A
You're listening to the Cyberwire Network, powered by N2K. Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first-ever AI certification focused on artificial intelligence and cybersecurity, and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI+ practice exam is coming out this year, to help you prepare for the certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net/blog. And thanks.
B
At Thales, they know cybersecurity can be tough, and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
C
An AWS outage sparks speculation. An F5 exposure and breach raise patching and supply chain concerns. Salt Typhoon breaches a European telecom via a NetScaler flaw. A judge bans NSO Group from WhatsApp. China alleges irrefutable evidence of NSA hacking. ConnectWise patches adversary-in-the-middle risks. A Dolby decoder flaw enables zero-click remote code execution on Android. We've got a cyber M&A and funding surge that signals a busy consolidation cycle. Our guest is Jeff Collins, CEO of Wanaware, sharing how hospital consolidations are reshaping IT asset visibility and what it takes to close those gaps. And one man's quest to make AI art legit.
C
October 20, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It is great to have you with us, and good to be back from a lovely week-long vacation last week. My thanks to Maria Varmazis for filling in on the mic. A widespread Amazon Web Services outage disrupted major apps worldwide, fueling attack rumors that sources say lack evidence. Amazon's status page reported increased error rates and latency in the US-EAST-1 region, cascading across services like Snapchat, Robinhood, Roblox and Fortnite. Downdetector logged thousands of reports in the United States, Canada and Europe. AWS said engineers were mitigating the issues and services were gradually recovering Monday morning. It's noteworthy that a single cloud region's failure can interrupt trading, communications and gaming at scale. Security teams should stress-test multi-region failover and vendor resilience. The speculation shows how routine outages can trigger geopolitical anxiety, so clear, timely incident communication remains essential. The Shadowserver Foundation found over 262,000 F5 BIG-IP systems exposed online, while F5 disclosed a nation-state breach with stolen BIG-IP source code. Over 130,000 exposed systems are in the United States. Patch status remains unclear. F5 says attackers accessed BIG-IP development and engineering systems in August; the company reports containment, no tampering with source code or supply chain, and limited customer configuration data stolen. F5 is notifying clients; they filed a Form 8-K and delayed disclosure at the US government's request. F5 privately links the activity to China-nexus group UNC5221 and warns about the Brickstorm backdoor. Broad exposure plus uncertain patching increases exploitation risk. NCSC and CISA urge customers to locate F5 assets, secure management interfaces, assess for compromise and apply current updates.
China-based group Salt Typhoon is exploiting a Citrix NetScaler Gateway flaw to infiltrate a European telecom, Darktrace reports. In July, attackers moved from the gateway to Citrix Virtual Delivery Agent hosts. Attackers hid behind SoftEther VPN infrastructure. They deployed SnappyBee, also called Deed RAT, via DLL sideloading with antivirus executables from Norton, Bkav and IObit. Command and control used HTTP and unidentified TCP, with Internet Explorer headers observed. The case underscores persistent, stealthy tradecraft that blends into trusted software. It highlights the need for anomaly-based detection and proactive defense across critical sectors. Organizations should harden exposed appliances and monitor lateral movement from remote access gateways. A federal judge barred NSO Group from targeting WhatsApp and cut Meta's jury award to just over $4 million. U.S. District Judge Phyllis Hamilton found evidence Pegasus spyware could still infiltrate WhatsApp, granted a permanent injunction and capped punitive damages at 9 to 1. Meta's 2019 suit alleged violations of the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, plus terms of service. The injunction covers WhatsApp only. Hamilton wrote that NSO continued trying to bypass WhatsApp's security and that the unauthorized access harms users' informational privacy. This matters because the order blocks data collection and addresses zero-click techniques, while signaling consequences for commercial spyware targeting encrypted communications. China accused the US NSA of hacking its National Time Service Center, citing irrefutable evidence and a detailed timeline. The Ministry of State Security said the NSA exploited mobile phone vulnerabilities of center employees since March 25, 2022, and used stolen credentials from April of 2023 to access computers; private servers masked origins. The Xi'an facility supports high-precision time services and international time calculation.
The claims point to risks for critical infrastructure that supports government, civil society and industry. They also come amid escalating US-China tensions and mutual cyber accusations. Defenders should review protections for time sources and monitor for credential abuse and mobile exploitation. ConnectWise has patched two adversary-in-the-middle flaws, urging on-prem customers to update and enforce TLS 1.2. The first vulnerability, with a CVSS of 9.6, exposed clear-text transmissions. The second lacked integrity checks on downloads. Agents configured for HTTP or weak encryption risked intercepted communications or malicious update replacement. The patch enforces HTTPS for all agent traffic. The vulnerabilities meant local network attackers could view, modify and tamper with Automate operations. Users should patch immediately and validate secure configurations. A Dolby Unified Decoder flaw enables remote code execution, including zero-click exploitation on Android, researchers from Google report. The decoder processes Dolby Digital Plus, AC-4 and other formats. Project Zero found an out-of-bounds write triggered by evolution data handling. An integer wrap caused an undersized buffer and a bounds-check failure, enabling overwrite of struct members, including a pointer used on a following sync frame. Audio messages can trigger the flaw. Android decodes audio automatically, enabling zero-click code execution in the media codec context. Microsoft addressed the issue in October updates, with user interaction required on Windows, and Google included patches in ChromeOS releases. In this week's business roundup, cyber deal-making accelerated across spyware, managed security, email and identity as NSO confirmed a sale and major roll-ups advanced. NSO said a U.S. investment group acquired the firm for tens of millions while keeping Israeli regulatory and operational control; Calcalist reported a Robert Simonds-led investor group, not confirmed by NSO. LevelBlue agreed to acquire Cybereason, adding SoftBank Corp., SoftBank Vision Fund 2 and Liberty Strategic Capital as LevelBlue investors and aligning with prior Trustwave and Stroz Friedberg deals. Kaseya acquired INKY, which remains standalone and joins Kaseya 365 User. Pentera bought DevOcean to extend from adversarial testing to remediation. French MSSP Nomios acquired Intragen, targeting €650 million in revenue in 2026. Capital flowed to core security segments. Resistant AI raised a $25 million Series B. Pantheron secured $12 million in a Series A. Authenticate obtained $12 million in debt financing. Site Hop raised £7.5 million. Arcjet announced $8.3 million in a Series A. Mind the Hack closed a €2.8 million seed. Nimiz raised €2 million. Talion secured £2 million, while Hyperbunker raised €800,000. The pattern points to bundling XDR, MDR, DFIR, email security and IAM at scale. Coming up after the break, Jeff Collins from Wanaware shares how hospital consolidations reshape IT asset visibility and what it takes to close those gaps, and one man's quest to make AI art legit. Stay with us.
B
What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
B
And now, a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
C
Jeff Collins is CEO of Wanaware. I recently sat down with him to learn how hospital consolidations are reshaping IT asset visibility and what it takes to close the gaps.
D
When we think about hospitals, especially healthcare institutions holistically, over the last, let's call it, five years (definitely this even occurred prior to that), there's a lot of consolidation going on: lots of mergers, lots of acquisitions, lots of large institutions buying up smaller hospitals, buying up smaller clinics, ambulatory surgery centers, et cetera. One of the things that we found is, as those acquisitions happen, a lot of risk is happening within those organizations, specifically within the realm of assets that they just don't know about, which creates security and operational concerns and constraints. Whether those assets are laptops or desktops, maybe they're a machine that is used by a doctor or a nurse, IoT devices, you know, smart healthcare systems, smart EKGs, smart patient monitors, all those types of things. We see large amounts of these gaps within the healthcare space.
C
Yeah, I mean, I can imagine just anybody who's visited a hospital lately. There's just so many devices, and of course, they're all connected in one way or another these days. To what degree is this a matter of devices that are in active use or devices that are sitting in a storeroom somewhere, or is it a combo of both?
D
Well, where we see the gap is, really, certainly active devices become problematic. The devices that are even more problematic, though, are those devices that are technically active but nobody knows about them. They're connected to the hospital Wi-Fi network. They're connected to an Ethernet jack plugged into a wall somewhere. Those are the ones that become even more problematic because nobody knows they exist. They're not patched, they're not maintained, they're not controlled. Sometimes they have, you know, ubiquitous access outbound or ubiquitous access inbound, where, you know, if we're thinking about it from a security perspective, you know, a bad actor outside of the four walls or even inside of the four walls of a hospital can leverage those. Or inside of a healthcare facility, when we think about operational risk, oftentimes those devices have risks. They can generate DDoS attacks. They can be leveraged to perform a whole multitude of attack vectors inside of a health institution. Sometimes those devices are unknown, but they're part of something that is known. Maybe it's a backend system that's required for an MRI or for a CAT scan. That device goes down, nobody has any idea that the device exists, and that becomes problematic across the board within that healthcare institution, regardless of if they're a hospital or a physician's office or a surgery center or whatever it may be.
C
So what is the typical fallout when a merger happens between a couple of medical facilities and they suddenly find they have to blend all of these devices?
D
Yeah. So what we've seen, certainly within our surveys that we've sent out, and we do lots of surveys each year to try to understand what the scope of this is. You know, when we look at those surveys, certainly high percentages of organizations don't know everything that they have. When we think about fallout, fallout is somewhat harder to measure. We can look at fallout in the realm of publicly disclosed breaches. Certainly, you know, those keep continuing upward in trajectory. We see more and more of those every single year. As we see those breaches, those give us a good insight into what's going on, primarily because generally those breaches are disclosed where they started. And oftentimes they're started from a machine that's either known or unknown, or a machine that has some level of compromise that could be leveraged by an attacker. Operational risks become harder because oftentimes those don't get disclosed to the general public, because there's not really a regulatory constraint unless something happens and a patient outcome is affected directly, which is extremely problematic. But the reporting within that, and the reporting of such, is certainly noticeably less.
C
Well, I mean, obviously this is your area of expertise, being able to inventory what's on someone's network. Can you help us understand, like, where do we stand today? What is the state of the art when it comes to best practices for trying to get a handle of what exactly you got on your network?
D
Yeah, so certainly best practice today is to leverage technologies that allow organizations to, number one, understand what assets they have without creating operational or security risk to the organization. There are lots of technologies out there that will do scanning, that you can deploy agents, you can deploy all those things. The risk is that anytime you do a scan, especially if it's an authenticated scan, and anytime you deploy agents, that creates additional risk for the organization. As we talk to healthcare institutions, whether those are hospitals or all the way down the line, we find that, generally speaking, they have technologies already that they could leverage to get this information. They just historically haven't had a great capability of correlating that data, tying it all collectively together and being able to action on it. And so as we talk to organizations, that's really the big piece that we push on: don't go buy and deploy new scanners or don't go and deploy new agents, that creates additional risk, but rather leverage the technologies you have, whether they're endpoint protection technologies, whether they're existing firewalls and all those individual components, and then how you can take all of that and collectively understand the scope of what you have organizationally. You can now quantify your risk, understand that, and then ultimately, over time, minimize and mitigate that risk, both from a cybersecurity as well as an operational perspective.
C
What happens once you've gotten past that initial evaluation period and now you've got, let's call it, ongoing monitoring of the situation? Because an organization like a hospital is practically a living, breathing organism of its own, right? Things are constantly changing when you're running a place at that scale.
D
Yeah, so once you've actually got those assets ingested, once you understand the relationships, really the reality is twofold. Number one, you have to make sure that quickly you can understand new assets. That living and breathing organism, which is a healthcare organization, whether it's a hospital or even a physician's office, the reality is they're constantly getting new technologies, deploying new technologies, changing older technologies out. That is a constant change that's happening. The reality is you have to be able to keep up with that. Getting an understanding of everything we have today is certainly a benefit, and we should applaud that. But when the world changes tomorrow, there's only so much that we can rest on our laurels. And so the reality is that we have to continuously be able to understand new things coming in. We have to have flexible systems that allow changes in technology, that allow innovation, which is drastically happening inside of the healthcare environment. All of us hear about AI, and we hear about how AI is changing all of this and how AI is changing patient outcomes and technology stacks. And we have machine learning going on, and we have massive-scale data lakes and data warehouses happening; all those things occur. But really that first big piece is you have to be able to adapt and change as your environment evolves. The second major piece is, once you've had that capability of evolving and understanding and being able to change with the business, the second thing you really have to do is to be able to action upon that. So just because you have things and just because you have knowledge: if there's an outage, you have to have the ability to resolve that quicker. Outages are operational. If there's a breach, you have to be able to get to the source, understanding what we call the blast radius.
You know, when something happens, whether that's operational or cybersecurity related, that happens generally in one device or in one application, but that expands and grows oftentimes across an organization. If it's a breach, maybe it's one machine that was originally breached and then that grew to 100 or 1,000 or sometimes even more than 1,000 machines. If it's an operational risk, that may have been one machine that went down, but that was crucial in, let's say, the entire EHR system or the entire EMR system. That one individual machine became something that problematically took out the entire healthcare organization. And really that resolution time, of being able to leverage this and provide benefit to the business itself, is crucially important.
C
What's your advice for that security professional who's looking at their own situation and is feeling intimidated by the potential for what they're going to find out? They're afraid that they might be overwhelmed with the information that's going to be presented to them.
D
Well, what I would say is every healthcare cybersecurity professional should be concerned. The reason why is because of what's happened historically: anytime they've heard "I can get more information," what that has equated to is more non-actionable alerts, more non-actionable events. That's the reality of what has happened. You know, if I go back in my history, 25 years in technology, all of us that have been in the space a long time, that's what we've heard for 25 years: you can get this brand new technology and it'll give you all the insight in the world. And the reality is it was a whole bunch of alerts and a whole bunch of events that just wasted time. It's what cybersecurity people call the false positive. False positives are what break everything. That's what creates the work effort that can't be resolved. The key is, you have to do this without getting false positives. Now, how do we do that? You do it by understanding context. Cybersecurity professionals understand that things are false positives because they understand the context around that alert. They can look at that alert, they can see it's associated with this device. They understand if they have a compensating control that might be mitigating that. They understand if it's, you know, siloed. Maybe it's in a zero trust model where it's only that machine; sure, that machine is breached, but it's very low priority and very low risk to the organization. And while it came across as a critical event, it's really something that can be dealt with tomorrow or in a week or whatever it may be. It has no patient data on it; it really just has no priority to the organization. That's where cybersecurity professionals have historically provided that context. The key going forward is that technologies, as well as processes and procedures, have to be able to do that more systematically.
Our cybersecurity professionals have to be able to focus on the risks that really matter to the organization, those which require people, and the rest of this stuff, mitigating false positives, mitigating operational risk, doing all these types of things, those all need to be done by systems. And they need to be done in a manner where we're not getting more and more alerts and metrics and all of this log information that's really just false positives that waste people's time.
C
That's Jeff Collins, CEO of Wanaware.
A
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone.
E
Learn more at WhatsApp.com. This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.
C
And finally, Jason Allen is still fighting to prove that a robot-assisted masterpiece can, in fact, belong to its human co-pilot. In 2022, Allen stunned and infuriated the art world by winning the Colorado State Fair's Fine Arts competition with an image spun up by Midjourney, the then-new AI art generator. Since then, he's spent three years in legal limbo trying to convince the US Copyright Office that his digital muse didn't steal his thunder. In August, he filed yet another brief, hoping to claim authorship over Théâtre D'opéra Spatial and, conveniently, to sell limited-edition oil print elegraphs of it that promise the gravitas of a 19th-century masterwork, minus the hand cramps. Allen insists the creative act lies in the hundreds of prompts he typed to coax the machine into beauty. Whether the courts will agree is anyone's guess. Whether it's art or algorithm, Allen's work has definitely sparked some creative debate. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
B
Here we have the Limu Emu in its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating.
D
It's accompanied by his natural ally, Doug.
E
Limu is that guy with the binoculars watching us.
D
Cut the camera. They see us.
B
Only pay for what you need. Liberty, Liberty, Liberty, Liberty. Savings vary. Underwritten by Liberty Mutual Insurance Co. and affiliates. Excludes Massachusetts. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 20, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Jeff Collins, CEO of Wanaware
This episode delivers a packed briefing on the latest cybersecurity news, highlighting the ramifications of a major AWS outage, new exposures and breaches involving F5 and Citrix products, international cyber accusations between the US and China, judicial action against the NSO Group, and a notable funding and M&A surge in the cyber sector. The featured interview explores how hospital consolidation is reshaping asset visibility and operational risk in healthcare IT, followed by a look at one man's ongoing legal struggle to legitimize AI-generated art.
[03:00]
"It's noteworthy that a single cloud region's failure can interrupt trading, communications and gaming at scale." — Dave Bittner [03:33]
[04:10]
"Broad exposure plus uncertain patching increases exploitation risk." — Dave Bittner [05:01]
[05:34]
[06:50]
"The unauthorized access harms users' informational privacy... the order blocks data collection and addresses zero click techniques." — Dave Bittner [07:36]
[08:08]
[09:10]
[10:25]
"The pattern points to bundling XDR, MDR, DFIR, email security and IAM at scale." — Dave Bittner [12:27]
[15:05 – 18:26]
"A lot of risk is happening within those organizations, specifically within the realm of assets that they just don't know about, which creates security and operational concerns..." — Jeff Collins [15:30]
[18:26 – 20:07]
[20:07 – 22:08]
"Don't go buy and deploy new scanners or ... agents... leverage the technologies you have... and collectively understand the scope of what you have organizationally." — Jeff Collins [21:10]
[22:08 – 25:34]
"You have to continuously be able to understand new things coming in... and then ultimately ... minimize and mitigate that risk, both from a cybersecurity as well as an operational perspective." — Jeff Collins [22:50]
[25:34 – 28:28]
"Mitigating false positives... all need to be done by systems ... so we're not getting more and more alerts ... that waste people's time." — Jeff Collins [28:06]
[29:58]
"Whether it's art or algorithm, Allen's work has definitely sparked some creative debate." — Dave Bittner [31:06]