean, it seems to me like there's a vendor accountability aspect here. Should customers be asking specific questions to their SaaS vendors?
C
Yeah, I mean, right. It feels tough because part of me wants to say, absolutely, right. Like if you go to buy a SaaS application or procure one, you should ask the vendor if they're vulnerable to this and link to our work or Descope's, not to toot our own horn just because we're the ones who sort of explained the problem. But I mean, that could also get heavy, to sort of ask your SaaS app vendor if they are vulnerable to this, and then it could become a laundry list of all these things. But yeah, I mean, it's tough because, right, Microsoft basically says it's a developer problem, and developers aren't going to know that they're vulnerable to it, right, if they don't know. So, yeah, I mean, it's a tough spot for customers, because it's also not feasible for customers to, right, like, go test every application that they procure for this, because, you know, it might be easy for researchers to sort of repeat this stuff, but I wouldn't expect your everyday IT pro to go do this in something they're trying to procure.
B
What about Microsoft? What, what part do they have to play in all of this?
C
Yeah, I mean, so Microsoft, right, had. So when Descope had released their research, Microsoft had published an article again in June 2023, basically explaining, you know, a path to mitigate this. Right? So they're like, if you are vulnerable to this, here's how to go fix your SaaS app so it's not vulnerable to this. And they also said at the time that they contacted some app owners that they believe are vulnerable and helped them work that out. And that's all great. The problem is they still sort of point the finger back at developers, right? And I guess I'll say from Microsoft's perspective, just because you have the email address as a claim doesn't mean that the app itself is vulnerable. Right? And I think that's sort of how they say, right, they don't even know or they can't really tell, right, if all these apps are vulnerable, and that's why they tend to push it back on the app devs. And, you know, I get it, but I think the problem is, right, it's one of those things where if you don't know, you don't know. Right. So all the devs that don't know their app is vulnerable probably aren't out there consuming this information from MSRC about mitigating it. So. Right.
B
Needs to be a detection tool. Yeah. How severe do you rate this? How serious should we consider it?
C
So we rate it severe. And I'll say again, so recently we opened another case with Microsoft because we have a bit of a new finding, where one of the applications that we've tested this round had integrations with Office 365 or Microsoft 365. And so in our testing, what we basically did is we went into the SaaS app, right, that was vulnerable, as the attacker, and it allowed us to send email, read contacts, do other things as this user in Microsoft 365. And again, we sent emails out to other of our own test users, right, to basically prove that you can almost pivot, right, from a vulnerable SaaS app back into Microsoft 365, again relative to whatever permissions that app might have there. So we decided to open a case with MSRC and they came back saying that they find this to be a moderate severity. And they gave us a blurb that they've notified sort of like downstream service owners. They don't specify. I'm assuming they're talking about the Exchange and SharePoint Online teams, right, and things like that. And they might put additional defense in depth things in place down the road, and then the case was closed. So Microsoft is saying it's moderate, but you know, we still stand by it being severe. Right. Because in the HR example, right, it's going to be PII. It's going to be a whole ton of sensitive data that nobody's going to want out there. In these examples, right, it's whatever the data is in the SaaS app, right. However critical that data is to you, effectively, is how severe this vulnerability would be, right, if your application was vulnerable.
B
That's Eric Woodruff from Semperis.
A
Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available features on equipped vehicles; terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.

Running a business comes with a lot of what ifs, but luckily, there's a simple answer to them: Shopify. It's the commerce platform behind millions of businesses, including Thrive Cosmetics and Momofuku, and it'll help you with everything you need, from website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into... Sign up for your $1 per month trial at shopify.com/specialoffer.
B
Tell me, doctor, where are we going this time? And finally, a power outage near Boulder, Colorado, briefly put the USA's National Institute of Standards and Technology in the awkward position of having very precise clocks and slightly unreliable electricity. According to NIST physicist Jeffrey Sherman, who is cheerfully paid to watch the clocks all day, the outage disrupted the atomic timescale that underpins NIST's network time protocol services, a quiet but critical backbone of the Internet. The problem was not just losing power. Backup generators kept systems running, meaning inaccurate time could still be broadcast. Sherman even considered disabling the generators, a sentence that probably does not appear often in federal incident reports. Severe storms prevented access to the site, adding weather to the list of adversaries of atomic precision. The good news is the clock drift stayed within a few microseconds, an eternity for physicists but negligible for most Internet users. Services were fully restored within a day, right on time, more or less.

And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: December 22, 2025
Host: Dave Bittner (N2K Networks)
Guest: Eric Woodruff, Chief Identity Architect at Semperis
This episode delivers a packed roundup of the latest cybersecurity news, exploring both new and recurring threats across the global landscape. Key stories include the development of anti-satellite weapons, CISA leadership turmoil, analysis of shifting US cyber policies, evolving malware and insider threats, and a notable interview with Eric Woodruff about the widespread vulnerability of SaaS applications to "No Auth" account takeover attacks. Industry funding news and a quirky tale of atomic clocks under storm duress add context and levity to a wide-ranging episode.
Segment Start: [13:35]
On space warfare escalation risks:
"While Russia denies plans to weaponize space, officials have warned that commercial satellites aiding Ukraine could be legitimate targets, keeping concerns about escalation and orbital chaos alive." — Host [01:55]
On No Auth Attack Detection:
"You're not going to have any visibility in your Entra. And then really it's only on the app developer side of things where they're going to have, you know, whatever logs they're keeping." — Woodruff [21:20]
On vulnerability prevalence:
"Nine of 104 tested; two of 38 tested.... You know, 5% might not seem like a lot, but... the number would certainly grow." — Woodruff [14:18]
Classification disagreement:
"Microsoft is saying it's moderate but you know, we still stand by it being severe." — Woodruff [25:31]
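The account-linking mistake Woodruff describes in the interview (keying a SaaS session off the mutable email claim instead of the tenant and object identifiers Entra keeps stable), shown beside the fix and the one app-side signal a developer can log. This is an added illustration, not code from the episode, Semperis, Descope or Microsoft; the tenant ids, object ids, account table and token payloads are all constructed.

```python
"""Account linking for an Entra ID (OpenID Connect) sign-in: the nOAuth mistake
beside its fix. Constructed illustration; not code from Semperis, Descope or
Microsoft. The dicts below stand for ID-token payloads whose signature, issuer
and audience have already been validated (that step is assumed, not shown)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    email: str
    tid: str   # Entra tenant the account was provisioned from
    oid: str   # Entra object id of the user inside that tenant
    role: str


# Constructed account table of a SaaS app (an "HR platform", as in the interview).
CUSTOMER_TID = "00000000-0000-0000-0000-00000000c0de"   # constructed tenant id
ACCOUNTS = [
    Account("hr.admin@victim.example", CUSTOMER_TID,
            "aaaaaaaa-0000-0000-0000-000000000001", "hr_admin"),
    Account("analyst@victim.example", CUSTOMER_TID,
            "aaaaaaaa-0000-0000-0000-000000000002", "viewer"),
]

# Constructed tokens. LEGIT_TOKEN is the HR admin signing in from the customer
# tenant. ATTACKER_TOKEN comes from a separate tenant whose dummy user has its
# (mutable) mail attribute set to the HR admin's address, the cross-tenant
# scenario described above. Note that tid and oid still differ.
LEGIT_TOKEN = {
    "iss": f"https://login.microsoftonline.com/{CUSTOMER_TID}/v2.0",
    "tid": CUSTOMER_TID,
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "hr.admin@victim.example",
    "name": "HR Admin",
}
ATTACKER_TID = "00000000-0000-0000-0000-00000000bad0"   # constructed tenant id
ATTACKER_TOKEN = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TID}/v2.0",
    "tid": ATTACKER_TID,
    "oid": "bbbbbbbb-0000-0000-0000-000000000009",
    "email": "hr.admin@victim.example",   # same address, different identity
    "name": "dummy",
}


def resolve_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable: keys the session off the email claim, which Entra does not
    guarantee to be unique, verified or immutable."""
    wanted = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.email.lower() == wanted), None)


def resolve_by_tenant_and_oid(claims: dict) -> Optional[Account]:
    """Hardened: identity is the (tid, oid) pair, which is stable for the life
    of the user object and unique across tenants. Email is display data only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return next((a for a in ACCOUNTS if a.tid == tid and a.oid == oid), None)


def is_cross_tenant_email_collision(claims: dict) -> bool:
    """App-side detection signal: an email that matches a provisioned account
    but arrives from a tenant other than the one that account was linked to.
    This is the only place the abuse is visible, because the customer's own
    Entra tenant never sees the attacker's sign-in at all."""
    by_email = resolve_by_email(claims)
    return by_email is not None and by_email.tid != claims.get("tid")
```

With the vulnerable resolver the attacker token lands on the `hr_admin` account; with the hardened one it matches nothing, and the collision check gives the developer a line worth alerting on.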