A
You're listening to the CyberWire network, powered by N2K. AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barak Shalef from Oasis Security on Wednesday, December 3rd at 1pm Eastern for a live discussion on agentic access management and how to secure non-human identities without slowing innovation. Can't make it live? Register now to get on-demand access after the event. Visit events.thecyberwire.com, that's events with an s.thecyberwire.com, to save your spot.
B
What's your 2am security worry? Is it, do I have the right controls in place?
C
Maybe?
B
Are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com cyber. That's V A N T A dot com cyber.
A
CISA warns of spyware targeting messaging apps. Code Red: this is not a test. Infostealer campaign spreads via malicious Blender files. Shai-Hulud's second coming. Real estate finance firm SitusAMC investigates breach. Dartmouth College discloses Oracle EBS breach. Dave Bittner is joined by Tim Starks, senior reporter from CyberScoop, to discuss the Trump administration's upcoming cyber strategy. And 'tis the season for deals and digital deception. Today is Tuesday, November 25, 2025. I'm Maria Varmazes, host of N2K's T-Minus Space Daily, in for Dave Bittner today, and this is your CyberWire Intel Briefing. Thank you for joining me, everyone. Let's get started. The U.S. Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an advisory yesterday warning of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications. The spyware is delivered via phishing, zero-click exploits and app impersonation. CISA notes that, quote, while current targeting remains opportunistic, evidence suggests these cyber actors focus on high value individuals such as current and former high ranking government, military and political officials, as well as civil society organizations and individuals across the United States, the Middle East and Europe. A sophisticated cyber attack on the Code Red emergency notification system managed by OnSolve has forced its nationwide decommissioning and migration to a new platform due to service disabling infrastructure compromise. The breach exposed thousands of users' names, phone numbers, email addresses and passwords previously used to register for alerts, although no payment card or financial data was stored. Localities across Missouri and Colorado, among others, remain unable to send targeted voice, text or email alerts for water main breaks, severe weather and other emergencies, leaving public safety communications vulnerable.
Municipal officials are urging all affected users to change reused passwords immediately while emergency management agencies scramble to deploy alternative alerting channels and prepare communities for a protracted system recovery timeline. The supply chain malware campaign dubbed Shai-Hulud Second Coming has resurfaced in the NPM ecosystem using malicious packages with a two-stage loader that can propagate across 100 packages per execution and wipe a compromised developer's home directory if authentication fails. The threat now leverages randomly named GitHub repos to reduce detection, abuses credential access to packages in CI pipelines, and has prompted security firms to rapidly add affected versions to their malicious package databases. Checkmark's developers and organizations are urged to temporarily block access to public NPM registries, review NPM token permissions and configure endpoint protections to flag the loader, file names and malicious behavior. Real estate finance technology vendor SitusAMC has confirmed that it discovered a breach on November 12th that resulted in the theft of client information, according to a report from The Register. The company said in a statement, corporate data associated with certain of our clients' relationships with SitusAMC, such as accounting records and legal agreements, has been impacted. Certain data relating to some of our clients' customers may also have been impacted. The scope, nature and extent of such impact remain under investigation by the company and its third party advisors. The New York Times cites sources as saying that the company has notified JPMorgan Chase, Citi and Morgan Stanley that their client data may have been affected. The FBI is investigating the breach. Dartmouth College has disclosed that it was among the victims of a wave of zero-day attacks targeting Oracle E-Business Suite, or EBS, instances, according to a report from BleepingComputer.
The university hasn't disclosed the total number of impacted individuals, but said in a breach notification with the Maine Attorney General's office that just under 1,500 Maine residents were affected. The breach occurred in August 2025 and involved names and Social Security numbers. The Clop ransomware gang has posted the alleged stolen data to its leak site. The other confirmed victims of Clop's Oracle EBS campaign include Logitech, Harvard University, the Washington Post, Envoy Air, and Mazda. John Hultquist, chief analyst at Google's Threat Intelligence Group, told BleepingComputer that dozens of additional organizations were likely breached. Coming up after the break, we have Dave Bittner sitting down with Tim Starks, senior reporter from CyberScoop, to discuss the Trump administration's upcoming cyber strategy, and 'tis the season for deals and digital deceptions.
B
From phishing to ransomware, cyber threats are constant. But with NordLayer, your defense can be too. NordLayer brings together secure access and advanced threat protection in a single, seamless platform. It helps your team spot suspicious activity before it becomes a problem by blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to deploy, easy to scale, and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at Nordlayer.com cyberwire daily with code CYBERWIRE28. That's nordlayer.com cyberwire daily, code CYBERWIRE28. That's valid through December 10, 2025. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With Locker Allow listing, you stop unknown executables cold. With Ring Fencing, you control how trusted applications behave. And with ThreatLocker DAC, defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com N2K today.
D
Joining me once again is Tim Starks.
B
He is a senior reporter at CyberScoop.
D
Tim, welcome back.
E
Thanks for having me back.
D
So very interested to read your coverage of some comments from National Cyber Director Sean Cairncross about some upcoming plans from the Trump administration when it comes to.
B
Cyber. What do we got here, Tim?
E
Yeah, it feels like they're moving pretty early on compared to the Biden administration, certainly on putting out a national cybersecurity strategy under this second Trump administration. The draft is complete, according to Brett Leatherman, who's a top FBI official. He says that's been circulated to him. You know, Sean Cairncross said it's been circulated to the interagency. So it's not just the FBI. From here to when the actual strategy is released is vague. You know, this is where it got hung up in the Biden administration, as this interagency process. But he's talked about there are six pillars. He didn't say what all six pillars were. He did say what two of them were, and he hinted at two more.
D
Okay, go on.
E
So two of them are, you know, what the administration, I think, is trying to put out there is sort of its signature cyber difference maker, which is we're going to impose costs on adversaries in a way that we haven't seen before. We're going to make it so that the signal is sent. You're not allowed to do some of these things you've been doing to us in cyberspace. I think that's the big one. Second one is public private partnership. We've heard this before, but to get a little bit more specific, and by before, I mean my entire life partnership. But tweaking it. You'll recall the Biden administration, their sort of big signature thing was, let's shift the burden on who's responsible for protecting people in cyberspace. In their case, it was the private sector was a big part of that. This administration is saying, too many regulations. We need to do something about that. There's some bipartisan sentiment that the regulations have been a little too hasty and that they've been conflicted. They're going to say, we're going to spell out what we expect for each critical infrastructure, sector by sector of the private sector. And then the ones that were hinted at were enhancing the cyber workforce. That's something that's going to be interesting to see, considering how much this administration has done to essentially get rid of a significant portion of the cyber workforce with all the changes they've been making. And then the other is modernizing federal government security, modernizing the technologies that government uses to protect itself, launching some pilot programs for new technologies, speeding up procurement, testing technologies at the national labs. A little bit more skin on the bone than we've seen from Sean Cairncross on this to date. There have been a little bit of hints that he's trickled out about this, and now they're trickled out even more. It feels like it's starting to get a little bit more concrete.
D
I always feel like those modernizing programs are kind of like painting the Golden Gate Bridge when you start on one end and by the time you get to the other, it's time to go back to the, to the other end and start all over again, you know.
E
Yeah, it's true. And I, and I, you know, to Sean's credit, I think he seems aware of that. You know, the idea of trying to speed up procurement, I mean, certainly one of the issues with modernizing federal government infrastructure is that. Yeah, it's, by the time you put it in place, it's already, it's already obsolete. So how do you, how do you get around that? So it seems like he's at least trying to tackle that, that question that you're raising.
D
Yeah. And speaking of deterrence or imposing cost, I mean, I think it's fair to say that that very much tracks with sort of broader policy trends within the Trump White House.
E
Yeah. This is something that we've heard from more than just Sean Cairncross, and we've heard it from Alexei Bulazel, who is the top NSC official. We've heard this from CISA officials. We've heard it from basically the entire administration, except for, and this is something going back to a story I wrote a couple weeks ago, except for the President himself. Interestingly, you know, there's been a lot of talk about deterrence, talking about Salt Typhoon and that espionage campaign. When the president himself gets asked about cyber attacks, and again, let's be careful about how we use that word because a lot of people would say Salt Typhoon, what they were doing was not a cyber attack, it was espionage. And that's different. We can go back and forth, round and round. This is an age old debate in the cyber world. But the president's response when he's heard, when he's been brought up about Salt Typhoon or like the Russian campaign, the alleged Russian campaign against the US courts that we've been hearing about in recent months, his response has been, yeah, you think we don't do that? Yeah, we do that too. We're better at it. So the idea of deterring cyber espionage is one that we've been hearing from administration officials under Trump, but Trump himself has been kind of shrugging his shoulders at the idea that that's even something worth noting.
B
Yeah.
D
The other thing that you alluded to that interests me is this notion of building up the cyber workforce amongst the feds. And we've seen folks from CISA talking about 2026 being a year of building up. And in the past year, everything we've seen with DOGE and the ongoing kind of adversarial attitude towards certain CISA tasks. Is that a fair way to say it? Like, it's just, it's. I'm sitting back and waiting to see how this is going to play out in '26. How about you?
E
I am, too. I mean, you know, I've been talking to some folk in that area, let's say, without revealing too much. And, you know, morale is terrible at the agencies, from what I've heard, that are working on cyber issues. I mean, Nick Anderson, who's at CISA, has talked about how great morale is, but that's not a lot of what I'm hearing. If you're a federal government employee in general right now, the people who I know who work in federal government, who still have their jobs are really just kind of hanging on until they can find something different or until they hit retirement age. We had a story that we wrote about people who might want to work for the federal government in the future under the CyberCorps program. Those people are dispirited about the idea of going to work for the federal government.
D
Now.
E
There are not a lot of openings. We've heard more about the administration wanting to cut personnel even more across the federal government. It starts to get difficult to imagine who would want to take these jobs who don't already have them, because not only is there a shrinking availability, but, you know, there's the shutdowns that happen that are, that are morale crushing. Why would you want to go work for the federal government, especially in cyber, where you, you could have a really good paying job in the private sector? So the, the public, the public service element of it has been weakened. That's always been an appeal for the workforce. Let's go, let's go work for the government. Let's go help people. But if you're treated like an adversary, is that something you want to do? And those are some big questions. How do you incentivize these things? I mean, Sean talked about the idea of reaching out to vocational schools. That's something we actually heard from the prior National Cyber Director. That's a very different situation in terms of the idea of federal government service right now than it was under that administration.
D
Yeah. How are you going to incentivize the, the best of the best who, even if they have a true interest in public service. My recollection and understanding is that a federal job, a government job, you might not have been paid as much. It might not have been as glamorous, as exciting, as in the private sector. But part of it was security, the fact that you knew you'd have a job and get a paycheck. And that's not so certain anymore.
E
Yeah, I think that that then starts to narrow the pool of people. One pool of them is the highly desperate, sadly to say, and the other pool is the true believers of the MAGA cause. And how much do we know? And I don't know the answer to this question. I'm not raising it because I'm implying anything, but how much overlap do you have between people who have cyber skills and are desperate and cyber skills and who are right wing true believers? I don't know what that nexus is. And that raises open questions about who would want to come do it. And those are the two pools. And I don't know that we know what the level of cyber skill is in those communities.
D
Well, your reporting here closes with a quote from Sean Cairncross about his desire to kind of shop this around before just dropping it on people generally. Good response from other folks in government of that approach.
E
I think people are impressed by his overall approach in terms of what he's actually using. The word he used, socialized. I don't know that it's a very close hold. Naturally, I've been asking people about what they've seen. But one thing I think is surprising and it seems like I'm being very skeptical of what's going on here. That's my job partially. But also you and I talked long ago when Sean Cairncross was picked for this job and there were a lot of people who were shrugging their shoulders and wondering what kind of job he was going to be able to do. As someone who didn't have virtually any cyber experience, he's impressed a lot of people on both the left and the right with his approach. He seems like he's done his homework. He seems like someone who is approaching these things carefully and thoughtfully is what a lot of the feedback is about his role. And so I think people are impressed by how he's going about this. I think that the questions come in about even if he approaches it well, how good of a job can he do under the circumstances of this administration?
D
Yeah. All right, well, Tim Starks is senior reporter at CyberScoop.
B
We will have a link to his.
D
Reporting in our show notes. Tim, thanks so much for joining us.
E
Thanks for having me.
C
At Thales, they secure what matters most. The most trusted companies and organizations utilize Thales cybersecurity products to protect critical applications, sensitive data and identities, anywhere at scale. Through their innovative services and integrated platforms, Thales provides customers a greater visibility of risks, the ability to defend against cyber threats, close compliance gaps, and deliver trusted digital experiences for billions of consumers every day. That's Thales, T H A L E S. Learn more at cpl.thalesgroup.com.
A
And for our last story today. Well, if you thought the holiday season was only stressful for shoppers or think again. It turns out that cyber criminals are also making their lists and checking them twice, according to the latest Semperis ransomware risk report. Attackers love striking when we're distracted. Weekends, holidays, mergers, acquisitions. Basically, anytime your SOC is running on half power. With 78% of companies slashing SOC staffing during off hours, attackers basically get the run of the house. And while organizations are distracted, shoppers aren't doing much better. PreCrime Labs says that threat actors are rolling out holiday themed phishing domains like their wrapping paper. More than 1,700 suspicious sites popped up before December even started, with Halloween and Black Friday scams spiking into the triple digits. Fake luxury stores, crypto seasonal tokens, travel deals to zombie festivals. Well, if it sounds festive, if zombies can be festive, someone is weaponizing it. And if you are bargain hunting on your phone, there's one more stocking stuffer for you. Privacy risk. Yep, an analysis of top Black Friday apps found that they request an average of 29 permissions. Eight of them are considered dangerous, by the way, and dozens were not exactly truthful in their privacy policies. Big surprise, some apps said that they don't access your location while absolutely accessing your location. So whether you are in the boardroom or in the checkout line, remember that the holidays may slow us down, but they speed cybercriminals up. So stay merry and just stay alert too. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like this show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazes, in for host Dave Bittner. Thank you for listening. We'll see you tomorrow.
Episode: "Message in the malware."
Date: November 25, 2025
Host: Maria Varmazes (in for Dave Bittner)
Guest: Tim Starks, Senior Reporter, CyberScoop
This episode delivers headline cybersecurity news and an in-depth interview focused on shifts in U.S. national cybersecurity strategy under the Trump administration. Topics covered include major breaches, ongoing malware campaigns, risks in holiday shopping, and challenges in building a resilient federal cyber workforce.
[02:10]
"While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals..."
Guest: Tim Starks, CyberScoop | Host: Dave Bittner
"We're going to impose costs on adversaries in a way that we haven't seen before..." [11:20]
"Those modernizing programs are kind of like painting the Golden Gate Bridge..." [13:14]
[14:06]
"Yeah, you think we don't do that? Yeah, we do that too. We're better at it."
Indicates a more transactional, less moralistic approach to cyber-espionage.
[16:01 - 18:25]
"If you're a federal government employee in general right now... they're really just kind of hanging on until they can find something different or until they hit retirement age." [16:04]
“Whether you are in the boardroom or in the checkout line, remember that the holidays may slow us down, but they speed cybercriminals up.” [23:10]
"We're going to spell out what we expect for each critical infrastructure, sector by sector of the private sector." [11:45]
"When you start on one end and by the time you get to the other, it's time to go back... and start all over again, you know." [13:14]
“He’s impressed a lot of people on both the left and the right with his approach… he seems like someone who is approaching these things carefully and thoughtfully.” [19:50]
“Fake luxury stores, crypto seasonal tokens, travel deals to zombie festivals… someone is weaponizing it.” [22:50]
This episode delivers urgent threat intelligence—spanning new attacks on infrastructure and software supply chains—while previewing significant shifts in U.S. cybersecurity policy under the Trump administration. The thoughtful interview with Tim Starks highlights strategic realignments on deterrence, public-private collaboration, and modernization, as well as the acute morale and hiring crises facing federal cyber agencies. The final segment warns listeners of increased digital risks during the holiday season, urging continued vigilance both at work and at play.