Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Tim Starks
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
The Senate confirms a new National Cyber Director. A new commission explores the establishment of a separate cyber force. Cybercriminals exploit link wrapping to launch sophisticated phishing attacks. AI agents are hijacked, cameras cracked and devs phished. Gene sequencers and period trackers settle allegations of oversharing personal data and inadequate security. Our guest today is Tim Starks, discussing China's allegations of the US exploiting a Microsoft zero day in a cyber attack. And OpenAI scrambles after a chat leak fiasco.
It's Monday, August 4, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. Happy Monday. It's great to have you with us.
Sean Cairncross, a former Republican National Committee official and Trump advisor, was confirmed by the Senate as the new National Cyber Director in a 59-35 vote. Despite having no background in cybersecurity, Cairncross gained bipartisan support and endorsements from senior cyber experts. He now leads the Office of the National Cyber Director, which shapes federal cybersecurity policy. At his Senate hearing, he admitted limited cyber knowledge but emphasized his management experience. He voiced strong support for collaboration and offensive cyber efforts. Cairncross backed two key bipartisan bills, the Cybersecurity Information Sharing Extension Act and the Rural Hospital Cybersecurity Enhancement Act. He succeeds Harry Coker, a former NSA official, and follows Chris Inglis, the ONCD's first director.
Cairncross pledged to deliver results for national security.
A new commission has launched to design how the US could establish a separate cyber force, aiming to influence next year's defense bill. Formed by the Center for Strategic and International Studies and the Cyberspace Solarium Commission 2.0, the 17-member group includes top former military and civilian cyber leaders. Co-chaired by retired Lt. Gen. Ed Cardon and Josh Stiefel, the panel assumes presidential support for a cyber force and is focused on how to build it. This comes amid delays in reforming US Cyber Command and growing frustration over unprepared cyber troops. Critics, including retired Lt. Gen. Charles Moore, argue the commission may undercut a separate congressionally mandated feasibility study. Still, the commission says it's ready with a detailed blueprint should the president demand a new cyber service.
Cybercriminals are exploiting email security tools like Proofpoint and Intermedia's link wrapping to launch sophisticated phishing attacks, according to Cloudflare. By compromising protected accounts, attackers send emails containing malicious links. These links are automatically rewritten by the security provider's trusted domains, making them appear safe. Victims are then lured to fake Microsoft 365 login pages to steal credentials. Attackers use URL shorteners and multiple redirects to evade detection, with phishing emails disguised as voicemails or shared documents. This tactic reflects a broader trend of misusing trusted tech tools like AI and security platforms for cybercrime.
Researchers at Aim Labs discovered a critical vulnerability dubbed CurXecute in the Cursor IDE developer environment, allowing full remote code execution via prompt injection. The flaw, with a severity score of 8.6, affects all versions before 1.3.
Exploiting it requires only a poisoned prompt delivered through an external service like Slack, which rewrites a key file and executes attacker commands without user consent. Because Cursor runs with developer-level privileges, attackers could steal data, deploy ransomware, or manipulate AI behavior. This mirrors past threats like EchoLeak, which showed how untrusted content can hack AI workflows. The core issue lies in AI agents' reliance on external data, making runtime guardrails essential. Cursor patched the bug on July 8, but the attack pattern signals a wider, persistent threat across developer AI tools.
Elsewhere, researchers at Pangea Labs have uncovered a new cyber attack method called LegalPwn, which manipulates generative AI models into misclassifying malware as safe code. The technique hides malicious code inside fake legal disclaimers, exploiting AI's tendency to respect legal-sounding language. Tested across 12 major AI models, including ChatGPT, Gemini, and Llama, most were vulnerable, while only a few, like Claude 3.5 and Microsoft's Phi-4, resisted. In real-world tools like GitHub Copilot and Gemini CLI, the attack tricked systems into recommending dangerous commands like reverse shells. LegalPwn is a form of prompt injection similar to person-in-the-prompt attacks. The research emphasizes the need for human oversight in AI security decisions and recommends guardrails and manual review to prevent such manipulations from compromising systems.
Bitdefender has identified two critical security flaws in Dahua's Hero C1 and other security camera models. These bugs allow unauthenticated attackers to remotely execute code via buffer overflows in the ONVIF protocol and file upload handler. The flaws give full control over the device and affect widely deployed cameras in homes and businesses. Dahua patched the issue on July 7th. Users should immediately update firmware or secure devices by disabling UPnP and isolating them from public networks.
Mozilla has issued a warning about a phishing campaign targeting developer accounts on its AMO platform. That's addons.mozilla.org, which hosts over 60,000 extensions. Attackers are sending fake emails impersonating the AMO team, urging developers to update their accounts to retain access to development features. Developers are advised to avoid clicking suspicious links, verify sender domains and email authentication, and log in only via official Mozilla websites. At least one developer reported falling victim. Mozilla is monitoring the situation and promises updates.
Gene sequencing firm Illumina will pay $9.8 million to settle allegations it sold genomic systems with known cybersecurity flaws to U.S. federal agencies from 2016 through 2023. The DOJ claims Illumina lacked a proper security program, failed to patch vulnerabilities, and falsely claimed its software met cybersecurity standards. CISA and the FDA had previously issued alerts about critical flaws in Illumina's products that could allow remote takeovers. A whistleblower lawsuit triggered the case, with the informant receiving $1.9 million from the settlement.
Developers of the period tracking app Flo have settled a class action lawsuit alleging it shared sensitive reproductive data from millions of users with Meta and others, despite promises of privacy. The terms weren't disclosed, but the case involved up to 38 million women and could have led to billions in damages. The lawsuit claims Flo let Meta access menstruation data via an SDK for ad targeting. Meta denies receiving such data. Flo previously settled with the FTC in 2021, agreeing to obtain user consent for future data sharing.
Coming up after the break, Tim Starks from CyberScoop discusses how China accuses the US of exploiting Microsoft zero days in a cyber attack, and OpenAI scrambles after a chat leak fiasco. Stay with us.
David Moulton
New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work.
Dave Bittner
How do they help that customer know that what they just created is safe? The future is now and our expectations are wrong.
David Moulton
Join me, David Moulton, senior director of thought leadership for Unit 42 at Palo Alto Networks, and our guests who live this work every day.
Dave Bittner
We're not just talking about some encryption and paying multimillion-dollar ransom. We're talking about fundamentally being unable to oper automated eradication and containment. So being able to very rapidly ID what's going on in an environment and contain that immediately.
David Moulton
They're hiding in plain sight. So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your front line for security insights.
Tim Starks
Identities now outnumber humans by more than 80 to 1. And without securing them, trust uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity: certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas: compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC: just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's v-a-n-t-a.com/cyber.
It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Dave Bittner
Hey, how are you?
Tim Starks
I'm doing well, thanks. So I'm looking at this article that you recently published. This is about some accusations coming from China that the US may be exploiting a Microsoft zero day. What's going on here, Tim?
Dave Bittner
Yeah, we've, we've seen in the last few years China step up the allegations against the United States about hacking. You know, I wrote a story a couple of years back about, about them increasingly doing this and the reaction from the United States being like, well, yeah, of course, of course the United States is hacking China. And also who are they trying to trick by, by kind of sort of turning the attention to us? In this case, the, the thing that made this particular one interesting was that it would involve, if it is to be believed, that the US used a zero day in a Microsoft product, specifically a US-based company, and exploited that zero day to go after a couple different Chinese military enterprises that they don't name specifically. They use the zero day and the first one dating back to 2022, going through 2023. The other hack didn't necessarily involve the zero day. So I'm just going to amend what I said. But what's interesting about this is you don't see them get this specific in some of their allegations and also kind of makes you scratch your head about the idea of a government exploiting a zero day of a US company. I mean, you can get into the idea of how much the United States government maybe makes use of US companies in some way, shape or form, but the idea that they might be doing this without Microsoft knowing is a kind of interesting idea that I don't think I've heard talked about much before.
Tim Starks
Yeah. And I. And there's always this element of essentially burning the zero day. Right. When you use it, then cat's out of the bag for that one.
Dave Bittner
Exactly. And you know, the other thing, of course, is that Microsoft has had its share of zero days. You know, it's, it's the biggest player in the field, it's the most attacked, it's the one that gives you the most access to the most things. So it's fascinating to hear, whatever you think of whether China is believable on this or not. It's an interesting allegation because there's a certain part of my brain that can't get around the idea that they think that the United States would not have the help of the companies or that they would do this against US companies. That's just a little less discussed in the sphere of other things that are happening outside of the United States' borders.
Tim Starks
What level of credibility can we realistically assign to this Cybersecurity Association of China?
Dave Bittner
You know, I think, I think what we can do is keep in mind that anything that's coming out of China is propaganda. Does that mean it's not true? It could be true. I just think we have to. You have to view it skeptically. At the same time, you have to. Of course, you know this. I think it was just in June that the president himself was asked on Fox News, like, about how much China's hacking us. And he said, you think we're not doing it to them? Come on, get real. And that's not the kind of thing you hear public officials say in the United States very often. They kind of dance around it. They're like, we maintain offensive operations against our adversaries, but they won't get into specifics and they won't treat it like, oh, it's so obvious that we're doing this. And Trump was like, yeah, it's so obvious that we're doing this. So I think it's possible for both those things to be true at the same time.
Tim Starks
Right.
Dave Bittner
One is that we're definitely doing it. Can you believe this specific allegation? I think there's reason to be skeptical of it.
Tim Starks
Yeah. It is interesting to me how little talk there is in the press about U.S. offensive operations. You know, we talk about, you know, spiders and snakes and bears, but not so much about eagles.
Dave Bittner
Now, there was. There was some. There have been times where companies have, companies, independent companies, meaning, you know, companies that are believed to be separate from any sort of, you know, foreign government. So Kaspersky has outed some US operations in the past. You know, some people say, oh, Kaspersky is in. Is a Russian-based company. So are they really that independent? But I think. I think for the most part, even if you question, you know, what they would do if they were forced by Russia to do something, these were things that they were doing in the routine course of their business when they were having US clients. You will see the occasional other company expose these things. But one of the only people who are really calling out alleged US hacking is the Chinese government on a routine basis. They're the ones who seem to be really making a policy of it, really. And the number of companies who are outside the US who are calling out US operations, it's pretty small. I don't know if it's because we're better. I don't know if it's because they're scared of the ramifications of going after the United States compared to going after China. It is a thing that I've always been fascinated by, that you often don't hear about US operations unless a reporter breaks a story about it. You look back at Stuxnet, you look back at things that the Post reported. Ellen Nakashima reported about Cyber Command during the elections. We don't get a lot of information about what's going on on our offensive piece, and maybe there's a good reason for that. It's classified. Maybe you would be extra careful if you're a news outlet or a. Or a media, a threat intelligence organization about going after that kind of thing that is done by the country in which you reside. Maybe there's a reason to be cautious about that. But at the same time, it's definitely newsworthy and it's definitely interesting, and we are widely considered the best and biggest player in this field.
So it's fascinating that we don't hear about it as much as we hear about other things. It's also possible, if I didn't say this already, it's also possible we're just better and we're better at hiding it.
Tim Starks
Right, Right. To me, it is conspicuous in its absence.
Dave Bittner
Yeah, I agree with you.
Tim Starks
And when given the opportunity to interview practitioners, offensive operators, or defenders, too, I've said, does it ever happen that in the course of your business, you're poking around inside of things and you come across something and you think to yourself, oh, this looks to me like us. And I don't really get satisfying answers.
Dave Bittner
From that question, at least not so far. You. I think some of the earliest times anybody was trying to crack this particular nut, it was before I was at CyberScoop, so I can't take credit for it. But there was some reporting that the CyberScoop team did about companies. You know, they went to some of the biggest companies and said, what happens if you happen across a US operation? And most of the companies were like, we're not going to talk about it. So they basically have acknowledged that for the most part, if you're a U.S. company, a U.S. company isn't going to out a U.S. operation. If that line from a few years ago holds true, that would make a certain amount of sense to me.
Tim Starks
Yeah, to me, too. Before I let you go, I want to switch gears with another article you wrote. This is about some legislation here that could try to protect the federal government against quantum computing threats. Can you unpack this one for us?
Dave Bittner
Yeah, I mean, this actually, you know, this relates to China to a certain extent because we've seen US policymakers, both in Congress and in the executive branch, worrying and also, you know, outside experts worrying that China is getting a little ahead of us in the quantum computing game. And if they do that, obviously that means our encryption regimes are no longer as protected as we thought they would be. So there was some legislation that was bipartisan Senate legislation from Senator Peters, Democrat of Michigan, and Senator Blackburn, a Republican of Tennessee, introducing a legislation to say let's put together a strategy on quantum-safe cryptography, quantum-safe computing. And let's also, in addition to that, because I think a strategy is a kind of thing that a bill can call for and it's just not that interesting. But I think the most interesting part of the bill is actually that it says part of this is that every agency that has a responsibility for critical infrastructure protection must develop a pilot program to protect at least one of your major, most high-value computing systems or networks. So I think if this bill happens, and the Senate Homeland Security and Government Affairs Committee has been a little bit of a dead zone for legislative activity this year, they did though, on Wednesday, actually move their first real legislation. And you know, the bipartisan part of this maybe gives it a little bit of life that I could see a bill like this moving forward. Especially if, you know, because Senator Rand Paul, who's the chair of that committee from Kentucky, Republican, doesn't like anything that costs any money. If he sees that this bill doesn't really cost much of anything for the federal government, I could see this bill being a reality. It could actually happen.
So it's related to what we're talking about, and it's an interesting kind of way to approach the issue is to say, you know, a lot of the quantum legislation we've seen out there is about US research or things like that. This is about protecting US federal government networks. So that's a little different in terms of what we've seen from other quantum-related legislation.
Tim Starks
Yeah. We will have links to both of Tim's stories in our show notes. Again, Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us.
Dave Bittner
Thank you, Dave.
Tim Starks
And finally, OpenAI quietly pulled a ChatGPT feature that left some users' deeply personal chats, like family drama, mental health confessions, and even sexcapades, floating around in Google's search results. Fast Company rang the alarm, revealing that users who clicked share and ticked a vaguely labeled box had unintentionally made their chats searchable. OpenAI initially claimed the warning text was clear, but soon admitted the "make this chat discoverable" setup was ripe for accidental oversharing. Their chief infosec officer called it a short-lived experiment, which, as Oxford ethicist Carissa Veliz puts it, sounds a lot like "we tested this on you and hope no one noticed." Now OpenAI is working to vanish the indexed content and clean up the mess. There's a bit of a kicker that this comes just as the company is fighting a court order to keep all deleted chats, even the mortifying ones.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Podcast Title: CyberWire Daily
Episode: New Sheriff in Cyber Town
Release Date: August 4, 2025
Host/Author: N2K Networks
In the August 4, 2025 episode of CyberWire Daily, host Dave Bittner delves into a multitude of pressing cybersecurity issues ranging from high-level governmental appointments to sophisticated cyberattacks exploiting modern technologies. The episode also features an in-depth interview with Tim Starks from CyberScoop, discussing provocative allegations of U.S. cyber operations against China and the recent OpenAI ChatGPT data leak. This comprehensive summary captures the key discussions, insights, and expert opinions presented throughout the episode.
Notable Quote:
"Cairncross pledged to deliver results for national security."
[Timestamp: 00:35]
Notable Quote:
"The commission says it's ready with a detailed blueprint should the president demand a new cyber service."
[Timestamp: 04:10]
Notable Quote:
"This tactic reflects a broader trend of misusing trusted tech tools like AI and security platforms for cybercrime."
[Timestamp: 05:45]
Notable Quotes:
"The core issue lies in AI agents' reliance on external data, making runtime guardrails essential."
[Timestamp: 09:30]
"LegalPwn is a form of prompt injection similar to person-in-the-prompt attacks."
[Timestamp: 12:15]
Notable Quote:
"Users should immediately update firmware or secure devices by disabling UPnP and isolating them from public networks."
[Timestamp: 14:20]
Notable Quote:
"Attackers are sending fake emails impersonating the AMO team, urging developers to update their accounts to retain access to development features."
[Timestamp: 16:00]
Key Points:
Illumina, a gene sequencing company, agreed to pay $9.8 million to settle allegations of selling genomic systems with known cybersecurity flaws to U.S. federal agencies between 2016 and 2023.
Flo, a period tracking app, settled a class-action lawsuit alleging the company shared sensitive reproductive data from up to 38 million users with Meta and others, contradicting prior privacy promises.
Notable Quotes:
"Users are advised to avoid clicking suspicious links, verify sender domains and email authentication, and log in only via official Mozilla websites."
[Timestamp: 16:30]
"Flo let Meta access menstruation data via an SDK for ad targeting."
[Timestamp: 17:55]
Notable Quotes:
"This is the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com."
[Timestamp: 23:15]
"It's interesting that we don't hear about [U.S. offensive operations] as much as we hear about other things."
[Timestamp: 19:47]
The "New Sheriff in Cyber Town" episode of CyberWire Daily provides a thorough examination of current cybersecurity challenges, governmental shifts, and emerging threats in the digital landscape. From high-stakes political appointments and legislative efforts to sophisticated cyberattacks exploiting AI and quantum computing vulnerabilities, the episode underscores the dynamic and evolving nature of cybersecurity. The interview with Tim Starks further enriches the discussion by shedding light on international cyber tensions and the complexities of offensive cyber operations.
For a deeper dive into these topics and more, listeners are encouraged to check out the full episode and access additional resources through the CyberWire’s daily briefing.